The Finnish data protection authority (Data Protection Ombudsman) ruled against the use of Google Analytics by four libraries in the Helsinki metropolitan area. You might have heard this one already, because authorities in Austria, France, Italy, and Denmark also found that the use of Google Analytics is not compatible with the GDPR. (Update: the Norwegian authority followed, although its decision is yet preliminary)
You can read the press release here.
We will first discuss the case in a nutshell and then take a look at the bigger picture behind the decision. Let’s dive in!
The Moomins running away. Finish comic book style by Tove Jansson
The authority found several violations regarding consent and transparency, but we will set them aside and focus on the transfers of personal data.
The authority didn’t say anything new in this regard. It clarified that the US is not a safe destination for data transfers, in line with the Schrems II ruling of the EU Court of Justice. It also found that the libraries did not implement sufficient safeguards for the data transfers required by Google Analytics, which is a violation of the GDPR rules for data transfers. This is exactly what other European authorities said in similar cases, and it will set a precedent against Google Analytics in yet another EU Member State.
To be clear, this is technically a decision about a specific data controller (the libraries), but it has general implications for Finland. In theory, a different controller could implement better safeguards and use Google Analytics lawfully. But theory is the keyword here because, in practice, this is simply impossible.
Data controllers all agree to the same standardized terms from Google, including the same data protection clauses. They have no room to negotiate different terms. And they cannot implement sufficient technical safeguards on their own because they don’t exist for Google Analytics.
End-to-end encryption doesn’t work because Google Analytics needs to process cookie IDs in the clear. Non-end-to-end encryption is insufficient because the US government can require Google to provide the decryption key. Server-side implementation of Google Analytics could work in theory, but it is burdensome and would badly cripple the tool’s performance.
In a nutshell: if the Finnish authority sticks to its position, then Google Analytics is practically banned in Finland.
The bigger picture
Schrems I and II
Google Analytics already has a history of being practically banned in EU Member Countries. But the story with data transfers is an even longer, and a little recap can clarify the Finnish decision's background.
It all started in 2012 when the Snowden files revealed the existence of extensive and indiscriminate surveillance programs over foreign data in the US. One year later, Austrian citizen Max Schrems (now a well-known privacy activist) filed a complaint against Facebook Ireland. He argued that the transfer of his personal data to US parent company Facebook exposed them to US surveillance and was therefore illegal under EU data protection law. This was the start of a long legal battle: the case was referred twice to the EU Court of Justice, leading to the invalidation of two data transfer agreements between the EU and the US in the landmark Schrems I and II rulings.
Schrems II was decided in 2020 and tremendously impacted data transfers for two reasons. First, the Court invalidated the Privacy Shield framework, which previously allowed for easy data transfers from the EU to the US. Second, the Court examined standard contractual clauses, a common compliance mechanism for companies wishing to transfer data.
We need to spend a few words on standard contractual clauses (SCCs). SCCs are a set of standardized clauses drafted by the Commission and are meant to be incorporated into a binding agreement with a recipient. In other words, if you want to transfer data outside the EU, you can implement the SCCs in a contract, and the clauses will tell the other party what they can and cannot do with the data. This is a way to ensure that personal data are transferred safely and confidentially outside the Union. But there is a problem: these clauses only bind the contract parties and do nothing to prevent State surveillance.
With Schrems II the Court did not invalidate SCCs as a data transfer mechanism but ruled that they must be supplemented by additional safeguards when needed- as is the case with the US. So you can’t just copy-paste them, have the contract signed, and call it a day. You need to make sure SCCs actually work for your data transfer, and if they don’t, you need to make up for this lack of protection in some other way. The problem is that this is difficult and sometimes impossible to do when dealing with State surveillance.
The 101 complaints
Right after the Schrems II ruling, privacy NGO noyb (chaired by Schrems) filed a set of 101 strategic complaints against Google Analytics and Facebook Connect, in an attempt to nudge European authorities towards rigorous enforcement of the Schrems II ruling.
Authorities coordinated their approach to the complaints at a European level. As a result, the Austrian, French, and Italian privacy watchdogs ruled against Google Analytics when deciding noyb’s complaints, and the Danish authority embraced a similar position in a press release. The decisions are all the same, and the Finnish one is no different. All these authorities are saying the exact same thing: Google Analytics cannot keep personal data safe.
With coordination at a European level, and the influential French and Italian authorities leading the way, more authorities are likely to follow.
The issue with data transfers is broader than just Google Analytics: strict enforcement of the rationale behind Schrems II will make it difficult or impossible to rely on many US service providers. This is why the EU and the US are trying to find a political solution.
The European Union and the US negotiated a new data transfer agreement called Trans Atlantic Privacy Framework. US President Joe Biden signed an executive order to make the framework possible. The EU Commission drafted an adequacy decision- an act that makes data transfers easier. Member States must still approve the draft decision before it comes into effect.
So it’s all good? Not quite: the upcoming decision will certainly be challenged before the Court of Justice of the EU.
Under the GDPR, the European Commission cannot issue an adequacy decision for a country just because it likes it. The decision is an assessment of the legal system of a State and needs to fulfill certain criteria. The Court already invalidated two data transfer agreements in the past for this reason (Schrems I and II rulings). So a Schrems III ruling is on the horizon, and it’s hard to say how it will play out.
The new framework is quite complex. It is a step up from the past but is potentially problematic in some respects and may not survive legal scrutiny in the Court. For the time being, the future of data transfers remains uncertain.
After this long detour, we can make some final considerations of the case. First, the decision of the Finnish authority has nothing to do with the 101 complaints. So the complaints are impacting how other data transfer cases are handled- which is exactly what noyb meant to achieve with its complaints. Second, the decision comes well after US President Joe Biden issues his executive order. This suggests that the enforcement of Schrems II will not be put on hold by the political negotiations on the adequacy decision.
I can imagine you are getting tired makes sense of these legislative changes, but from a privacy standpoint, they are needed. If you want to stay clear of all this, privacy-friendly analytics options still provide you with the insights you need on your website performance. Simple Analytics is one of them. We believe the internet should be independent and a place that is friendly to website visitors. If this resonates with you, give Simple Analytics a try. It’s the easy way to respect your customers’ privacy’.