The use of the analysis tool Google Analytics per se is not a violation of the EU General Data Protection Regulation. The Public Affairs working group recommends checking and adjusting the settings in consent management.
It was a bang: A few days ago, the Austrian data protection authority (DSB) came to the conclusion based on a model complaint that was filed by the Noyb association surrounding Max Schrems: The integration of Google Analytics on websites violates the General Data Protection Regulation (GDPR).
The non-final judgment in the lawsuit by data protection officer Schrems stirred up some dust and caused misleading reporting: the data protection officer’s complaint dates back to August 2020, when, among other things, the anonymization function had not yet been implemented. At that time, the contractual partner for the free Google Analytics version was still Google LLC in the United States and not the current Google Ireland Ltd. based in the European Union. In the specific case of an Austrian company, the analysis tool was poorly integrated by the website operator and no (sufficient) consent was obtained from the user for data processing, as is the standard in consent management today.
As a rule, the consent of the user is explicitly requested via Consent Banner and the consent to the further processing of the data or transmission to the USA is expressly obtained. In the Public Affairs working group, the largest advocacy group for the Austrian digital economy, it is also assumed that there will be appeals and that the Federal Administrative Court will have to decide again on the matter. It also remains to be seen whether the Austrian decision will be adapted by other data protection authorities in the EU.
The public affairs experts consider Schrems’ statement that European companies are no longer allowed to use US cloud services to be massively exaggerated and not justified in connection with the specific decision. Ultimately, this would attack the entire digital industry with the necessary analysis tools it uses and spread fears among users.
Europe isolated from global development?
Another problem: A complete ban on US cloud services would decouple Europe from technological (world) development. In addition, there are not enough (human) resources to quickly implement possible European alternatives – a point that affects small and medium-sized companies in particular.
Therefore, a pragmatic approach is needed: The general use of Google Analytics is not a problem. However, website operators and advertisers are responsible for checking the legal basis and, for example, obtaining the consent of users as part of consent management.
“The current case is a wake-up call. Companies are well advised to do their homework and to check and actively update their settings for compliance with the EU General Data Protection Regulation,” recommends Markus Fallenböck (Own360), head of the Public Affairs working group at iab austria .
In a guide for its members on the lawful use of Google Analytics, iab austria points out that data must be anonymized, which means that informative information about the number and behavior of users can still be obtained. The data protection authority regards the storage of the IP address or the device fingerprint as processing of personal data, since individual users can be specifically identified.
“Website operators must be aware that the data protection authority holds them solely responsible for the further processing of the data by third parties and not, for example, the provider of the analysis tool. Legal certainty can be established by checking and possibly updating the consent management should not be put off on the long bench,” says Fallenböck.