German data protection authorities already published a joint position statement regarding Google Analytics in May 2020. The European Court of Justice’s decision of 16 July 2020 increases the requirements even further. Use of Google Analytics will become more difficult in the future.
Google Analytics is a widely used tool that helps website owners analyse statistics about visits to their website. Google Analytics is free, easy to use and offers a variety of powerful features. This makes it a favourite among website owners, many of whom use it for their business.
Given that Google Analytics is so commonly used, the Conference of German Data Protection Authorities (DSK) published a statement regarding the legal requirements under data protection law involved when using Google Analytics.
Some of these requirements are more of a technical nature and can be fulfilled with a reasonable amount of work and effort, whereas other requirements are more difficult to satisfy.
German data protection authorities take the view that the information Google Analytics collects qualifies as personal data. This has far-reaching consequences:
On the one hand, they assume that Google also uses the data collected for its own purposes. They therefore take the view that Google and the website owner jointly determine the purposes for which such data are processed and are therefore joint controllers. As a consequence, the website owner is required to enter into an agreement according to Article 26 GDPR with Google on the distribution of responsibilities between them. However, this will be difficult to realise in practice.
Google takes the view that there is no joint responsibility and offers to enter into a data processing agreement and an agreement stipulating that both parties are individually responsible. This contradicts the view of the German data protection authorities. Website owners who enter into those agreements run the risk of falling into a conflict with the competent supervisory authority. Entering into an individual agreement according to Article 26 GDPR with Google would be a better option.
The ECJ’s decision in the Schrems II case has created another problem: on 16 July 2020, the ECJ ruled that the US Privacy Shield is invalid. The Privacy Shield was an important mechanism that allowed data to be transferred to the US. This mechanism no longer exists. In future, data exports to the US will be possible only if the data exporter and the data importer have entered into the EU’s “Standard Contractual Clauses” (SCCs).
In other words, every owner of a website that uses Google Analytics will have to enter into SCCs with Google. Google does offer standard contractual clauses as part of its data processing agreement. However, those are standard contractual clauses for processors. For website owners they are useless since the German data protection authorities take the view that Google is a “controller”. Therefore, the specific controller-to-controller standard contractual clauses would have to be agreed.
The ECJ also made it clear that it is not enough for a controller merely to enter into the relevant contractual clauses. Rather, the controller has to check whether the data importer is able to process the data appropriately in its home country. This is questionable in particular in the case of the US since, according to the case law of the ECJ, the comprehensive collection of data by national intelligence services violates EU law.
It is not easy for a website owner domiciled in the EU to check data processing activities that are carried out in the US. However, a first step would be to send a list of questions to the data importer and to ask how they handle the data and what legal rights of access the authorities of their home country have. That means that to be able to use Google Analytics, website owners will have to send such a list of questions to Google.
The new requirements will make it much more difficult for German website owners to use Google Analytics. It remains to be seen how Google will react to these challenges and how Google will satisfy the requirements of German data protection authorities and of the ECJ.
In their own interest, website owners will generally have to go along with the guidelines issued by the German data protection authorities and the ECJ case law, because their statements are clear.
An alternative would be to use website analytics tools offered by German providers. If the provider of those tools does not use analytics data for its own purposes, this spares the parties the effort of entering into a joint controllership agreement. If there is no data export, there is no need to take precautions for this.