Since the Data Protection Authority’s (DPA) decision of 22.12.2021, many companies have been wondering whether they now have to stop using Google Analytics. Are there ways to still use the analytics tool?
The DPA has ruled that the use of Google Analytics violates the GDPR. It reasoned that the data collected by Google Analytics is not sufficiently protected from access by the US authorities. The fact that there is no adequate level of data protection in the USA recognized by the EU Commission has already been clarified by the ECJ with the repeal of Safe Harbour and Privacy Shield.
Is Google Analytics now taboo for companies subject to the GDPR? The safest way would of course be to switch to a GDPR-compliant tool. The Anonymize IP function offered by Google is not sufficient because, according to the DPA, it does not appear to be possible to establish a personal reference.
The mere conclusion of standard contractual clauses is not sufficient for the transfer of personal data to third countries without an adequate level of data protection. It must also be examined on a case-by-case basis whether the law or practice of this third country – in this case the USA – impairs the protection guaranteed by the standard contractual clauses and whether additional measures may need to be taken to comply with this level of protection. Google would be obliged to hand over personal data at the request of the US authorities – regardless of where the server is located. At present, it is probably not yet possible to implement sufficient supplementary measures with reasonable effort, which is why the conclusion of standard contractual clauses is (still) ruled out as a basis.
Is user consent pursuant to Art 49 (1) (a) GDPR the solution?
Art 49 para 1 lit a reads: If there is neither an adequacy decision (…) nor appropriate safeguards (…), a transfer or a set of transfers of personal data to a third country (…) shall be permitted only under one of the following conditions: a) the data subject has given his or her explicit consent to the proposed transfer after having been informed of the potential risks of such transfers for him or her in the absence of an adequacy decision and appropriate safeguards (…)
Art. 49 para. 1 lit. a GDPR therefore stipulates that data transfer to the USA is legally compliant “in certain cases” if the data subject’s informed, explicit consent has been obtained. It is essential for this consent that the data subject was informed of the risk of a lack of data protection before giving their consent. However, this is not a legally secure solution, as there is no case law on this yet.
The European Data Protection Board (EDPB) does not consider Article 49(1)(a) GDPR to be a suitable basis for the use of analysis tools, as these are permanent and mass transfers. Art 49 (1) (a) GDPR is an exceptional provision and the scope and regularity of the data transfer are contrary to the exceptional nature of the provision. However, the ECJ did not rule out this possibility in its Schrems II ruling (C-311/18). It is not yet possible to predict how the data protection authority will assess Art 49 para. 1 lit a GDPR in connection with Google Analytics. There would therefore still be a risk in choosing this route. It would be desirable for the USA and the EU to conclude an agreement and thus eliminate the legal uncertainties.
Sources:
EDPB, Recommendations 01/2020 on measures to supplement transfer tools to ensure the level of protection of personal data under Union law
EDPB, Guidelines 2/2018 on the exemptions under Art 49 Regulation 2016/679, 5.
DSB 2021, 313; Art. 49 GDPR – The vacuum killer for third country transfers?
DSB 2021, 12; Justification of data transfers in connection with the use of cookies
Press 22.01.2022 (Open questions after Google Analytics decision)
DPO 2020/45; Data transfer to the USA: ways out of the digital lockdown?
E DSB of 22.12.2021, GZ D155.027 2021-0.586.257