Google Analytics is probably the world's most widely used tracking tool for analyzing website traffic. However, the monitoring of user behavior on websites of the European Union could soon come to an end. The well-known Austrian data protection activist Max Schrems recently caused a decision by the Austrian data protection authority with a model complaint. According to the authority, the fact that a website uses Google Analytics is not compatible with the EU General Data Protection Regulation. So will Google Analytics soon be banned in Europe and if so, which alternatives can website operators still use without hesitation? We took a closer look at the sensational case.
What exactly happened?
In August 2020, the data protection activist Max Schrems called up the then Austrian website netdoktor.at. This site uses Google Analytics and accordingly forwards personal data from Max Schrems to the US company. According to Schrems, Google can draw conclusions about his person from this data. However, this is not compatible with Article 44 of the General Data Protection Regulation. Article 44 regulates the provisions relating to the transfer of data to a third country - in this case the USA. The transfer of the personal data to the USA was therefore illegal. In a partial decision
Max Schrems was right - but that's it process is far from over. Because the website in question was already transferred to a German provider while the proceedings were still ongoing. The Austrian authorities no longer feel responsible here. German authorities now have to clarify whether the website has to be shut down because of violations of the General Data Protection Regulation.
The complaint leaves Google cold for the time being
Max Schrems' complaint was directed not only against netdoktor.at, but also directly against Google. According to Schrems, the operator of Google Analytics knowingly accepts user data that was obtained in violation of the GDPR. Here, however, the Austrian data protection authority saw no basis for a complaint. The regulations of the GDPR are to be complied with by the data exporter – the European website. The importer of the data sets, Google, does not disclose any data itself. Accordingly, the authority sees no specific need for action here. However, it is currently being examined whether Google is violating other provisions of the GDPR with the analytics tool.
Why can't Google Analytics be used?
For the Austrian data protection authority, the case is clear. The website should not have used Google Analytics because the tool collects personal data and forwards it to Google. This is exactly where the problems start, because Google is subject to US law - and thus to surveillance by US secret services. Since NSA and Co. in the United States are authorized to retrieve personal data, Google cannot offer an adequate level of protection under European data law, more precisely under Article 44 GDPR. Although the operator of netdoktor.at uses so-called "standard contractual clauses" on its website, these are not sufficient. The European Court of Justice has already recognized this in a decision on the so-called “Privacy Shield” in 2020. The Austrian data protection officers make one thing clear: it is irrelevant whether a US secret service actually retrieved Max Schrems' personal data. It is also irrelevant whether Google extracted the exact identity of the user from the data obtained. The only thing that counts is that both would be possible. The privacy advocates bring up another point. In the account settings of the Google accounts, users can explicitly prohibit Google from evaluating their data from third-party websites in detail. For the privacy advocates, this is proof that Google would be able, at least in theory, to merge user data with a specific person.
Why don't Google Analytics and the GDPR get along?
Depending on the statistics, Google Analytics is used on around 50% of all large and large websites worldwide. The analysis tool efficiently collects data about the visitors, which can then be processed and evaluated using any configurable parameters. Site operators receive insights into user behavior, length of stay or page views through Google Analytics. With such a comprehensive analysis, masses of data are generated – and this is where the problems with data protection begin. Because Google Analytics forwards the collected data, including the full IP address of the user, to Google in the USA. In the USA, data protection is seen a little more loosely than in Europe. In the States, for example, intelligence services or police authorities have the right to retrieve stored data and use it for investigations. As a European user, your personal data is protected by the GDPR. However, if the data is forwarded to third countries, this protection does not apply - and your data can be screened and used as you wish.
Tracking vs Privacy
Web analysis tools are used worldwide to analyze the behavior of visitors on a website. For website operators, the tools offer the possibility of optimally adapting the content to the needs of the users. Google Analytics is not the only tool, but it is certainly the most common. The legality of using tracking tools has been discussed in legal circles for many years. One starting point for operating Google Analytics in compliance with European data protection guidelines is the anonymization of the IP addresses of website visitors. Every website operator has the option to set the anonymization of the data. No transfer of personal data means that the GDPR does not apply. The netdoktor.at site reported by Max Schrems did not use this existing function. And even if the website had made the IP addresses anonymous - the Austrian data protection officers simply see far too many ways in which Google can process personal data. This begins with the recording of the operating systems used and the browser used, goes through unique online identifiers to the date and time of the website visit. Each visitor can thus be identified by many individual, small pieces of the puzzle - even with an anonymous IP address.
Am I no longer allowed to use Google Analytics?
Despite Google's efforts to increase data protection, the Austrian data protection officers do not see an adequate level of protection for the data records of European citizens. Under US law, the intelligence services there are authorized to retrieve personal data or access encrypted data using technical measures. Neither is compliant with European data protection regulations. Should the issue end up before the European Court of Justice – and it is not unlikely that the highest European judges will take up the issue – this could have serious effects on all transatlantic data traffic. Should there be a court ruling that Google Analytics cannot be used in compliance with data protection regulations, the consequences would be drastic. Both for European website operators and US companies that work with data from Europe. In this case, the EU operators would have to switch to servers in the EU - the US companies would immediately lose an entire continent as their sales market. As long as no verdict has been passed, Google Analytics may continue to be used on European sites - provided, of course, that the relevant standard clauses are observed.