Is Google Analytics illegal in the EU?

Note: On July 10, 2023, the European Commission adopted the EU-US Data Privacy Framework, which changes the legal status of transatlantic data transfers. That said, multiple privacy watchdogs point out issues with the new deal. NOYB, a privacy-focused organization founded by Max Schrems, has already announced it will challenge the new framework before the Court of Justice of the European Union. Read more: Everything you need to know about the Data Privacy Framework (Privacy Shield 2.0).

At the beginning of 2022, the media were full of articles with really alarming headlines: “Is Google Analytics about to be banned in the EU?”, “Is Google Analytics legal?”, “GA declared illegal!”, “Google Analytics faces EU-wide ban”.

What set this off?

The European Center for Digital Rights (NOYB), based on the 2020 ruling called Schrems II, filed 101 complaints about the unlawful use of Google Analytics and Facebook Connect by large companies across Europe. But let’s start from the beginning.

In January 2022, European data protection authorities (DPAs) published their first decision regarding Google Analytics. What happened after filing the complaints?

So, after reviewing all those charges against it, can we say that Google Analytics is banned in Europe?

Personal data transfers to the US

The first decision, released by the Austrian Data Protection Authority (DPA) on January 13, 2022, stated that an Austrian company was in violation of GDPR because of the transfer of personal data to the US with Google Analytics.

The Austrian website operator believed that IP addresses, user IDs and browser parameters are not considered personal data. And even if so, the operator thought that Google took sufficient measures to protect this data, such as transparent reports on data requests from US authorities, data encryption, or data pseudonymization.

NOYB stated that Section 702 of the US Foreign Intelligence Surveillance Act (FISA) obligates Google to disclose personal data of EU citizens on the request of public authorities. According to Schrems II, the application of FISA makes it impossible to ensure adequate protection of EU citizens’ personal data. Thus, the transfer of personal data to the US is unlawful under GDPR.

The Austrian DPA stated that:

The information Google transferred to the US constitutes personal data under GDPR, because foreign intelligence services could identify each person using IP addresses and online identifiers.
Google’s additional security measures are insufficient to prevent US intelligence agencies from accessing personal data of EU citizens.
The above facts violate Chapter V of GDPR.

You can read more about it in our article: Is Google Analytics GDPR-compliant?

“Risk-based approach” for data transfers to the US as a solution after Schrems II

In the second part of the decision, the Austrian DPA ruled on an NOYB data protection complaint against another website operator that used the free version of Google Analytics with IP anonymization function. The company argued that it did not transmit any personal data. And even assuming that personal data existed, the transfer to the US would be appropriate because it followed the so-called risk-based approach.

After Schrems II, Big Tech lawyers advocated for a risk-based approach to data transfers. They suggested that extra safeguards should only apply when there’s a significant risk to the rights and freedoms of individuals. The standard contractual clauses should suffice in cases with a low basic risk, e.g., when data such as online identifiers or IP addresses are transferred.

The Austrian DPA has now found this approach unlawful. GDPR doesn’t recognize a risk-based approach for data transfers to third countries such as the US.

The authority’s decision was not influenced by factors such as “minimal risk” or whether US intelligence has actually accessed data. It’s sufficient that personal data is transferred to a third country without an adequate level of protection.

In the case issued by the French CNIL in February 2022, the sued company argued that data was transferred based on Art. 49.1.a of GDPR.

Art. 49 of GDPR deals with exceptions for data transfers and states:

1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

The respondent pointed out that thanks to the cookie consent procedure, data subjects could refuse the tracking of their visit to the website. The French DPA explicitly stated:

However, users’ consent to the storing of cookies during their visit to the website cannot be considered as equivalent to their having “explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards” within the meaning of Article 49.1.a of the Regulation.

What does this mean in practice?

Now, you need two consents – one for data analysis and the second one for data transfers to the US. This raises a number of issues: What do you do if the data subject consents to the analysis but not to the data transfer? Or they give both consents but later partially revoke them? Also, what would be the opt-in rate for two separate consents?

Additionally, Guidelines 2/2018 of the European Data Protection Board clarify that the cases described in Art. 49.1.a of GDPR are the exception rather than the rule and are not relevant for everyday transfers of personal data. Because of that, the regular data transfers with the users’ consent cannot be justified.

In March 2022, Google announced the end of Universal Analytics and introduced Google Analytics 4. On July 1, 2023, the standard Universal Analytics version stopped processing new data. Free version users will still have access to previously processed data for six months. The deadline for Google Analytics 360 users is October 1, 2023.

Google claims that Google Analytics 4 is a privacy-friendly alternative that does not collect IP addresses. That said, does it solve the problems that DPAs in Europe are pointing out?

One of the changes includes the anonymization of IP addresses. In Google Analytics 4, Google already anonymizes the IP addresses of tracked website and app users when collecting data. However, it doesn’t allow users to turn this feature off.

Google claims that it doesn’t collect personal data. That said, the Austrian DPA’s decision contradicts this statement. In April 2022 the authority stated that Google Analytics’ IP anonymization methods don’t provide sufficient protection. Why?

IP anonymization only concerns the IP address. Other kinds of data, such as online identifiers, which are set via cookies or device data, are still transmitted by Google in plain text.
IP anonymization takes place only after the data has been transferred to Google.

This means that Google Analytics still collects personal data.

The Austrian DPA already stated in its first decision that “IP address (…) is only one of many ‘puzzle pieces’ of the digital footprint (…)”.

The Austrian DPA confirmed that the use of identifiers allows Google Analytics to “distinguish website visitors and also to obtain the information whether it is a new or a returning website visitor (…).“

Google may associate the information collected by Google Analytics 4 with other data transmitted by users of this platform or other Google services. And there are tons of such data. So, there is a possibility that Google can identify individual users based on their behavior on different websites or apps. We don’t know if Google does this, but we should be aware of the risks involved.

Google Analytics 4 and data transfers – are the new privacy measures enough?

Regardless, the main problem with Google Analytics remains the same: data transfers between the EU and the US.

Google announced that Google Analytics 4 will receive and process data from EU users via domains and servers based in the EU.

That said, Google still transfers the data to the US for storage. Note that the quote above does not explicitly mention storage.

This means that no technical measure taken by Google can prevent US authorities from intercepting the data.

The only thing that could change the game for Google Analytics is a new adequacy framework between the EU and US. This process seemed to accelerate recently.

Is the new Transatlantic Privacy Framework going to fix Google Analytics’ problems?

On March 25, 2022, US President Joe Biden and EU Commission President Ursula von der Leyen announced an “agreement in principle” on a new EU-US data sharing system, called Trans-Atlantic Data Privacy Framework. The agreement is set to replace the Privacy Shield. Google commented that they are going to adjust their policies as soon as the new adequacy agreement is in effect.

But what sounds like a set action plan is only a vague promise. The joint statement by the EU Commission and the US president is still a political announcement, not a law. The lawyers have yet to find solutions to the issues that led to the invalidation of the previous framework.

Any new agreement would not be bilateral, but an executive decision of the EU Commission. It would have to be reviewed by the European Data Protection Board (EDPB). This process only starts when a legal text is available.

It will take several months before the new data protection framework takes legal effect and supports transfers from the EU to the US. Especially since the US side still needs to issue at least one implementing regulation to ensure the agreed-upon safeguards. Companies cannot use new rules until the authorities formally adopt them.

The Court of Justice of the European Union (CJEU) can quickly challenge the decision. As the EDPS has already pointed out:

“(…) a new framework for transatlantic data flows must be sustainable in light of requirements identified by the Court of Justice of the European Union“.

And Max Schrems, honorary chairman of NOYB and a man behind the “Schrems I” and “Schrems II” cases, announced:

The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.

Whatever Google’s plans for the new privacy framework are, it doesn’t look like they’ll be able to accomplish them soon.