"Google Analytics violates the GDPR", "using this tool is illegal", "using it is a risk": headlines like these have appeared frequently in the media in recent weeks.
The reason for these headlines and the press coverage of Google Analytics was a decision by the data protection authority in Austria. The authority found that a website operator had violated the GDPR by implementing Google Analytics on its website. The specific allegation was that personal data had been transferred to the USA without adequate protective measures.
On February 10th, 2022, the French CNIL made a decision to prohibit the use of Google Analytics. The Netherlands also announced that a decision on Google Analytics will follow soon.
The decision in Austria was the first publicly known decision in one of the 101 complaints launched by NOYB. NOYB is an NGO founded by activist Max Schrems and is dedicated to data protection enforcement across the EU. The complaints were submitted in the summer of 2020 in response to the ECJ judgment in the Schrems II case. With these complaints, NOYB is targeting website operators because of the use of Google Analytics and Facebook Connect.
The CNIL is now the second authority to have decided in these proceedings. Some complaints are also pending in Germany, but so far no German data protection supervisory authority has issued a decision in them.
Why is Google Analytics violating the GDPR?
NOYB criticizes the fact that when Google Analytics is used, personal data of EU website visitors is transmitted to the USA without adequate protective measures. Specifically, the IP address, a unique user identification number and browser parameters are used to analyze user behavior across different websites and other digital services of the operators.
Until the ECJ ruled in the Schrems II case, the transfer of data to Google Inc. in the USA was compatible with Art. 44 GDPR on the basis of the EU-US Privacy Shield. That adequacy decision for the USA was invalidated by the ECJ judgment. NOYB argues that consequently there is no appropriate level of data protection in the USA and that a transfer of personal data therefore violates Art. 44 GDPR, and that the other instruments of the GDPR, in particular the standard data protection clauses, cannot ensure an appropriate level of data protection in the USA either.
The use of Google Analytics has long been a focus of the data protection authorities. As early as May 2020, the German Data Protection Conference (DSK) published a resolution expressing considerable concerns about the GDPR compliance of this analysis service. Among other things, it criticized that Google Analytics was offered as a data processing service within the meaning of Art. 28 GDPR although Google reserves the right to use the data for its own purposes. Google therefore does not act as a processor here, but as a joint controller together with the website operator. For this to be GDPR-compliant, a joint controller agreement under Art. 26 GDPR would have to be concluded, but Google does not (yet) offer one.
Is Google Analytics a compliance risk?
Does this mean that companies have to stop using Google Analytics? How much risk is involved? As is so often the case, the answer is: it depends. One thing is certain, however: Google Analytics should only be used after a comprehensive risk analysis and only with a proper, GDPR-compliant configuration.
The decision of the data protection authority in Austria, which classified the use of Google Analytics as a GDPR violation, cannot be generalized. Google offers various configuration options for Google Analytics and has developed the product further since the time relevant to the decision (08/14/2020). It is in the website operator's hands to change some of these parameters. If you run a website, it is your responsibility to use Google Analytics in accordance with the GDPR.
The default configuration of Google Analytics is generally not privacy-friendly. It is up to the website operator to adjust it accordingly.
1. IP Anonymization and User ID
First of all, you must make sure that the "IP anonymization" function is activated. If it is, the IP address is anonymized before it is transferred to the USA. However, this does not completely solve the problem, because in some cases the IP address can still be transferred to the USA and only anonymized there. So even with a proper configuration there remains a risk that personal data ends up in the USA.
Google Analytics uses a unique identification number (UID) to identify users. This is the default setting, but it can be deactivated, albeit with a loss of functionality. Although the UID is assigned to users randomly, it is still personal data and falls under Art. 44 GDPR.
2. Opt-In or Opt-Out
It is up to the website operator whether Google Analytics is activated by default (with an "opt-out") or only after each individual user has given consent ("opt-in"). Activation without consent raises significantly more extensive legal concerns. Opt-out is a considerable risk, and the majority of websites use Google Analytics only with explicit consent.
Whether consent can also cover an otherwise unsafe transfer to the USA (Art. 49 (1) (a) GDPR) is still a matter of debate. The data protection authorities reject this, most recently again in the 2021 Telemedia orientation guide.
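To make the two settings above concrete, here is an added example (not code from the original post or from Google): it implements the masking rule Google documents for IP anonymization (IPv4 keeps the first three octets, IPv6 keeps the first 48 bits), so you can see what still leaves the browser, and an opt-in gate that only emits the gtag configuration after consent. `anonymize_ip` is the real gtag.js config flag; the helper names, the consent object shape and the measurement ID are this example's own assumptions.

```javascript
// Expand "::" shorthand into eight 16-bit groups (numbers).
function expandIpv6(ip) {
  const [head, tail = ""] = ip.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const missing = 8 - h.length - t.length;
  if (missing < 0 || (!ip.includes("::") && h.length !== 8)) {
    throw new Error("invalid IPv6 address");
  }
  return [...h, ...Array(missing).fill("0"), ...t].map((g) => parseInt(g, 16));
}

// What "IP anonymization" leaves behind: the network part survives, so the
// masked value still says which ISP and region the visitor came from.
function anonymizeIp(ip) {
  if (ip.includes(":")) {
    const groups = expandIpv6(ip);
    // Zero the last 80 bits (five groups); keep the /48 prefix.
    return groups.map((g, i) => (i < 3 ? g.toString(16) : "0")).join(":");
  }
  const octets = ip.split(".").map(Number);
  if (octets.length !== 4 || octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error("invalid IPv4 address");
  }
  octets[3] = 0; // keep the /24, drop the host part
  return octets.join(".");
}

// Opt-in gate: returns the gtag() calls to issue, or an empty list when the
// visitor has not consented (nothing is loaded, nothing is sent).
// The consent object {analytics: true|false} is assumed for this example.
function analyticsCommands(measurementId, consent) {
  if (!consent || consent.analytics !== true) return [];
  return [["config", measurementId, { anonymize_ip: true }]];
}

// Constructed sample values; "UA-PLACEHOLDER-1" stands in for a real property ID.
console.log(anonymizeIp("203.0.113.77"));                 // 203.0.113.0
console.log(anonymizeIp("2001:db8:85a3::8a2e:370:7334")); // 2001:db8:85a3:0:0:0:0:0
console.log(analyticsCommands("UA-PLACEHOLDER-1", { analytics: false })); // []
```

In a real page the returned command triples would be passed to `gtag(...)` only inside the consent banner's accept handler; the UID setting from the previous step is a separate decision this snippet does not make for you.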
3. Standard Contractual Clauses 2021
Since June 2021 there have been new standard contractual clauses that can be used to secure third-country transfers. The data protection authority in Austria, however, ruled on the 2010 standard contractual clauses, which were in force and had been agreed on August 14th, 2020.
The Austrian decision states that these 2010 standard contractual clauses are not sufficient to create an adequate level of protection for third-country transfers. The new standard contractual clauses available since June 2021, on the other hand, already incorporate some of the additional measures discussed after the ECJ judgment in the Schrems II case and also refer to the admissibility of a risk-based approach, in contrast to what the supervisory authorities have advocated so far. The Austrian authority did not address this, as it had to decide on a possible violation as of August 14, 2020.
Legal uncertainty remains
In any case, the decisions from Austria and France show the considerable legal uncertainty and the risks associated with operating Google Analytics.
In this context, it is also interesting that the data protection authority in Austria did not issue a fine. The CNIL did not impose a fine either, but ordered the violation to be stopped.
Civil claims for damages are increasing, however. The Regional Court of Munich I (LG München I) ordered a website operator to pay damages of 100 euros to a website visitor. The reason: the website embedded a font library from Google Fonts, and the IP address of website visitors was transmitted to Google in order to display the fonts.
What should I do?
In practice, you have to examine the use of Google Analytics and similar tools very carefully. Google Analytics can be configured accordingly and operated in a GDPR-compliant manner. But keep in mind that you as the website operator are legally responsible. You must ensure that Google Analytics is configured properly, and even then a small risk remains. If you misconfigure Google Analytics by accident, you violate the GDPR and are liable, even if the configuration was done by a third party. In a nutshell, there is a risk involved.
We recommend using a tool like Matomo Analytics in a self-hosted setup. That way you have full control over the data and, as a European company, you keep the data in the EU. The basic configuration is GDPR-friendly, and you do not need to worry about configuration issues that could backfire.
GDPR-Compliant Data Collection
Use GDPR-compliant tools to collect data for informed business decisions.