GDPR risks for Google Analytics
After the Court of Justice of the European Union (“CJEU”) invalidated the Privacy Shield - a framework for transferring personal data from the European Union to the United States - Austrian non-profit organisation NOYB filed 101 complaints in all EU member states against businesses still transferring personal data to the US in connection with Google Analytics.
Since then, several supervisory authorities have found the use of Google Analytics non compliant with the GDPR. Main issue was the transfer of personal data from the EU to the United States through the use of Google Analytics.
These decisions make it clear that all organisations must have a good understanding of their data flows and how different tools and services process and protect their personal data. If your organisation is still using Google Analytics or planning to implement such, it is recommended at minimum to conduct a risk assessment or data protection impact assessment. Well prepared documentation is a key for informed decisions can be helpful if the supervisory authorities come knocking your doors.
Focus on these in your assessment
Google is a company subject to US surveillance laws. This means that even if your analytics data is stored in the EU, Google falls under the obligation to provide personal data in the EU to the US authorities. You will have to assess what US laws apply that might give US authorities access to your data. Since transfer mechanisms in the Article 46 of the GDPR are not effective to prevent US authorities from accessing your data, you will need to identify and implement effective supplementary measures. These measures may be contractual, technical or organisational.
Have you implemented a proper consent mechanism to Google Analytics? Since the use of Google Analytics involves storing of information and accessing information stored in the terminal equipment of your end users, you will need to pay special attention to ePrivacy Directive as well. It is unlikely that Google Analytics will fall under the exemptions provided in Article 5(3) so you are likely required to ask consent from your website visitors. Make sure that no cookies, javascripts or similar are loaded before consent is obtained. If you categorise Google Analytics as “strictly necessary”, make sure to document why using Google Analytics will be ‘strictly necessary’ from your end users’ perspective.
Scope of the data processing agreement. Pay attention to Google’s role in the processing. Are they operating as a processor, controller, joint-controller or in multiple roles? Google offers a data processing addendum for its customers. However, Google’s role as a processor seems to cover only “online identifies” while the actual behavioural data has been left out from the scope leaving a big question whether Google uses this data for its own purposes as a controller.
As the GDPR requires you to be transparent towards your end users, you will need to assess how to provide them with information in compliance with the Articles 12 and 13 of the GDPR. Is it enough to have a quite common phrasing “we use your personal data for analytics” or should you add more examples to ensure transparency, fairness and valid consent?
And finally, make sure you re-evaluate at appropriate intervals the risks you have identified and the measures you have implemented as things tend to change. There might be a new Google Analytics version, new supplementary measures offered by Google or a new security flaw.
Learn how you can conduct a risk assessment for Google Analytics
We at PrivacyDesigner have been helping organisations to conduct risk assessments for various products and services. We are creating sample privacy impact assessments and data protection impact assessments for our customers where they can start their assessments with pre-mapped data-flows and sample risks related to different tools and products. Apply to our pilot group and start building privacy into your products and services.