German data protection authorities published a joint position statement regarding Google Analytics already in May 2020. The European Court of Justice’s decision of 16 July 2020 increases the requirements even further. Use of Google Analytics will become more difficult in the future.

Google Analytics is a widely used tool that helps website owners analyse statistics about visits to their website. Google Analytics is free, easy to use and offers a variety of powerful features. This makes it a favourite among website owners, many of whom use it for their business.

Given that Google Analytics is so commonly used, the Conference of German Data Protection Authorities (DSK) published a statement regarding the legal requirements under data protection law involved when using Google Analytics.

Website visitors' consent

For website owners to use Google Analytics lawfully, they must obtain the prior consent of visitors for Google Analytics cookies to be placed on their device. This is done using a banner that appears on the website and displays a message informing them accordingly, and by providing a detailed explanation as to how data will be processed by Google Analytics. This explanation can be included either in the privacy policy or in the cookie policy for the website.

In this context, website owners are required to use appropriate technical means to ensure that cookies are placed on a user’s device and data are collected by Google Analytics only after the user’s consent has been obtained. No data may be collected before this consent has been obtained. This reduces the validity of the analysis because generally, only a certain number of the visitors to a website consent to having cookies placed on their device.  Experience has shown that the number of website visits tracked decreases after a change in policy from an opt-out approach (under which users had to actively object to the use of cookies) to an opt-in approach (which requires active consent). However, the legal position is clear – there is no way around the consent requirement.

Another important point to note is that the consent must be voluntary. Users must still be able to visit the website even if they refuse to give their consent. Users’ consent is not only voluntary but may also be revoked by them at any time. Website owners are required to make users aware of this right and to have procedures in place that allow them to revoke their consent. This can be done, for example, by providing a button on the cookie policy page that allows users to go back to the cookie settings and revoke their consent previously given at any time.

These requirements are more of a technical nature and can be fulfilled with a reasonable amount of work and effort, whereas other requirements are more difficult to satisfy.

Responsibility for data processing

German data protection authorities take the view that the information Google Analytics collects qualifies as personal data. This has far-reaching consequences:

On the one hand, they assume that Google uses the data collected also for its own purposes. They therefore take the view that Google and the website owner jointly determine the purposes for which such data are processed and are therefore joint controllers. As a consequence, the website owner is required to enter into an agreement according to Article 26 GDPR with Google on the distribution of responsibilities between them.  However, this will be difficult to realise in practice.

Google takes the view that there is no joint responsibility and offers to enter into a data processing agreement and an agreement stipulating that both parties are individually responsible. This contradicts the view of the German data protection authorities. Website owners who enter into those agreements run the risk of falling into a conflict with the competent supervisory authority. Entering into an individual agreement according to Article 26 GDPR with Google would be a better option.

The ECJ' decision in Schrems II

The ECJ’s decision in the Schrems II case has created another problem: On 16 July 2020, the ECJ ruled in its judgment on the Schrems II case that the US Privacy Shield is invalid. The Privacy Shield was an important mechanism that allowed data to be transferred to the US. This mechanism no longer exists. In future, data exports to the US will be possible only if the data exporter and the data importer have entered into the EU’s “Standard Contractual Clauses” (SSCs).

In other words, every owner of a website that uses Google Analytics will have to enter into SSCs with Google. Google does offer standard contractual clauses as part of its data processing agreement. However, those are standard contractual clauses for processors. For website owners they are useless since the German data protection authorities take the view that Google is a “controller”. Therefore, the specific controller-to-controller standard contractual clauses would have to be agreed.

The ECJ also made it clear that it is not enough for a controller to merely entering into the relevant contractual clauses. Rather, the controller has to check whether the data importer is able to process the data appropriately in its home country. This is questionable in particular in the case of the US since, according to the case law of the ECJ, the comprehensive collection of data by national intelligence services violates EU law.

It is not easy for a website owner domiciled in the EU to check data processing activities that are carried out in the US. However, a first step would be to send a list of questions to the data importer and to ask how they handle the data and what legal rights of access the authorities of their home country have. That means that to be able to use Google Analytics, website owners will have to send such a list of questions to Google.

Outlook

The new requirements will make it much more difficult for German website owners to use Google Analytics. It remains to be seen how Google will react to these challenges and how Google will satisfy the requirements of German data protection authorities and of the ECJ.

In their own interest, website owners will generally have to go along with the guidelines issued by the German data protection authorities and the ECJ case law, because their statements are clear.

An alternative would be to use website analytics tools offered by German providers. If the provider of those tools does not use analytics data for its own purposes, this spares the parties the effort of entering into a joint controllership agreement. If there is no data export, there is no need to take precautions for this.

Arnd Böken 
Berlin