Since mid-2020, and especially in the past few months, the use of Google Analytics has been a prominent topic for data protection practitioners and beyond. In a groundbreaking move, the Austrian supervisory authority, followed by the French supervisory authority, issued decisions finding that the transfers of personal data to the US carried out through Google Analytics are unlawful, because the safeguards in place proved ineffective at protecting the transferred personal data.
Following the complaints filed by noyb, the above-mentioned supervisory authorities reviewed the way Google Analytics is currently implemented and found that reliance on Standard Contractual Clauses (“SCCs”) alone is not sufficient to ensure the lawfulness of the transfer.
In line with Recommendations 01/2020 of 18 June 2021 of the European Data Protection Board (“EDPB”) on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, the supervisory authorities examined the technical and organisational measures accompanying the SCCs, which were meant to address the specific risk of access to the data by US intelligence services.
The supervisory authorities concluded that the supplementary measures implemented – encryption of data at rest, pseudonymisation and the optional IP-anonymisation function – are ineffective at protecting the transferred personal data. The core objection is that encryption and pseudonymisation performed by the data importer do not prevent access as long as that importer, which can itself be compelled to disclose the data, retains the ability to read it in plain text.
As anticipated, these decisions have caused a stir among organisations using Google Analytics, in a context where similar decisions are expected from other supervisory authorities; the Dutch supervisory authority has expressly announced that it will issue its own decision on the use of the tool.
While the transfer of personal data through Google Analytics is unlawful in its current form, organisations have also long regarded the tool as a valuable instrument for improving their business practices. As a result, many organisations are now looking for solutions that comply with data protection obligations while still serving their business purposes and needs.
Marketing teams, together with DPOs and legal and compliance teams, have been kept busy searching for an adequate replacement for Google Analytics.
Fearing a significant fine from the supervisory authorities, some SMEs have stopped using analytics tools altogether, while larger companies are assessing the business risk of one of two routes: (i) switching to an EU service provider that serves a similar purpose to Google Analytics, or (ii) performing a risk assessment for continuing to use Google Analytics and adopting additional security measures, in the hope that these will be considered sufficient should a supervisory authority open an investigation.
However, there may be a (distant) light at the end of the tunnel.
Recently, the EU and the US reached a new trans-Atlantic data transfer agreement in principle, in which the US authorities committed to establishing “unprecedented” measures to protect the personal data of individuals in the EEA when that data is transferred to the US.
If the new trans-Atlantic data privacy framework is adopted by the European Commission, it will constitute an adequacy decision within the meaning of Article 45 GDPR, covering data transfers, including those resulting from the use of Google Analytics.
The EDPB has yet to examine how the formal commitments of the US will translate into practical implementation, and the concerns raised by the Court of Justice of the European Union still need to be answered, so at this point there is still a long road ahead before the trans-Atlantic framework is adopted.
Organisations should therefore take a practical and proactive approach to finding solutions that serve their business purposes and needs while complying with the applicable data protection framework, rather than waiting for the new trans-Atlantic framework to be adopted.
noyb (European Center for Digital Rights) is a non-profit organisation based in Vienna, Austria, established in 2017 with a pan-European focus.