- Recommendation 1 - Use the IP anonymization function offered by Google Analytics
- Recommendation 2 - Consider implementing further privacy controls
- Recommendation 3 - Obtain users’ explicit consent for the data transfer to the US
Context and decision
On January 13th, the Austrian data protection authority published a decision which seems to indicate that the use of Google Analytics violates the EU General Data Protection Regulation.
A few days later, on January 26th, the Danish data protection authority published a decision that leads to the same conclusion.
On February 10th, the CNIL issued a statement on its website announcing that the current setup of Google Analytics prevents it from being compliant.
In all cases, the data protection authorities indicate that the transfer of users’ data to the USA is unlawful.
The rationale behind these decisions is always the same:
- Google can no longer rely on an adequacy decision (that’s Schrems II); and
- Google is not allowed to base the data transfer on standard data protection clauses since the US does not ensure an adequate protection of personal data transferred; and
- The contractual, organizational and technical measures further implemented by Google are not sufficient to ensure an adequate level of protection of the personal data transferred to the US.
For the data protection authorities the concern is that US intelligence services use certain online identifiers (such as the IP address or unique identification numbers) as a starting point for their surveillance activities regarding specific individuals. It notes that “it cannot be excluded that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant”.
Google has stated that it disagrees with the data protection authorities’ position and has not yet communicated on potential changes in the way Google Analytics operates in Europe. In the above post, Google is suggesting that a potential Privacy Shield 2.0 would be the best way forward.
For those of our customers who may be concerned that the current implementation of Google Analytics on their website generates a liability risk, we suggest that they follow the below recommendations.
Recommendation 1 - Use the IP anonymization function offered by Google Analytics
When using Google Analytics, the option of using an IP-anonymization feature is offered. We highly recommend activating this function as it is mentioned in the decisions.
We have reasons to believe, however, that anonymizing the IP address will not be sufficient. It’s only one step further towards compliance.
Recommendation 2 - Consider implementing further privacy controls
From disabling advertising personalisation features to disabling data collection, Google offers a series of controls that their customers can implement to limit the data collected while using Google analytics.
We recommend that you run an analysis of your use of Google Analytics to determine whether some or all of these measures are appropriate in light of the recent decisions.
Recommendation 3 - Obtain users’ explicit consent for the data transfer to the US
Article 49 of the GDPR sets out that “in the absence of an adequacy decision (...) or of appropriate safeguards (...), a transfer or a set of transfers of personal data to a third country (...) shall take place (...) if the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.”
This is not an ideal solution from a user standpoint, and as such can be considered more as a possibility than a recommendation for now.