
Is Google Analytics Illegal?

The promise of a new year has started off a tad bit rocky for United States businesses doing business in Europe. As reported last Thursday by TechCrunch, the Austrian Data Protection Authority has ruled in a case that Google Analytics was used unlawfully by a website owner. Following the news, the Data Protection Authority for the Netherlands said it was reviewing its own case, and may find similarly in early 2022.

I am not a lawyer, American or European; what follows is my take on the case and what it could mean. I strongly advise anyone concerned to speak to their own legal teams and potentially even wait for additional guidance from the relevant DPAs.

So what exactly is going on?

The European General Data Protection Regulation (GDPR) protects EU users from unlawful data collection. The law has several use cases where consent prior to collection isn’t required, and many more where it is. This is particularly true when the collection of personal information is involved. GDPR Recital 30 lists identifiers such as cookies and IP addresses as personal information under GDPR.

In the summer of 2020, the standing agreement between the US and EU (known as the Privacy Shield) was ruled invalid under GDPR regulations. This affected transmission of data from the EU to the USA. As the ruling wasn’t definitive with regard to contract clauses, many companies revised their contracts after the ruling to add data protection language in an effort to fend off further challenges around data collection.

Following this ruling, noyb filed 100+ US/EU transfer complaints with various data protection authorities around Europe. The ruling by the Austrian DPA is the outcome of the evaluation of some of those complaints.

What are Google’s Thoughts?

As part of the evaluation, the Austrian DPA sent Google a series of questions, and noyb has made Google’s response public (seen here). The 27-page document is very interesting in how it describes the way Google Analytics uses data and what controls are in place to limit data access. It’s worth a review if you ever had questions about the data processes involved in Google Analytics.

Austrian DPA Verdict

Several issues were determined by the verdict, which is fairly nuanced.

  • Google LLC could have access to personal data (such as IP addresses) without EU user consent, depending on the configuration of Google Analytics.
  • Due to surveillance laws in the USA, Google could not reasonably ensure that personal data would not be accessed by the USA government, despite various technical and organizational controls.
  • It’s not relevant that Google may need additional information to fully identify a person, as the law doesn’t state that all the information needs to be in the hands of a single party.
  • Google itself can identify a person, as it can allow people to opt out of personalized ads.

Critically, this means that Standard Contractual Clauses, commonly believed to make a transfer GDPR compliant, may not be sufficient to ensure reasonable data protection in light of USA surveillance laws.

noyb has written its own legal analysis, which can be reviewed here.

What’s the worst case scenario?

If this continues to hold up in court, then businesses in the USA are in for a rough time if they continue collecting data in Europe. It’s not clear to me whether USA laws apply to data hosted in EU data centers (given the USA, I’d be inclined to think it likely, but I leave this to the courts).

Taken more broadly, this could in theory impact every client-side third-party resource loaded by an EU site, since the resource request made by the user’s browser exposes the user’s IP address to that third party. If it is upheld that this alone is sufficient, then loading such client-side third-party resources without consent effectively becomes unlawful. We may see this result in a shift to EU alternatives, or spur adoption of server-side tagging.
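As an added illustration (not part of the original post), the following Python audit lists which hosts a page makes a visitor’s browser contact, and therefore which third parties receive the visitor’s IP address at load time. The sample HTML, the `.test` consent-manager host and the `G-XXXXXXX` measurement id are constructed placeholders, and the two-label “own domain” heuristic is an assumption a real audit would replace with the Public Suffix List.

```python
# Added example (not part of the original post): audit an HTML page for the
# client-side third-party resource loads described above. Each one makes the
# visitor's browser connect to that host, disclosing the visitor's IP address.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute whose URL the browser fetches while rendering the page;
# <link> only triggers a fetch for certain rel values (canonical etc. do not).
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
FETCHING_LINK_RELS = {"stylesheet", "preload", "icon", "preconnect", "prefetch"}

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []          # every URL the page tells the browser to load

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and not set(a.get("rel", "").lower().split()) & FETCHING_LINK_RELS:
            return
        if tag in FETCH_ATTRS and a.get(FETCH_ATTRS[tag]):
            self.urls.append(a[FETCH_ATTRS[tag]].strip())

def registrable_domain(host):
    # Assumption: the last two labels stand for the site's own domain; a real
    # audit would consult the Public Suffix List (e.g. for ".co.uk").
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def third_party_hosts(html, site_host):
    """Return the sorted hosts, other than the site's own, that the page contacts."""
    collector = ResourceCollector()
    collector.feed(html)
    own, hosts = registrable_domain(site_host), set()
    for url in collector.urls:
        if url.startswith(("data:", "blob:")):
            continue                     # inline data, no network request
        if url.startswith("//"):
            url = "https:" + url         # protocol-relative URL
        host = urlparse(url).hostname
        if host and registrable_domain(host) != own:
            hosts.add(host)
    return sorted(hosts)

# Constructed sample page, not a real site; the measurement id is a placeholder.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="https://example.org/page">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script src="//cdn.example-consent.test/uc.js"></script></head><body>
<img src="/img/logo.png"><img src="https://static.example.org/hero.jpg">
<iframe src="https://www.youtube-nocookie.com/embed/abc"></iframe></body></html>"""
```

Running `third_party_hosts(SAMPLE_HTML, "example.org")` reports the tag manager, the consent manager and the video embed as IP-disclosing third parties, while the site’s own CDN subdomain and the non-fetching canonical link are ignored.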

This isn’t just a theory of mine either; we’ve seen courts begin to adopt this stance, when a German university was issued an injunction against loading Cookiebot (a consent manager) on the grounds that the script was loaded from the USA and the user hadn’t consented to having their IP address (personal information) sent to the USA. Effectively, the court decision reads like: “The site didn’t have consent to transmit the IP address in order to load the consent manager that asks for consent, and since the marketing pixels are not required for the site to work, they are optional, so the site can’t load the consent manager without first having consent.”

So while this specific case dealt with Google Analytics, it’s very realistic that other US-based services and platforms could be impacted by this change in thinking. I strongly advise brands with an EU business presence to pay close attention to developments in the coming months.

We could (in theory) see the USA take notice and amend its data privacy and surveillance laws to avoid fallout, but given the present political climate, I find this unlikely to occur within a reasonable timeframe.

Fines

Fines and any liability for Google LLC will be determined at a future date. Fines under GDPR can range up to 20 million euro or 4% of global revenue. Given the case and the presence of Google Analytics across the industry, the fines could very well end up on the high end. We’ll need to wait and see.
