Google Analytics


Recent European Practices

In the course of 2022, several decisions were issued in Austria, France and Italy in cases concerning the use of Google Analytics.

The cases were prompted by complaints submitted by the organisation None of Your Business (“NOYB”) to a number of European supervisory authorities following the judgment of the Court of Justice of the European Union in the so-called Schrems II-case. The complaints concerned the use of the Google Analytics tool, which, in NOYB’s view, involves transfers of personal data of website visitors to Google in the US in non-compliance with data protection law.

Google Analytics is a tool that enables website owners to compile statistics about website visitors, among other things, in order to optimise the content of the website. This is done by assigning the visitor a unique identifier in order to generate statistics about website visits, page views, etc. In addition to the individual identifier, further data is collected about the visitor’s interaction with the website, the approximate time of the visit, as well as data about the visitor’s browser, operating system, etc.

European organisations wishing to use Google Analytics enter into an agreement with Google Ireland Ltd in order to do so. As part of this contractual framework, Google offers to enter into so-called standard contractual clauses that provide data subjects with a number of safeguards and rights in relation to the transfer of personal data to Google LLC in the United States.

However, this contract cannot always in itself ensure a level of protection that is essentially equivalent to that of the EU/EEA. This is particularly true in cases where law enforcement authorities in the third country may access the transferred personal data to a disproportionate extent and in contravention of fundamental European laws.

Specifically, the central issue in the cases is that personal data transferred to the United States are – in certain cases – not guaranteed a level of protection that is essentially equivalent to that within the EU/EEA. This is because some U.S. laws – the Foreign Intelligence Surveillance Act (FISA) section 702 and Executive Order 12333, read in conjunction with the Presidential Policy Directive-28 – do not meet the proportionality requirements of EU law in the event of interference with fundamental rights, nor do (European) data subjects have the right to an effective remedy. This has been held by the Court of Justice of the European Union in the aforementioned Schrems II-case. For the transfer of personal data to organisations in the United States within the scope of the above-mentioned legislation, it is therefore necessary to implement supplementary measures in order to bring the overall level of data protection up to a level which is essentially equivalent to that of the EU/EEA. Such measures may be of a technical, contractual, and organisational nature.

In the cases, Google indicated that the company had implemented additional contractual, organisational, and technical measures. However, the supervisory authorities considered that these measures could not ensure an effective level of protection of the data transferred as the measures were not suitable to prevent access to the transferred personal data by US law enforcement authorities.

Consequently, the transfer of personal data to the United States via Google Analytics was considered unlawful.

Questions and answers

In its replies to the European supervisory authorities, Google has stated that all data collected through Google Analytics is processed and stored in the United States.

In addition, the Danish Data Protection Agency is not aware of any changes to Google’s technical setup since the decisions that would allow Google Analytics to be provided without any transfer of personal data to the United States. For further clarity on this matter, the Danish Data Protection Agency refers organisations that wish to use Google Analytics to Google, as the provider of Google Analytics.

In essence, data protection law applies to the processing of personal data. Conversely, data protection law does not apply when the data collected and processed are not personal data.

Following the issued decisions, there have been discussions on whether it is possible to configure Google Analytics in such a way that no personal data is collected.

Basically, Google Analytics functions by assigning a unique identifier to the website visitor. In addition to the individual identifier, additional data is collected about the visitor’s interaction with the website, the approximate time of the visit and data about the visitor’s browser, operating system, etc.

Data Sharing and Google Signals

Additionally, there are a number of settings in Google Analytics that allow the website owner to share data with Google. These are the so-called data sharing settings, which allow Google to process the data collected for, inter alia, improving Google’s products, and Google Signals, which allows Google to collect additional data, inter alia, for the purpose of targeted marketing.

However, the Danish Data Protection Agency understands that it is possible not to activate these settings.

The Danish Data Protection Agency further understands that, following the Austrian supervisory authority’s decision of January 2022, Google has started to make additional settings available to its customers, enabling Google Analytics to be configured – at least Google Analytics 4 – so that a number of additional data such as data concerning the visitor’s browser, operating system, etc. is not collected.

Unique identifier

Even if the above settings are turned off, and provided that Google Analytics is configured to collect as little data as possible, it is the Danish Data Protection Agency’s immediate opinion that the remaining data collected using the tool still constitutes personal data about the website visitors. This is because the visitor’s unique identifier continues to be collected as well as data about the visitor’s interaction with the website, the time of the visit, and the approximate location of the visitor.

This view is based on the fact that a unique identifier makes it possible to identify the individual to whom the data relates. This applies even if it is not possible to assign a specific name or identity to the person concerned.

The GDPR specifically emphasises in its preamble the fact that data which allows persons to be singled out is personal data. Thus, in general, a natural person can be considered to be identified when that individual can be singled out from all others among a larger group of persons.

The Danish Data Protection Agency recognises that this is a broad interpretation of the concept of personal data and, consequently, of when data protection law applies. However, this is not a new view, but has been a common position among the European supervisory authorities since 2007, when the Article 29 Working Party (the predecessor to the European Data Protection Board) adopted an opinion on the concept of “personal data”. The opinion can be found here: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf

Additionally, one of the fundamental purposes of data protection law is to ensure an effective and complete protection of the fundamental rights and freedoms of natural persons, in particular the right to privacy and the right to data protection.

Like all other EU laws, data protection law must be interpreted in the light of its purpose. A too narrow interpretation of, inter alia, the concept of “personal data” would lead to the risk that the law would fail to achieve its purpose of ensuring the full protection of the rights of individuals.

No, the Danish Data Protection Agency has not issued a ban on the use of Google Analytics.

The Danish Data Protection Agency does not have the power to ban certain products, but assesses – in a completely technology-neutral manner – whether the processing of personal data in one or more ways, including by means of specific technologies, is carried out in compliance with data protection law.

As with all other processing of personal data, it remains with the data controller to be able to demonstrate that the controller’s processing activities are carried out in compliance with data protection law.

If you believe that your setup and use of Google Analytics differs from the circumstances that the Danish Data Protection Agency has looked at, you must document this and be able to demonstrate how the various issues identified by the supervisory authority are not relevant to your organisation’s use of the tool.

If you have not used a different setup than the one on which the Danish Data Protection Agency’s guidance is based, but rather have a different legal assessment of the circumstances, you as an organisation will assume a legal risk.

In a specific case, the Danish Data Protection Agency will make the same assessment as is expressed here. However, as an administrative public authority, the Danish Data Protection Agency is subject to judicial review. In the end, it is the courts that will have to decide how the various circumstances should be assessed under the law.

“Pseudonymisation” is defined in the data protection rules as “processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information”.

However, according to the European Data Protection Board, there are a number of conditions which must be met in order for pseudonymisation to be considered an effective supplementary measure for the transfer of personal data to third countries.

One of these conditions is that the organisation wishing to use Google Analytics can demonstrate through a thorough analysis that the pseudonymised data cannot be attributed to a natural person without the use of additional information. This analysis shall, in particular, take into account additional information that public authorities of the concerned third country may be expected to possess and use in order to attribute the pseudonymised data to a natural person.

Such data, which can be used to attribute pseudonymised data to a natural person, includes the IP address.

Anonymisation of IP

In terms of IP address, an often-highlighted measure for Google Analytics (Universal Analytics) is the possibility of IP anonymisation. With this measure, the last octet (192.168.1.XXX) of the collected IP addresses is set to 0 (for IPv6 addresses this occurs for the last 80 bits). In its documentation, Google states that this anonymisation takes place “as soon as technically possible” and that the IP address is never written to disk.
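The masking described above, written out as an added example (not Google's code and not part of the original guidance). The three-stage pipeline in `exposure` is a constructed model, and treating IPv4-mapped IPv6 addresses as IPv4 is an assumption.

```python
import ipaddress

# Bits zeroed by the masking, as stated in the text:
# the last octet for IPv4, the last 80 bits for IPv6.
ZEROED_BITS = {4: 8, 6: 80}

# Constructed model of the path a hit takes; stage names are hypothetical.
STAGES = ("network edge", "collection endpoint", "storage")


def mask_ip(addr: str) -> str:
    """Return the address with its trailing bits set to zero."""
    ip = ipaddress.ip_address(addr)
    # Assumption: an IPv4-mapped IPv6 address (::ffff:a.b.c.d) is handled
    # as the IPv4 address it carries.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    kept_bits = ip.max_prefixlen - ZEROED_BITS[ip.version]  # 24 or 48
    network = ipaddress.ip_network(f"{ip}/{kept_bits}", strict=False)
    return str(network.network_address)


def candidates_behind(masked: str) -> int:
    """Number of distinct addresses that collapse to the same masked value."""
    ip = ipaddress.ip_address(masked)
    return 2 ** ZEROED_BITS[ip.version]


def exposure(addr: str, mask_stage: str) -> dict:
    """Address visible at each stage when masking is applied at mask_stage.

    Every stage before mask_stage still handles the full address, which is
    why the location of the masking step matters for a transfer assessment.
    """
    cut = STAGES.index(mask_stage)
    masked = mask_ip(addr)
    return {stage: (addr if i < cut else masked)
            for i, stage in enumerate(STAGES)}


if __name__ == "__main__":
    # Constructed sample addresses (private and documentation ranges).
    for sample in ("192.168.1.77", "2001:db8:abcd:12:34:56:78:9a"):
        print(sample, "->", mask_ip(sample))
    print(exposure("192.168.1.77", "collection endpoint"))
```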

However, based on Google’s response to the supervisory authorities, it is unclear whether the anonymisation (by Universal Analytics) takes place prior to the transfer of the data to the United States.

On the other hand, according to Google’s own documentation, the collection of data via Google Analytics is done via regional data centres. Google will use the IP address of the website visitor to determine the location of the nearest data centre. For visitors accessing the website of a Danish organisation, this is likely to mean that visitors connect to a European server before the data is sent to Google in the USA. However, in practice, it may also mean that visitors who access a Danish organisation’s website from other countries, e.g. from Asia, are never connected to a European server, but are connected directly to a Google server in the USA if this server is closest to the visitor’s location. In other words, the IP address of the visitor may be transferred to the United States before it can be anonymised.

Google Analytics 4

As regards Google Analytics 4, it is apparent from Google’s documentation that IP addresses are used to determine the approximate location of the visitor, after which the address is discarded before the data is logged to a server. As with Universal Analytics, the same issue is also relevant for Google Analytics 4, as – depending on the location of the data subject – there can be direct connection to, among others, American servers before the address is discarded.

So, what’s the problem?

The issue with direct connectivity to U.S. servers is that Google – as part of usual security measures – has presumably implemented firewalls that protect Google’s infrastructure and that these firewalls log incoming traffic.

Data from such logs may be cross-referenced with data collected by Google Analytics. In this way, information about, inter alia, IP address can be derived, even if this data is not collected in connection with Google Analytics.

There are then legal means, such as mutual legal assistance treaties, through which public authorities in the third country can obtain, with the assistance of police and internet service providers, precise knowledge of the natural person to whom the IP address in question relates.

In the end, this means that the data in question is not effectively pseudonymised as law enforcement authorities in the third country can obtain access to additional information that allows the data from Google Analytics to be assigned to a natural person.

The European Data Protection Board has issued a number of recommendations for supplementary measures that an organisation can implement in connection with the transfer of personal data to third countries.

In its recommendations, the EDPB highlights, inter alia, pseudonymisation and encryption as possible technical measures that can be effective in addressing access to personal data by law enforcement authorities, and thereby bringing an inadequate level of data protection up to the required European level.

Encryption

In general, encryption can be an effective supplementary technical measure. However, this presupposes that the setup of the encryption meets certain requirements.

Before encryption can be considered an effective supplementary technical measure, the encryption keys must be held exclusively by the data exporter or a third party within the EU/EEA or in a secure third country.

Therefore, Google’s implementation of encryption does not constitute an effective supplementary technical measure, since the encryption is carried out by Google in the United States. Here, Google may be required to provide access to the transferred personal data which is under the company’s possession, custody, or control, including the encryption keys that make the data readable. Google LLC thus has access to the personal data in clear text, and the encryption is therefore not effective in this case.

Pseudonymisation

Another possible additional technical measure that may be relevant when using Google Analytics is pseudonymisation. However, according to the European Data Protection Board, there are a number of conditions that must be met in order for pseudonymisation to be considered an effective supplementary measure.

In the case of Google Analytics, pseudonymisation can be implemented by establishing a reverse proxy server which acts as a hub for internet traffic from website visitors. This way, an organisation can gain control over what data is collected and what data is subsequently sent to the servers used to provide the web analytics tool such as Google’s servers.

Organisations wishing to establish a reverse proxy should be aware that the proxy must be configured in such a way that the conditions for effective pseudonymisation are met. In essence, this means that public authorities in the importing third country must not be able to attribute the pseudonymised data to an identifiable person, either alone or in combination with additional information.

The French Data Protection Authority has prepared detailed guidance for organisations wishing to establish a reverse proxy, which can be found here: https://www.cnil.fr/en/google-analytics-and-data-transfers-how-make-your-analytics-tool-compliant-gdpr
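One way the pseudonymising step of such a reverse proxy could look, as an added example that is not part of the original guidance or of the CNIL's. The field names, the allow-list and the monthly pseudonym period are assumptions for illustration; the key is assumed to be held only by the organisation operating the proxy.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit, urlunsplit

# Hypothetical field names for an analytics hit; not Google's wire format.
# Anything not listed here is dropped rather than forwarded.
ALLOWED_FIELDS = {"event", "page_url", "visitor_id"}

# Constructed sample of what the proxy receives from a visitor's browser.
SAMPLE_HIT = {
    "remote_addr": "203.0.113.57",
    "headers": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
        "Cookie": "_id=1234567890.1660000000",
        "Referer": "https://search.example/?q=private+query",
        "X-Forwarded-For": "203.0.113.57",
    },
    "fields": {
        "event": "page_view",
        "page_url": "https://shop.example/account/orders?email=alice%40example.org#top",
        "visitor_id": "1234567890.1660000000",
        "screen": "2560x1440",
        "language": "da-DK",
    },
}


def pseudonymise_visitor_id(visitor_id: str, key: bytes, period: str) -> str:
    """Replace the tool's identifier with a keyed hash.

    Without the key the recipient cannot recompute or reverse the mapping.
    Binding the hash to a period (here a month, e.g. "2022-09") keeps the
    pseudonym from becoming a lasting identifier.
    """
    message = f"{period}\x00{visitor_id}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:32]


def strip_url(url: str) -> str:
    """Keep scheme, host and path; drop the query string and fragment."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def build_upstream_hit(incoming: dict, key: bytes, period: str) -> dict:
    """Build the request the proxy itself sends to the analytics provider.

    incoming["remote_addr"] and incoming["headers"] are never read: the proxy
    opens its own connection, so the provider sees the proxy's address and a
    fixed header set instead of the visitor's IP, cookies, user agent and
    referrer.
    """
    fields = {k: v for k, v in incoming["fields"].items() if k in ALLOWED_FIELDS}
    if "visitor_id" in fields:
        fields["visitor_id"] = pseudonymise_visitor_id(
            fields["visitor_id"], key, period)
    if "page_url" in fields:
        fields["page_url"] = strip_url(fields["page_url"])
    return {
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(fields, sort_keys=True),
    }


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-production"
    print(build_upstream_hit(SAMPLE_HIT, demo_key, "2022-09"))
```

Whether the fields that remain can still be attributed to a person, alone or combined with other information, has to be assessed for the actual deployment; the allow-list only makes that set explicit.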

No. Personal data transferred to countries outside the EU/EEA must enjoy a level of protection in third countries that is essentially equivalent to that within the EU/EEA.

In particular, the possibility for law enforcement authorities to access personal data under laws and practices that do not meet the minimum requirements of EU law undermines the fundamental rights and freedoms of data subjects.

In the event that such access is possible — and not only when access is likely — and the legal rules and practices governing such access do not allow data subjects to be afforded a level of protection essentially equivalent to that within the EU/EEA, it is necessary to implement supplementary technical measures to make such access impossible or inefficient.

It is therefore not possible to adopt an approach where the organisation does not implement the necessary supplementary measures, but rather only assumes that it is unlikely that the authorities of the third country will access the specific transferred personal data.

In the view of the Danish Data Protection Agency, the general conditions for the transfer of personal data to third countries are not equal, but should be assessed in the order in which they are set out in data protection law.

In this context, it follows from the law that in specific situations there may be derogations (from the general conditions for third country transfers). One of the derogations is if the data subject expressly consents to the transfer. This consent can only be given once the data subject has been informed of the possible risks of such transfers for the data subject.

In this context, the supervisory authorities consider that these derogations – such as consent – should be interpreted restrictively, so that the exceptions do not become the general rule.

The use of consent as the basis for transfers to third countries is therefore – in the view of the Danish Data Protection Agency – not compatible with the usual use of Google Analytics, where there is a general transfer of all the data collected by the tool, i.e. where it will be the general rule that data will be transferred to the USA.

Following the first decision on Google Analytics by the Austrian Data Protection Authority, Google stated that in the 15 years in which Google has offered the Google Analytics tool, the company had never received the type of request for disclosure of personal data that was the subject-matter of the case before the Austrian Data Protection Authority.

The Danish Data Protection Agency recognises Google’s openness and desire to be more transparent about the requests from law enforcement authorities that the company receives.

However, the assessment of whether “problematic” legislation in a third country effectively applies to the personal data that a European organisation wishes to transfer to that third country cannot be based solely on the data importer’s statements – in this case Google’s statements.

It follows from the recommendations of the European Data Protection Board and the Danish Data Protection Agency’s guidance on cloud that such statements must be supported by objective, reliable and accessible information.

For more details on how an organisation can demonstrate its assessment that “problematic” legislation is not applied by the authorities of the third country to the specific personal data that will be transferred, the Danish Data Protection Agency refers to the recommendations of the European Data Protection Board and the Danish DPA’s guidance on the use of cloud.

The Danish Data Protection Agency generally does not provide for grace periods for organisations to legitimise unlawful processing activities. On the contrary, judgments of the Court of Justice of the European Union in principle have effect retroactively. This is due to judgments not being new legislation, but rather interpretation and understanding of existing legislation.

However, the Danish Data Protection Agency naturally takes into account in its assessment of a case to what extent an organisation is actively taking steps in bringing its processing operations in compliance with the law. In particular situations such as this, the Danish DPA also takes into account that transfers of personal data could occur in the past on the basis of an adequacy decision by the European Commission, which, for the United States, was declared invalid with the Schrems II-judgment in July 2020. It will also be included in the assessment how soon after the judgment such a process of bringing processing activities into compliance has started.

Organisations in Denmark that use Google Analytics under similar circumstances must therefore assess whether their possible continued use of the tool takes place in compliance with data protection law. If this is not the case, the organisation must bring its use of the tool into compliance, or, if necessary, discontinue using the tool.

For possible alternative tools for the production of web statistics, the Danish Data Protection Agency can refer to the overview prepared by the French supervisory authority, CNIL (in French).

However, the Danish Data Protection Agency has not further assessed the abovementioned tools. Therefore, the responsibility for demonstrating that the use of the tool takes place in compliance with data protection law, including the requirements stemming from the Schrems II-judgment, lies with the organisations that wish to use the tools in question.

In March 2022, the European Commission and the United States announced that a new Trans-Atlantic Data Privacy Framework would again allow the transfer of personal data between the EU and the US following the so-called Schrems II-judgment, which invalidated the Commission’s decision which previously made these transfers possible.

Naturally, the Danish Data Protection Agency welcomes the European Commission’s efforts to reach an agreement with the United States on a framework that allows the exchange of personal data across the Atlantic, and while the scheme may, over time, be of great importance, the agreement in principle is, so far, only an agreement on the overarching lines.

As such, the agreement is not yet so specific that it makes any practical difference to organisations that transfer personal data to the United States. This is because there is no new transfer basis and adequacy decision yet.

The Danish Data Protection Agency expects the European Commission – once the final details have been negotiated and the agreement has been translated into legal documents – to request an opinion from the European Data Protection Board. If so, the Danish Data Protection Agency will of course participate in this work under the auspices of the European Data Protection Board and will help to assess whether the agreement meets the requirements laid down by the Court of Justice of the European Union in its Schrems II-judgment.

Similarly, the European Data Protection Board has declared its readiness to assist the European Commission in securing, together with the US, a new framework that is fully in line with basic European data protection law.

However, a precise timeframe for the agreement remains unknown.

Both.

In March 2022, Google announced that the Google Universal Analytics tool will be sunset in July 2023 and that Google would only provide the Google Analytics 4 tool going forward.

The Danish Data Protection Agency understands that Google Universal Analytics and Google Analytics 4 work differently, both technically and methodically. However, certain fundamental similarities remain. Common to both versions is that the website visitor is assigned a unique identifier. In addition to the individual identifier, additional data is collected about the visitor’s interaction with the website, the approximate time of the visit and data about the visitor’s browser, operating system, etc.

The Danish Data Protection Agency further understands that, following the Austrian supervisory authority’s decision of January 2022, Google has started to make additional settings available to its customers, enabling Google Analytics 4 to be configured so that a number of additional data such as data concerning the visitor’s browser, operating system, etc. is not collected.

Unique identifier

Even if Google Analytics is configured to collect as little data as possible, it is the Danish Data Protection Agency’s immediate opinion that the remaining data collected using the tool still constitutes personal data about the website visitors. This is because the visitor’s unique identifier continues to be collected as well as data about the visitor’s interaction with the website, the time of the visit, and the location of the visitor.

But Google Analytics 4 does not collect IP addresses. Isn’t that enough?

It appears from Google’s own documentation that the collection of data via Google Analytics is done via regional data centres. Google will use the IP address of the website visitor to determine the location of the nearest data centre. For visitors accessing the website of a Danish organisation, this is likely to mean that visitors connect to a European server before the data is sent to Google in the USA. However, in practice, it may also mean that visitors who access a Danish organisation’s website from other countries, e.g. from Asia, are never connected to a European server, but are connected directly to a Google server in the USA if this server is closest to the visitor’s location. In other words, the IP address of the visitor may be transferred to the United States before it can be anonymised.

For Google Analytics 4, it is apparent from Google’s documentation that IP addresses are used to determine the approximate location of the visitor, after which the address is discarded before the data is logged to a server. As with Universal Analytics, the same issue is also relevant for Google Analytics 4, as – depending on the location of the data subject – there can be direct connection to, among others, American servers before the address is discarded.

So, what’s the problem?

The issue with direct connectivity to U.S. servers is that Google – as part of usual security measures – has presumably implemented firewalls that protect Google’s infrastructure and that these firewalls log incoming traffic.

Data from such logs may be cross-referenced with data collected by Google Analytics. In this way, information about, inter alia, IP address can be derived, even if this data is not collected in connection with Google Analytics.

There are then legal means, such as mutual legal assistance treaties, through which public authorities in the third country can obtain, with the assistance of police and internet service providers, precise knowledge of the natural person to whom the IP address in question relates.

In the end, this means that the data in question is not effectively pseudonymised as law enforcement authorities in the third country can obtain access to additional information that allows the data from Google Analytics to be assigned to a natural person.