The end of Google Analytics?  - Companies

The end of Google Analytics? – Companies

Advertisements

Advertisements

In the Wild Wild West of digital data transfer, the decision by the Austrian data protection authority, the Datenschutzbehörde (hereinafter “DSB”)[1]), on December 22, 2021, seems to finally mark the beginning of the end for uncontrolled international transfers of data from the EEA to US-based tech giants, such as Google and Facebook.

The beginning of the end

Following on from the Schrems II decision[2], noyb[3], the non-profit organization headed by Max Schrems, did not sit idly by. It has thus filed 101 complaints concerning transfers of data from websites based in the EEA to the United States which it considers illegal. The first decision[4] relating to these complaints has been rendered by the DSB and it seems that things are no easier for Google, Facebook and their ilk.

A brief reminder of the decision Schrems II remind you that the Court of Justice of the European Union (hereinafter “CJEU”) has ruled that any international transfer of personal data from the EEA to suppliers based in the United States which are bound by rules mandating to provide access to certain US intelligence services, is in violation of GDPR international data transfer rules. This ruling rendered null and void the entire Privacy Shield Framework (Privacy Shield[5]), which enabled “secure” data transfers from the EEA to the US, ushering in a new era where EEA-based businesses can no longer rely on cloud service providers (clouds) based in the United States, such as Google[6].

Sweep under the rug, no more

The recent decision of the DSB shows that the stop Schrems II will not be ignored by tech giants and will be applied at all levels. It’s no secret that to this day the majority of EEA-based websites use Google Analytics as a tool of choice for analyzing the behavior of visitors to their site. This makes sense since the tool itself is free (site visitors pay with their data) and provides the site provider with one of the most comprehensive analyzes of site data on the market today. This gave Google the impression that it could continue to transfer data from the EEA to the US as if Schrems II had never taken place. The DSB’s decision finally put a first stop to this unruly behavior by the tech giant.

This decision indicates first of all that by using Google Analyticsthe website provider has sent personal information to Google in the USA. Google and the website provider attempted to argue that this was not personal information but rather anonymous information, but this argument was rejected by the DSB as Google can easily (re)identify website visitors using, among other things, their addresses IP and other unique identifiers such as cookies. The fact that Google allows its users to accept or refuse personalized ads shows that it has all the means to identify visitors to the site[7].

A losing battle

This means that the international transfer of such data from the EEA to the United States falls under the rules of the GDPR. The transfer was analyzed and found to be non-compliant with the international data transfer rules of Article 44. In addition, the measures put in place by the GDPR to ensure an adequate level of data protection were found to be insufficient. Indeed, the standard contractual clauses and the basic technical and organizational measures provided for in Article 32 of the GDPR put in place by Google do not provide additional and adequate protection against intrusion of data transferred by US intelligence services[8].

This decision, probably the first in a long series, will have serious implications for website providers in the EEA and for Googlesince the use of his tool Google Analyticsa major part of its advertising base, is de facto banned in its current state. Google responded in a statement to the DSB ruling with the same arguments that were dismissed by the ruling itself, which does not help his case any further[9]. The fact that the legal director of Google calls at the same time for the establishment of a new data transfer network between the EU and the United States also indicates that the company is not able to guarantee an adequate level of protection for the current transfer of personal data from the EEA to the United States and therefore has no measurable defense against future decisions by European data protection authorities[10].

A ripple effect

The decision has already caused a significant ripple effect among other data protection authorities. Datatilsynet (the Danish Data Protection Authority), for example, will carefully read the DSB’s decision. Others will most certainly follow and create directions based on these decisions.[11]. This trend will likely be seen in almost all other EEA countries falling within the scope of the GDPR.

Additionally, the Guernsey Data Protection Authority has removed Google Analytics of its website as a sign of support and respect for the rules of the GDPR following the Schrems II judgment and the decision of the DSB[12].

The Dutch Data Protection Authority, Authorityit Persoonsgegevenshas already published a guide on how to configure the settings of Google Analytics for Dutch website providers, clearly indicating that it is possible that the use of Google Analytics be banned in the near future, a bad omen for Google. Two investigations are currently underway on this subject. They will probably be completed in the coming months and will decide the fate of Google Analytics in the Nederlands. We hope that other data protection authorities will follow suit.

The beginning of the endFollowing on from the Schrems II decision[2]noyb[3], the non-profit organization headed by Max Schrems, did not sit idly by. It has thus filed 101 complaints concerning transfers of data from websites based in the EEA to the United States which it considers illegal. The first decision[4] relating to these complaints has been rendered by the DSB and it seems that things are no easier for Google, Facebook and their ilk. A brief reminder of the Schrems II decision will remind you that the Court of Justice of the European Union ( hereinafter “CJEU”) has ruled that any international transfer of personal data from the EEA to US-based providers who are bound by rules requiring them to provide access to certain US intelligence services, is in violation of the international data transfer rules of the GDPR. This ruling rendered null and void the entire Privacy Shield framework.[5]), which enabled “secure” data transfers from the EEA to the US, ushering in a new era where EEA-based businesses can no longer rely on cloud service providers ( cloud) based in the United States, such as Google[6].Sweep under the rug, no moreThe recent DSB ruling shows that the Schrems II ruling will not be ignored by tech giants and will be enforced across the board. It’s no secret that to date, the majority of EEA-based websites use Google Analytics as their tool of choice to analyze the behavior of their site visitors. This makes sense since the tool itself is free (site visitors pay with their data) and provides the site provider with one of the most comprehensive analyzes of site data on the market today. This gave Google the impression that it could continue to transfer data from the EEA to the US as if Schrems II had never happened. The DSB’s decision finally put a first stop to this unruly behavior of the tech giant. This decision firstly indicates that by using Google Analytics, the website provider sent personal information to Google in the USA. Google and the website provider attempted to argue that this was not personal information but rather anonymous information, but this argument was rejected by the DSB as Google can easily (re)identify website visitors using, among other things, their IP addresses and other unique identifiers such as cookies. The fact that Google allows its users to accept or refuse personalized ads shows that it has all the means to identify visitors to the site.[7]. A losing battle This means that the international transfer of this data from the EEA to the United States falls under the rules of the GDPR. The transfer was analyzed and found to be non-compliant with the international data transfer rules of Article 44. In addition, the measures put in place by the GDPR to ensure an adequate level of data protection were found to be insufficient. Indeed, the standard contractual clauses and the basic technical and organizational measures provided for in Article 32 of the GDPR put in place by Google do not provide additional and adequate protection against the intrusion of the data transferred by the American intelligence services.[8]This decision, likely the first in a long series, will have serious implications for website providers in the EEA and for Google, given that the use of its Google Analytics tool, a major part of its advertising base. , is de facto prohibited in its current state. Google responded in a statement to the DSB decision with the same arguments that were dismissed by the decision itself, which does not help its case any further.[9]. The fact that Google’s legal director is at the same time requesting the establishment of a new data transfer network between the EU and the United States also indicates that the company is unable to guarantee a level protection for the current transfer of personal data from the EEA to the United States and therefore has no measurable defense against future decisions by European data protection authorities[10]A ripple effect The decision has already caused a significant ripple effect among other data protection authorities. Datatilsynet (the Danish Data Protection Authority), for example, will carefully read the decision of the DSB. Others will most certainly follow and create directions based on these decisions.[11]. This trend will likely be seen in almost all other EEA countries falling within the scope of the GDPR. Additionally, the Guernsey Data Protection Authority has removed Google Analytics from its website as a sign of support and compliance with GDPR rules following the Schrems II ruling and the DSB decision[12].The Dutch data protection authority, Autoriteit Persoonsgegevens, has already published a guide on how to configure Google Analytics settings for Dutch website providers, clearly stating that it is possible that the use of Google Analytics be banned in the near future, a bad omen for Google. Two investigations are currently underway on this subject. They will probably be completed in the coming months and will decide the fate of Google Analytics in the Netherlands. We hope that other data protection authorities will follow suit.

.

Leave a Comment

Your email address will not be published.