Almost every (internet) entrepreneur uses it: analytics and statistics software for websites. The most well-known, and probably most widely used, is Google Analytics. However, the use of Google Analytics has been in question since January. The Austrian privacy regulator fined an Austrian website and judged that the use of Google Analytics violates European privacy legislation, the General Data Protection Regulation (GDPR; AVG in Dutch).

This decision made us blink, especially because of the potential impact. As a Google Analytics user, what do you need to consider now? In this blog, we explain.

Background: transfer to the US

Personal data of European citizens processed in the US has been a thorny issue for years. The non-profit organisation 'None of Your Business' (NOYB) has already successfully filed two cases against Facebook's processing of personal data in the US. We have previously blogged about these 'Schrems I and II' rulings. The gist of them is that transfers of personal data to the US require additional measures to protect the personal data from access by US intelligence agencies.

Shortly after Schrems II, NOYB filed 101 complaints with various European privacy regulators. The complaints were filed against organisations using Google and Facebook services, including Dutch companies such as PostNL, Marktplaats and Thuisbezorgd. According to the complaints, Google and Facebook, beyond using the Standard Contractual Clauses, do not take sufficient measures to effectively prevent access by the US intelligence community. One of these complaints led to this decision by the Austrian privacy regulator.

What does the Austrian regulator say?

When using Google Analytics, Google qualifies as a processor. Google processes the personal data on servers in the US. Besides using the Standard Contractual Clauses, Google takes additional measures such as truncating IP addresses, encrypting the data and keeping a public register of government access requests. Yet this is insufficient, according to the regulator. After all, intelligence agencies can still gain access. Note that this therefore also applies to the use of Google Analytics for which no 'cookie permission' is required in the Netherlands (where the IP address is truncated).

Consequences in practice

First of all, this puts an awful lot of companies in a quandary, because this ruling on Google Analytics also applies to other software services that use servers in the US.

Legally, the Austrian regulator's ruling is correct, but it shows that technological developments are sometimes difficult to translate into legislation. Incidentally, Google itself indicates that the Google Analytics service has never had a request from the US Intelligence Community in the past 15 years. Google Analytics is mainly used to market products to consumers. Of course, there is something to be said for an intelligence agency not being very interested in which brand of jumper a person likes.

However, the ruling will not be without consequences. The Norwegian privacy regulator has, at least on its website, advised companies to consider alternatives to Google Analytics. The Dutch Personal Data Authority (AP) also warns on its website that Google Analytics may soon no longer be allowed. It says in its notice that two complaints about the use of Google Analytics in the Netherlands are currently under investigation.

And now?

Organisations cannot be expected to rush to cancel all services with servers in the US. However, exploring alternatives is recommended. In addition, it remains to be seen what the outcome of the AP's investigation will be. However, it is very likely that this decision will affect how Google Analytics will be used. For organisations, it is to be hoped that Google itself will also take the lead on this.

We advise organisations to at least map out properly for themselves which personal data flows outside the European Union, what measures are currently being taken for this and what risks are present. Of course, we would be happy to help you with this.