Saturday, February 5, 2022

GDPR, Austria, Schrems II, and Google Analytics

EU vs Google Analytics. EU flag and Google Analytics logo copyright of its respective owners

By now you may have learned that if you are an European company, or a company which does business with European residents, you really should not be using Google Analytics. Case in point happened in Oct 2nd 2020 when, according to The Register, the Austrian Data Protection Authority (Datenschutzbehörde or DSB) received a NOYB-sponsored complaint regarding NetDoktor, a website which offers medical knowledge and health information. It also has versions of this website in English (TLD ".uk") and Danish (TLD ".dk") languages; there may be more but I could not be bothered to look for them. Because this Hubert Burda Media-owned website is financed through advertising and licensing, it chose to Google Analytics probably (educated guess here!) to track what each of its users have done during their visit:

  • Identifiers
  • IP address
  • Browser version, operating system, and other system identifying parameters
  • Which pages were read
  • How much time was spent on each page

Per the General Data Protection Regulation (GDPR), this kind of personal data collection is not viewed as a Legitimate Purpose as defined in Article 6, so it needs to have explicit permission from the data subject. One should also notice that because of the service provided by this website, the personal data collected using Google Analytics, unless properly anonymized, may be used to infer the medical condition -- which is one of the special categories of personal data per GDPR -- of the data subject.

It gets better:

  1. Google is an American company, so it must follow the US CLOUD Act of 2018 and section 702 of the FISA Amendments Act of 2008, which allows US intelligence agencies to collect any personal data stored in servers owned by US businesses that are identified as "electronic communication service provider" by 50 U.S. Code § 1881(b)(4) without the need of a warrant.
  2. Google cannot protect the personal data being collected by Google Analytics in the NetDoktor website to satisfy the Article 44 (transfer of data to be processed on a country outside the European Union or European Economic Area).
  3. Google cannot base the data transfer on standard data protection clauses as the US does not ensure adequate protection
  4. And that means this personal data transfer between NetDoktor and Google violates the Schrems II decision of 2020, where the European Court of Justice (ECJ) declared the Privacy Shield mechanism was not a valid means of transfer data between EU/EEA and the US.

As a result, the DSB declared this data transfer illegal.

Some EU and US companies may have tried to work around these limitations by using Standard Contractual Clauses to transfer data between them. That does not satisfy Schrems II.

What can I do as a US business?

The ideal solution is for the US to adopt privacy laws that are closer to those in the EU. Until that happens,

  • What if I run a website that is not offering a product or a service specifically directed to an EU or EEA resident, like a blog? Even though technically you would not be subject to Article 3 of GDPR, you have no reason to collect any personal data. Let's use Blogger, which is owned by Google, as an example. According to google's documentation, to use analytics with blogger you must
    1. Sign up for an analytics account
    2. Add analytics tracking to blogger.

    Continuing with the Blogger theme, is Google honoring your decision not to collect data? i.e. does it collect any other additional data from the blog users it has not divulged to the blog owner? Good question; IMHO the onus here would be with Google.

  • What if I am providing services/products targeted at EU/EEA residents? You fall into Article 3, so
    1. Minimize the amount of personal data you have to collect. Remember you are still subject to the CLOUD Act.
    2. Avoid using cookies or other form of analytics to collect data you do not need to provide the service to your customers. Remember the Legitimate Purpose (Article 6).
    3. If you really need the functionality provided by Google Analytics, find a tool that transfer data outside the EU.
    4. Anonymize any data you can as soon as possible. Rememeber anonymization is not tokenization or pseudo-anonymization.
    5. Process and store any personal data in an EU server, ideally one not owned by an American company identified as "electronic communication service provider" by 50 U.S. Code § 1881(b)(4).


Don't use Google Analytics.