What are the consequences of using Google Analytics in the Netherlands?
According to a decision of the Austrian privacy regulator DSB dated January 13, 2022, Google Analytics violates the GDPR. The Dutch Data Protection Authority, the Dutch supervisory authority, is currently investigating two complaints about the use of Google Analytics. However, the impact of such a ruling is much broader than Google Analytics alone: Europe may be opening an attack on a much larger group of American tech companies.
Legal context of the ban on Google Analytics
On January 13, the Austrian privacy regulator DSB issued a ruling in a case brought by NOYB (None of Your Business, a privacy organization founded by privacy activist Max Schrems) against the organization behind an undisclosed website and Google LLC. The ruling concluded that Google Analytics does indeed violate Chapter 5, Art. 44 of the General Data Protection Regulation. The ruling can be explained as follows.
Google Analytics transfers personal data to the United States. This includes user identification data, IP addresses, and browser data. According to the DSB, the Standard Contractual Clauses (SCC) that Google uses to transfer personal data do not provide adequate privacy protection. However, this ruling has little to do with the technical operation of Google Analytics, or with the site on which the data is collected. This is precisely why a European adoption of this Austrian ruling could be so far-reaching, and why it should be seen in a much broader context than that of Google Analytics alone. The ruling is based on two important findings:
- As a provider of electronic communications services, Google is governed by Title 50 USC § 1881(b)(4). This legislation in turn gives US federal intelligence agencies the ability under 50 USC § 1881a (“FISA 702”) to require Google (and thus “other electronic communications service provider(s)”) to provide them with access to the data.
Note: Previous rulings in, for example, FBI vs. Microsoft have already shown that where the data is stored geographically is not relevant here.
- The measures Google has taken for its users in addition to the Standard Contractual Clauses (SCC) have been assessed as inadequate, as they do not exclude the possibility of monitoring of and access to data by US intelligence services.
The DSB decision can also be read as follows: since no other legal grounds were applied in this case that would legitimize the transfer of data to the US, the Austrian privacy supervisor holds that there has been a violation of the General Data Protection Regulation (GDPR). This means that:
- Data processed by Google is considered personal data, even when IP anonymization is applied, and;
- The processing of this data in the United States is, as a result of the legislation in force there, a violation of the General Data Protection Regulation, because ‘third parties’ (read: US intelligence services) can access this data without the user’s prior consent.
Violation of GDPR / AVG, despite configuration in accordance with privacy guidelines
As in all member states of the European Economic Area, the Dutch Data Protection Authority has provided a guide for setting up Google Analytics in a privacy-friendly way. So one would expect that if these guidelines are followed, which also include IP anonymization, the setup will adequately protect the privacy of site visitors. At the time of writing, this is still legally valid as well. But when the DSB ruling is adopted by the Dutch Data Protection Authority and/or other European privacy regulators, that will change.
The Austrian privacy supervisor’s opinion states that even when privacy-friendly measures are taken, including IP anonymization, the data still contains personal data and is not anonymised. For example, it will still be possible to combine the remaining data into a unique profile and then trace it back to an identifiable person, certainly in combination with the data that Google possesses when the user is logged into a Google account while browsing.
What are the consequences of using Google Analytics in the Netherlands?
It seems likely that other European supervisors will agree and adopt the DSB ruling. However, we are not there yet. The Dutch Data Protection Authority is currently investigating two complaints about the use of Google Analytics in the Netherlands, which were also filed by Max Schrems’ NOYB. After this investigation is completed, the Dutch Data Protection Authority can determine whether Google Analytics is prohibited or permitted in its current form. The ruling is expected in early 2022. Given that the complaints on which the Austrian case is based were already lodged in the middle of 2020, and given the importance that the Dutch Data Protection Authority also attaches to the previous ruling, we (TrafficBuilders) expect this ruling within a few days to weeks.
The ban can have a much broader impact
Never before has the use of Google Analytics been so strongly condemned in the context of the General Data Protection Regulation (GDPR) as in the aforementioned ruling by the Austrian privacy regulator. This is certainly cause for concern. But what should be of greater concern is the fact that the basis of the decision may have implications beyond Google Analytics alone. After all, it is not the technical operation of Google Analytics or a lack of privacy measures by Google itself that leads to this ruling, but the fact that Google LLC is considered an ‘Electronic Communications Services Provider’ and is therefore subject to the above legislation: legislation that gives US intelligence agencies license to access the data of all parties covered by it. So we are talking not only about Google, but also about Adobe, Hubspot, Salesforce, etc. The far-reaching effect is therefore many times greater than (Google) Analytics alone if you consider the services that US electronic communications service providers offer to European companies.
How concerned should we be about this?
But how concerned should we be about that? Of course, everyone has the right to decide for themselves with whom to share privacy-sensitive information. It is also clear that limiting the capabilities of tech giants such as Google and Facebook is part of this, and in the author’s opinion a good thing. But isn’t it naive to think that the (US) intelligence services need a law for that? If the NSA or the FBI wanted to know who I am, wouldn’t they find ways to do it anyway, willingly or in bad faith? Of course they would. It was recently announced that the head of the Danish intelligence service had been imprisoned because agreements were apparently made with the United States to read data from telegrams operated between Denmark and the United States. Legitimate or right? No, definitely not. But it does show that legislation plays only a limited role in actually protecting your privacy and mine.
It’s good that our privacy is guarded in this way, and even a crusade by privacy advocates like NOYB is admirable. But there comes a time when principles and a literal reading of the law must be weighed against the economic impact. With this ruling, which is taking on almost smear-like forms, that moment is getting closer and closer. After all, wasn’t the GDPR primarily intended to prevent the (commercial) abuse of privacy-sensitive data?
What can we expect?
It seems only a matter of time before other supervisory authorities, including the Dutch Data Protection Authority, reach a ruling similar to that of the DSB. However, in theory, it could also fizzle out.
For example, agreements can be entered into between the European Economic Area and the United States that limit the scope of 50 USC § 1881a (“FISA 702”), or at least reconcile it with the rights of residents of Europe. Such agreements previously existed in the form of, among others, the EU-US Safe Harbor and EU-US Privacy Shield agreements.
It may also be possible to include explicit warnings in the website’s privacy statement about the possibility of US intelligence services examining privacy-sensitive data. After all, in that case the visitor whose data might be shared would have given explicit permission for it, assuming correct implementation and reference to the privacy statement.
In any case, there is a lot at stake and it is not yet clear how the game will end. A ruling like this could certainly be used as leverage in negotiations between the United States and the European Union, with the goal of attracting European clients from American tech companies. To be continued.
Recommended next steps
For now, our advice at TrafficBuilders is to at least ensure that you configure Google Analytics in line with the previously issued guidelines, as set out in the Dutch Data Protection Authority’s guide to setting up Google Analytics in a privacy-friendly way. In addition, it is recommended to make an inventory of the software of US origin that you use and that processes personal data, and to obtain legal advice on this subject. Finally, be sure to follow developments in this matter closely. Of course, we do that too.