Google Analytics, a popular tool for analyzing website visitation and what users are most frequently engaging with, may be off-limits to foreign organizations that collect the data of European Union (EU) web users. Under the terms set by the Schrems II ruling, the Austrian data protection authority (DPA) has determined that the data it collects is sufficient to potentially identify individuals and thus constitutes a General Data Protection Regulation (GDPR) violation.
Google Analytics, thought to be an anonymous tool, found inadequate by Austrian DPA
The Schrems II ruling established that the personal data of EU residents cannot be transferred to foreign countries unless those countries have data privacy laws considered equivalent to the protections offered by the GDPR.
Google Analytics collects a number of granular data points that are specific to individuals; for example, what search terms they might have used to reach the webpage or what series of pages they clicked on while visiting. However, the Google Analytics panel is not supposed to tell the site administrator anything that identifies those users (beyond an extremely general location). Thus, use of it was widely considered to not be a risk for a GDPR violation.
However, the Austrian DPA found that the IP addresses and identifiers in cookie data were sufficiently personal to constitute a GDPR violation. The IP addresses can be anonymized, but this must be proactively requested by the Google Analytics user. The Austrian DPA said that the website it was examining, a health site based in Austria called netdoktor.at, had apparently attempted to enable anonymization but did not configure it correctly.
Cookies are also an issue as they are an option for Google Analytics users to identify an individual user across multiple sessions on the website. They do not have access to other identifiers that Google stores, nor can they use this information to track a user across other sites or devices, but the collected cookie information from their site is passed on to and used by Google in the United States.
Because all of this information is transferred to Google overseas, the Austrian DPA found in favor of a GDPR violation. While an individual website in the EU would not be able to identify individual users by using the information Google Analytics provides, the information they pass on to Google overseas constitutes “puzzle pieces” that could be put together by the tech giant to identify someone.
As Chris Olson, CEO at The Media Trust, notes: “Moving forward, CMPs, encryption-at-rest and other workarounds for data privacy laws just won’t cut it. Businesses have only one way to guarantee their visitors’ privacy and avoid costly fines: understand the code that is executing on your website, continually scan for violations, and vet your third parties for data privacy practices.”
GDPR violation stems from US government interception of overseas data
The Schrems II ruling directly stems from a combination of laws on the books that authorize the US government to intercept incoming foreign data, and the Edward Snowden leaks of 2013 indicating the bulk harvesting of this type of data by the country’s intelligence agencies. While the ruling applies to all organizations and all countries, it came about due to the practices of US tech giants.
Google is not the only company dealing with this issue, and many have tried legal workarounds since the ruling was handed down (such as “encryption at rest” schemes and pseudonymization). The Austrian DPA examined the methods used by Google and said they were inadequate. All of the measures are invalidated by the fact that Google itself, based in the US, eventually has the ability to combine and view all of this data in plain text. A specific US law, Section 702 of the Foreign Intelligence Surveillance Act (FISA), grants the government broad access to the data of foreign parties stored by tech giants in this way. However, though Google is the party ultimately seen as putting the data at risk, the onus of not transferring it to them is on the individual website making use of Google Analytics.
The Schrems II ruling came down from the EU’s highest court in 2020, and both Europe and the US are still grappling with how to satisfy the new legal requirements. Overseas data transfers continue, but participating parties generally must hammer out a special type of contract that guarantees methods are used to prevent applicable data from being made available to third parties (usually via encryption or anonymization). These arrangements are also subject to scrutiny by regional data authorities. Some organizations have simply moved data processing to the EU given lack of better options for avoiding repeated GDPR violations.
The only surefire answer to the issue would be for the US to pass a GDPR-equivalent data protection law, something that seems to move in fits and starts in Congress but never manages to get anywhere. The legal tests of tools like Google Analytics will continue as noyb, the privacy group behind the Schrems II decision, still has 101 complaints of GDPR violations in the pipes that apply to the practices of Silicon Valley tech giants.
As Elizabeth Wharton, VP Operations at SCYTHE, observes: “Legal clashes between US and foreign privacy policies have been ongoing since the Reagan era. Although we’re seeing more privacy concerns in the US, evidenced by CPRA and proposed federal legislation in 2021 among others, a consistent resolution isn’t imminent. The overlaps between security and privacy mean that more business models need to take that into consideration, especially companies who profit from user data. This is another reminder that security and privacy are not equal to compliance, and companies collecting personal information need to go beyond the bare minimum requirements.”
The Austrian DPA’s ruling follows a similar recent ruling by the European Data Protection Supervisor (EDPS), which determined that the European Parliament’s use of Google Analytics was a GDPR violation.