It may be tempting to include the free “Google Analytics” on one’s own website, or to make use of the fonts from “Google Fonts”. However, as current developments in case law and the practice of data protection supervisory authorities show, it is not entirely risk-free. This article aims to provide an overview of what these cases are about and what data protection challenges website operators should keep in mind when integrating third-party tools such as Google Analytics, Google Fonts, and comparable offers.
I. What is – in terms of data protection law – the problem with using Google Analytics & Co.?
Anyone who operates a website commercially has an understandable interest in making it attractive and in understanding the reach of their web offer so that they can use the knowledge gained from this insight to optimise their products or to improve the website design. This should be done as cost- and time-efficiently as possible and – from a lawyer’s point of view – of course as legally watertight as possible.
In data protection, “legally watertight” means that if third-party tools are integrated for these purposes that process personal data of website visitors, this processing must be carried out in compliance with the requirements of the EU General Data Protection Regulation (GDPR) and German Telecommunications and Telemedia Data Protection Act (TTDSG). This includes, for example, the requirement that such data processing – including the transfer of data to a country outside the territory of the EU or EEA (a so-called “third country”), must be permitted under the GDPR. Accordingly, processing is permitted if, for example, there is a “consent of the data subject” or an “overriding legitimate interest of the website operator” for the data processing. In case of a transfer to third countries, the transfer may be permitted based on an EU Commission’s “adequacy decision” or it takes place on the basis of so-called “standard contractual clauses” (SCC). Furthermore, the GDPR requires that the parties involved in data processing conclude specific contracts with each other in certain cases.
II. What is the current status of decision-making practice on Google Analytics & Co.?
Several practice-relevant decisions on Google services have been published recently. In these decisions, the following statements were made on the above-mentioned data protection requirements:
1. When Google Analytics is used on a website, is personal data of the website visitors transmitted to Google?
YES, says the Austrian Data Protection Authority (DPA) in a ruling issued at the end of 2021 following a model complaint by the non-governmental organisation (NGO) “noyb” against the operator of a website with an embedded Google Analytics service. According to this decision, personal data includes the unique “online identifiers”, the IP address, browser parameters, operating system settings such as screen resolution and language, date and time of the website visit, the addresses of the pages visited (URL).
According to Google, when “IP anonymisation (or IP masking)” is used correctly, IP addresses are “shortened or masked as soon as the data are received by Google Analytics and before they are stored or processed”. This function was “not implemented correctly due to a code error” in the case submitted to the DPA for decision. In the reasoning for the decision, however, the DPA indicated that a correct implementation would not have changed the decision. This is because, according to the DPA, the IP address is only one of many “puzzle pieces” of the website visitor’s digital footprint. The identifier is linked to so many other elements that a personal reference is still likely to exist.
Google responded to the decision in a blog post with the argument that it was a fundamental misunderstanding of how Google Analytics works. The website operator can appeal within four weeks after being served with the decision.
2. Is the transfer of user data by Google to the USA lawful?
NO, says the Austrian Data Protection Authority (DPA) in the same ruling depicted above.
The background to this statement is first of all that the European Court of Justice (ECJ) in its so-called “Schrems II” judgment (ECJ, Judgment 16.07.2020, Case C-311/18) declared the USA to be an unsafe third country, in which there is no adequate level of protection for EU data, due to the far-reaching monitoring and access possibilities of the US intelligence services to EU data as well as the lack of effective legal protection options for the EU citizens concerned. Since the ECJ has thereby overturned the EU Commission’s adequacy decision on the EU-US Privacy Shield, the transfer of data to the USA requires a further special legal basis. In the case submitted to the DPA for decision, the website operator relied on the fact that it had concluded the so-called standard contractual clauses (SCC, i.e. a standardised data processing contract adopted by the EU Commission) with Google. However, the ECJ held in its “Schrems II” judgment that the legality of the data transfer to the US can be based on these Standard contractual clauses only if the parties take “additional measures” that are suitable for achieving a level of protection equivalent to that in the EU.
In its decision, the DPA stated in its ruling that the additional measures put forward by Google – such as the publication of transparency reports, the review of authority requests, “on-site security” and the use of encryption techniques – were not sufficient to ensure the effective protection of personal data transferred to the US in practice. The DPA stated that “the additional measures at issue are not effective, as they do not close the legal protection gaps identified in the context of the “Schrems II” ECJ judgment – i.e. the access and monitoring possibilities of US intelligence services”. In doing so, the DPA refers to the “Recommendations of the European Data Protection Board 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”.
The European Data Protection Supervisor (EDPS) has taken a similar decision in relation to the European Parliament’s use of Google Analytics in the context of the COVID test website operated on behalf of the EP.
3. Are there similar decisions on other third-party tools?
a) “Cookiebot” case
Following the complaint lodged by the university, the Hessian Administrative Court (VGH) has now annulled the interim injunction of the Wiesbaden Administrative Court on formal grounds (10 B 2486/21 of 17 January 2022). According to the VGH, the applicant had not sufficiently demonstrated the urgency of a decision in the interim injunction proceedings – in particular, the necessity of using the university’s website for his professional practice or other exercise of fundamental rights. Now the administrative court must decide again in a main proceeding.
b) “Google Fonts” case
Furthermore, a case decided by the Munich Regional Court (of 20 January 2022 – 3 O 17493/20) concerned the transmission of the dynamic IP address to Google servers in the USA when using the font service “Google Fonts”, which the plaintiff had not consented to. The court found that the dynamic IP address constitutes a personal data and that the disputed use of Google Fonts on a website cannot be based on an “overriding legitimate interest” of the website operator (Article 6(1) sentence 1 lit. f GDPR).
In fact, Google Fonts works in such a way that when a website that uses Google Fonts is accessed, a connection is established to Google’s servers to download the font. During this process, the browser of the website user inevitably transmits various information, including various browser and device data, and the IP address of the user. Since the servers with Google Fonts are located in the USA, personal data is transmitted to the USA through the integration of Google Fonts.
When deciding on the balancing of interests, the court justified its decision by stating that Google Fonts can also be used in such a way that no connection to a Google server is established when the website is called up and thus a transmission of the IP address of the website user to Google does not take place. What could be meant here is the local storage of the Google Fonts on the website operator’s web server and their use in “offline” mode. In this case, the required fonts are downloaded from the Google servers and stored locally on the website operator’s web server. The administration of the fonts is then possible as with any other local font. The IP address is then no longer transmitted to Google.
The court upheld the plaintiff’s claims for injunctive relief and damages.
4. What contracts must a website operator conclude with Google when using Google Analytics?
In its judgment of 15 September 2020 (3 O 762/19), the Regional Court of Rostock considers the conclusion of a Joint Controller Agreement (JCA) between Google and the Google Analytics user to be necessary within the meaning of Article 26 of the GDPR. The court justifies this judgment by stating that by integrating third-party cookies of Google Analytics, personal data can be transferred to Google and (also) processed by it for its own purposes. According to the court, this constitutes a case of joint responsibility under Article 26 of the GDPR and not mere commissioned data processing under Article 28 of the GDPR. The court granted the injunctive relief, which implies that in this case the essence of the agreement to be concluded between the joint data controllers (Google and) must be made available to website users.
The same conclusion, namely the existence of joint controllership of Google and the website operator using Google Analytics, is also reached by the German Data Protection Conference (German: DSK) in its “Notes on the use of Google Analytics in the non-public sector” from 2020. The so-called “Hamburg model” agreed between Google and the Hamburg data protection supervisory authority in 2009/2010 under the then EU Data Protection Directive, whereby Google was subject to a physically signed (!) agreement on commissioned data processing, is thus finally obsolete.
Website operators are often unable to form their own opinion about the legal pitfalls of complex data processing when using third-party tools such as Google Analytics without consulting legal advice. It has never been so difficult to analyse the use of one’s own website in a legally secure way.
Website operators using the convenient offers of the large US providers must question the technical set-up of their websites and check them for data protection risks. As a rule of thumb, one can currently only recommend processing personal data locally, i.e. on one’s own server, and operating the corresponding services there. The integration of third party-services and the associated data flow should be carefully examined – does the data really remain in the EU or the EEA? The decision of the Wiesbaden Administrative Court cited above shows that even if the data remains within the territory of the EU or the EEA, the possibility under company law of accessing these data from abroad (through influence by the parent company on the subsidiary) can also play a role.
Finally, the business models of the third-party providers are also affected. They have to question their software-as-a-service models that are common today, which often use the convenient offerings of the large US providers. At the same time, new market opportunities are opening up for smaller, independent European or even national cloud service providers.
However, knowledge of the current decision-making practice should help website operators and providers of analysis tools to get informed of certain problem points and to critically question one or the other setting of the respective tools.
Cover picture: Copyright © Adobe Stock / pickup