Three EU privacy authorities have determined Google Analytics unlawfully transfers data to the United States, leaving companies with few or no alternatives and privacy professionals debating how to react, as further similar decisions are anticipated.
“Cry and pray. I think that’s the only thing we can do — is cry and pray,” Fox Rothschild Partner Odia Kagan, CIPP/E, CIPP/US, CIPM, FIP, PLS, said. “Companies are really in a bind with no real good solutions.”
Authorities in Austria and France ruled earlier this year that Google Analytics violates the EU General Data Protection Regulation, and just last week, Italy’s data protection authority, the Garante, followed suit, deeming the transfer of Google Analytics data collected through cookies by website operators a GDPR violation. The rulings come in response to 101 complaints filed across EU member states by advocacy group NOYB following the “Schrems II” decision that invalidated the EU-U.S. Privacy Shield — and France’s data protection authority, the Commission nationale de l'informatique et des libertés, indicated that European authorities have organized to “examine the legal issues raised” in the NOYB complaints and “coordinate their positions and decisions.”
In its ruling, the Garante found users’ IP addresses, browser and operating system information, and more were transferred to the United States, “a country without an adequate level of protection.” The authority gave companies 90 days to rectify issues. Meanwhile, France’s CNIL issued an undisclosed number of compliance notices to companies over data transfers carried out through Google Analytics, granting a 30-day compliance period.
In an accompanying Q&A, the CNIL said there is no way to configure Google Analytics so personal data is not transferred outside of the European Union. It also stated there are no “sufficient additional safeguards” that could be implemented to enable the use of the tool, and that standard contractual clauses established with Google by the organizations that received formal notice cannot “ensure a sufficient level of protection.”
A Google spokesperson told Euractiv, “Google Analytics helps publishers understand how well their sites and apps are working for their visitors — but not by identifying individuals or tracking them across the web. These organisations, not Google, control what data is collected with these tools, and how it is used. Google helps by providing a range of safeguards, controls and resources for compliance.”
So, with Google Analytics being one of the most commonly used internet data analysis tools out there, what are companies impacted by these decisions left to do?
“You have a couple choices. You either use a service which doesn’t transfer to the U.S. at all, or (the CNIL) did give some sort of solution here, but even they are conceding the options would often not be workable either technologically or economically,” Kagan said. “If you are going to use an EU-based only service, are there sufficient services that do what you need and are cost-effective and what do you do if you have U.S. components to your company? Let’s say you are a multi-national and you need to access this stuff from the U.S., now what?”
In its Q&A, the CNIL offered a potential solution that Baker McKenzie Partner and IAPP Country Leader for France Yann Padova said is the first he’s seen a regulator bring forward, though he doesn’t know yet “if it’s totally and technically feasible, easily.” The CNIL said “proxyfication,” using a third party to pseudonymize data, would result in sending only “pseudonymized data to a server located outside the European Union.”
“The question becomes is this workable in real life? Number two, is it cost-prohibitive in real life? And number three, relatedly, are there decent non-cost-prohibitive options currently in the market to do this,” Kagan said. “In theory this is nice, but in practice, not so nice. It depends on the workability of this workaround.”
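To make the CNIL’s “proxyfication” idea concrete, here is an added example (not code from the CNIL, Google or this article) of an EU-hosted measurement proxy that receives raw hits from a site’s own pages and forwards only a pseudonymized payload. The field names, the choice of transformations (dropping the IP address, keying visitor pseudonyms with a per-day secret that never leaves the proxy, reducing browser and operating system information to coarse families, stripping query strings and referrer paths) and the sample hit are all assumptions made for the illustration; they do not describe any vendor’s API.

```python
"""Pseudonymizing measurement proxy (added illustration, not CNIL or vendor code).

Assumptions, not from the article: the proxy runs on an EU-hosted server, the
site's pages send raw hits to it instead of to the analytics vendor, and only
the dict produced by sanitize_hit() is forwarded outside the EU.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Raw identifiers and fingerprint material that must never leave the proxy.
RAW_FIELDS = frozenset({"client_ip", "user_agent", "client_id", "cookies", "url", "referrer"})

# Coarse browser/OS buckets. Order matters because user-agent strings overlap:
# Edge contains "Chrome", Chrome contains "Safari", Android contains "Linux".
BROWSER_FAMILIES = (("Firefox/", "Firefox"), ("Edg/", "Edge"), ("Chrome/", "Chrome"), ("Safari/", "Safari"))
OS_FAMILIES = (("Windows", "Windows"), ("Android", "Android"), ("iPhone", "iOS"),
               ("Mac OS X", "macOS"), ("Linux", "Linux"))


def coarse_family(user_agent: str, table) -> str:
    """Reduce a full user-agent string to one coarse family name."""
    for needle, name in table:
        if needle in user_agent:
            return name
    return "other"


class PseudonymizingProxy:
    def __init__(self, secret=None):
        # The secret is generated on, and never leaves, the EU proxy; the
        # downstream recipient cannot reverse the pseudonyms without it.
        self._secret = secret if secret is not None else secrets.token_bytes(32)

    def _day_key(self, day: str) -> bytes:
        # Per-day derived key: the same visitor gets a different pseudonym each
        # day, so the recipient cannot link hits into a long-term profile.
        return hmac.new(self._secret, day.encode(), hashlib.sha256).digest()

    def pseudonymize_id(self, client_id: str, day: str) -> str:
        return hmac.new(self._day_key(day), client_id.encode(), hashlib.sha256).hexdigest()[:32]

    def sanitize_hit(self, hit: dict, day: str) -> dict:
        """Build the only payload that is forwarded outside the EU."""
        url = urlsplit(hit.get("url", ""))
        ref = urlsplit(hit.get("referrer", ""))
        ua = hit.get("user_agent", "")
        return {
            "visitor": self.pseudonymize_id(hit.get("client_id", ""), day),
            "path": url.path,                     # query string and fragment dropped
            "referrer_host": ref.hostname or "",  # hostname only, no path or parameters
            "browser": coarse_family(ua, BROWSER_FAMILIES),
            "os": coarse_family(ua, OS_FAMILIES),
            # No client_ip: the vendor only ever sees the proxy's own address.
        }


def forwards_only_pseudonymized(payload: dict) -> bool:
    """Gate applied before forwarding: refuse if any raw field slipped through."""
    return RAW_FIELDS.isdisjoint(payload)


# Constructed sample hit (documentation IP range, made-up identifiers).
SAMPLE_HIT = {
    "client_ip": "203.0.113.42",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36",
    "client_id": "visitor-cookie-0001",
    "url": "https://www.example.com/pricing?utm_source=newsletter&email=alice%40example.com",
    "referrer": "https://example.org/blog/post?id=7",
    "cookies": {"_session": "abc123"},
}


def demo(day: str = "2022-06-30") -> dict:
    """Run one hit through the proxy; fixed secret only so the demo is reproducible."""
    proxy = PseudonymizingProxy(secret=b"\x01" * 32)
    payload = proxy.sanitize_hit(SAMPLE_HIT, day)
    assert forwards_only_pseudonymized(payload)
    return payload


if __name__ == "__main__":
    print(demo())
```

The forwarded dict keeps what an audience report needs (page path, referring site, browser and OS family, a daily-rotating visitor pseudonym) while the raw IP, full user-agent, cookie identifier and URL parameters stay on the EU proxy, which is the property the CNIL’s Q&A describes; whether the resulting data is still useful enough, and the proxy cheap enough to operate, is exactly the workability question raised above.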
The CNIL also published a list of alternative “audience measurement tools,” but subsequently pointed out the “list does not currently examine the issues raised by international transfers.” It also noted data controllers cannot take a risk-based approach, clarifying, “Personal data transferred to a country outside the European union must benefit from a level of protection ‘substantially equivalent’ to that guaranteed in the EU.”
The alternative measurement tools offered by the CNIL are “a bit of a shortcoming,” Padova said, and its refusal to endorse a risk-based approach “questionable,” as he pointed out that risk-based approaches are entrenched within the GDPR and the newest set of standard contractual clauses for international data transfers.
He said the alternative tools provided are a reaction to criticism that data protection authorities have not offered a solution in their decisions regarding Google Analytics.
“They want to say they (offer a solution), but when you read it, they do not in light of the data transfer issue, which is the very reason Google Analytics is under consideration,” he said.
Some companies are weighing their own risk-based approach anyway, Padova said, and continuing to rely on Google Analytics “because there is no other option and they’re not caught by the patrol yet.” Many are also in a “wait and see position” awaiting a replacement for the EU-U.S. Privacy Shield agreement. The agreement was released in principle in March and European Commissioner for Justice Didier Reynders has said official legal text is expected “in the next weeks” leading to a finalized agreement by the “end of the year (or) the first quarter of next year.”
“So, companies are also playing the clock, saying well in six months there’s a chance to get off the hook,” Padova said. “Since March, companies have been waiting and you see that the regulators are not really playing the same game. So, everybody’s assessing risk, that’s what I see.”
Companies that feel at risk of enforcement action due to the Google Analytics decisions should be putting effort into finding a solution, Padova said.
“A way to protect your company is to at least gather information and try to find solutions, document in order to be able to demonstrate your accountability to the regulator,” he said.
Having an in-depth understanding of a company’s use of Google Analytics and what information is being shared and collected through use of the tool is also important, Kagan advised.
“Google Analytics is not a one-size-fits-all thing. It’s what you make of it. You need to understand it because there is literally no way to do anything unless you understand what is going on,” she said. “What is the information you are sharing? Is it bank account information, sensitive information, health information, sexual orientation? Figure out your data. You’ve got to do it for literally every single compliance possibility ever.”
From there, companies can assess their level of risk, evaluate whether there are measures to be taken that can mitigate that risk, and determine what might be the best option for them.
“Are there options that don’t collect information, or options where you don’t provide information with the server at all, like through a proxy,” she said. “Look at alternatives where the information is not shared with the provider, or a provider that is EU-based, though that’s not always workable if you have a U.S. component.”
The final option, Kagan said, “is of the cry and pray genre.”
“Be vocal about how difficult this is.”
Photo by Markus Spiske on Unsplash