In essence, data protection law applies to the processing of personal data. Conversely, data protection law does not apply when the data collected and processed are not personal data.
Following the issued decisions, there have been discussions on whether it is possible to configure Google Analytics in such a way that no personal data is collected.
Basically, Google Analytics functions by assigning a unique identifier to the website visitor. In addition to the individual identifier, additional data is collected about the visitor’s interaction with the website, the approximate time of the visit and data about the visitor’s browser, operating system, etc.
Data Sharing and Google Signals
Additionally, there are a number of settings in Google Analytics that allow the website owner to share data with Google. These are the so-called data sharing settings, which allow Google to process the data collected for, inter alia, improving Google’s products, and Google Signals, which allows Google to collect additional data, inter alia, for the purpose of targeted marketing.
However, the Danish Data Protection Agency understands that it is possible not to activate these settings.
The Danish Data Protection Agency further understands that, following the Austrian supervisory authority’s decision of January 2022, Google has started to make additional settings available to its customers. These settings enable Google Analytics, or at least Google Analytics 4, to be configured so that a number of additional data items, such as data concerning the visitor’s browser, operating system, etc., are not collected.
Unique identifier
Even if the above settings are turned off, and provided that Google Analytics is configured to collect as little data as possible, it is the Danish Data Protection Agency’s immediate opinion that the remaining data collected using the tool still constitutes personal data about the website visitors. This is because the visitor’s unique identifier continues to be collected as well as data about the visitor’s interaction with the website, the time of the visit, and the approximate location of the visitor.
This view is based on the fact that a unique identifier makes it possible to identify the individual to whom the data relates. This applies even if it is not possible to assign a specific name or identity to the person concerned.
The GDPR specifically emphasises in its preamble the fact that data which allows persons to be singled out is personal data. Thus, in general, a natural person can be considered to be identified when that individual can be singled out from all others among a larger group of persons.
The Danish Data Protection Agency recognises that this is a broad interpretation of the concept of personal data and, consequently, of when data protection law applies. However, this is not a new view, but has been a common position among the European supervisory authorities since 2007, when the Article 29 Working Party (the predecessor to the European Data Protection Board) adopted an opinion on the concept of “personal data”. The opinion can be found here: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf
Additionally, one of the fundamental purposes of data protection law is to ensure an effective and complete protection of the fundamental rights and freedoms of natural persons, in particular the right to privacy and the right to data protection.
Like all other EU laws, data protection law must be interpreted in the light of its purpose. An overly narrow interpretation of, inter alia, the concept of “personal data” would lead to the risk that the law would fail to achieve its purpose of ensuring the full protection of the rights of individuals.