In a privacy complaint against Google Analytics, Datatilsynet, the Norwegian DPA (data protection authority), has reached the preliminary conclusion that “the use of Google Analytics was in violation of the GDPR’s transfer rules.” Norway joins a list of countries to support efforts to ‘nudge’ DPAs to stricter enforcement of the GDPR’s data transfer rules.
Context
- In the blog of privacy-first analytics firm Simple Analytics, Carlo Cilento, writes that Google Analytics’ legal issues with the GDPR are nothing new. The Norwegian DPA is one of several – Austrian, French and Italian – that have already sided, to a greater or lesser extent, with a coordinated set of complaints made by privacy NGO noyb.
- Noyb’s complaints center on the fact that the use of Google Analytics requires the transfer of personal data – IP addresses and cookies – to Google LLC in California. The complaint contends that websites transfer personal data out of the EEA in violation of the Personal Data Protection Regulation ( GDPR ) by using the American analysis tool Google Analytics.
- In 2020, in the judgment on the Schrems II case, the European Court of Justice ruled that businesses must institute ‘robust due diligence’ before transferring personal data outside of the European Economic Area. Noyb’s complaint is based on the claim that Google Analytics lacks the privacy safeguards established by the judgment and does not therefore comply with GDPR legislation.
State-wide bans
- Cilento says that every DPA decision practically amounts to a state-wide ban. Complaints and DPA decisions relate to specific websites and in theory a different website could use it lawfully by applying better safeguards. But, he said ‘in theory’ is the key point:
Ensuring the safety of the data transfer is difficult for many services and practically impossible for Google Analytics, because it’s built around cookies and needs to process cookie identifiers in the clear in order to work.
- Norwegian DPA Datatilsynet is treating the complaint as a cross-border case meaning other European authorities could raise objections. However, in 2022, the French authority submitted its decision against Google Analytics to other authorities without any objections being raised.
Better data protection
- With authorities coordinating their approach at a European level, the Norwegian authority is likely to rule against the use of Google Analytics. Cilento said every country taking a stance against Google Analytics strengthens the case for better data protection. But he stresses, the issue with data transfers is bigger than Google Analytics.
- Many US-based services require transfers of personal data and may come under fire next and while there are privacy-friendly alternatives to Google Analytics, services like AWS would be difficult to replace.
- It is hoped that the solution lies in a new data-transfer framework negotiated by the US and the European Commission last year. The decision is pending Member States’ approval and will certainly be challenged in Court and no one would be comfortable predicting the outcome of a potential Schrems III case.