Implications of recent Google Analytics headlines
Over the past weeks there has been quite a bit of coverage of the ruling by the Austrian data protection authority, the Datenschutzbehörde (DSB), in the Google Analytics case concerning a company in the health sector that is not named here. Many of the headlines claim that Google Analytics has been declared "illegal" within the EU as a result of this ruling. Since that would in fact be surprising and major news, I was curious to look into the facts. Here is what I found in my research; I'd be curious to get your feedback or any other references you may have come across.
Google Analytics: Illegal in EU or not?
Attached is the link to the authority's statement (in German). The claim that Google Analytics is from now on illegal in Europe is factually false, especially since the court decision in this specific case has not become legal precedent (yet). However, it has certainly raised further attention to the subject of data privacy and of processing data outside the European Union where EU citizens are concerned.
What are the implications?
In my opinion, at the bottom of this matter lies the fact that large enterprises, especially ones that have existed for decades, have not had the chance to review and rebuild their data infrastructure and architecture in an optimal way to meet modern privacy-first or privacy-by-design principles. This means that companies that aim to handle customer data in order to personalise experiences need to carefully consider the type of data being processed, the purpose for processing it, who has access to it, and where it is processed and stored.
This is nothing new, but the case is yet another example of the increasing attention that authorities and consumers give to the topic (and rightly so). So the most important implication is that anyone handling sensitive customer data, namely personally identifiable information (PII), should review whether current processes, ways of working and technical architecture meet the latest data privacy requirements.
What to do?
We recommend acting now and auditing your data strategy and architecture if there is even a sliver of doubt that the latest standards and requirements might not be met. As there are multiple dimensions to this matter, such as architecture, ways of working and employee awareness, it is best to bring key stakeholders together and begin by asking simple questions, for example: "Are we clear on the purpose for collecting each set of customer data and PII?", "Have we done our utmost to secure our customers' data from potential breaches (which also includes sending an Excel spreadsheet to a colleague or business partner)?" and "Are we certain that data is only accessible to and handled by the individuals who need access?". It usually does not take a certified GDPR or data privacy expert to get a first glimpse of potential gaps in an initial assessment. It is also important to note that this is not an IT matter alone but should be dealt with in close collaboration with business and leadership, since fines in severe cases can be immense.
Once done, the team can proceed, ideally with external help, to run a Data Privacy Impact Assessment (DPIA) that documents in detail which gaps exist, in order to enable a plan to close them. Since GDPR came into effect in May 2018, authorities have been, in my opinion and experience, very fair in enabling companies to take countermeasures when gaps were detected, unless there has been gross negligence. This means that up until now it has been largely sufficient to have an idea of which gaps might exist and a clear plan to fix them. However, I believe that after almost 4 years of GDPR being in effect, and with continuously new regulations and cases, it is time to act.
Not least because any company or enterprise owes it to its customers and consumers to treat their information with the highest sensitivity.
More details on the specific case
In short, the company concerned had been capturing behavioural data along with personally identifiable information (PII) in its Google Analytics instance. Although certain security and design measures were taken, not all regulatory requirements were met. As I am sure most readers are aware, data privacy regulations can differ quite significantly between jurisdictions, in this case the United States and the European Union.
Accordingly, one of the key requirements in the European Union was settled in the following case, also referred to as Schrems II, in which the European court ruled that data controllers and/or processors must guarantee GDPR data privacy standards when transferring PII to destinations outside the EU. While this level of protection was previously guaranteed by the "Privacy Shield Framework", it did not cover the scenario of US intelligence agencies being able to request such data when running legitimate investigations concerning data transferred to and stored on servers on US soil.
In the case of the undisclosed company, the above-mentioned GDPR requirement was not met, as data of European citizens was transferred to and stored on US servers without being (sufficiently) protected from potential access by US intelligence authorities, as it could have been, for example, by means of a pseudonymization process. So in fact, for this company, given the design choices made or missed as exemplified above, there was a breach which was ruled as violating EU data privacy requirements.
However, this breach is not necessarily related to the use of Google Analytics itself, as there is a variety of instruments and design choices that can be utilized in order to meet said requirements.
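One such design choice is the pseudonymization mentioned above: replacing identifiers with keyed tags before an event leaves the controller's environment, so the recipient abroad never sees raw PII. The following is an added example, not the author's code or any analytics vendor's mechanism; the field names, the IPv4 truncation rule and the sample event are constructed for illustration.

```python
import hashlib
import hmac

# Added example, not from the article. Fields treated as PII and the
# sample event in the test are constructed for illustration.
PII_FIELDS = {"email", "customer_id"}


class Pseudonymizer:
    """HMAC-SHA256 tags under a secret key held only by the controller.
    An unkeyed hash could be reversed by hashing guessed identifiers;
    with a secret key the recipient cannot, and only the key/table
    holder can map a tag back to a person."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use at least a 256-bit secret key")
        self._key = key
        self._lookup: dict[str, str] = {}  # stays controller-side

    def pseudonym(self, identifier: str) -> str:
        # Canonicalise so "Alice@Example.org" and "alice@example.org" match.
        canonical = identifier.strip().lower().encode("utf-8")
        tag = hmac.new(self._key, canonical, hashlib.sha256).hexdigest()
        self._lookup[tag] = identifier
        return tag

    def reidentify(self, tag: str):
        """Reverse the mapping; only the controller holds this table."""
        return self._lookup.get(tag)


def truncate_ipv4(ip: str) -> str:
    """Zero the last octet so the address no longer points at one host.
    Values that are not dotted IPv4 are dropped, not forwarded as-is."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return ""
    return ".".join(parts[:3] + ["0"])


def prepare_event(event: dict, pz: Pseudonymizer) -> dict:
    """Build the payload that is allowed to leave the controller's environment."""
    out = {}
    for key, value in event.items():
        if key in PII_FIELDS:
            out[key] = pz.pseudonym(str(value))
        elif key == "client_ip":
            out[key] = truncate_ipv4(str(value))
        else:
            out[key] = value
    return out
```

The key and the lookup table are the sensitive assets here; if they travel with the data, the tags are no longer pseudonyms but identifiers.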
So what is the conclusion?
Although not illegal, anyone who aims to utilize technology such as Google Analytics that might process and store data outside the EU should carefully review both the relevant requirements and the design choices made. Since cloud technologies have become very popular across a multitude of technologies and capabilities, this basically affects anyone in the midst of a digital transformation.
I hope this short article can shed a bit more light on the matter. For anyone that is interested in an exchange on the topic, don't hesitate to reach out to me or our team at Avaus.
Best,
Steven
P.S. As I consider myself a fan of facts and this is actually the first article I have published on LinkedIn, I urge you to contact me if you find any of these statements to be incorrect or misleading.
Managing Director at Avaus
In this context, I have been leading data privacy related engagements for many European clients since 2017.