Google Analytics Usage Made Illegal by Austrian Data Protection Authority

The Austrian Data Protection Authority (Datenschutzbehörde) ruled in favor of nonprofit NOYB, in a landmark case against the use of Google Analytics on netdoctor.at, an Austrian website operator.

While not yet binding, the decision may provide a boost to privacy advocates in Europe who are looking to hold data-hungry tech companies accountable for their handling of people’s personal information.

NOYB is a non-profit organization dedicated to privacy rights in Europe, led by Max Schrems, (the man who successfully challenged Facebook’s use of data transfer arrangements).

Austrian DSB decided: Use of Google Analytics violates "Schrems II" decision by CJEUhttps://t.co/YJptcS9ONy pic.twitter.com/ngPz6KgAvy

— noyb (@NOYBeu) January 13, 2022

This is the first decision to NOYB’s 101 model complaints submitted in response to the CJEU’s Schrems II judgment (which had invalidated the Privacy Shield). The 101 complaints suggest that European companies continue to share visitor data with big tech companies and don’t offer an adequate level of protection to their users. So while this decision is the first of its kind, it will likely not be the last.

The European Data Protection Board (EDPB) established a task force in 2021 to investigate the situation and ensure tight coordination among all European Data Protection Authorities.

As a result, regulatory actions filed by DPAs in other EU member states are expected to accelerate (for example, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

What Does the Decision Include?

The DPA held in the decision the following:

Applicability of the GDPR

As leges speciales, the applicable requirements of Directive 2002/58/EC (e-Privacy Directive) – renamed Telecommunications and Telemedia Data Protection Act (TTDSG 2021) in Austria – take precedence over the GDPR (General Data Protection Regulation).

The e-Privacy Directive, on the other hand, has no provisions for the transfer of personal data to other countries, hence Chapter V of the GDPR applies in this case.

Data Transmitted through GA are Personal Data

Austria’s Data Protection Authority believes that by combining the huge amount of data transmitted, it is theoretically conceivable to relate the transferred data back to a natural person. As a result, a link to a person can be established (see GDPR Article 4(1)) and the GDPR applies.

In this regard, it’s worth noting that the DPA believes Google Analytics’ anonymization function to be insufficient for shifting the IP address and other identifiers outside of the GDPR’s scope. Because of the vast volume of EU data transmitted, the IP address is not relevant to the categorization of the data as personal data under the GDPR.

The Website Operator Is the Data Controller

It’s worth noting that the Austrian DPA only looked at data processing activities up until they were successfully transferred to Google. The authority makes no remark on Google’s subsequent data processing.

Data Transfer to the US Isn’t GDPR Compliant

The EU-US Privacy Shield was found illegal by the European Court of Justice in a verdict dated July 16, 2020 (Schrems II).

As a result, GDPR Article 45 was no longer applicable as a means of data transmission, and the DPA did not believe that a “derogation for specific cases” existed (in particular because consent was not obtained in the given case).

“Appropriate protections” as defined by GDPR Article 46, is the final legal transfer mechanism. Standard contractual clauses (SCCs) can serve as appropriate safeguards under GDPR Article 46(2)(c). The website owner had signed “old” SCCs (version 2010/87/EU) with Google in the matter at hand. (In June 2021, a revised set of SCCs was released.)

However, when using Google Analytics, the data transfer cannot only be dependent on the SCCs that have been completed. This is due to the fact that Google is subject to US surveillance laws (FISA 702), and contractual obligations alone are insufficient to bind authorities in a “third nation”. Only if additional technological and organizational steps (“supplementary measures”) are adopted to compensate for the lack of legal protection in the United States is a data transfer legal. The DPA concluded that Google had not offered adequate evidence of “supplementary measures” in its conclusion.

So What Was Wrong In This Specific Case?

From the analysis above, it is clear that in this specific case, the Google Analytics integration that took place at the time (08/14/2020) was flawed:

• The usage of Google Analytics was only based on the outdated SCCs.
• Data processing consent was not acquired.
• The IP address anonymization had not been activated correctly.

How Did Google Respond?

Google’s defense in the proceedings and its initial reaction afterwards aren’t very reassuring.

Google confirms that personal data is indeed being exchanged with the US when using Google Analytics because this is simply necessary for the service to function properly. More generally, Google also states that it makes great efforts to make its services privacy-friendly.

In this case, specifically, Google says that it provides the necessary “additional guarantees”, that are required on the basis of the Schrems II judgment. The DSB, however, ruled that those “additional guarantees” do not amount to much in reality.

In response, Google can’t do much more than to say that the user can choose to disable “third-party data sharing” in their account. However, third-party data sharing isn’t the main legal issue here, the issue is the potential access to sensitive data by the US government (and of course, that cannot be turned off anywhere).

In other words, Google doesn’t really have an answer for the time being. Google is right when it says that a good analytics tool should work globally, and one can also sincerely question whether potential access to analytics data by the US government really poses a real privacy threat for 99% of European websites.

What Does This Decision Mean For You?

If there is one takeaway from this case, it is that disregarding these court rulings and continuing to use Google Analytics is not an option.

If you run a website in Austria or provide services to Austrians, you should remove Google Analytics from your site immediately.

It is also strongly advised that businesses in the other European Union Member States take action before local Data Protection Authorities begin targeting more businesses.

As a European company, you can no longer entrust sensitive user data to companies like Google, which deliberately disregard European privacy legislation and risk hefty fines for their European business customers.

Possible Workarounds to Keep Using Google Analytics

Websites across Europe, however, aren’t suddenly going to stop using Google Analytics.

Until this decision becomes legally binding, you can still use GA in a GDPR compliant way by following the strictest measures below:

1. Accept Google’s DPAs: To reflect the current versions of the Standard Contractual Clauses, Google has revised the Google Data Processing Terms for all Google Products (DPAs). In the Google Analytics settings, accept the new Google DPAs (latest version September 2021).
2. Reference in the data protection regulations to a possible data transfer to third countries.
3. Obtain user consent: “This means that you can only fire Google Analytics if you have received consent to do so and can also save and provide information about it. A consent management platform (CMP) makes this process easier.
4. Use the correct configuration of Google Analytics: no personal data should flow into Analytics during setup, according to their best practices. You should therefore make use of IP anonymization.
5. Switch to server-side tracking: Server-side tracking is not only a suitable solution for increasing the lifespan of 1st-party cookies and bypassing some tracking blockers, but you also have the option of adapting the data before it is sent to Google Analytics. In concrete terms, this means, for example, that the IP addresses of the users are completely removed before the data is sent to Google Analytics.

Switch to Other Privacy Compliant Analytics Tools

Because privacy is becoming increasingly important to consumers worldwide, it is a logical step for any European business to select services that prioritize protecting their users’ privacy.

Below we present two of the most intriguing alternatives to GA in case you want to completely get rid of it.

Plausible

Give Plausible a try if you’re looking for a genuine EU alternative to Google Analytics. They are an independent, bootstrapped project based in Estonia. Their team is split between Estonia and Belgium.

All visitor data they collect is stored on servers owned by a German company in Germany (Hetzner). For their global CDN, they use a Slovenian-owned provider (Bunny).

More about their official statement on this case here.

Matomo

Matomo is another worthwhile GA alternative.

It is an open-source web analytics platform designed to provide you with full analytics capabilities as well as complete data ownership.

Matomo began as an open-source alternative to Google Analytics. It also provides important reports about your website users and their interactions with your website, similar to Google Analytics. The interesting part is that it focuses the majority of its attention on data ownership, so your data can be completely yours and the privacy of your users is protected.

More about their official statement on this case here.

Are Convert Users Impacted by This Decision?

No personal data is ever used or stored in Convert Experiences. So, your experiences and visitors are not impacted by the case above. In addition, we use European carbon neutral servers to save experience and variation data.

For transparency, here are some additional notes about data use in Convert Experiences:

• On by default
  • Session cookie ID (timeout 20 minutes on cookie and server cache). This is currently falling under performance cookies in our interpretation of GDPR / ePrivacy Directive and ePrivacy Regulations.

• Off by default
  • When cross-browser targeting is turned on by customers, we insert a unique cookie in the URL to pick up on the other domain (which could be interpreted by GDPR as personal data). This feature is off by default as part of our “privacy by default” policy.
  • When unique visitor IDs are given by the customer to replace session IDs, this could be interpreted as personal data. This feature is off by default as part of our “privacy by default” policy.
  • When geotargeting is used (not on by default), we could store country, region, and city in CDN or server cache for correct targeting.

The implications of this ruling are far-reaching and could set a precedent for how data is used by companies.

It’s important to note that this decision only affects Google Analytics usage for Austrian businesses or other companies that do business with one, but it’s possible that other countries may follow suit.

If you’re using Google Analytics, be sure to keep an eye on upcoming regulations to make sure you stay compliant. NOYB and other European privacy advocates have shown that they’re willing to fight for the rights of online users, so we can expect more similar decisions in the future.