Many websites use Google Analytics (cookies), to analyze the use of the website using statistical data. (How long) is that allowed? That is now the question. Indeed, the decision of the Austrian Data Protection Authority, which came out on Jan. 13, 2022, finds that Google Analytics does not meet the requirements of the General Data Protection Regulation (AVG). Presumably, similar decisions by data protection authorities from other member states will soon follow.
In its decision, the Austrian "Datenschutzbehörde" found that the transfer of personal data from Austria to Google in the U.S. lacked legitimacy as required under the AVG. Not only were the technical measures taken by Google (such as the use of HTTPS and encryption) found to be inadequate, the organizational measures were also insufficient. Among other things, the privacy statement was not in order and the notice to visitors was insufficiently clear.
Under the AVG, Google could be fined up to 20 million euros or 4% of global annual sales in this context. Whether a fine has been imposed or will be imposed is still unclear, however, partly because this is a public enforcement procedure. It also remains to be seen whether the European party involved that transferred the data to the U.S. will also be fined. However, this is in line with expectations.
When using Google Analytics, analytical cookies are placed and thus personal data of website visitors are processed. In addition to the AVG, the Telecommunications Act (Tw) also applies to the placement of cookies. Under the Tw, the main rule is that the website visitor must be asked for permission before cookies are placed. An exception applies to analytical cookies, if the cookies have no or only minimal impact on visitor privacy. In that case, no consent is required - not even under the AVG.
Nevertheless, under both the AVG and Tw, website visitors must be informed about the placing of cookies, for example via a cookie declaration. This should include information about the security measures taken and international transfer.
This decision is the first in a series of numerous complaints about the transfer of personal data to the United States filed by privacy foundation Noyb following the landmark Schrems II ruling on July 16, 2020. That ruling called into question the transfer of personal data from the EU to the U.S.
Following the Austrian authority's recent decision, we can expect more fining decisions of the same nature in other European member states. Indeed, the national data protection authorities of member states have worked together in the European Data Protection Board in these cases.
The use of the Google Analytics software may soon be banned, the AP says. Currently, the AP is investigating two complaints surrounding Google Analytics from the Netherlands. The regulator indicates that this investigation will be completed in early 2022. If, like the Datenschutzbehörde, it concludes that Google Analytics transfers personal data to the U.S. in a way that violates the AVG, the AP will have to look for an alternative analytics software. In that scenario, Dutch websites will risk fines if they continue to use Google Analytics.
The AP has had a guide to setting up Google Analytics in a privacy-friendly manner on its website for some time. This was updated in response to the above-mentioned development on Jan. 13, 2022. The manual can be found here.
