Following a recent decision by the Austrian data protection authority (DPA), France’s lead regulator CNIL has determined that the use of Google Analytics is a violation of the General Data Protection Regulation (GDPR).
The popular tool is widely used by websites to observe and measure user engagement. This information is nominally anonymized, but CNIL’s ruling found that the unique identifier assigned to visitors and the data collected in association with it could be enough for Google to personally identify someone. An associated issue is the precedent set by the Schrems II ruling, which essentially forbids this sort of information from being transferred to the United States due to government access and a lack of privacy protection.
Google Analytics could be off-limits in EU after GDPR ruling
The immediate order to cease use of Google Analytics pertains to a particular French website that was the subject of a GDPR complaint. However, CNIL says that it has consulted with its “European counterpart” DPAs and that they broadly agree on the ruling. That could pave the way for Google Analytics to be unusable across the EU unless changes are made to how it operates.
Google Analytics collects a variety of information about website visitors, such as which pages they access and where they linked in from. At the webmaster end, no personal information is visible save a very general geographic location. The idea is to gain insight into what content on the site is attracting the most attention and leading to conversions.
However, Google does assign a unique user identification number to each site visitor. The webmaster can’t do much with this in terms of identifying people, but Google potentially can by combining it with its other internal resources.
That alone causes a GDPR conflict, but one that could potentially be resolved if the site user is apprised of this process and asked for their consent. The part that may chase Google Analytics out of Europe is the fact that this information is being passed back to Google’s US servers. That creates an unresolvable conflict with the Schrems II decision, one that would require Google to change how the service fundamentally works.
noyb, the privacy group behind the Schrems II decision, has also been the driving force behind the campaign against Google Analytics. The group has 101 complaints open involving the service’s international data transfers, across 27 EU member states.
International data transfers strike again
The two prior decisions, made in Austria and France, at this point only apply to residents of those countries. However, the way CNIL worded its description of the investigation process made it sound as if Europe’s DPAs have considered the issue and are generally in agreement about Google Analytics and its international data transfers. The service could find itself gradually unavailable to other countries as they complete their own investigations and rulings on relevant GDPR complaints.
The immediate impact on EU websites will likely be the need to switch to an analytics service that hosts data within the EU, or within a foreign country that has “trusted partner” status for data transfers. Unless Google is willing to make big changes to Google Analytics in the near term, the only hope is in the US hammering out a GDPR-equivalent federal data privacy law at some point.
These decisions can also reach beyond Google Analytics, applying to other services that engage in similar transfers. Essentially, any service that assigns individual identification numbers to users and then sends that information overseas could be looking at GDPR trouble no matter how anonymized that process has been made.
Some analysis raises the question of how necessary it is to regulate analytics services, which do not allow website operators to identify their visitors. The Schrems II case against Google Analytics essentially boils down to the theoretical possibility of Google combining analytics IDs with the other advertising information it collects, and then the US government requesting this information be turned over for some reason or intercepting it in transit.
Regardless, the dominos seem to be falling in the EU and companies are looking at a move away from Google Analytics to keep their data transfers GDPR-compliant, at least in the near term. There are a number of localized analytics services operating in the EU, but they will likely cost money. In addition to being free, Google Analytics may well offer a greater range of features than these upstart services. There are efforts afoot to cobble together a “version 3” of Privacy Shield, the prior trans-Atlantic agreement for data transfers that Schrems II invalidated, but there is simply no quick fix to get around the GDPR terms that were established by that ruling.
In the meantime, CNIL has told the media that it has similar complaints out about Facebook Connect data transfers that are currently being reviewed.