Recent decisions out of the EU will impact the use of Google Analytics and similar non-European analytics services when targeting EU individuals, with the potential to put many organizations at risk of receiving GDPR fines.
At issue was the transfer of personal data from the EU to the US through the use of Google Analytics.
These decisions, like the Schrems decisions, make it clear that organizations must have a technical understanding of their data flows, with an emphasis on: (1) where the data is going; (2) who is receiving the data; and (3) how the data is protected. Many of our clients are using the firm’s technical tool suite, NT Analyzer, to assist with their data protection and privacy efforts.
An Important Reminder
It is important to remember that the analysis should not end with just cookies and Google Analytics. Cookies are only one of many ways to collect/transfer data, meaning Google Analytics and similar services can receive personal data through other means.
For example, even if a website or app is not utilizing these types of cookies/technologies, the website or app could still send personal data to Google via HTTP parameters, which are sent as part of the query string (e.g., www.website.com/pg1/?name=John_Smith). Additionally, the website or app operator could also use browser/device fingerprinting or other means to track users across web properties. Therefore, it is important to conduct a technical analysis to determine if and how a website or app utilizes these types of services and whether mitigations are needed.
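As an added example (not from the article, and not part of NT Analyzer or any firm tool), the check below scans captured outbound request URLs for personal data travelling to analytics endpoints in query strings, including the page URL that Google Analytics hits forward in their `dl`/`dr` parameters, which is how a first-party `?name=John_Smith` reaches Google even without cookies; the host list, parameter names and value patterns are illustrative assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Non-EU analytics hosts to review (assumed list; extend from your own data-flow inventory).
ANALYTICS_HOSTS = {"www.google-analytics.com", "analytics.google.com", "stats.g.doubleclick.net"}

# Parameter names that carry personal data by design (the article's name=John_Smith case),
# plus value shapes that suggest personal data regardless of the parameter name (assumptions).
PII_PARAM_NAMES = {"name", "email", "uid", "user_id", "phone", "ip"}
PII_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "ipv4": re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
    "phone": re.compile(r"^\+?\d[\d\s-]{7,}\d$"),
}

def classify_param(name, value):
    """Return why a query parameter looks like personal data, or None if it does not."""
    if name.lower() in PII_PARAM_NAMES:
        return f"param name '{name}'"
    for label, pattern in PII_PATTERNS.items():
        if pattern.match(value):
            return f"{label}-like value"
    return None

def audit_requests(urls):
    """Return (host, param, reason) for analytics requests whose query carries PII-like data.
    GA hits forward the page URL (dl) and referrer (dr); a first-party query string such as
    ?name=John_Smith rides along inside those values, so they are inspected as well."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        if parts.hostname not in ANALYTICS_HOSTS:
            continue  # first-party or non-analytics request: out of scope for this check
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            reason = classify_param(name, value)
            if reason is None and name in ("dl", "dr"):
                nested = [n for n, v in parse_qsl(urlsplit(value).query) if classify_param(n, v)]
                if nested:
                    reason = f"page URL embeds '{nested[0]}'"
            if reason:
                findings.append((parts.hostname, name, reason))
    return findings

# Constructed sample traffic, as a proxy or browser network panel would record it.
SAMPLE_URLS = [
    "https://www.website.com/pg1/?name=John_Smith",
    "https://www.google-analytics.com/collect?v=1&tid=UA-XXXX-1&cid=555&t=pageview"
    "&dl=https%3A%2F%2Fwww.website.com%2Fpg1%2F%3Fname%3DJohn_Smith",
    "https://www.google-analytics.com/collect?v=1&tid=UA-XXXX-1&cid=555&t=event&uip=203.0.113.7",
    "https://www.google-analytics.com/collect?v=1&tid=UA-XXXX-1&cid=555&t=pageview&dl=https%3A%2F%2Fwww.website.com%2F",
]
```

Running `audit_requests(SAMPLE_URLS)` flags the `dl` parameter carrying the first-party name and the `uip` parameter carrying an IP address, while the plain page view with no personal data in its URL passes.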
Key Facts of the Austrian Ruling on the Use of Google Analytics:
[For a useful primer and additional background on the Data Transfer schemes and Schrems II, please scroll down to the end of this article]
Like the Schrems cases, the recent Austrian NOYB case reviewed the transfer of personal data to the US. The NOYB complaint was aimed at Netdokter.at (Netdokter), an Austrian health website operator that uses Google Analytics and relies on Standard Contractual Clauses (SCCs) to govern transfers of personal data to Google in the US. NOYB argued that Google qualifies as an “electronic communications service provider” and is therefore subject to Section 702 of FISA, meaning that it can be ordered by public authorities to disclose personal data of EU citizens. Therefore, in light of the Schrems II decision, adequate protection of EU citizens’ personal data cannot be ensured, resulting in an unlawful transfer of personal data to the US.
Netdokter’s Austrian publishing company and Google, however, argued that the data provided to Google, which included IP addresses, other user identifiers, and browser parameters, did not qualify as personal data and, even if it did, sufficient supplemental measures were put in place to safeguard the personal data. Safeguards taken by Google included: (1) transparency reporting on data requests from US authorities, (2) encryption at rest in the data centers and (3) pseudonymization of the data.
Ultimately, the Austrian DPA sided with NOYB over Netdokter and Google.
Summary of the Rulings in Favor of NOYB:
The Austrian DPA held that data transfers to Google in the US in the context of Google Analytics result in a breach of Chapter V of the GDPR, which may make it difficult for EU businesses and non-EU businesses with an EU-facing website or app to use Google Analytics going forward. Specifically, according to the Ruling:
- The data transferred to Google in the US constitutes personal data under the GDPR, especially given that IP addresses and online identifiers could enable foreign intelligence services to identify an individual; and
- Chapter V of the GDPR was violated because:
  - Google is subject to section 702 FISA as an “electronic communications service provider”;
  - The additional safeguards taken by Google were insufficient at preventing US intelligence services from accessing personal data of EU citizens; and
    - For example, the Austrian DPA stated that encryption was insufficient since US intelligence services could require Google to hand over the decryption key. In addition, the DPA agreed with the German Data Protection Conference’s view that IP addresses and other user identifiers are not considered pseudonymized under recital 28 GDPR since these identifiers are used to make the individual distinguishable and addressable. Further, according to the Austrian DPA, the website operator could share other data elements with Google that could reidentify a data subject even without the IP address.
  - Netdokter could not rely on an alternative transfer mechanism.
The French CNIL, through a press release, published a similar case last week. Although the CNIL has not yet made its decision public, the press release adopted similar reasoning as the Austrian DPA and ordered an unnamed French website operator to stop using Google Analytics.
Next Steps and Considerations:
In the meantime, there are several steps those impacted by these decisions should consider.
These decisions, like the Schrems decisions, make it clear that organizations must have a technical understanding of their data flows. Specifically: (1) where is the data going; (2) who is receiving the data; and (3) how is the data protected. As such, organizations should consider:
- Verifying if their website(s) or mobile app(s) use Google Analytics/similar vendors: Norton Rose Fulbright’s automated Data Transfer Scanner identifies and sorts the Schrems II risk of data flows to third parties for further legal handling, including the use of Google Analytics and similar vendors. Specifically, the Scanner:
  - Identifies high risk data endpoints (in the US and elsewhere);
  - Geolocates the server collecting the data to determine the relevant jurisdiction;
  - Classifies data endpoints as high or low risk under FISA 702, for further analysis (Downstream/PRISM);
  - Identifies whether data is suitably encrypted to protect against NSA “Upstream” capture;
  - Ranks sensitivity based on further jurisdictional information about the remote host;
  - Risk rates the data endpoints; and
  - Sorts the data endpoints for further action relative to legal protections.
- Deactivating US cookies/migrating to EU based adtech vendors: Consider deactivating US cookies and operating the EU-facing website or app with EU adtech vendors only. Practically speaking, however, migrating to EU based adtech vendors may be difficult.
- Storing the Encryption key in the EU with the Data Exporter: Since the Austrian DPA indicated that encryption at rest is insufficient if the data importer has access to the encryption key, a potential workaround may be to store the encryption key in the EU with the data exporter or a trusted third party.
- Activating Google’s Solutions: Following the Austrian DPA’s decision, Google published “Some facts about Google Analytics data privacy”, which addresses multiple data protection related items, including a range of controls which, according to Google, can be used to keep data safe and secure. Google also offers “Take control of how data is used in Google Analytics”. Given the DPA’s interpretation of the relevant law, it is questionable if the controls and other measures suggested in the documents would have led to a different decision. However, these measures may be worth considering with a view to minimizing risks.
There are a few things to consider with respect to the decisions.
Austrian Decision Considerations
- The Austrian DPA’s decision is of a pure declarative nature so it is not yet clear whether a fine will be imposed.
- A German publisher purchased all the assets of the Netdokter website from the Austrian company. As a result, the Bavarian DPA, which regulates the new German publisher, has jurisdiction to further sanction the publisher. However, we are currently unaware of the Bavarian DPA’s enforcement intentions, nor do we know whether the new publisher implemented additional safeguards to prevent such an enforcement.
- The former Austrian-operated publisher could technically appeal the Austrian DPA’s decision (however, we believe this is unlikely since they no longer own the site).
- NOYB claimed that Google, as a data importer, should be held responsible as well. The Austrian DPA disagreed with NOYB on this front: it is only the data exporter’s responsibility to comply with the requirements of Chapter V of the GDPR.
French Decision Considerations:
- The French CNIL has not imposed a fine at this stage; and
- The website publisher has a month to comply with the CNIL’s order to either stop using the Google Analytics functionality at issue or use an alternative tool that avoids transfers outside of the EU.
Additional EU Member States:
As was the takeaway from the Schrems II decision, any data transfer outside of the EEA should be assessed on a case-by-case basis. Therefore, the impact of these first European decisions on other US analytics services, and any kind of US data importer for that matter, should be reviewed in light of the specific additional safeguards taken by those companies to supplement the SCCs. By no means should these decisions be interpreted to mean that all personal data transfers to the US result in a breach of the GDPR.
The Austrian and French decisions are the first of many. This is not surprising given that NOYB filed 101 complaints with various EU DPAs in 2020 regarding EU companies’ use of Google Analytics and Facebook Connect integrations. Following these complaints, the European Data Protection Board (i.e. the European body in which the EU DPAs are represented and whose purpose is to ensure consistent application of the GDPR and to promote cooperation among the EU DPAs) formed a taskforce to coordinate the work with respect to the complaints.
Additionally, other privacy activists are following NOYB’s approach. For example, InterHop issued a referral to the French CNIL asking it to consider the use of Google Analytics in the context of e-health.
Stay tuned, more to come.
Norton Rose Fulbright’s Information Governance, Privacy and Cybersecurity team stands ready to assist with your data transfer needs.
A Primer on International Data Transfers:
By way of background, under the GDPR data may flow freely within the EEA, consisting of the EU countries and Iceland, Liechtenstein and Norway. Personal data may also be freely transferred to countries outside the EEA (i.e. so-called third countries) that have received an adequacy decision from the European Commission. Examples are New Zealand, Japan and the UK, which recently received an adequacy decision following its departure from the EU.
Transfers to other third countries are subject to the more burdensome requirements of Chapter V of the GDPR, meaning that the transfer should be subject to appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. The reason for this is that the protection provided by the GDPR should be upheld wherever in the world the personal data is being transferred to. Appropriate safeguards may be provided by various means indicated in the GDPR, and these include the Standard Contractual Clauses (SCCs) adopted by the European Commission and approved certification mechanisms, such as the EU-US Privacy Shield that was valid until the Schrems II decision of the Court of Justice of the European Union (CJEU).
The Schrems II decision, which related to the transfers of personal data from Facebook Ireland to Facebook US, also impacted the use of SCCs. The CJEU ruled that US surveillance laws, in particular section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, do not limit or effectively oversee public authorities’ access to EU personal data. Given that the SCCs only bind the parties who have entered into them, public authorities are still able to mandate the data importer to provide personal data, or obtain personal data without the cooperation of the data importer.
Based on the Schrems II judgment it is clear that, in order to transfer personal data to third countries that did not receive an adequacy decision, including the US, it is necessary to:
- make a “case-by-case assessment” of whether the laws and practices of the data importer ensure adequate protection for personal data; and
- if the laws and practices do not meet EU standards, consider whether to “supplement the guarantees” in the SCCs using other means or halt the transfer.
These supplementary measures can be contractual, organizational or technical, but the technical measures (such as encryption or pseudonymization) are considered the most effective.
Special thanks to Nicole Sakin for her assistance in the preparation of this content.