Legal troubles for Google Analytics keep coming. The Cologne District Court ruled against the use of Google Analytics on May 10. Two days later, the Austrian Federal Administrative Court reached the same conclusion and confirmed a decision against a decision against Google Analytics from the Austrian data protection authority.
- The German decision
- The Austrian decision
- The takeaway
- The core legal issues
- Supplementary safeguards: a general problem
- What about the new data transfer framework?
- Conclusions
Let’s dive in!
The German decision
The case was brought by the consumer center of Nordrhein-Westphalen against Deutsche Telekom, the largest telecom provider on the German market.
Deutsche Telekom’s website used Google Analytics and forwarded personal information to Google’s servers in the U.S. for processing. The consumer center argued for the obvious here: in light of the Schrems II ruling, this data transfer was not compliant with the GDPR.
Unsurprisingly, the Court agreed and ordered Deutsche Telekom to stop forwarding personal information to the US for the purposes of marketing and web analytics. In practice, this amounts to an order to dismiss the use of Google Analytics.
The action also involved other privacy issues, including the confusing design of the website’s cookie banner, and the transmission of personal data to credit agencies. Only the claims related to Google Analytics were successful.
Given Deutsche Telkom’s resources and the amounts of personal data involved, we expect the company to appeal the decision.
The Austrian decision
The Austrian decision stems from one of NGO noyb’s 101 complaints which we already discussed in depth. It is an appeal against a previous decision taken by the Austrian privacy authority (DSB)- in fact, the very first decision against Google Analytics’ data transfers from a European privacy authority.
As for the facts, an individual represented by noyb complained that an unnamed website violated the GDPR’s rules on data transfer by transferring their personal data to the US through Google Analytics without sufficient safeguards. The complaint was upheld by the Austrian DPA and the decision was then appealed by the owner of the website.
The Austrian Federal Administrative Court confirmed the DSB’s decision and rejected the defenses of the website owner, including the controversial** risk-based approach** to data transfers.
According to the gdprhub, the website owner intends to challenge the decision again before the Austrian Supreme Administrative Court.
The takeaway
The two decisions add nothing new on the legal side, but they do show that the enforcement of Schrems II is not limited to privacy authorities: courts are jumping in as well.
Something similar already happened a while ago when a German administrative court ruled against the use of Google Analytics. But the decision came with a sloppy motivation and was overturned on appeal.
These two rulings are different. They come with a clear and well reasoned motivation and, in our opinion, stand good chances to be confirmed if challenged.
And of course the Austrian decision, being an appeal, suggests that the DSB’s approach to the issue with data transfers is a sound one. Then again, this was already evident. The Italian, French, Finnish, and Norwegian authorities adopted virtually identical decisions, and the Irish authority and the European Protection Board used the exact same criteria when evaluating Meta’s data transfers.
The core legal issues
The decisions are in now way new and merely apply the criteria already laid out in the notorious Schrems II ruling of the EU Court of Justice. Data transfers are a long story and one we already covered in detail, so we will keep things short here.
The GDPR requires extra-EU data transfers to be safe. However, European data (as well as all foreign data) transferred to the US are subject to extensive State surveillance, as shown by the confidential files leaked by Edward Snowden. This surveillance system makes it hard for European organizations to transfer data to the US in a lawful and safe way.
In both cases at hand the data transfers took place between Google Ireland and its US-based mother company Google LLC. In order to make this data transfer secure and lawful, Google used a specific safeguard called standard contractual clauses (SCCs).
SCCs are a data transfer mechanism set up by the GDPR. In a nutshell, they are clauses that tell companies what they can and cannot do with the personal data they receive. SCCs are incorporated in a contract and are binding on the company that receives the data. Because of their binding nature SCCs they can make up for a lack of privacy legislation for the private sector.
But the Schrems II ruling highlighted a key problem with SCCs: they are not binding for the US or any other foreign State. On their own, SCCs cannot protect personal data from State surveillance.
This is why Schrems II requires organizations to adopt supplementary measures when transferring data to the US, and other countries with extensive electronic surveillance. But this is difficult for many services and entirely impossible for Google Analytics, because Google LLC needs to access and analyze data in the clear in order to provide the service.
This lack of supplementary measures is at the core of every decision against Google Analytics’s data transfer. Whenever the issue of data transfers is brought up, privacy authorities stick to the Schrems II rules and look into supplementary measures. And they always found them to be lacking- because there are simply no measures that can keep data transfers for Google Analytics confidential.
Supplementary safeguards: a general problem
Data transfers and supplementary measures are broad problems. Implementing proper safeguards is tricky for some services and entirely impossible for others.
This is the case for Google Analytics too. Under US legislation, surveillance agencies can require US communications providers (including Google) to provide any foreign data they control.
Encryption can help, but not for Google Analytics. In order for the service to work, Google needs access to the data in the clear in order to analyze them. And under US legislation, Google can be required to provide an encryption key to the government as well. So any data Google can access in the clear, the government can access in the clear as well- it’s as simple as that.
There are supplementary measures other than encryption, but when it comes to Google, none of them really fit- as we explained here.
In a nutshell, no solution works for Google Analytics. We have seen this again and again with the decisions against Google Analytics. The rulings from the Austrian, French, Italian, Norwegian, and Finnish data protection authorities all say the same thing: Google Analytics cannot transfer data safely.
Furthermore, all these decisions result from a coordinated approach to the problem at a European level. And the very same approach recently led to a landmark decision and a record fine against Meta, for the same exact legal issues that plague Google Analytics.
The order issued against Meta is proof that for some services, there is simply no solution to make data transfer safe until the legal situation changes. Meta is one of the biggest and richest multinational companies in the world, with access to all the legal and technical expertisew it could possibly want. The company had 1.2 billion good reasons to secure its data transfers, and yet failed to do so and is now facing the risk of an EU-wide Facebook blackout as a result
Of course, you are free to try and do better than Meta. But how many millions is your compliance budget?
What about the new data transfer framework?
In July 2023 the European Commission adopted an adequacy decision for the US. An adequacy decision is a unilateral act that enables the free flow of personal data to a non-EU Country.
Is the whole data transfer drama over? Not really. Schrems (yup, the guy from Schrems I and II) will certainly challenge the new framework in the Court of Justice, and will likely win.
Adequacy decisions are not merely political decisions. The Commission cannot sanction data flows towards a Country solely because they like it, or because it is a strategic ally. They need to make sure that the data are kept safe outside the EU, and this is not the case with the new data transfer framework in place between the EU and the US.
This is not the first attempt at a trans-atlantic data transfer framework, either. Two older frameworks (Safety Harbor and Privacy Shield) were both invalidated by the Court of Justice over surveillance concerns. This will probably happen again, as the new framework does not really offer the safeguards required to keep EU data safe against US surveillance
Long story short, Schrems III will come at some point, and the EU will be back to square one.
In the meantime, European companies must live with the uncertainty or invest in localization. And by the way, Microsoft is pouring billions into its EU Data Boundary Boundary program- they expect thousands of companies to rush to their EU-based cloud after Schrems III comes around.
Conclusions
Between Google Analytics’ never-ending legal issues with data transfers, and the upcoming sunsetting of Universal Analytics, this is a good time to ditch Google Analytics in favor of another provider. And we have just the one for you!
We at Simple Analytics believe that web analytics can be both privacy-friendly and ethical. This is why we build our service to provide great insights to our customers without collecting one bit of personal data from their visitors! If this sounds good to you, feel free to give us a try.