Marketing Magic of Google Analytics: refrain from using or not

As none of us can imagine our lives without the phone and the Internet, no online market specialist can imagine their work without Google Analytics. The possibilities of modern marketing would hardly be so advanced if web analytics services did not exist – tools that allow you to track website visitors’ behavior, collect and process statistics. The undisputed leader among them is the free Google Analytics service, which provides perhaps the most comprehensive range of tools that allow you to track any activity on a web resource: identify the most popular content among visitors, get detailed information about traffic sources: organic, direct, social media and referral; identify search phrases that bring the most traffic and analyze the semantic core potential, consider behavioral factors and highlight the most popular among the target audience pages of the website, and finally track the effectiveness of advertising campaigns and much more.

Over 18 years of its existence, Google Analytics, and other Google services have become indispensable data processing tools for business owners and various organizations, such as educational institutions, healthcare, and sometimes even government agencies. Therefore, it was only a matter of time before Google services, including Google Analytics, came to the attention of European data protection supervisors. It happened a few years ago.

Today, we have several court and supervisory authorities’ decisions that oppose the use of Google services and, in particular, Google Analytics in Europe. Why did this happen, what are the consequences, and what should businesses that want to proceed in the European Union prepare for? Let’s take a closer look.

Background

Once upon a time, Edward Snowden revealed many secrets about the activities of the US intelligence services, including how the US spy on foreign citizens, collecting their data around the world. Shortly afterward, a then-unknown Austrian student, Max Schrems, filed a complaint with the Irish supervisory authority (DPC) against Facebook Ireland, arguing that transferring his personal data to the American company was dangerous due to the scope of its intelligence activities. Section 702 of the Foreign Intelligence Surveillance Act (FISA) allows the US government to conduct targeted surveillance of foreign persons outside the US to obtain “foreign intelligence information”: the US Attorney General and the Director of National Intelligence may issue directives obliging US electronic communications service providers (ECSPs) to provide such information.

The proceedings culminated in the EU Court of Justice judgment dated 06.10.2015 in case No. C-362/14 (known as Schrems I), which stated that Section 702 of FISA, along with the provisions of the U.S. Presidential Executive Order No. 12.333 (E.O. 12.333) and Presidential Policy Directive No. 28 (PPD-28) authorize surveillance of non-U.S. persons located outside the United States. Although PPD-28 prohibits specific bulk collections and limits how long agencies can retain information on non-U.S. persons. The CJEU reasoned that FISA 702 and E.O. 12.333, even as limited by PPD-28, allow U.S. intelligence agencies to collect more information than is strictly necessary to fulfill their missions and do not provide EU citizens with sufficient avenues for judicial redress of alleged infringements of privacy. The complainant’s claims were satisfied, and the Safe Harbor agreement, which regulated information transfer between the EU and the US since 2000, was canceled.

As the US was not either then or now included by the European Commission in the list of appropriate jurisdictions with which free data transfer could take place, in 2016, the EU and the US adopted another agreement, the so-called Privacy Shield, which applied to the commercial sector and provided that data recipients in the US had to guarantee compliance with most of the data processing principles applicable in the EU.

Meanwhile, Max Schrems continued challenging the illegality of data transfer to Facebook. In July 2020, the EU Court of Justice ruled (known as Schrems II) that the Privacy Shield was illegal, citing that this data transfer mechanism did not provide adequate protection for European data. The case also called into question another of the protective tools for international data transfers provided for in Article 46 of the GDPR (General Data Protection Regulation) – Standard Contractual Clauses (SCC) – approved by the European Commission and can be used for cross-border transfer of personal data to a country that is not included in the list of appropriate jurisdictions by the EU. Although the EU Court of Justice did not invalidate the SCC, it just emphasized the need for “adequate safeguards”, i.e., supplementary data protection measures in unsafe jurisdictions, including the United States. Thus, the court has significantly complicated the use of the SCC, obliging companies to implement supplementary measures to counteract the risks of data transfers to the United States.

Max Schrems did not stop there, and based on the Schrems II decision, an organization he founded – the European Center for Digital Rights (NOYB), filed 101 complaints with the supervisory authorities of European countries about the illegal use of Google Analytics and Facebook Connect by large companies across Europe. The European Data Protection Board (EDPB) was forced to set up a taskforce to coordinate the consideration of these complaints, and today we already have the first decisions: the supervisory authorities of Austria, France, Italy, Finland, and Hungary have already recognized the use of Google services, including Google Analytics, as illegal. But not everything is so clear.

How Google Analytics collects user data

Google Analytics tracks users using cookies containing unique identifiers for each user, which are considered personal data under the GDPR. When a user consents to marketing cookies on a website that uses Google Analytics, their personal data is sent to Google and may ultimately be processed in the United States (note that Google’s infrastructure is spread across the globe). In fact, without personal data, Google Analytics would be a useless tool.

In this context, it is worth noting that Google has declared it has taken some measures to ensure compliance with the GDPR. In particular, it has started using standard contractual clauses (SCC) to ensure the security of cross-border data transfer, updated its terms of use, introduced regional data collection (so that data from devices located in the EU is collected on servers in the EU before traffic is redirected to analytical servers for processing), set data retention periods, and allowed IP address anonymization of tracked users of websites and applications. But despite this, let’s not forget that Google Analytics 4, just like previous versions, is based on cookies (though first-party cookies). Therefore, the basic principles of Google Analytics 4 remain unchanged as the service collects personal data.

Position of European supervisory authorities on Google Analytics

The key problem with Google Analytics’ compliance with the GDPR is the fact that user data, including that of EU residents, is processed on servers located, among other things, in the United States, as well as the company’s own country of residence, which makes it the subject to the jurisdiction of US intelligence agencies and legislation.

In general, the conclusions of European supervisory authorities on the illegal use of Google Analytics are that the information about the users processed by Google in the United States is personal data within the meaning of the GDPR. Therefore, American intelligence agencies can potentially identify each person using their IP addresses and other online identifiers  (cookies, device IDs, user IDs, etc.).

For example, in justifying its decision, the French supervisory authority (CNIL) noted that “online identifiers, such as IP addresses or information stored in cookies, can commonly be used to identify a user, particularly when combined with other similar types of information. This is illustrated by Recital 30 GDPR, according to which the assignment of online identifiers such as IP addresses and cookie identifiers to natural persons or their devices may “leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” In the particular case where the controller would claim to be unable to identify the user through the use (alone or combined with other data points) of such identifiers, he would be expected to disclose the specific means deployed to ensure the anonymity of the collected identifiers. Without such details, they cannot be considered anonymous.”

The Austrian supervisory authority (DSB) also expressed the position that the supplementary security measures taken by Google are not enough to prevent access to the personal data of EU citizens by US intelligence agencies. Anonymizing the IP address does not solve the problem, as other types of data (information in cookies and device data) are still transmitted to Google in open form.

Together, these circumstances lead to a violation of the requirements of Chapter V of the GDPR. Therefore, the web resources which are defendants in the abovementioned cases must either stop using Google Analytics or take supplementary, more reliable safeguards. In other words, de jure, these decisions apply to specific data controllers, and in theory, a prohibition on the use of Google Analytics by one entity does not mean that such a prohibition applies to others who can take “more reliable additional safeguards.” But is this possible in practice?

What supplementary measures can be considered effective?

In the Schrems II judgment, the EU Court of Justice concluded that supplementary data security measures should be selected and evaluated on a case-by-case basis. Subsequently, the supervisory authorities of France (CNIL) and Denmark (Datatilsynet), as well as the European Supervisory Authority (EDPB), issued their recommendations on the conditions for the lawful use of Google Analytics and provided examples of possible technical protection measures, which, however, did not provide unambiguous answers.

According to these supervisory authorities, the application of supplementary security measures should be aimed primarily at interrupting direct contact via HTTPS connection between the user and the servers managed by Google because, as part of its security measures, Google potentially uses firewalls that register incoming traffic and their logs may contain references to information collected by Google Analytics. Thus, it is possible to obtain information, for example, about the IP address, even if Google Analytics does not collect this data.

The list of potentially applicable security measures includes the following.

• Pseudonymization. Sometimes it can be an effective way to protect personal data. In the case of Google Analytics, according to the Danish supervisory authority (Datatilsynet), pseudonymization can be implemented by establishing a reverse proxy server which acts as a hub for Internet traffic from website visitors. This way, an organization can gain control over what data is collected and what data is subsequently sent to the servers used to provide the web analytics tool, such as Google’s servers. At the same time, the risks of re-identification of the data subject in the country of import should be assessed.
• Proxy servers are widely used for anonymization on the Internet and, according to the French supervisory authority (CNIL), can serve as a way to protect the use of Google Analytics, provided that they are deployed under the recommendations of the supervisory authority.
• Encryption. Not all supervisory authorities consider encryption an effective means of protection for data transmission. The Danish supervisory authority (Datatilsynet) emphasizes that encryption can only be regarded as an effective supplementary technical measure if the encryption keys are held exclusively by the data exporter or a third party within the EU/EEA or in a secure third country.

In general, the effectiveness and practical benefits of the abovementioned technical measures should be assessed skeptically since the vast majority of web resources in the world use cloud solutions, as well as Cloudflare (a service for protecting web resources from attacks), which solves many problems when deploying projects and offer many data protection solutions.

In addition, the European Data Protection Board (EDPB), in its recommendations on supplementary data transfer safeguards, noted that in some cases, in particular when transferring data to cloud service providers or other processors that need access to data in open form, supplementary measures do not ensure an adequate level of protection for data transferred to a third country.

What can I do to continue using Google Analytics safely?

It is worth remembering that before using the service, all data controllers agree to Google’s standardized terms of use, i.e., to the same data protection provisions. Therefore, no user (the data controller) can negotiate different terms with Google.

Theoretically, companies operating in the European market can implement supplementary data protection measures recommended by supervisory authorities and continue using Google Analytics, assuming all risks. But in practice, executing them is a complex and costly process.

The only reasonable and safe solution today is to use alternative web analytics services. So far, Google has not made any statement about its intentions to transfer the processing of user data from Europe directly to the EU, unlike Microsoft, which in January 2023 began implementing the EU Data Boundary, which will allow customers of Microsoft 365, Azure, Power Platform and Dynamics 365 to store and process their data within the EU.

Instead of conclusions

In the situation with Google Analytics, it should be remembered that the legal nature of the data protection supervisory authorities’ powers is not related to the prohibition of the use of services in a specific administrative territory – their decisions are personalized to the parties of a particular case. Their powers are limited to providing a legal assessment of the legality of processing personal data in certain ways, including through specific technologies.

One thing remains unchanged: in case of any processing of personal data, the data controller is obliged to demonstrate that its activities are carried out according to data protection legislation. Therefore, even if the decision to continue using Google Analytics is made, to comply with the accountability principle of the GDPR, the controller must document it and be able to demonstrate that all appropriate protection measures have been taken.

2023-03-06