Google Analytics and EU rules
September 26, 2022
In the last few months, we have witnessed multiple European Data Protection authorities weigh in on the legitimacy of Google Analytics.
Back in January, I published a post that touched on the topic but was not really about Google Analytics. So, let’s start by looking at what happened, why Google Analytics seems to be so interesting to the European privacy authorities, and finish with some guesses about what could happen in the next few months.
What happened so far
On 5th January 2022, the European Data Protection Supervisor (EDPS) published a decision finding that the European Parliament website was not compliant with the GDPR due to its use of Google Analytics.
On 12th January 2022, the Austrian Data Protection Authority (DSB) decided that an Austrian company using Google Analytics violated the GDPR, since moving such data to the US has no legal basis.
On 10th February 2022, the French Data Protection Authority (CNIL) published a decision finding that Google Analytics data transfers to the USA are non-compliant with the GDPR. On 2nd March 2022, the CNIL published two other decisions (MED 2022-015 and MED 2022-016) reaffirming the same.
On 23rd June 2022, the Italian Data Protection Authority (GPDP) decided that the use of Google Analytics by Caffeina Media Srl, a local publisher, was non-compliant with the GDPR.
On 21st September 2022, the Danish Data Protection Agency (Datatilsynet) published a review where they concluded that Google Analytics could not be used in a way that is compliant with the GDPR.
Google Analytics issues
Why are so many Data Protection Authorities saying that Google Analytics usage is not, and probably cannot be, compliant with the GDPR? The main reasons are:
- Google Analytics users can share data with Google and often do so
- Google Analytics data are (potentially) stored in the US
- Google Analytics data are managed by Google, which is a company subject to the CLOUD Act
The first point is the least problematic of the three, since a correct configuration avoids this issue.
The second problem has been confirmed by Google, and there is no way around it, since Google Analytics users cannot configure where the data is stored. Google could potentially change its architecture and avoid this movement of data, effectively solving this problem. Although Google says that Google Analytics 4 solves the issue, the Austrian and Danish DPAs reject Google’s point of view.
The third problem is by far the biggest. All US companies are subject to the CLOUD Act, which forces them to hand over to US authorities any personal data they have access to when the US authorities ask for it. Google affirmed that in 15 years it never received any request from US authorities to share data deriving from Google Analytics. The issue, though, is that the CLOUD Act also forbids the company from disclosing that the request (and the data transfer) occurred. So Google cannot say whether it has received any such request, and even if it says it has never received one, that statement is worthless from the DPAs’ point of view. Also, even if Google’s statement is true, nothing prevents the US authorities from making such a request in the future. This problem is enormous but very little discussed, since it would impact nearly all services provided by any US company to EU citizens.
A possible solution for Google Analytics (and all other US-provided services) would be a new EU-US deal similar to Safe Harbor and Privacy Shield. The issue with this solution is that both those agreements were invalidated by the European Court of Justice (ECJ) due to the lack of local regulations (mostly in the US) that sustained the international agreement. Creating a new agreement without having changed or removed the CLOUD Act and other regulations such as the SCA, the LEADS Act, and the ICPA would result in the ECJ scrapping that agreement as it did the previous two. The EU and the US announced that an agreement “in principle” was found in March 2022, but nothing followed it, so it is tough to say whether something will ever be proposed on this, and if so, when it will happen.
So, since the average Google Analytics user has no power to influence US laws or international agreements between the US and the EU, I think they should take action to mitigate their risk by replacing Google Analytics with other tools that do not have the same issues.