The privacy-compliant use of analysis tools

Philipp Rosenauer
Partner Legal, PwC Switzerland

Google Analytics function

Google Analytics is Google's popular and widely used web analytics tool. It is used to analyse the traffic of a website and provides real-time insights into website activity such as dwell time, number of pages per session, session duration or number of visitors. This supplies information on how a website is accessed, how frequently, for how long and by whom. These data show website operators where their website’s weaknesses and strengths lie, and how they can optimise their website accordingly.

What are the data protection issues when using Google Analytics?

In the ECJ’s Schrems II decision (2020), the Privacy Shield was declared invalid because US legislation does not provide the appropriate level of protection. The Privacy Shield had been one of the most widely used mechanisms for transferring personal data from the EU to the US. The ECJ’s decision also had an impact on standard contractual clauses (SCCs): additional requirements must now be met for SCCs to be valid.

Shortly after this decision, 101 complaints were filed by the non-profit organisation NOYB against EEA websites that used Google Analytics or Facebook Connect and transferred personal data to the US. Several European data protection authorities are currently dealing with these cases. Among others, the Austrian data protection authority as well as the French data protection authority (CNIL) have already issued rulings against website operators in which they consider the use of Google Analytics to be non-compliant with GDPR. The question therefore arises as to whether the use of Google Analytics complies with data protection requirements.

How can analytics tools be used in a privacy-compliant manner?

It is important to note that Google Analytics can be implemented in very different ways, and this can have an impact on privacy compliance. Recently, the CNIL issued an article that allows for privacy-compliant use of Google Analytics under certain circumstances. The use of a proxy server was suggested as a possible solution, since there is then no direct connection between the Internet user’s terminal device and Google Analytics’ servers. However, there are a number of additional criteria to consider.

As well as the use of a proxy server as suggested by the CNIL, explicit consent to allow Google Analytics may also be an option. The following should be considered in particular: for data transfer to a third country, it is possible to obtain explicit consent from the data subject. For the use of Google Analytics, this means that each user gives explicit consent not only to the use of Google Analytics but also to the transfer of data to the US, including the possibility that these data may be lawfully accessible by a state body under US law. It is important to provide comprehensive and clear information so that valid consent can be given.

If there are uncertainties on the part of website operators regarding consent as a basis for the transfer of personal data, European analysis tools can be used as an alternative. Various European analytics tools already exist, with data being stored in the EU.

What next?

Due to the numerous proceedings still pending in relation to Google Analytics, it is currently difficult to assess the extent to which Google Analytics will prove to be in compliance with data protection law. It remains to be seen whether it makes more sense to resort to an alternative European solution to avoid running the risk of having sanctions imposed.

PwC’s data protection team can assist your company in adapting data protection statements. In addition, we can show you equivalent, alternative European solutions that are available to you.
