By Paul Lanois
On January 13th, 2022, the Austrian data protection authority (“DSB”) published its decision concerning the use of Google Analytics by a health website called “netdoktor.at.” The DSB held that the website operator violated Article 44 of the GDPR by failing to ensure that personal data transferred to Google in the United States had been afforded an “adequate” level of protection that should be equivalent to the level of protection offered in the EU.
The DSB found that the data collected by Google Analytics – which they state includes unique identification numbers, IP address, and browser parameters – constituted personal data within the scope of the GDPR. While such data may not include the real name of a person, the DSB found that the data is not considered ‘pseudonymous’ according to the EU standard because, according to the DSB, the unique identification numbers (alone or when combined with other data elements) could be used to “single out” the user from other website visitors. Furthermore, it was noted that the website operator had not properly enabled the “IP anonymization” feature available within Google Analytics.
The DSB found that the data was made available to Google LLC and was therefore “transferred” to the United States within the meaning of Article 44 of the GDPR. However, the transfer mechanism was based on the old version of the European Standard Contractual Clauses (“SCCs”). That leaves open the question as to what an EU data protection authority would decide if the website operator had instead contracted with Google Ireland or even used the new EU SCCs. In any case, the website operator (as the data exporter) was found solely responsible for the violation of Article 44 of the GDPR. As the data importer, Google was not held responsible.
Then, on February 10, 2022, the French data protection authority (“CNIL”) issued a press release regarding Google Analytics in which it stated that data transfers to the US in the context of the Google Analytics functionality are unlawful. According to the CNIL, the data collected by Google Analytics (including IP address and browser parameters) constituted personal data within the scope of the GDPR. Where a data controller argues that it is not able to identify a user through such an identifier (alone or combined with other data), it will have to prove what measures are in place to ensure that the identifiers collected are anonymous.
According to the CNIL, the IP address would be combined with other data such as the site URL, metadata relating to the browser and operating system, time and other data relating to the visit of the website, and the combination of such data allows the identification of a user. It is not necessary to know the name or postal address of the website visitor because, in light of Recital 26 of the GDPR, the individualization of visitors may be sufficient to make them identifiable. The CNIL further stated that users of the website may be identified when they log in through their user account or make a purchase, and may therefore be linked to identifiable data. The CNIL also stated that in certain cases, Google may be informed that a user who is logged in to their Google account has visited a website, and that personal data relating to that account is therefore collected.
In addition, the CNIL referred to the case C-311/18 (“Schrems II”) from the Court of Justice of the European Union to find that Google is an ESCP subject to FISA 702, meaning that Google has the obligation to provide personal data to the US authorities pursuant to FISA 702. The CNIL found that Google’s Transparency Report confirms that the company is subject to such an obligation. According to the CNIL, neither notification to users (where that is possible) nor the publication of a transparency report or a policy on handling government requests is sufficient to prevent or reduce access by US intelligence services. In relation to encryption measures, including those protecting the data in data centers, Google has the possibility to access the data unencrypted, so encryption is not a sufficient measure either. Also, the additional technical measure highlighted by Google LLC, the anonymisation of the IP address, is only optional and not applicable to all transfers. Therefore, there is a possibility that the full IP address may be accessed before it is truncated. On this basis, the CNIL found that the supplementary measures adopted by Google are not sufficient because they do not resolve the issues and do not prevent access by US authorities.
The Italian data protection authority (“Garante”) indicated on its website the following:
A website using Google Analytics (GA) without the safeguards set out in the EU GDPR violates data protection law because it transfers users’ data to the USA, which is a country without an adequate level of data protection. The Italian [Supervisory Authority] came to this conclusion after a complex fact-finding exercise it had started in close coordination with other EU data protection authorities following complaints it had received. The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.
In addition, the Dutch data protection authority indicated on its website that a legal process is currently ongoing in relation to two Dutch websites and that it expects to be able to indicate in early 2022 whether Google Analytics is permitted or not, noting that “it may soon no longer be permitted to use Google Analytics.”
Finally, the Norwegian data protection authority has indicated on its website that it is currently considering a case concerning the use of Google Analytics. Interestingly, it also indicates the following: “We know that there will also be more decisions about Google Analytics from other European data protection authorities. That’s why we now recommend everyone to explore alternatives to Google Analytics.”