Google Analytics illegal across Europe under Austrian GDPR interpretation

Austria’s data protection authority finds that European websites’ use of Google Analytics violates the GDPR. The impact of the ruling is unclear but could be significant.

Websites using Google Analytics are violating the GDPR. That’s what the Austrian data protection authority thinks. Currently, it is not allowed to export Europeans’ personal data to the U.S. unless companies can offer guarantees that European data is protected from government spying there, and the far-reaching spying laws in that country make such guarantees impossible. The European Court of Justice already confirmed that situation twice, in the Schrems I and Schrems II judgments.

Google Analytics

Until now, the rulings have mainly played an important role with data transfers from Facebook, for example, which are quite clearly in violation of the applicable law. The Austrian authority now finds that the use of Google Analytics also violates the GDPR.

Google Analytics is a standard tool used by Web site operators worldwide to keep track of what is happening on their site (how many visitors get to a page, do those visitors stay long or not, do they click through to other pages…).

The ruling is notable, since Analytics does not aim to identify individuals. Visitor data is processed to monitor a site’s performance, but that can be done using anonymized IP addresses if desired.

Unique IDs as personal data

The Austrian regulator now finds that transfers of personal data do occur when a European-operated website uses Analytics. Anonymizing IP addresses would not suffice as a solution. Google argues that the data is not personal data, but the Austrians do not follow suit. In addition to IP addresses, the ruling also describes unique identifiers and browser parameters as problematic.

A unique ID is used, among other things, to determine whether a website visitor has visited a specific site before. This is relevant for the publisher to optimize websites and content. The ID is not linked to any further information, but still counts as personal data according to the regulator. For the purposes of Article 4 of the GDPR, it does not matter whether a unique ID is actually linked to an identifiable person. The fact that such a link is theoretically possible is sufficient.

Possible impact

The ruling came after a complaint by privacy advocacy group Noyb. That organization is led by Maximilian Schrems, after whom the Schrems judgments are named. The complaint was against an unnamed website and examined its specific situation.

It is unclear to what extent this ruling will affect the broad use of Analytics. Noyb has filed about 100 more similar complaints, spread across most member states. As part of the GDPR, data protection authorities are coordinating their rulings, so future rulings will basically be in line with this first Austrian ruling.

Transfers and continued use of analytics

The bottom line seems to be that Google Analytics assigns visitors an anonymous but unique identifier. That allows Web site operators to track how people visit their sites. The codes are personal data according to the Austrian interpretation of the GDPR. When using Analytics, the codes end up on Google’s U.S. infrastructure, and thus an exchange of personal data takes place for which there is currently no adequate legal framework. The exchange is therefore illegal. As a result, the use of Google Analytics in this case becomes impossible.

To see the real impact, we must await further statements from other regulators. In any case, the Austrian view is problematic for websites large and small across the EU. After all, Google Analytics is the standard for website analytics. It is further notable that privacy group Noyb is no longer targeting technology giants with this crusade, but wants to have an impact on European organizations large and small.