Austria Has Not Banned Google Analytics


Written by
Doug Hall
VP of Data Services and Technology


The past month has seen numerous cases of entities in the European Union being found in breach of GDPR. Local authorities have asserted that transgressors’ use of Google Analytics has exposed data processing that violates GDPR obligations, prompting Austria’s Data Protection Authority to issue penalties for violating GDPR norms.

But the product is not the subject of the ruling; the transfer of data, its use and safeguarding measures must warrant scrutiny. If Google Analytics is held to be illegal, the verdict will also have an immediate impact on all products and services that transfer data outside of the EU.

While this article is not intended to be legal advice, I intend to share potential future areas of discussion for EU-US data transfer—and immediate steps to take in light of the recent decision from Austria.

The Evolution of Privacy Regulations

Understanding how and why calls for a history lesson. Long before GDPR came into effect, there was the “Safe Harbor” agreement made between the EU and the US. The 2000 agreement allowed companies to self-certify they would protect EU citizens’ data if storing it within US data centers. The agreement stood for 15 years until it was invalidated by the European Court of Justice.

Safe Harbor was followed by the “Privacy Shield” agreement in 2016, which imposed stronger restrictions on US businesses in accessing and transferring EU citizens’ data. But in 2020, the Privacy Shield met the same fate at the hands of the Court of Justice via resolution C-11/18, colloquially called “Schrems II,” a reference to Austrian lawyer and privacy rights advocate Max Schrems.

Schrems began his privacy battle based on the testimony of Edward Snowden in 2013, regarding the PRISM program that gave the United States National Security Agency (NSA) unfettered access to data. Schrems argued that Facebook aided the NSA, violating the rights of EU citizens to have their data processed fairly.

At this time, the basic principle is that when personal data leaves the EU, the law travels with it. This is referred to as the transfer of personal data to third countries. For example, third countries might be the US, Australia, the UK or anywhere outside the European Union. Recent violations of GDPR, then, are not specific to Google or even to data housed in the US; the same rules apply equally to Adobe, Facebook, Amazon and all third parties who function as data collectors across geographical boundaries.

What Does This Mean for the Internet and Data?

The issue that Schrems II (PDF) raises fundamentally applies to the internet as a whole: analytics data collection uses basic internet technologies that are no different than those used when a browser loads an image. The image request still sends cookies and exposes the user’s IP address to the request endpoint.

Still, how analytics are used and how data is managed requires attention and respect for regulation. Increasingly, data protection authorities (DPAs) are ordering the suspension of personal data transfers to third countries. In March ’21, the Bavarian DPA found an unlawful transfer from Germany to the US by MailChimp. A month later, the Portuguese DPA ordered a suspension of personal data transfer to the US and other countries outside the EU by Cloudflare.

Ensure Your Data is GDPR-Compliant

How Google Analytics is used has always been subject to scrutiny and regulation. As a result, it is prudent to make sure all your data collection and activation is compliant with the most current regulations. Consider these basic steps as possible actions and repeat them at least each quarter:

  1. Anonymize IP addresses in Google Analytics. This will impact geographic reporting, but is a relatively small trade-off.
  2. Ensure your cloud data storage is located in the EU. This is an opportunity to review all data storage locations.
  3. Make sure your consent banner is compliant. Implement an automated scanning process that runs on a regular cadence to quickly identify the setting of cookies without consent.
  4. Review your cookie and privacy policies regularly for compliance.
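One way to automate steps 1 and 3 is to audit a HAR capture recorded from a fresh browser profile. The script below is an added example, not code from the original article or from Media.Monks. It assumes Universal Analytics hits (where IP anonymization appears as `aip=1` on the `/collect` request); the site `shop.example`, the consent timestamp, and the essential-cookie allowlist are constructed for illustration.

```javascript
// Constructed HAR-style capture (not real traffic); consent is given at 10:00:05.
const sampleHar = { log: { entries: [
  { startedDateTime: "2022-02-01T10:00:00.100Z",
    request: { url: "https://shop.example/", cookies: [] },
    response: { headers: [{ name: "Set-Cookie", value: "session=abc; Path=/; HttpOnly" }] } },
  { startedDateTime: "2022-02-01T10:00:00.900Z",
    request: { url: "https://www.google-analytics.com/collect?v=1&tid=UA-XXXXX-Y&t=pageview", cookies: [] },
    response: { headers: [] } },
  { startedDateTime: "2022-02-01T10:00:01.200Z",  // _ga was set by script, so it shows up as a sent cookie
    request: { url: "https://shop.example/app.js",
               cookies: [{ name: "session", value: "abc" }, { name: "_ga", value: "GA1.2.111.222" }] },
    response: { headers: [] } },
  { startedDateTime: "2022-02-01T10:00:09.000Z",
    request: { url: "https://www.google-analytics.com/collect?v=1&tid=UA-XXXXX-Y&t=event&aip=1", cookies: [] },
    response: { headers: [] } },
] } };

const GA_HOST = "www.google-analytics.com";

// Extract the cookie name from a Set-Cookie header value.
const cookieName = (v) => v.split(";")[0].split("=")[0].trim();

// Returns findings for (a) non-essential cookies set or sent before consent
// and (b) Google Analytics hits that lack the anonymize-IP flag.
function auditCapture(har, consentAt, essential) {
  const consentTime = Date.parse(consentAt);
  const findings = [];
  for (const e of har.log.entries) {
    const url = new URL(e.request.url);
    if (Date.parse(e.startedDateTime) < consentTime) {
      const set = e.response.headers
        .filter((h) => h.name.toLowerCase() === "set-cookie")
        .map((h) => cookieName(h.value));
      const sent = e.request.cookies.map((c) => c.name);
      for (const name of new Set([...set, ...sent])) {
        if (!essential.has(name))
          findings.push({ type: "cookie-before-consent", url: url.href, detail: name });
      }
    }
    const isGaHit = url.hostname === GA_HOST && url.pathname.endsWith("/collect");
    if (isGaHit && url.searchParams.get("aip") !== "1")
      findings.push({ type: "ga-ip-not-anonymized", url: url.href, detail: "aip=1 missing" });
  }
  return findings;
}

const findings = auditCapture(sampleHar, "2022-02-01T10:00:05.000Z", new Set(["session"]));
console.log(findings);
```

Run on a schedule against a fresh capture, a non-empty result is the signal to review the tag configuration or the consent banner.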

Get third-party legal advice to ensure compliance or address any questions you have. A data partner like Media.Monks can also provide support in implementing changes to Google Analytics and providing automated solutions to measure and analyze data collection with respect to consent banner functionality.

Where Do We Go from Here?

The subject of the Austria DPA’s complaint is the transfer of personal data to the US that lacks adequate protection from US authorities who gain access to it. Standard Contractual Clauses (SCCs) have been used previously to allow data transfer; however, questions have been raised regarding the feasibility of SCCs with respect to FISA (PDF). New SCCs have been published that require supplementary measures that go beyond encryption, referring specifically to scrutiny of the destination country’s legal regime. Google maintains these measures have been met (PDF).

Currently, the encryption and transparency requirements appear to contradict each other. Revised SCCs or a successor to Safe Harbor and Privacy Shield appear to be the solution favored by Google, although the practicalities and timing of such solutions remain unclear. Until then, following the steps above to regularly review compliance goes a long way to ensure your brand remains in good graces.
