Does Google adhere to the GDPR?
To anticipate the answer to the opening question: yes, Google Analytics is compatible with data protection under the GDPR if informed consent is obtained from users. This article explains what this looks like in detail.
A little history
The days when Google Analytics statistics could run silently in the background of a website are definitely over. At that time, a note in the privacy policy and, as a legal basis, the website operator's legitimate interest in statistics were sufficient for operating Google Analytics in line with data protection.
With the development of Google Analytics into a marketing instrument, with the abolition by the ECJ of the Privacy Shield as a basis for data transfer with US companies, and with the growing privacy awareness of many Internet users, the situation has changed fundamentally.
This may also be due to the fact that advertisers have overdone it. Emailing a friend on vacation in Holland only to be shown ads for Dutch vacation homes shortly afterwards while surfing the web makes you wonder. The judicial bodies and data protection supervisory authorities have taken this into account and brought the GDPR and also the EU Directive 2002/58/EC, which has been partially ignored in Germany, into force in the implementation of the Telecommunications and Telemedia Data Protection Act (TTDSG).
The result is that the full use of Google Analytics in compliance with data protection is possible only with voluntary and informed consent. What do users consent to, and what does the consent have to look like?
The facets of consent
1. Consent to the setting of cookies
Consent to cookies is not first and foremost about data protection, but about the integrity of the terminal equipment. Section 25 of the TTDSG states that data may be written to the memory of a PC, laptop, tablet or smartphone, or read from these devices, only with the user's consent. We also object to someone entering our home without our consent and writing on our pinboard or reading the notes on the fridge.
2. Consent to user tracking
With user tracking, movements on the website are recorded, and products in the shopping cart, purchases and also the pages on which the user has previously surfed are evaluated. The surfing behavior of users is also tracked across several websites and condensed into a profile. Regulatory authorities and courts require consent.
3. Consent to a data transfer to the USA
This topic is complex and has not yet been fully discussed. What is clear is that the data collected via Analytics is stored on Google's US servers and is also processed there for Google's own purposes. This makes Google a controller within the meaning of the GDPR and no longer just a processor that provides analyses and statistics. Consequently, a joint controllers agreement must be concluded and published in accordance with Art. 26 GDPR.
There is a second facet to the US data transfer that needs to be considered. Via Google, US security authorities also have access to the data and profiles of users, who have no legal recourse if they are not US citizens. They are not even aware of this access to their data. This fact must also be made clear for consent to be effective.
We must not conceal the fact that the German supervisory authorities, unlike those in other EU countries, have a problem with consent to the US transfer. There is therefore a residual risk for local companies and, in the event of a decision by the authorities, the only option is to go to court. However, there are strong voices supporting the consent solution for US transfers. Thomas von Danwitz, judge at the ECJ and involved in the Schrems II ruling, stated in an interview that the exemptions in Art. 49 GDPR, and this includes consent, have not yet been 'sounded out'. The view that the law restricts these exceptions to occasional transfers is controversial. The clear statement in Article 49 para. 1 GDPR should be given priority over the unclear statement in recital 111. And the supervisory authorities in Austria and France, in their statements on analytics, leave the possibility of consent open.
So there is a lot to be said for taking this route or doing without Google Analytics altogether. An equivalent alternative to consent does not exist. It is difficult to imagine that signing the EU standard contractual clauses and taking supplementary measures following a Transfer Impact Assessment (TIA) can yield a positive result. There is not enough information available about the processing at Google. A reliable risk assessment is simply not possible.
Design of the consent
Accordingly, effective consent is only possible if users are aware of all three facts: the setting of cookies, the tracking with profiling and personalized marketing, and the US transfer with the possibility of access by the security authorities must be clearly explained. It is clear that this must be done when you enter the site, which is why we have introduced cookie banners, also known as comprehensive consent management platforms, because it is no longer just about cookies. Where which information should be placed is still being discussed. In the opinion of data protection experts, everything should be in the first window in which consent is given and not only on a second level after a click. What is practicable here remains to be seen.
But one more alternative
There is an alternative: if the website operator is prepared to do without some information and the use for personalized marketing, it is possible to host Google Analytics yourself. This would avoid the US transfer to Google. The setting of cookies, and thus the recognition of users on their next visit or on other websites, could be dispensed with. If you then limit tracking to data from your own website and work only with pseudonymized data, consent is dispensable. However, there are also German supervisory authorities that do not want to accept even this limited tracking with a shortened IP address without consent.
Conclusion:
Google Analytics can be operated in compliance with data protection in two scenarios:
- Without consent, with a reduced scope of services: self-hosted without Google, without cookies and only for your own website analysis.
- Or with consent to the use of cookies, to profiling and personalized marketing, and to the transfer of data to Google with possible access by US security authorities.
Neither scenario is absolutely legally certain, because German supervisory authorities cast doubt both on consent to the US transfer and on a pseudonymous analysis of website visits without consent.





