For many companies in the EU and US, 2022 added another crisis to manage: the follow-up to Schrems II declaring that Google Analytics is not GDPR compliant.
What is Schrems II
Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, also known as Schrems II, concluded on 16 July 2020. In short, the decision by the European Court of Justice voided the EU-US Privacy Shield, the agreement that specified protection requirements for the personal data of EU citizens sent to the US. This case put into question the GDPR-compliant use of any US-owned and US-operated servers, stemming from the fact that personal data from the EU was being sent to Facebook cloud servers in the US and - under the CLOUD Act, the US Foreign Intelligence Surveillance Act, and other official policies - could then be accessed by US intelligence agencies. In brief, the personal data of EU citizens is not adequately protected in accordance with the GDPR when it is transferred to the servers of US companies.
After the Schrems II decision, the non-profit noyb (European Center for Digital Rights), founded by Max Schrems, filed 101 complaints against various companies that transferred the data of EU citizens to US companies. One such complaint was against netdoktor.at, a health website that used Google Analytics to track website visitors.
Like many companies, netdoktor continued to use Google Analytics despite the decision of the European Court of Justice.
Google, as well as other US-based companies (Amazon, Facebook, Microsoft, etc.), has relied on Standard Contractual Clauses (SCCs) and Technical and Organizational Measures (TOMs) to convince EU partners that its physical and digital protection measures (fences around data centers, data encryption, pseudonymous data, etc.) are enough to protect their data.
But in the netdoktor case, the Austrian Data Protection Authority ("Datenschutzbehörde" or "DSB") decided that this is not enough: Google Analytics violates the GDPR. They explain:
"With regard to the contractual and organizational measures outlined, it is not apparent, to what extent [the measure] are effective in the sense of the above considerations."
"Insofar as the technical measures are concerned, it is also not recognizable (...) to what extent [the measure] would actually prevent or limit access by U.S. intelligence agencies considering U.S. law."
Based on this decision, many experts believe that this is just the beginning. Many complaints are still waiting for their day in court, and similar decisions are expected from the authorities of other EU member states.
The DSB also stated in its decision that it will further investigate Google with regard to the rules for data transfers to the US government without the explicit consent of the EU data exporter.
No penalties have been issued in this case yet, but if the court does decide to impose them, they could be as high as 4% of a company's global turnover.
We aren't lawyers and we can't offer legal advice, but it seems that any company that processes the data of EU citizens through services provided by US-based companies is at risk. In terms of web analytics, Google Analytics is number one in the world, but there are many others to be cautious of. Always check where the provider is incorporated and where its data centers are located.
Long-term, this means that the US government and US providers will have to make major changes to their current policies and infrastructure: passing legislation that protects the data of foreign citizens and hosting foreign data outside of the US. The European Commission is eager to find a replacement for the EU-US Privacy Shield, but at the moment there is no legal way forward. Negotiations are ongoing, but they still require legal changes on the US side, and given the current political and economic climate, those seem unlikely for the foreseeable future.
Since the court has concluded that Google Analytics is not GDPR compliant, which Google has denied in a recent statement, the question is where companies can turn for safe, low-risk web analytics data. The first step would be to research companies based in the EU that use IP anonymization, that do not store user data, and that are compliant with the GDPR, TTDSG, CCPA, and other data privacy laws - like Visitor Analytics!
The full DSB decision, in German, can be found here.