European rulings on the use of Google Analytics and how it may affect your business – Data Protection Report

Recent decisions out of the EU will impact the use of Google Analytics and similar non-European analytics services when targeting EU individuals, with the potential to put many organizations at risk of receiving GDPR fines.

At issue was the transfer of personal data from the EU to the US through the use of Google Analytics.

These decisions, like the Schrems decisions, make it clear that organizations must have a technical understanding of their data flows, with an emphasis on: (1) where the data is going; (2) who is receiving the data; and (3) how the data is protected. Many of our clients are using the firm's technical tool suite, NT Analyzer, to assist with their data protection and privacy efforts.

It is important to remember that the analysis should not end with just cookies and Google Analytics. Cookies are only one of many ways to collect/transfer data, meaning Google Analytics and similar services can receive personal data through other means.

For example, even if a website or app is not utilizing these types of cookies/technologies, the website or app could still send personal data to Google via HTTP parameters, which are sent as part of the query string (e.g., http://www.website.com/pg1/?name=John_Smith). Additionally, the website or app operator could also use browser/device fingerprinting or other means to track users across web properties. Therefore, it is important to conduct a technical analysis to determine if and how a website or app utilizes these types of services, and whether mitigations are needed.
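An illustration of the query-string leak described above, as an added example that is not part of the original post or of NT Analyzer: it scans captured outbound request URLs for personal data in query parameters and, for requests to Google Analytics endpoints, also inspects the page URL carried in the Universal Analytics Measurement Protocol `dl` (document location) parameter. The PII key list, the analytics host list and the sample log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Query-string keys that commonly carry personal data (assumed list; extend for your site).
PII_KEYS = {"name", "email", "phone", "user_id", "userid", "uid", "customer_id"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)
# Hosts treated as analytics providers (assumed list for this example).
ANALYTICS_HOSTS = ("google-analytics.com", "analytics.google.com", "googletagmanager.com")

def find_pii_params(url):
    """Return (key, value) pairs in url's query string that look like personal data."""
    hits = []
    for key, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        if key.lower() in PII_KEYS or EMAIL_RE.fullmatch(value):
            hits.append((key, value))
    return hits

def audit_request(url):
    """Inspect one outbound request URL. For analytics endpoints, also inspect the page URL
    they carry in the 'dl' parameter: the page's own query string travels inside it."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    to_analytics = any(host == h or host.endswith("." + h) for h in ANALYTICS_HOSTS)
    pii = find_pii_params(url)
    if to_analytics:
        params = dict(parse_qsl(parsed.query))
        if "dl" in params:  # parse_qsl has already percent-decoded the embedded page URL
            pii.extend(find_pii_params(params["dl"]))
    return {"request": url, "to_analytics": to_analytics, "pii": pii}

def audit_log(lines):
    """Return every request whose query string (or embedded page URL) carries personal data."""
    return [f for f in (audit_request(l.strip()) for l in lines if l.strip()) if f["pii"]]

# Constructed sample of captured outbound requests (not real traffic; tid is a placeholder).
SAMPLE_LOG = """
https://www.website.com/pg1/?name=John_Smith
https://www.google-analytics.com/collect?v=1&tid=UA-EXAMPLE-1&cid=555&t=pageview&dl=https%3A%2F%2Fwww.website.com%2Fpg1%2F%3Fname%3DJohn_Smith
https://www.google-analytics.com/collect?v=1&tid=UA-EXAMPLE-1&cid=555&t=pageview&dl=https%3A%2F%2Fwww.website.com%2Fabout%2F
https://www.website.com/api/profile?email=jane%40example.org
""".strip().splitlines()

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        flag = "TRANSFER TO ANALYTICS" if finding["to_analytics"] else "pii in own request"
        print(flag, finding["request"], finding["pii"])
```

The second sample line is the one that matters for Chapter V: the personal data never appears in a cookie, yet it reaches the provider inside the page URL.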

[For a useful primer and additional background on the Data Transfer schemes and Schrems II, please scroll down to the end of this article]

Like the Schrems cases, the recent Austrian NOYB case reviewed the transfer of personal data to the US. The NOYB complaint was aimed at Netdokter.at (Netdokter), an Austrian health website operator that uses Google Analytics and relies on Standard Contractual Clauses (SCCs) to govern transfers of personal data to Google in the US. NOYB argued that Google qualifies as an electronic communications service provider and is therefore subject to Section 702 of FISA, meaning that it can be ordered by public authorities to disclose personal data of EU citizens. Therefore, in light of the Schrems II decision, adequate protection of EU citizens' personal data cannot be ensured, resulting in an unlawful transfer of personal data to the US.

Netdokter's Austrian publishing company and Google, however, argued that the data provided to Google, which included IP addresses, other user identifiers, and browser parameters, did not qualify as personal data and, even if it did, sufficient supplemental measures were put in place to safeguard the personal data. Safeguards taken by Google included: (1) transparency reporting on data requests from US authorities, (2) encryption at rest in the data centers and (3) pseudonymization of the data.

Ultimately, the Austrian DPA sided with NOYB over Netdokter and Google.

The Austrian DPA held that data transfers to Google in the US in the context of Google Analytics result in a breach of Chapter V of the GDPR, which may make it difficult for EU businesses and non-EU businesses with an EU-facing website or app to use Google Analytics going forward. Specifically, according to the Ruling:

The French CNIL, through a press release, published a similar case last week. Although the CNIL has not yet made its decision public, the press release adopted similar reasoning as the Austrian DPA and ordered an unnamed French website operator to stop using Google Analytics.

In the meantime, there are several steps those impacted by these decisions should consider.

These decisions, like the Schrems decisions, make it clear that organizations must have a technical understanding of their data flows. Specifically: (1) where is the data going; (2) who is receiving the data; and (3) how is the data protected. As such, organizations should consider:

There are a few things to consider with respect to the decisions.

As was the takeaway from the Schrems II decision, any data transfer outside of the EEA should be assessed on a case-by-case basis. Therefore, the impact of these first European decisions on other US analytics services, and any kind of US data importer for that matter, should be reviewed in light of the specific additional safeguards taken by those companies to supplement the SCCs. By no means should these decisions be interpreted to mean that all personal data transfers to the US result in a breach of the GDPR.

The Austrian and French decisions are the first of many. This is not surprising given that NOYB filed 101 complaints with various EU DPAs in 2020 regarding EU companies' use of Google Analytics and Facebook Connect integrations. Following these complaints, the European Data Protection Board (i.e. the European body in which the EU DPAs are represented and whose purpose is to ensure consistent application of the GDPR and to promote cooperation among the EU DPAs) formed a taskforce to coordinate the work with respect to the complaints.

Additionally, other privacy activists are following NOYB's approach. For example, InterHop issued a referral to the French CNIL asking it to consider the use of Google Analytics in the context of e-health.

Stay tuned, more to come.

Norton Rose Fulbright's Information Governance, Privacy and Cybersecurity team stands ready to assist with your data transfer needs.

If you're interested in learning more about NT Analyzer and the Data Transfer Scanner, please visit https://www.ntanalyzer.com or feel free to request a demo by clicking here.

By way of background, under the GDPR data may flow freely within the EEA, consisting of the EU countries and Iceland, Liechtenstein and Norway. Personal data may also be freely transferred to countries outside the EEA (i.e. so-called third countries) that have received an adequacy decision from the European Commission. Examples are New Zealand, Japan and the UK, which recently received an adequacy decision following its departure from the EU.

Transfers to other third countries are subject to the more burdensome requirements of Chapter V of the GDPR, meaning that the transfer should be subject to appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. The reason for this is that the protection provided by the GDPR should be upheld wherever in the world the personal data is being transferred to. Appropriate safeguards may be provided by various means indicated in the GDPR, and these include the Standard Contractual Clauses (SCCs) adopted by the European Commission and approved certification mechanisms, such as the EU-US Privacy Shield that was valid until the Schrems II decision of the Court of Justice of the European Union (CJEU).

The Schrems II decision, which related to the transfers of personal data from Facebook Ireland to Facebook US, also impacted the use of SCCs. The CJEU ruled that US surveillance laws, in particular section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, do not limit or effectively oversee public authorities' access to EU personal data. Given that the SCCs only bind the parties who have entered into them, public authorities are still able to mandate the data importer to provide personal data, or to obtain personal data without the cooperation of the data importer.

Based on the Schrems II judgment it is clear that, in order to transfer personal data to third countries that did not receive an adequacy decision, including the US, it is necessary to:

These supplementary measures can be contractual, organizational or technical, but the technical measures (such as encryption or pseudonymization) are considered the most effective.

Special thanks to Nicole Sakin for her assistance in the preparation of this content.
