Google Analytics legality decision - March 2022

Click here to read additional information about the Google Analytics decision in the Didomi blog.

On January 13th, the Austrian data protection authority published a decision which seems to indicate that the use of Google Analytics violates the EU General Data Protection Regulation (GDPR). A few days later, on January 26th, the Danish data protection authority published a decision with similar conclusions. Following these decisions, on February 10th the CNIL (French Data Protection Authority) issued a statement on its website announcing that the current setup of Google Analytics prevents it from being compliant.

In all of the above cases, the data protection authorities indicated that the transfer of end users' data to the United States is unlawful.

The rationale behind these decisions was:

  • Google can no longer rely on an adequacy decision (Schrems II)

  • Google is not allowed to base the data transfer on standard data protection clauses since the United States does not ensure adequate protection of the personal data transferred

  • The contractual, organizational and technical measures further implemented by Google are not sufficient to ensure an adequate level of protection of the personal data transferred to the United States

For these data protection authorities, the concern is that the United States' intelligence services use certain online identifiers (such as the IP address or unique identification numbers) as a starting point for their surveillance activities regarding specific individuals. It notes that “it cannot be excluded that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant”.

Google has stated that it disagrees with the data protection authorities’ position and has not yet communicated on potential changes in the way Google Analytics operates in Europe. Google is suggesting that a potential Privacy Shield 2.0 would be the best way forward.

For those of our customers who may be concerned that the current implementation of Google Analytics on their website generates a liability risk, we suggest that they follow the recommendations below.


Use the IP anonymization function offered by Google Analytics

Google Analytics provides an IP-anonymization feature. We highly recommend activating this feature as it is mentioned in the decisions.

Didomi has reason to believe, however, that anonymizing the IP address will not be sufficient. It is only one step further towards compliance.

Implement further privacy controls

From disabling advertising personalization features to disabling data collection, Google offers a series of controls that their customers can implement to limit the data collected while using Google Analytics.

We recommend that you run an analysis of your use of Google Analytics to determine whether some or all of these measures are appropriate in light of the recent decisions.
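As an added illustration (not Didomi's or Google's code), the sketch below applies the controls named above through gtag.js: IP anonymization, advertising features off, and the switch that disables data collection. It assumes a Universal Analytics property loaded with gtag.js; the property ID is a placeholder and the `buildAnalyticsSetup` and `applySetup` helpers are hypothetical names.

```javascript
// Added example. Assumes a Universal Analytics property loaded via gtag.js.
const PROPERTY_ID = "UA-XXXXXXX-Y"; // placeholder, replace with your own ID

// Translate a site policy into the window flags and gtag commands to apply.
// policy.collect === false means Google Analytics must not collect anything.
function buildAnalyticsSetup(policy) {
  const setup = { windowFlags: {}, commands: [] };
  if (!policy.collect) {
    // Opt-out switch: must be set before gtag.js sends its first hit.
    setup.windowFlags["ga-disable-" + PROPERTY_ID] = true;
    return setup;
  }
  setup.commands.push(["js", new Date()]);
  setup.commands.push(["config", PROPERTY_ID, {
    anonymize_ip: true,                      // IP anonymization
    allow_google_signals: false,             // no advertising features
    allow_ad_personalization_signals: false, // no ad personalization
  }]);
  return setup;
}

// Apply the setup to a window-like object. gtag.js expects each command to be
// pushed to dataLayer as an `arguments` object, so a local gtag() is defined.
function applySetup(setup, win) {
  Object.assign(win, setup.windowFlags);
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }
  setup.commands.forEach((cmd) => gtag(...cmd));
  return win;
}

// In the page, before the gtag.js script tag:
//   applySetup(buildAnalyticsSetup({ collect: true }), window);
```
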

Article 49 of the GDPR states that “in the absence of an adequacy decision (...) or of appropriate safeguards (...), a transfer or a set of transfers of personal data to a third country (...) shall take place (...) if the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.”

This is not an ideal solution from an end-user standpoint, and as such can be considered more as a possibility than a recommendation for now.