“Google Analytics may soon be banned,” warns the Dutch agency

Share your love

The legal basis of the statistics service Google Analytics is shaking across the EU. After the Austrian data protection authority determined that the use of Google Analytics’ on websites in the European Union is not compatible with the General Data Protection Regulation (GDPR), the Dutch Authority for Personal Data (AP) now also warns: “Please note: The use Google Analytics’ may soon be banned”.

On Thursday, the Dutch authority has its own Updated ‘Google Analytics privacy-friendly setup’ guide accordingly. The AP informs about the decision of the Austrian data protection authority of December 22, 2021 (GZ D155.027, 2021-0.586.257), according to which Google Analytics violates the GDPR. At the same time, the AP announces that it is investigating two complaints about the use of Google Analytics in the Netherlands.

The AP would like to conclude this investigation in the near future, namely “early 2022”. Then she will “be able to say whether Google Analytics is allowed or not.” The AP has not withdrawn the instructions published in 2018 to date, but has issued a warning that Google’s statistics service could soon be recognized as illegal.

Meanwhile, a German supervisory authority has to deal with the result of the Austrian decision: The Austrians have asked the Bavarian state commissioner for data protection to decide whether the website at issue must be closed.

It happens like this: The reason for the Austrian procedure was a complaint from a Google user who accessed an Austrian website on health on August 14, 2020. Since this website uses Google Analytics, data about the user was transmitted to Google from which Google could draw conclusions about him. On August 18, 2020, the affected user complained using the Datenschutzorganisation NOYB at the Austrian data protection authority.

Read Also   36 tips for gifts from the c't editorial team

During the ongoing proceedings, the website in question was transferred to a Munich company. Austria’s data protection authority is responsible for deciding on the data transfers in August 2020. However, the Austrian data protection authority no longer considers itself responsible for the decision as to whether the website must be shut down now, in 2021, due to illegal behavior. Since the website is now operated by a Munich publisher, the supervisory authority responsible there is appointed.

The affected user not only complained about the operator of the website, but also about the operator Google Analytics itself, i.e. about Google. The Austrian data protection authority has determined that Google has not violated Article 44 of the GDPR because it relates to the disclosure of personal data. Although the website operator disclosed personal data to Google, Google itself, as far as is known, did not disclose the data to any third party.

So Google did not violate Article 44. However, this is expressly only a partial decision. The Austrian data protection authority is still examining whether Google is violating other provisions of the GDPR with Google Analytics.

According to the decision of the Austrian data protection authority, the use of Google Analytics on the website was illegal because the service collected personal data and transmitted it to Google. Under US law, Google is subject to surveillance by US secret services. As a result, Google cannot offer an adequate level of protection under Article 44 GDPR. The standard contractual clauses used by the website operator do not help, as the European Court of Justice (ECJ) recognized in its decision on the “Privacy Shield” (Schrems II) in 2020.

The decisive factor for the legal assessment of the use of Google Analytics is not whether a US secret service actually obtained the data or whether Google actually determined the identity of the user, but rather that this would be possible. Google users can make a setting in their Google accounts that prevents Google from evaluating their use of third-party websites in detail. But this is proof that Google is basically able to merge the usage data with the person – otherwise this setting option would be pointless.

The 2020 ECJ decision also explains the current warning from the Dutch authority. Your guide to ‘Setting up Google Analytics privacy-friendly’ is from August 2018; That was almost two years before the ECJ overturned the EU-US data protection agreement “Privacy Shield”. This decision is one of the greatest successes of data protection organization NOYB to date.


(ds)

Article Source

Share your love