French DPA latest to rule Google Analytics violates GDPR, Google pledges a response

Helpful links:

• The Ruling
• Our previous post on the Austria DPA ruling
• Helpful explainer article from IAPP

The website in question was given 30 days to either remove Google Analytics or find an alternative option.

The issue

When someone visits a website with Google Analytics enabled, Google’s script sends that data to its servers for processing, likely in the United States. This would be a data transfer to a “Third Country” under GDPR. Due to United States surveillance law, and after the striking down of a previous data sharing agreement between the EU and US (“Privacy Shield”) this past summer, data transfers require additional strict security that these rulings state Google is not meeting.

This is not about consent; these are protections given to the storage of this data after consent.

There may be little Google can do, and this may be the start of a broader crackdown on any American-based cloud services.

What makes Google services particularly vulnerable here is that their email and cloud services classify them as a Communications Provider under section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows broad surveillance authority on Non-US resident data (i.e. EU citizens not protected).

This has been the key provision that Max Schrems, the founder of the privacy group None of Your Business (NYOB), has latched onto in his actions leading to “Schrems II.”

And his sights have been set on more than GA. He recently criticized commitments Microsoft made about its cloud services, Azure, and how they would maintain privacy controls for EU customers.

“To my understanding, there would still be direct access to data and keys from the US in this new Microsoft setup. This means that any data still falls under the FISA law and is, therefore, to be given to US authorities when requested. This is window dressing when it comes to National Security Agency [NSA] surveillance,” he told The Register.

The Data Protection Authorities (DPAs) have been siding with Schrems, whose challenges have made two previous US-EU data sharing agreements invalid, and upcoming rulings are expected on broader use of American cloud services companies, which include Amazon, Microsoft and Google.

Even if Google adjusts its setup so that EU data never physically leaves the EU, it seems likely that it will still be viewed as in violation, as Google’s status under section 702 would allow the US to request access to that data—according to the EU interpretation of the statute.

So if a website removes Google Analytics and instead sends analytics data that includes IP addresses to a AWS/Azure/GCP cloud server localized in EU, would that be compliant?

We may soon find out.

Google responds to Austria ruling

For now, Google is going to try to make Google Analytics compliant. They released a statement that they would be coming out with more information on how it can protect EU data in the coming weeks.

It is a difficult situation for these companies who provide these services and the many companies who rely on them.

The real solution rests on legislative action within the US (EU has found executive orders on this front insufficient) or a new data sharing agreement. Timelines for this are difficult to predict.

Note: if you are a US-based company storing customer information on self-hosted servers, this article outlines that you would not be affected by these interpretations of section 702 of FISA.

For now, companies concerned about legal action against them in the EU may consider turning off analytics on those users in the short-term, or converting to a Cookieless version of GA.

Note: we are not lawyers, and this post should not be taken as legal advice.