Could using Google Analytics be a breach of data protection law?
A series of recent decisions by European data protection regulators has found that website owners breached European data protection law by using Google Analytics. In this article we consider the reasons for those decisions and what they could mean for website operators in the UK.
What have the regulators decided?
In January 2022 the Austrian data protection authority published a decision that a website operator’s use of Google Analytics had resulted in transfers of personal data to the US, and that those transfers breached the EU General Data Protection Regulation (EU GDPR).
In January 2022, the European Data Protection Supervisor (EDPS) reached similar conclusions in a decision that the European Parliament breached data protection law by using Google Analytics to transfer personal data to the US without putting in place the safeguards required under European data protection laws.
In February 2022 the French data protection regulator decided that the use of Google Analytics resulted in transfers of personal data to the US, and that it was not possible to put in place sufficient safeguards to make those transfers comply with EU GDPR.
What is behind these decisions?
The decisions are based on the ruling of the Court of Justice of the European Union in the Schrems II case (July 2020). That case invalidated the EU-US Privacy Shield and established that transfers of personal data to the US are unlawful under EU data protection law unless appropriate safeguards are put in place to prevent the data being accessed by the US government under the extensive surveillance laws which apply to electronic communication service providers in the US. Standard contractual clauses alone are not enough: the exporter must assess the laws of the destination country and add supplementary measures where those laws undermine the protection the clauses promise.
All three of the recent decisions by regulators noted that personal data was transferred to the US through the use of Google Analytics without there being any effective measures to protect the data from surveillance by the US authorities. The decision against the European Parliament simply noted that the European Parliament had failed to provide evidence that there were effective measures. However, the French regulator considered detailed evidence about Google’s safeguards and concluded that they did not prevent the risk of surveillance.
What can we learn from the decisions?
These decisions are all based on existing law, but they offer some important illustrations of how the law applies in practice to the use of internet trackers and international transfers:
- Web analytics data is personal data if it could be used to single out a website user. In the case of Google Analytics the Google-generated user identifier (the client ID that Google Analytics stores in a cookie on the visitor’s browser and sends with every hit) was enough to qualify as personal data. The combination of IP addresses and other browsing information collected by Google Analytics could also be used to single out users. This meant that the data was personal data even if the website operators were not planning to use it to analyse the browsing habits of individual website users;
- Using a third party web developer does not excuse a website operator from its compliance obligations. The decision against the European Parliament was a reminder that organisations are responsible for compliance even where they rely on third party suppliers to design their websites. The European Parliament did not itself transfer personal data to Google Analytics; an external website designer it had employed effected the data transfer. The EDPS recognised this, but did not consider that it exonerated the European Parliament of responsibility. As far as the EDPS was concerned, the European Parliament was the data controller and should have given adequate instructions to the web designer (a data processor acting on its instructions), and taken the necessary precautions to protect the personal data;
- If your website transfers personal data internationally you have to explain that in your website privacy notice. One of the many things that the European Parliament was criticised for by the EDPS was failing to properly explain the international transfers in its privacy notice. The EDPS decision suggests that the European Parliament had not properly considered the transfers in the first place, so perhaps it is not surprising that the privacy notice was not clear about them; and
- Sometimes there is no way of making a transfer to the US compliant. One of the striking things about the decision by the French regulator is the way that Google and the website operator provided evidence of a wide range of measures that were in place to try to make the transfers compliant. The regulator concluded that none of those measures could overcome the basic fact that Google had access to the data on its US servers and the US government can (and apparently frequently does) compel Google to disclose data for surveillance purposes.
What does this mean for website operators in the UK?
Whilst none of these European data protection regulators enforces the UK data protection regime, the decisions are relevant for UK website operators for several reasons.
Firstly, many UK website operators will be subject to the EU data protection regime as well as the UK regime, because the EU regime claims extraterritorial effect in some situations. For example, EU GDPR applies to personal data processed in relation to offering goods or services to people in the EU, and to monitoring the behaviour of people in the EU, which is precisely what web analytics on a site with EU visitors does.
Secondly these decisions were based on case law that still applies to the UK’s data protection regime. The complaints which resulted in these decisions were brought by a campaigning organisation that, so far, has not made similar complaints in the UK. The ICO has not publicly commented on the European decisions. However, if campaigners in the UK were to make similar complaints to the ICO about similar use of Google Analytics then it is hard to see how the ICO could avoid reaching the same conclusion as its European counterparts have.
The European decisions highlight the practical difficulties in putting appropriate safeguards in place when transferring data to processors in the US who are subject to the surveillance laws discussed in the Schrems II case. There is a limit to the measures that data controllers can take to protect data against surveillance once it is in the US. Many website operators will not be in a position to solve that problem. Indeed, it is the kind of problem that can probably only be solved by the UK and the US striking a new deal on data transfers.
In the meantime, website operators are faced with the prospect of deciding whether to seek alternative services based in compliant jurisdictions, or accept the risks associated with transferring data to the US. In either case, the decisions point to some basic things that website operators can and should be doing to manage the risks from international data transfers. Website operators need to identify whether they are transferring personal data internationally, which means auditing the third party scripts, tags and cookies their pages actually load rather than relying on what the web developer says was installed. They need to put in place the safeguards that they can, for example compliant international data transfer agreements. Finally, website operators need to ensure that their privacy notices are up-to-date and accurately explain what transfers are happening.
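The first of those steps, finding out whether a page is sending visitor data to Google Analytics at all, is something an operator can check for itself. The script below is an added example written for this article, not code from any of the decisions or from Google; it parses a page’s HTML for script, link and image URLs pointing at the Google Analytics and Google Tag Manager hosts, and reads the client ID out of a Google Analytics `_ga` cookie to show the persistent per-visitor identifier the regulators treated as personal data. The sample HTML and cookie are constructed for the example, the measurement ID `G-XXXXXXX` is a placeholder, and the list of analytics hosts is an assumption you should extend for other trackers your site uses.

```python
"""Detect Google Analytics data flows in a page and expose the visitor identifier.

Added example for this article, not code from the regulators or from Google.
The sample page and cookie below are constructed; the host list is an assumption.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that receive Google Analytics / Tag Manager traffic (assumed list; extend as needed).
ANALYTICS_HOSTS = {
    "www.google-analytics.com",
    "google-analytics.com",
    "www.googletagmanager.com",
    "googletagmanager.com",
    "analytics.google.com",
}

_URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


class _UrlCollector(HTMLParser):
    """Collect every absolute or relative URL found in src/href attributes and inline scripts."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.urls.append(value)

    def handle_data(self, data):
        # Inline <script> bodies arrive here; pick out any hard-coded endpoints.
        self.urls.extend(_URL_RE.findall(data))


def find_analytics_endpoints(html):
    """Return the sorted set of analytics hosts the page would contact when rendered.

    A non-empty result means the browser of every visitor will send at least
    their IP address (and, once the cookie is set, the client ID) to those hosts.
    """
    collector = _UrlCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname
        if host and host.lower() in ANALYTICS_HOSTS:
            hosts.add(host.lower())
    return sorted(hosts)


def ga_client_id(cookie_header):
    """Extract the client ID from a Google Analytics _ga cookie.

    The cookie has the form GA1.<depth>.<random>.<first-visit timestamp>; the
    last two fields together are the identifier that singles out one browser
    across visits. Returns None when no _ga cookie is present.
    """
    match = re.search(r"(?:^|;\s*)_ga=GA1\.\d+\.(\d+)\.(\d+)", cookie_header)
    if not match:
        return None
    return f"{match.group(1)}.{match.group(2)}"


# Constructed sample page: a typical gtag.js snippet plus unrelated first-party assets.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-XXXXXXX');
</script>
<link rel="stylesheet" href="/static/site.css">
</head><body><img src="https://example.org/logo.png"></body></html>
"""

# Constructed cookie header as a browser would send it after the first visit.
SAMPLE_COOKIE = "_ga=GA1.2.1234567890.1650000000; _gid=GA1.2.987654321.1650000000"


if __name__ == "__main__":
    hosts = find_analytics_endpoints(SAMPLE_HTML)
    print("Third-party analytics hosts contacted:", hosts or "none")
    print("Persistent visitor identifier in _ga cookie:", ga_client_id(SAMPLE_COOKIE))
```

Run it against the saved HTML of each template on your site (and the cookies a fresh browser session ends up holding); any host in the result is a transfer to Google that your privacy notice and transfer safeguards must account for.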