Surprised faces all around during morning our coffee here at Sirius Legal, while reading a recent decision by the Austrian data protection authority DSB, which ruled in proceedings against an Austrian website and against Google LLC that the use of Google Analytics in all circumstances violates GDPR.
We don’t have to tell you that such a decision puts a small bomb under the online landscape throughout the EU, including Belgium, especially if it also turns out that the Austrian decision was clearly coordinated in advance at European level.
The use of Google Analytics was already very difficult due to the obligation to always request a prior opt-in to place GA cookies (or other analytics cookies). The latter has already had an enormous economic impact for many online companies and now, in addition to that, this recent decision threatens to have an even greater impact on websites throughout the EU.
Reason enough for us to dive into this thoroughly. Join us for a short analysis of the situation…
Let’s start with some background information
In 2020, the European Court of Justice ruled in its Schrems II judgment that the so-called Privacy Shield, which allowed for free exchange of personal data between Europe and the United States, was contrary to European law and more specifically to GDPR. The Privacy Shield ceased to exist with immediate effect and since then any company that wants to exchange data with the US is faced with extensive administrative and legal red tape. We’ve already discussed the obligations that company’s need to keep in mind on our blog several times. You can find all these articles in our Schrems II file. We have also developed specific compliance services for safe data export.
The above applies to any European company that entrusts data to a cloud service or online tool whose servers are (potentially) located outside the EU. Google, Microsoft, Mailchimp, Hotjar, Zoom, … are all such services that will potentially process European personal data in the United States and for which, in most cases, specific agreements, containing Standard Contract Clauses, must be concluded and for which a prior case by case risk analysis is required.
Shortly after the Schrems II judgment, the European privacy pressure group NOYB filed a total of 101 complaints in all EU countries against Google and Facebook because, according to NOYB, they systematically process personal data outside the EU without meeting the above conditions. It is precisely in one of those cases that a first ruling has now been issued by the Austrian data protection authority.
What has now been decided in concrete terms?
The Austrian Data Protection Authority investigated the functioning of Google Analytics and finds that website owners in the EU are data controllers under GDPR and that Google is a processor for them. Google offers, as it should, a processing agreement with the Standard Contract Clauses that are necessary for data export. Until then all is well, we think…
From thereon, the story becomes problematic. The Austrian government has established that data from Google Analytics is processed by Google on American servers. That data is thus exported to the US, and since Google is a “provider of electronic communications services” under US law, it is subject to oversight by US intelligence agencies and may be required to disclose data of European citizens to these intelligence agencies. Google does offer some “additional guarantees” on paper, but in practice these do not in any way prevent the possible access to European data by American intelligence services.
This, together with the finding that there is indeed personal data in the form of IP addresses, user ID and browser parameters, was sufficient for the DSB to condemn the website in question. Google itself escaped for the time being because the Austrian government was not authorized to condemn Google LLC, as an American company.
Harsh but fair decision?
As a lawyer, we can’t argue with this. From a purely legal point of view, the decision of the Austrian data protection authority is logical and defensible: data export outside the EU is only allowed if all conditions are met, one of which is the need to provide sufficient additional security guarantees that can ensure the appropriate confidentiality and security of European data. Google does not offer those additional guarantees and more in general, no American company can offer such guarantees under American law, where intelligence services potentially always have access to this communication data.
But at Sirius Legal we are not only lawyers, we are also companies and the entrepreneur in us revolts at these kinds of decisions. After all, the objective reality is that this decision is like cracking nuts with a sledgehammer. In an attempt to solve a very small and purely theoretical legal problem, a huge practical and economic problem for thousands of European companies is being created.
Google Analytics, along with other analytics services from Google such as the new Google Universal Analytics and Google Global Site Tag, represents more than 80% of the analytics market and many companies have invested a lot of time, money and energy in setting up their analytics properly. Correct numbers are vital for marketers, especially in e-commerce. That was exactly the reason why Sirius Legal lobbied long and hard on behalf of UBA, BAM, SafeShops, Feweb, ACC, Cube and UMA last year with the Belgian supervising authority GBA and with the Belgian federal government to abolish the mandatory opt-in for analytics cookies under Belgian law and replace it with a system alike the Dutch model, where analytics cookies without an opt-in are allowed if they meet a series of privacy protection requirements (read more about our agreement with the GBA).
Today we have to conclude that the problem for online companies is only getting bigger. The Belgian government has not listened to the legitimate complaints of the entire Belgian online sector, which has been hit very hard already by the mandatory opt-in for the use of Google Analytics cookies. This obligation results in less accurate figures, additional costs and a competitive disadvantage with regard to foreign companies. Based on this Austrian decision, opt-in for analytics cookies is suddenly the last concern for those same companies. Today however, the question rather is whether Google Analytics or Google Universal Analytics are still legal in the EU at all.
To make things even worse, the logic used in the decision applies mutatis mutandis to every US cloud service that processes personal data and where data could potentially be processed in the US. The major difficulty for companies is the fact that no service provider is really transparent about data location by itself or by any subcontractors. As an entrepreneur you simply do not know where your data is going, but today all responsibility is placed precisely with that entrepreneur. Google Workspace, MS Office 365,Teas, Zoom, Mailchimp (see also our article about using Mailchimp), Adobe Analytics, Hubspot, Hotjar, AWS (we reported on this before), Azure, … Who can guarantee in the present situation that the outcome for these services would not be the same as for Google Analytics?
What does Google itself say?
Google’s defense in the proceedings and its initial reaction afterwards were not very reassuring. Google confirms that personal data is indeed being exchanged with the US when using Google Analytics (and likely also Google Universal Analytics today), because this is simply necessary for the service to function properly. More generally, Google also states – quite rightly, by the way- that it makes great efforts to make its services privacy-friendly. Specifically in this case, Google says that it provides the necessary “additional guarantees”, as required on the basis of the Schrems II judgment. The DSB however ruled that those “additional guarantees” do not amount to much in reality. In response, Google can’t do much more than say that the user can choose to disable “third-party data sharing” in his or her account, but third-party data sharing isn’t the main legal issue here, that is the potential access by the American government and of course it cannot be turned off anywhere.
In other words, Google doesn’t really have an answer for the time being and that in itself is not surprising. It shows the large gap between the economic (globalized) reality today and the legal f(r)iction that GDPR often entails. Google is right when it says that a good analytics tool should work globally, and one can also sincerely question whether potential access to analytics data by the US government really poses a real privacy threat for 99% of European websites. We can hardly imagine that the NSA is looking for web visits from European clothing websites, kitchen sellers or law firms…
What does that mean for you as an entrepreneur?
This ruling has the potential to have a very far-reaching impact, also in Belgium. The decision may be Austrian, but it is very clearly coordinated with other European data protection authorities such as the Belgian DPA and with the European umbrella EDPB.
In order to coordinate the work of all relevant data protection authorities in the wake of the Schrems II judgment (data export), the Planet 49 judgment (cookies) and the subsequent flow of complaints by NOYB, the EDPB set up a special task force in 2021, which coordinates complaints and decisions regarding cookies and data exports within the EU. This decision by the Austrian data protection authority is the first to be reached in consultation with this task force and thus in consultation with the various national supervising authorities).
It is no coincidence that only a few days after the fine, the Dutch Data Protection Authorityits suddenly adjusted their website with the message: “Note: Use of Google Analytics may soon no longer be allowed”…
How should your company react to this?
It is of course difficult to dump all American cloud services overnight. That is practically, financially and commercially unfeasible. For analytics, you might choose to look at alternatives such as Matomo or Simple Analytics, but whether they offer the same functionality and ease of use as Google Analytics at no extra cost is questionable…
More generally speaking, it is now more than urgently time for a thorough Data Export Compliance Audit. In such an audit you ensure a thorough analysis of all your data exports, you investigate whether it is legally covered (is there a processing agreement, are there SCCs or another legal basis?) and whether there is any privacy risk associated with each specific export that requires setting additional safeguards (e.g. encryption of your data).
It goes without saying that performing a preliminary audit does not completely eliminate the problem associated with using tools and services that export your data outside the EU. What such an audit does do, is provide you with insight into any data export. It teaches you which tools export data, which data it concerns, which guarantees you have and where your greatest risks lie. In this way you can already investigate (and document) the best way to deal with those major risks: can you enter into a dialogue with the party involved to enforce a solution on its part or can you provide additional guarantees yourself (e.g. by to encrypt your data) or in the worst case you have to look for an alternative (or establish substantiated that there is no alternative and you therefore have no choice but to continue working). In this way, a good Data Export Compliance Audit gives you insight and knowledge, allows you to close gaps and ensures that you are optimally prepared to defend your internal operations in the event of complaints and audits.
Worried about your data export or questions concerning GDPR in general?
On February 11, we will repeat the data export webinar that we already gave several times in 2021 at Comeos and BAM, among others. In 45 minutes we will give you a clear analysis of the current legal situation in plain language and give you a pragmatic step-by-step plan to avoid unnecessary risks and fines.
Participation is free. You can register here (webinar is in Dutch).