Commotion in the business world: the Austrian privacy watchdog considers the use of Google Analytics an infringement of the GDPR. Will Belgian companies no longer be allowed to use Google Analytics? And what about the consequences for the use of all other electronic communication services from the United States? It is therefore time to look at the privacy aspects of this decision and the expectations of further consequences for Belgian companies with the necessary objectivity.
Google Analytics = transfer of personal data to the USA
As a company, you set up a website for your activities. Then you are the data controller of the personal data that is processed on the website. After all, it is your company that determines the purposes of the data processing. You also choose the way in which this will be done.
The Austrian supervisory authority ruled that such a data controller infringed the GDPR by implementing Google Analytics on the corporate website. After all, this implementation involves several personal data processing activities.
Identifiable? So personal data
The precise processing that was the object of the infringement was the transfer of personal data to the United States. When visiting the website, the Google Analytics tool transfers certain data from the browser of the website visitor to the servers of Google LLC. In this case, at least the following data were involved:
- the IP address of the device used by the website visitor;
- unique online identifiers that identify the browser or device used by the website visitor;
- unique online identifiers of the website operator (the Austrian company as data controller), i.e. the Google Analytics account ID;
- the HTML title and address of the website, as well as the specific pages visited by the visitor on the website;
- information about the browser, operating system, screen resolution, language choice and the date and time of the website visit.
Why are these personal data? Because these data (by themselves, or at least in combination) can “single out” (individualise) the visitor, they make the website visitor “identifiable”. Singling out means that an individual can be distinguished from a group. It is a concept that is not at all new for privacy experts, but it often raises quite a few eyebrows among entrepreneurs and IT professionals. In any case, the criterion of identifiability makes the data personal data, and thus the GDPR applies.
Transfer to US. Thus outside the EEA
In the Austrian case, a company acting as a data controller transferred personal data to Google LLC. This company is based in the United States, in other words in a country outside the European Economic Area (“EEA”): a country other than an EU Member State, Norway, Iceland or Liechtenstein.
According to the GDPR, such a transfer outside the EEA is only lawful if it is accompanied by an adequate level of protection. And that seems to be the problem.
Absence of adequate level of protection is an infringement
3 ways to an adequate level of protection
The GDPR allows for an adequate level of protection to be achieved in three possible ways:
- There is an adequacy decision. This is a decision by which the European Commission confirms that a certain country outside the EEA offers an adequate level of protection. Therefore, personal data may be transferred to this third country without further ado. We once had such an adequacy decision for the United States, the well-known “Privacy Shield”. But since this was declared invalid by the Court of Justice in its Schrems II judgment of 16 July 2020, it can no longer be invoked for transfers to the US.
- Appropriate safeguards are in place.
- One of the exceptions (“derogations for specific situations”) of Art. 49 GDPR applies. Thus, if one of these conditions is fulfilled, a transfer to this third country may also take place.
An example is that, in the absence of an adequacy decision and appropriate safeguards, the data subject has given explicit consent to the transfer to the third country AND, in addition, the data subject has been informed in advance of the risks that such transfers might entail for him or her. This implies that the data subject should receive an explanation of what constitutes a non-adequate country, what the lack of adequate safeguards entails and a justification as to why the transfer in question is appropriate. Moreover, the data subject should receive this explanation in a concise, transparent, understandable and easily accessible form and in clear and simple language. Indeed, only then will it be possible to accept that the data subject has given his or her informed consent.
In this case, however, there was no doubt that none of the exceptions of Art. 49 GDPR applied.
Lack of appropriate safeguards
As you can guess, in the absence of an adequacy decision or such an exceptional case, the question was whether appropriate safeguards were in place.
According to the GDPR, it is the obligation of the data controller to verify the existence of appropriate safeguards for the transfer to the US. If there are none, this data controller (this would also apply if it were a processor) must take the necessary appropriate measures itself.
As an indication, the GDPR specifies that such appropriate safeguards may be provided by concluding Standard Contractual Clauses (SCCs) with the data controller or processor from the third country. These are model clauses adopted and approved by the European Commission. In this case, the Austrian company had concluded SCCs with Google LLC, but for a transfer to the US this may not be sufficient to provide an adequate level of protection for data subjects.
Is that something new? No, it is not. The Court of Justice has already clarified this with its Schrems II judgment of 16 July 2020. That judgment requires that for a third country like the US, additional measures must be taken on top of valid SCCs. This position has also been adopted by the European Data Protection Board.
The reason is that there is legislation in the US that explicitly allows its authorities to access the personal data of EU citizens held by US electronic communication service providers, including Google LLC. As SCCs are contractual in nature and thus only bind the parties involved, they cannot provide any guarantee against access and monitoring by the US authorities themselves. Moreover, it has been proven in the Austrian case, by means of a Google transparency report, that such access requests by the US authorities are not only theoretically possible, but that they actually take place on a regular basis.
Additional measures are therefore required, which may be of an organisational, contractual or technical nature.
A possible additional technical measure could be to encrypt (or even better: anonymise) the personal data before transferring it to the processor or data controller in the third country, i.e. before the data are transferred to Google. Once the personal data are at Google and Google encrypts them there, it is in fact already too late, because under US law the authorities have the right to obtain the encryption key from Google. Everything that a US provider of electronic communication services has at its disposal, the US authority can view and monitor.
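As an added illustration (not code from the article, from Google or from any analytics product), a server-side minimisation step of the kind the paragraph describes: the visitor data listed earlier is trimmed before any hit leaves the EEA. The field names and the sample hit are constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Stable identifiers that single out a browser or device: never forwarded.
DROP_FIELDS = {"client_id", "user_id", "device_id", "screen_resolution"}


def truncate_ip(ip: str) -> str:
    """Generalise an address before transfer: keep a /24 for IPv4, a /48 for IPv6.

    This is generalisation, not full anonymisation: the coarse prefix can still
    contribute to singling out when combined with other attributes.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def coarsen_timestamp(ts: str) -> str:
    """Round the visit time down to the hour (ISO 8601 input with offset)."""
    dt = datetime.fromisoformat(ts)
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def minimise_hit(hit: dict) -> dict:
    """Return the subset of a page-view record that may be forwarded to a third-country provider."""
    out = {}
    for key, value in hit.items():
        if key in DROP_FIELDS:
            continue  # unique identifiers and high-entropy attributes stay in the EEA
        if key == "ip":
            out[key] = truncate_ip(value)
        elif key == "timestamp":
            out[key] = coarsen_timestamp(value)
        else:
            out[key] = value  # page, title, language: needed for aggregate statistics
    return out


# Constructed sample hit mirroring the data categories in the article; not real traffic.
SAMPLE_HIT = {
    "ip": "203.0.113.77",
    "client_id": "GA1.2.123456789.1642000000",
    "page": "/pricing",
    "title": "Pricing",
    "language": "nl-BE",
    "screen_resolution": "2560x1440",
    "timestamp": "2022-01-21T14:37:52+00:00",
}

if __name__ == "__main__":
    print(minimise_hit(SAMPLE_HIT))
```

Whether the remaining fields still allow singling out must be assessed per site; the step reduces identifiability but does not by itself settle the GDPR question.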
The conclusion is as simple as adding up. As the Austrian company did not take such appropriate additional measures, it thus infringed the GDPR because there was no adequate level of protection for the personal data of website visitors when the data was transferred to the USA.
Possible consequences for Belgian companies
Effect in Belgium?
The decision was, however, taken by the Austrian supervisory authority, to which Belgian companies are not strictly speaking subject. So shouldn’t we wait a bit?
However, it would be extremely naive to assume that the decision cannot have any consequences for Belgian companies. Every privacy expert realises that this is logically an important precedent for all other European supervisory authorities. As a matter of fact, it is already known that the Dutch Authority for the Protection of Personal Data (Autoriteit Persoonsgegevens – AP) is currently conducting two investigations concerning Google Analytics. We can of course only wait in suspense for the verdict there.
Moreover, even if the Austrian decision were open to appeal, it seems very unlikely that this reasoning would be rejected at second instance. Therefore, the Austrian decision is nothing ‘new’, but rather the result of a concrete examination of data protection legislation and its currently applicable interpretations.
And there are the cookies again
Non-necessary cookies are cookies that are not strictly necessary for a website to function. The use of these cookies requires the free, informed, purposeful, specific and explicit consent of the person concerned. The look of your cookie banner is crucial in this respect.
The EDPB set up a cookie banner task force in autumn 2021 on the initiative of the non-profit organisation NOYB (None of Your Business), the European Centre for Digital Rights based in Austria. This is the same organisation that also initiated the complaint in the Google Analytics case with the Austrian supervisory authority. The purpose of this task force is to coordinate, among other things, the decisions on cookies taken by the supervisory authorities within the EEA. The Austrian decision regarding Google Analytics as an unlawful transfer was made in consultation with this task force.
In other words, given the harmonising effect of this European initiative, there is little chance that the other privacy watchdogs in the EU, such as our Belgian Data Protection Authority (DPA), will be more forgiving of Google Analytics in the near future!
In this regard, the EDPB will also be publishing a letter very soon in which it confirms that it strives for a harmonised application of data protection rules throughout the EEA, including with regard to the consistent interpretation of consent for cookies. That our own GBA is also concerned about cookies can be seen from its decision of last week (21 January 2022). Here, for the first time in a Belgian decision, the principles of required consent are crystal clear.
Expansion of ban to other US electronic communication services?
The elephant in the room: what about the use of other cloud services where personal data can be processed in the US? Think of services like Hubspot and Mailchimp.
Entrepreneurs do not like to hear it, but yes, a supervisory authority could legally come to the same conclusion here. After all, the logic is not complex: Is it about personal data? Is there a transfer to the US? Is the recipient subject to state control? And are there adequate safeguards for an adequate level of protection?
The answers can be given by the reader…
But practically speaking, what now?
To every thoughtful entrepreneur who already wants to be fully GDPR compliant and who does not want to wait passively until the first breach is objectively established in Belgium: don’t panic! There is a solution for every problem. Your company can opt for other European analytics alternatives. After all, there certainly are! European alternatives also exist for other types of cloud providers. It requires some preparation and implementation, and should certainly not be done head-over-heels, but now is the time.
The Austrian decision is probably also a wake-up call that will accelerate the attention for the European alternatives. In that sense, it is an opportunity for every entrepreneur to play the card of privacy-friendliness, and thus to make a clear commitment to customer centricity.
Need help assessing privacy friendly alternatives? Don’t hesitate to contact our experts at firstname.lastname@example.org.
Written by Larissa De Keyser, Legal Adviser theJurists, and Kris Seyen, Partner theJurists