In this year's Data Privacy Week, let's talk about the recent media scare over the Austrian decision that allegedly made EU-US data transfers to Google Analytics illegal.
Sensational headlines such as “Google Analytics Is Illegal In Europe” started appearing online after a decision was made by the Austrian Data Protection Authority regarding the use of Google Analytics on an Austria-based medical news website.
Google falls under the United States Foreign Intelligence Surveillance Act (FISA), which means that in national security cases the US government can use FISA to request both non-content and content information, and can use National Security Letters (NSLs) to request limited information about a user's identity. What does this mean in practice? According to Google's Transparency Report:
Non-content requests under FISA: non-content metadata—for example, the "from" and "to" fields in an email header and the IP addresses associated with a particular account.
Content requests under FISA: a user’s content, such as Gmail messages, documents, photos, and videos.
Requests made via National Security Letters (NSL): the FBI can seek "the name, address, length of service, and local and long distance toll billing records" of a subscriber to a wire or electronic communications service. However, the FBI can't use NSLs to obtain anything else from Google, such as Gmail content, search queries, YouTube videos or user IP addresses.
The Austrian Data Protection Authority concluded that Google's data privacy safeguards are not strong enough to prevent the US government from monitoring EU citizens through their interactions with Google. On that basis, personal data cannot legally be shared with Google (or any other US-based company subject to FISA), with one exception, set out in GDPR Article 49(1)(a):
[...] transfers to third countries can happen when “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”.
This means personal data can be shared with US-based companies subject to FISA, but only if users have given explicit consent after being informed of the specific risks involved. The website in question was not collecting consent on the basis of Article 49 at the time, and was therefore collecting personal data through Google Analytics unlawfully.
Even though no fines have been issued under this decision so far, and other data protection authorities are still reviewing the issue, if you run an EU-based organization you might still want to ask yourself:
1. What is your purpose in using Google Analytics?
2. Are there European alternatives that you can use?
DISCLAIMER: The contents of this website are intended to convey general information only and not to provide legal advice or opinions. The information presented on this website may not reflect the most current legal developments. An attorney should be contacted for advice on specific legal issues. The implementation of a data protection law compliant Consent Management Platform (CMP) is ultimately at the discretion of the respective data protection officer (DPO) or legal department.