On the 13th of January 2022, the Austrian Data Protection Authority (Österreichische Datenschutzbehörde) effectively ruled that a medical company based in Europe has been continuously utilizing Google Analytics to collect and transfer personal and identifiable data through Google to the company’s headquarters located in the United States, where it would be subject to different surveillance laws, which EU citizens do not have control over. This, ultimately, raised concern about prevalent issues related to potential de-anonymization and privacy breaches.
Looking at the big picture
The immediate response by a majority of people is to simply pose the questions: why does that matter and is it really that important? Given the present global circumstances and the rapid evolution of both offline and online technology, it is not surprising that issues related to privacy and security are currently more prominent than ever before. Therefore, in situations similar to this one, which concerns Google Analytics in particular, it is absolutely vital to discuss and evaluate the various factors and the consequences that they can have in the future.
There are a number of existing issues surrounding Google Analytics. The first is that the application can be utilized to collect user data, which can potentially be used to trace and identify a given user by their information and actions.
The second underlying problem is that such data collected from the EU is transferred over to the US, where it can be utilized in a plethora of different ways. However, the European citizens, as legitimate owners of their personal data, find themselves in a situation where they are not capable of taking control over their own information, which can be subjected to any actions that can be performed on said data. Additionally, their identities are also prevented from being re-traced and exposed. Consequently, this results in a violation and a breach of the European Union’s privacy law, the GDPR, short for the General Data Protection Regulation.
What led to the Google Analytics violation?
This violation was reported after careful examination of the results from an investigation of ‘netdoktor.at’, an Austrian health website now located in Germany. According to the Austrian Data Protection Authority, the website had not correctly set up a specific IP function, the intention of which was to anonymize users’ personal IP addresses. Moreover, additional user data was also provided through certain cookie identifiers. This is of substantial significance, as the Austrian Data Protection Authority further elaborated that the IP address, which is also the primary reference point of US intelligence services in relation to the inception of a surveillance process, and the aforementioned identifiers are both private and personal data types. They can be paired with additional digital information, which could ultimately result in deanonymization and in determining a specific user’s online and, in some cases, physical identity, which is a direct violation of the European GDPR.
Why does this privacy and GDPR breach matter?
The core question still remains - why is this important? The main reason behind the significance of this Google Analytics case can be boiled down to the ripples that it creates amongst the online society along with the potential future regulations, which will need to be imposed and implemented.
The US surveillance legislation allows national agencies to extract information and gain access to user data, which can result in identities undergoing a process of deanonymization. US citizens do comply with these laws; European citizens, however, are not subject to this legislation by default, as they are members of the European society and abide by different legislation. Furthermore, no protective measures are taken into consideration by such US companies that collect data from the EU, which consequently results in EU citizens being unable either to exercise control over or to be aware of how their data is being utilized or exploited.
This violation was reported after the Austrian privacy advocacy group noyb, short for My Privacy is None Of Your Business, filed a number of representations to the Austrian Data Protection Authority on the premise of the Schrems II decision from the European Court of Justice (CJEU). The ruling behind this decision was that the transfer of international data from the EU to certain US companies was deemed a violation of the data transfer standards as defined in Chapter V of the European GDPR.
The US companies in question are those that can be regarded as an ‘electronic communication service provider’ and are legally obliged to provide their collected data to the US intelligence authorities. Because Google and its product, Google Analytics, classify as such service providers, EU data can be easily accessed by said authorities. Max Schrems, the activist and chair of noyb, further stated that: “In particular, it cannot be excluded that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant”.
Moreover, these revelations surface just days after the imposed sanctions on the European Parliament issued by the European Data Protection Supervisor on the 11th of January 2022 for breaching the same Schrems II decision and Chapter V in relation to the GDPR by utilizing Google Analytics to provide data to the US-located company Stripe. This further accentuates the fact that a substantial majority of European companies are also providing their customers’ and users’ data to the US through Google Analytics, additionally fueling this current debate.
Where do the US and the EU go from here?
In the words of Max Schrems - “Companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced”. The event described by Schrems refers to the previously mentioned Schrems II Judgement, which was processed by the EU Court of Justice in 2020.
Previously, there have been a number of existing agreements that were designed with the intention of preventing data snooping and supporting fair information exchange between the two parties, namely the Safe Harbour agreement and the Privacy Shield. While both did attempt to provide this needed security and privacy, when the Snowden disclosures occurred in 2013, revealing the extent of the surveillance that US citizens were subjected to, the EU Court of Justice began ruling out the existing agreements in order to make a statement with regards to the fact that a new system should be implemented. Moreover, they also actively pushed for crucial reforms to take place as soon as possible in relation to the US surveillance legislation in order to protect EU citizens’ data that is being collected by US companies.
However, rather than implementing the required changes in terms of allowing EU regulations and protection to travel alongside European user data, US companies have attempted to propose a simple and ineffective solution, whilst simultaneously undermining the magnitude of the situation, which Schrems also shared: “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options”.
Google, on the other hand, objected by stating that they did have secure and protected data centers, where user information is encrypted and pseudonymized at rest. While that might be the case, surveillance by US intelligence agencies is still possible due to the legislative obligation that the company needs to fulfil in relation to providing the acquired data to said US services, which violates the primary requirement issued by the European side in relation to the GDPR.
However, as of now, Google as a company is yet to be subjected to any repercussions, with only the health website being reviewed, as the Austrian Data Protection Authority will continue to investigate whether Google as a US-based company has had any direct violation of the GDPR. This is due to the fact that only Google Analytics as a platform is responsible for collecting and managing data, transferring the problem back to the EU regulation system, as Google Analytics was used as a platform for just storing the provided user data. This has, consequently, led to noyb questioning whether they should appeal this decision, as Schrems states that “It is crucial that the US providers cannot just shift the problem to EU customers”. Additionally, noyb also states that if found to be guilty of breaching the GDPR, Google could still face sanctions with penalties going as high as 4% of their total global revenue.
What do these restrictions mean for US cloud services?
Giant technology companies like Google and Facebook require user data in order to operate and improve their services. However, this Google Analytics situation, combined with the Facebook case in Ireland in relation to the Schrems II decision, which is also concerned with similar issues related to the transfer of user data to the US, raises a lot of questions about the EU data provided to the US, which is potentially susceptible to surveillance.
However, Google Analytics and Facebook are also services that are widely utilized across the globe, and Europe is no exception, meaning that deeming them illegal could result in EU companies struggling to find locally hosted alternatives, even though a plethora of them exist.
It boils down to either prohibiting these companies from operating in Europe or expecting them to completely overhaul their business model, services and data collection and hosting locations in order to carry out the required adjustments to accommodate the European GDPR.
Regardless, it is evident that a change needs to be implemented as this could lead to potential service and product separation as Schrems also points out: “In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU…I would personally prefer better protections in the US, but this is up to the US legislator — not to anyone in Europe.”