Is the usage of Google Analytics within the EU illegal from now on?

In recent days and weeks, various articles have circulated through the media stating that the use of Google Analytics is “illegal according to authorities” or “violates the General Data Protection Regulation (GDPR)”. But what is the truth behind this? Is the use of Google Analytics truly illegal in the EU as of now?

In fact, the data protection association “NOYB” has filed more than 100 complaints in almost all EU member states, and the Austrian data protection authority (“DPA”) as well as the French data protection authority (“CNIL”) have dealt with the compatibility of Google Analytics and the GDPR in the context of two such complaints. The DPA, in a – not yet final – decision dated January 13, 2022, and the CNIL, on February 10, 2022, ruled that website operators cannot use Google Analytics in compliance with the GDPR. The Dutch data protection authority has announced that a similar decision can be expected. Here you can find the corresponding press releases of the DPA and the CNIL containing follow-up links.

Before we look at the decisions in detail, we will first provide you with an overview on Google Analytics and its mode of operation for better understanding:

  1. What is Google Analytics and how does it work?

Google Analytics is a tracking tool of the US company Google LLC (“Google”), with the help of which the usage behavior of website visitors is analyzed. It is one of the most widespread tools of this kind, which analyzes the origin of website visitors, their time spent on various websites and the use of search engines. It is used by a large number of website operators (especially in the EU) to adapt the services and content they offer to visitor behavior and to place targeted advertisements.

When a website is accessed, the visitor’s browser is assigned an (online) identification number, which can also be combined with other browser data or the website visitor’s IP address, creating an individual “digital footprint” of this person. This is what makes it possible to distinguish a website visitor from others and also to find out, for example, whether it is a new or a returning visitor. This “digital footprint” is subsequently also transmitted to the Google Analytics servers in the US.

In addition, data about the visit to the website is retrieved and transmitted to the Google Analytics server. This data and information, for example from the visitor’s “http request” (host name, browser type, referrer and language) and from detailed system and browser information (e.g. Java and Flash support as well as screen resolution), is further processed by Google Analytics and also used to read and set (first-party) cookies on the website visitor’s browser. These subsequently make it possible to measure the visit and generate reports, which the website operator can ultimately retrieve via his Google Analytics account.

If the visitor is additionally logged into his Google account when calling up the website, Google is also able to find out that a certain Google account user has visited a certain website at a certain time.

  2. The decisions of the DPA and the CNIL in the specific cases:

Based on the aforementioned complaints, the DPA and the CNIL had to decide whether an adequate level of protection within the meaning of Article 44 of the GDPR is ensured for the transmission of the website visitor’s data to Google servers in the US, which occurred due to the use of Google Analytics. In this context, however, the authorities had to decide in advance whether the transmitted data of the website visitor constituted personal data and whether the GDPR was applicable at all.

The authorities affirmed this on the grounds that it could be established that the cookies used and stored on the end device of the website visitor contained unique Google Analytics identification numbers, on the basis of which the specific user can be individualized by the website operator and Google. It is irrelevant whether an identification actually takes place subsequently. This applies all the more since, in the specific case, the website visitor was additionally logged into his Google account when accessing the website.

In addition, the authorities emphasized in their decisions that the fact that the above-mentioned identification numbers can be combined with other elements (e.g. browser data or IP address) makes the “digital footprint” of a specific website visitor even more unique and facilitates its identifiability. Accordingly, both the website operator and Google are able to identify the website visitor.

However, the particular relevance of these decisions does not lie in the fact that a website operator or Google is able to identify website visitors because of the use of Google Analytics. Rather, it lies in the corresponding ability of US authorities, and in particular US intelligence services, to do so under the legal provisions currently applicable in the US.

Unsurprisingly, Google is a US “provider of electronic communications services”. What may not be generally known, however, is that such providers (but not other US corporations that do not offer telecommunications and/or internet services) are subject to applicable US surveillance laws, which can (or even must) result in the disclosure of personal data of EU data subjects, in particular to US intelligence services. In this context, the authorities have also determined that such US services take certain online identifiers (e.g., IP address or unique identification numbers) as a starting point for the surveillance of individuals, and that this is not a purely theoretical danger, but that it was precisely for this reason that the EU-US adequacy decision (“Privacy Shield”) was ultimately declared invalid by the ECJ.

In the specific cases, the website operators and Google have concluded standard protection clauses, which, however, cannot bind authorities in third countries – and thus not US intelligence services either – due to their contractual (bilateral) nature. Therefore, the ECJ has already stated in its decision C-311/18 (“Schrems II”) that additional measures may be necessary to ensure an adequate level of protection within the meaning of the GDPR, and that, especially in countries such as the US (due to the legal situation), standard protection clauses alone are not sufficient, especially since they cannot prevent the disclosure of website visitors’ data to US authorities or US intelligence services.

This decision of the ECJ from 2020 also prompted Google and the website operator to implement additional measures in the specific cases. Specifically, the following additional measures were taken:

  • Notification of the data subject about data requests (if permitted in the individual case),
  • Publication of a transparency report disclosing such data requests,
  • Introduction of a “policy for handling government requests” at Google,
  • Careful review of each data access request by Google,
  • Protection of communication between Google services,
  • Protecting data in transit between data centers,
  • Protection of communication between users and websites,
  • “On-Site Security”,
  • Various encryption technologies (e.g. encryption of “data at rest”),
  • “Pseudonymization” of data.

In assessing these additional measures, the DPA in particular refers to the recommendations of the European Data Protection Committee (“EDSA”), which state that such additional measures have to be a combination of contractual measures with technical and/or organizational measures, which together ensure that access by authorities in third countries does not undermine the effectiveness of the “appropriate safeguards” required under the GDPR (Art 46). In other words, according to the EDSA, such measures are only effective if they close the existing “legal protection gaps” and thus prevent access and monitoring by US authorities and US intelligence services.

In the opinion of the authorities, however, the above-mentioned additional measures taken in the specific cases were not sufficient or effective, since they still cannot prevent (or restrict) access to the data by US intelligence services. Therefore, no adequate level of protection as defined by Art 44 GDPR can be ensured by these measures.

In addition, the DPA also briefly dealt with the IP address anonymization function offered by Google Analytics (even though this was not implemented correctly in the specific case and was therefore irrelevant). Nevertheless, the DPA decided that this is not an effective additional measure anyway, especially since the IP address is “only one of many pieces of the puzzle of the digital footprint” of a website visitor, but as such – and this is also in line with the view of the other European data protection authorities – it is personal data in any case.

Accordingly, in the opinion of the authorities, no adequate level of protection was ensured by instruments in the meaning of Chapter V of the GDPR for the transmission of the website visitor’s data to the Google Analytics servers in the US.

  3. Summary and consequences:

As a result, the authorities have decided that

  • the general principles of data transfer – specifically Art 44 GDPR, which regulates the transfer of personal data to a third country – are violated by the use of Google Analytics, as
  • the standard protection clauses concluded between Google and the website operator do not provide an adequate level of protection, and
  • even the measures taken in addition to the standard protection clauses do not prevent or restrict the monitoring and access options of US authorities or US intelligence services.

Despite all this, the use of Google Analytics in the scope of the GDPR is not “illegal” per se simply because of the decisions now issued. In principle, it is possible that Google and the website operators implement additional measures that would comply with Art 44 GDPR and thus also enable the lawful transmission of data. In practice, however, it is doubtful whether and, if so, when this would be possible at all.

In addition, the authorities – in particular the CNIL – have already emphasized that they will continue to enforce the aforementioned ECJ ruling “Schrems II” (which overturned the Privacy Shield) and strive for EU-wide coordination of data protection authorities – and thus of their decisions – in this context.

In principle, it therefore remains to be seen how the authorities of the other EU member states will decide on similar complaints. However, it would be very surprising if they were to assess the legal situation differently than the DPA and the CNIL have already done. Rather, it can be assumed that the two aforementioned decisions are only the beginning of a series of similar decisions throughout the EU.

Furthermore, the CNIL has already urged other website operators in France to ensure that their use of Google Analytics complies with the GDPR, or to stop using it if GDPR compliance cannot be established.

It is, however, true that appeals against these decisions are possible and it is likely that some time will pass before a legally binding decision is reached. Nevertheless, in view of the dimensions, companies should already start looking for possible solutions.

In any case, website operators that are subject to the GDPR and use Google Analytics (or similar tools of other (US) providers that are subject to (US) monitoring laws) are now required to check whether the safeguards taken ensure an adequate level of protection and whether the way these services are used is lawful. If it is not, EU companies would no longer be allowed to transmit data to the servers of these providers (in the US).

  4. Use of web analytics tools in the future:

In the future, special caution is required in any case, especially for international website operators.

The theoretically easiest way to make the use of Google Analytics legally compliant would be to implement further or other additional measures to close the legal loopholes mentioned for data transfer to the US. However, this seems unlikely at present, at least in the short term.

If it is not possible to ensure legal compliance for the use of Google Analytics, which is more likely to be the case at present, the data protection authorities recommend using services that work with anonymous statistical data to measure and analyze the number of visitors to a website. In practice, however, it should be noted that complete anonymity seems hardly feasible: on the one hand, IP addresses alone are already qualified as personal data by the authorities; on the other hand, without at least indirectly personal data, there is often a lack of visible analysis information.

Therefore, the most probable solution – currently feasible in practice – with respect to such web analytics tools (and possibly other tools offered by electronic communications service providers) is to look for other providers located in the EU or in “safe third countries” (e.g., the UK).

Insofar as Google Analytics is used, it must, however, be assumed that at this point in time its use is not lawfully possible and must therefore be stopped.

Written by Alexandra Prodan.

For questions and inquiries, do not hesitate to contact Árpád Geréd and Alexandra Prodan.

Status: 17.02.2022

Disclaimer: This article has been carefully researched and prepared, but is for information purposes only and is in no way a substitute for legal advice. Liability for correctness and completeness is excluded.