Users of Google Analytics have experienced a real rollercoaster ride in recent years. This is due, not least, to the lack of legal certainty within the context of GDPR and Schrems II.
A new data agreement between the EU and the US, called the EU-US Data Privacy Framework (DPF), is set to provide the long-awaited relief this year. Transatlantic data transfers, and thus using US tools such as Google Analytics, should be made easier again.
But can it also provide long-term legal certainty?
In this article, we explain the data protection implications of Google Analytics, the effects of the new agreement, and how businesses can best respond.
Transatlantic data transfers: A never-ending story
The transfer of personal data from the EU to the US has been a challenge in data protection since the nineties. Legislators faced the question of how to reconcile citizens’ privacy interests with the legitimate interests of businesses in ensuring smooth transfers.
In this regard, the Safe Harbor data transfer framework came into force in 2000, allowing US companies to receive personal data from the EU while complying with the EU’s strict data protection requirements.
This significantly eased data transfers and the use of US tools. Safe Harbor was widely used by US companies for transferring personal data from the EU, including data collected through services like Google Analytics.
In 2015, however, the European Court of Justice declared Safe Harbor invalid, as it did not sufficiently protect the data protection rights of EU citizens.
Suddenly, businesses and organisations on both sides of the Atlantic faced massive legal uncertainty, as the basis for facilitated data transfers was withdrawn.
Under this pressure, a successor to Safe Harbor was hastily created: the Privacy Shield.
Second attempt: Privacy Shield
However, the Schrems II ruling of the European Court of Justice in July 2020 also declared Privacy Shield invalid. The ruling has implications for all businesses and organisations that use Google Analytics, as Google’s servers are located in the US, and the personal data processed by the service can be transferred to the US.
Following Schrems II, data protection authorities from Austria, France, and Denmark, among others, stepped in. They found the data protection features implemented by Google in Google Analytics to be insufficient to ensure the protection of personal data in the US.
The data protection authorities declared the use of Google Analytics in its current form to be unlawful and urgently recommended discontinuing its use and switching to alternatives. Legal uncertainty for businesses, therefore, continued to increase.
Third attempt: Data Privacy Framework (DPF)
Cue the third attempt to provide relief and legal certainty for businesses concerning data transfers.
In the autumn of 2022, the Biden administration published an executive order on new US data protection measures concerning personal data from the EU.
The new agreement will be called the EU-US Data Privacy Framework (DPF) and is expected to come into force by mid-2023.
For many businesses that utilise US tools or otherwise rely on data transfers to the US, the implementation of the new framework would bring relief.
However, there remains a great deal of uncertainty as to whether these improvements will be long-lasting.
Will history repeat itself?
Data protection activists have already announced their plan to take legal action against the new framework. The big question is whether the concessions made by the US government will be sufficient for the European Court of Justice.
The data protection NGO NOYB, led by well-known activist Max Schrems, believes that they will not be. According to NOYB, the ECJ will declare this agreement invalid as well. NOYB plans to challenge the DPF shortly after it comes into effect.
The legal uncertainty surrounding transatlantic data transfers and the use of Google Analytics will likely persist for the time being.
So, what can businesses do to cope with this uncertainty and best prepare for all eventualities?
What businesses should be aware of with Google Analytics
Using Google Analytics is still considered a critical issue for EU-based businesses. Businesses therefore cannot avoid engaging with the risks of using the service, and with potential alternatives, in order to meet the data protection requirements of the GDPR. In the following, we focus specifically on the risks associated with the continued use of Google Analytics and on the impact of any decisions related to the DPF.
What potential risks are associated with data processing by Google Analytics, regardless of the DPF?
Data processing by Google Analytics carries some potential risks, irrespective of the DPF. One possible danger is that user profiles are created without the user’s consent and without the required information being provided, for example because the cookie banner is configured incorrectly.
What measures should businesses take to be prepared for a potential rejection of the DPF?
To be prepared for a possible rejection of the DPF, companies should take specific measures to ensure legally compliant international data transfers, even if the legal situation remains unchanged for now. The legal uncertainty itself, however, would continue.
What happens next if the DPF does not provide a solution?
Is this the end for Google Analytics, and to what extent should companies consider alternatives?
If the DPF does not provide a solution, it is conceivable that the agreement will be put to the test by the CJEU after it comes into force. It would then be necessary to wait and see how the CJEU assesses the level of data protection in the US.
This does not inevitably mean the end for Google Analytics. For many companies that are not familiar with alternatives, Google Analytics remains indispensable and will continue to be used regardless of data protection concerns. Nevertheless, companies should urgently consider alternatives, regardless of the DPF.
Even if the DPF is accepted, what should companies consider?
What steps should they take to meet the requirements arising from it?
Even if the DPF is accepted, there are certain steps companies should consider to meet the requirements arising from it. The goal is to harmonise the security interests of the US and the high data protection standards of the European Union. Firstly, the US needs to catch up and raise its data protection standards. Companies initially have no need for action in this regard until the exact requirements are known.
On 13 December 2022, the EU Commission initiated the process of adopting the adequacy decision. Should the Commission issue the adequacy decision, the US will no longer be considered an unsafe third country under the GDPR. Data transfers between the EU and the US would then be possible without standard data protection clauses, which is one aspect that needs to be taken into account.
How should the current situation surrounding the EU-US data exchange and the DPF be assessed?
How can the future of data transfers to third countries be estimated?
The current situation surrounding the EU-US data exchange and the DPF is uncertain. It remains to be seen whether and when the Commission will issue an adequacy decision in favour of the US. Both parties are clearly striving for a consensus. At the same time, however, there is a risk that these efforts will result in a “Schrems III” ruling by the CJEU and will need to be significantly revised once again.
A major challenge for US companies will be to implement the data protection standards of the EU. The average US service provider is currently far from meeting the data protection requirements of the GDPR. There will be a great need for action in this area. However, the Presidential Order 14086 of 7 October (Executive Order) generally represents a step in the right direction. Other third countries could follow the example of the US and create a legal basis for data transfers.
Automate Data Protection
To prepare yourself and your company for potential changes to the DPF, you should first stay up to date, or catch up where necessary. This applies not only to external events but primarily to the measures already in place for transatlantic data transfers. For example, you should have an overview of which data is processed, how and for what purpose, and with whom and for what purpose it is shared. Likewise, you should know whether cookies are used on your website and, if so, which ones.
One way to keep yourself informed and automate your data protection at the same time is to use a data protection platform. This combines personal consultation with automated processes under the hybrid approach “Data Protection-as-a-Service”. With DataGuard’s data protection platform, you can keep track of open and completed data processing activities, always knowing the current status of your compliance with national and international data protection laws and requirements.
Moreover, you can continue to use Google Analytics with the correct server-side tracking in a sustainable and privacy-compliant manner.
The tips in this article are provided by Inessa Meckler. She is a legal expert (Dipl. Jur.) and a certified data protection officer at DataGuard, advising clients primarily in the fields of marketing, advertising, PR, industry, and manufacturing. In addition, she supports the internal legal department as a legal expert. During her studies, she delved deeply into the areas of European law, international law, and human rights protection.
Update: In July 2023, the EU Commission approved the new EU-US Data Privacy Framework (DPF), removing many of the restrictions of Schrems II and making it much easier for organisations to transfer EU personal data to the US. However, the new framework will be challenged legally by NGOs (a possible “Schrems III”). Therefore, some legal uncertainty will remain until the Court of Justice of the EU (CJEU) rules on the matter. JENTIS Data Capture Platform enables future-proof GDPR-compliant tracking, regardless of the data privacy framework and potential challenges to it.