On June 23, the Swedish Data Protection Authority (IMY) issued four decisions against companies that used Google Analytics. All the decisions found the use of Google Analytics to be incompatible with the GDPR. And two fines were issued this time, one for €1M.
The press release on IMY’s website gives a nice, high-level overview of the legal context of the decisions, but there is quite a bit more to dig into. So let’s take a closer look at the decision and what it means for the use of Google Analytics.
The legal issues
All four decisions stem from NGO noyb’s 101 complaints against Google Analytics and Facebook Connect. noyb has already successfully brought identical cases in other countries, and these decisions are more of the same: their legal content is an application of the Schrems II ruling of the Court of Justice.
The Schrems II ruling requires companies that transfer data to the US to implement extra safeguards on top of the “standard” safeguards required by the GDPR for all data transfers (in most cases, the standard contractual clauses drafted by the EU Commission). These safeguards are needed because of the risk of State surveillance over foreign data, as highlighted in the Snowden files.
But these safeguards are very difficult to implement and entirely impossible to adopt for Google Analytics. This is because Google Analytics needs to precisely single out visitors in order to work!
In each of the four Swedish decisions:
- a data subject, represented by noyb, complained that the company’s website illegally transferred their personal data to the US
- the company listed the safeguards it took, as well as the safeguards taken by Google to secure the data transfer
- the DPA found all these measures to be insufficient and ordered the company to stop using Google Analytics
What is new in the decisions?
While the core legal issues are the same as all other decisions against Google Analytics, the decisions are interesting in certain aspects.
The first is that fines were issued. In fact, the largest of the four, Swedish telecom giant Tele2, was fined €1M.
Other data protection authorities have preferred a softer approach so far and only ordered companies to stop using Google Analytics. It will be interesting to see if more authorities will follow the IMY’s example. If so, Google Analytics could become a costly violation in the future!
Another interesting aspect of the decision is that two of the companies were actually implementing technical safeguards. That is to say, they were actually doing something to try and keep the data safe instead of drafting some compliance fluff in their paperwork, which is something of a rarity.
Unfortunately, the authority found that neither the hashing of cookie identifiers nor the proxying of IP addresses through server-side tagging is enough to keep the data safe. Google collects and controls enormous amounts of data, which they can use to link pseudonymized data to a person. For instance, a hashed identifier can be connected to the browsing data collected through a visitor’s Google account.
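To make the authority’s point concrete, here is a small added illustration (not code from the decisions, from Google, or from the companies involved) of why hashing a cookie identifier and stripping the IP address at a server-side proxy does not anonymize the data. The client IDs, pages and the “known profile” are constructed sample values; the recipient is assumed to already hold the raw identifier from another source, which is what the authority says Google can do via Google accounts.

```python
import hashlib
from typing import Dict, List

# Constructed sample hits, as a site using server-side tagging would see them.
SITE_HITS = [
    {"cid": "GA1.2.1234567890.1680000000", "ip": "203.0.113.7", "page": "/pricing"},
    {"cid": "GA1.2.1234567890.1680000000", "ip": "203.0.113.7", "page": "/checkout"},
    {"cid": "GA1.2.9876543210.1680000100", "ip": "198.51.100.3", "page": "/blog"},
]

# Constructed: a raw identifier the recipient already knows from another source
# (assumption: the recipient can see the same cookie value elsewhere).
KNOWN_PROFILES = {"GA1.2.1234567890.1680000000": "account-alice@example"}


def hash_id(cid: str) -> str:
    """SHA-256 of the cookie id. Deterministic: same cookie, same token."""
    return hashlib.sha256(cid.encode()).hexdigest()


def pseudonymize(hit: dict) -> dict:
    """Model of the safeguards the companies applied: hash the cookie id and
    drop the IP before forwarding the hit."""
    return {"token": hash_id(hit["cid"]), "page": hit["page"]}  # IP removed at the proxy


def forward(hits: List[dict]) -> List[dict]:
    """Everything the recipient receives after the proxy step."""
    return [pseudonymize(h) for h in hits]


def single_out(forwarded: List[dict]) -> Dict[str, List[str]]:
    """The recipient can still tell visitors apart and follow one visitor
    across pages: a stable pseudonym singles people out even without the IP."""
    sessions: Dict[str, List[str]] = {}
    for h in forwarded:
        sessions.setdefault(h["token"], []).append(h["page"])
    return sessions


def relink(forwarded: List[dict], known: Dict[str, str]) -> Dict[str, str]:
    """If the recipient holds the raw identifier from another source, hashing
    it again joins the pseudonym back to a person. Pseudonymized != anonymous."""
    lookup = {hash_id(cid): who for cid, who in known.items()}
    return {h["token"]: lookup[h["token"]] for h in forwarded if h["token"] in lookup}
```

Run `forward(SITE_HITS)` through `single_out` and `relink` to see that the IP is gone but the visitor is still both distinguishable and identifiable.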
Bottom line: Google is collecting so much data (via Google Analytics, Google Accounts, its APIs, its (illegal) advertising trackers on Android devices, and so on) that it is practically impossible to properly anonymize any personal data you provide them.
In other words, Google’s own data-hungry business model is coming back to bite it under the GDPR!
The context
Google Analytics already has a history of being practically banned in EU Member Countries. But the story with data transfers is even longer, and a little recap can clarify the background of the decisions.
From Snowden to Schrems
It all started in 2012 when the Snowden files revealed the existence of extensive and indiscriminate surveillance programs over foreign data in the US. One year later, Austrian citizen Max Schrems (now a well-known privacy activist) filed a complaint against Facebook Ireland. He argued that the transfer of his personal data to US parent company Facebook exposed them to US surveillance and was therefore illegal under EU data protection law. This was the start of a long legal battle: the case was referred twice to the EU Court of Justice, invalidating two data transfer agreements between the EU and the US in the landmark Schrems I and II rulings.
Schrems II was decided in 2020 and tremendously impacted data transfers for two reasons. First, the Court invalidated the Privacy Shield framework, which previously allowed for easy data transfers from the EU to the US. Second, the Court examined standard contractual clauses, a common compliance mechanism for companies wishing to transfer data.
SCCs are a set of standardized clauses drafted by the Commission and are meant to be incorporated into a binding agreement with a recipient. In other words, if you want to transfer data outside the EU, you can implement the SCCs in a contract, and the clauses will tell the other party what they can and cannot do with the data. This is a way to ensure that personal data are transferred safely and confidentially outside the Union. But there is a problem: these clauses only bind the contract parties and do nothing to prevent State surveillance.
With Schrems II, the Court did not invalidate SCCs as a data transfer mechanism but ruled that they must be supplemented by additional safeguards when needed, as is the case with the US. So you can’t just copy-paste them, have the contract signed, and call it a day. You need to make sure SCCs actually work for your data transfer, and if they don’t, you need to make up for this lack of protection in some way. The problem is that this is difficult and sometimes impossible when dealing with State surveillance.
Data transfers post-Schrems II
Right after the Schrems II ruling, privacy NGO noyb (chaired by Schrems) filed a set of 101 strategic complaints against Google Analytics and Facebook Connect, in an attempt to nudge European authorities towards rigorous enforcement of the Schrems II ruling.
Authorities coordinated their approach to the complaints at a European level. As a result, the Austrian, French, Italian, Finnish, Norwegian, and Swedish privacy watchdogs ruled against Google Analytics when deciding noyb’s complaints (although the Norwegian decision is only preliminary). Additionally, the Danish authority embraced a similar position in a press release.
These decisions say the same thing: Google Analytics cannot keep personal data safe. With coordination at a European level, and the influential French and Italian authorities leading the way, more authorities are likely to follow.
It is worth clarifying that while the decisions formally address a specific website, they are practically a general ban against Google Analytics, because there is little or nothing a company can do to protect personal data from surveillance when using the tool.
Authorities and professionals alike know very well what is at stake. This is why Google Analytics’ legal troubles have received much attention and why the European Data Protection Board ensured a uniform application of Schrems II rather than leaving things up to individual authorities.
More than Google Analytics
It is not just about Google Analytics. Months ago, the Irish authority issued a record €1.2 billion fine against Meta and ordered the company to suspend data transfers to the US (which creates the very real risk of a Facebook blackout for Europe).
And to be clear, web analytics and social networks are the least of the EU’s problems. A strict application of Schrems II could threaten countless US providers, including some currently essential for European businesses, think Oracle or AWS!
The EU and the United States are setting up a new data transfer framework to solve this situation. However, this framework must still be approved by the Member States and, most importantly, survive the announced legal challenge in the EU Court of Justice.
It is difficult to say how a “Schrems III” ruling will play out, but for the moment, the fate of EU-US data transfers remains uncertain.
Conclusion
Ever since the decisions of the French and Italian DPAs, we have been warning that more and more national authorities would take a stance against Google Analytics. Time proved us right. The fines are starting to come in, so this is a good time to ditch Google Analytics!
And let’s not forget that data transfers are the least of Google Analytics’ problems! Google Analytics is a giant surveillance machine that extracts enormous amounts of personal data, combines it with more personal data collected by other services in the Google ecosystem, and feeds it to the privacy dumpster fire that is the real-time bidding system.
If the GDPR was enforced better, Google Analytics would be illegal because of what it does with personal data, regardless of where it goes. We believe we can do better!
Simple Analytics provides you with all the insight you need to grow your business and monitor your campaigns without collecting personal data at all! We believe that doing more with less is key to an independent, privacy-friendly web. If this resonates with you, feel free to give us a try!