In January, the Austrian data protection authority (DPA) ruled that sites can’t use Google Analytics if the service shuttles data back to US servers. Which Google does.
The French DPA, called the CNIL, released its own judgement last week agreeing with the Austrian DPA. One decision in Austria might be considered an outlier. But with the French CNIL – the bellwether of European data regulators – backing up Austria’s ruling, this is starting to look like a consensus among European DPAs and a full-on siege of Google Analytics.
The Belgian DPA, meanwhile, ruled last week that IAB Europe’s Transparency & Consent Framework (TCF), the online advertising industry’s mechanism for conveying a person’s consent status to use data for advertising, is illegal under GDPR. The DPA gave IAB Europe six months to rework the framework so that the IDs can be audited.
IAB Europe has appealed another part of the ruling classifying it as a data controller for the TCF, which would effectively make the trade group legally responsible for how any publisher or ad tech company uses the framework to target ads.
If the ruling stands, IAB Europe would face a huge increase in costs and legal liability.
Google Analytics under fire
Google Analytics and other web infrastructure services collect data, namely IP addresses, that are considered personal information in the EU.
But the problem in this case isn’t GDPR, because the data isn’t being used for targeting ads, at least per the allegation. The issue, rather, is that the data of European citizens could be transferred to American systems – and that’s not okay as a result of the Schrems II ruling.
The Schrems II suit was against Facebook, but not anything to do with Cambridge Analytica or other ad targeting issues. Facebook lost the case because of Edward Snowden’s NSA leaks, which revealed that the US government collects user-level information from internet services. Individuals have no idea if and when their data is collected and have no legal redress regardless.
Although someone browsing an Austrian news site may not fall under NSA surveillance, in theory, it could happen – and that means the data can’t be transferred at all, even if it’s innocuous and collected legally under GDPR.
None of Your Business, Schrems’s advocacy group, brought both of the cases against Google Analytics decided by the Austrian and French DPAs. Schrems has parallel suits in practically every European country – so more dominos are likely to fall.
There’s clearly a “coordinated effort” by regulators to settle on an interpretation of the law, rather than have a hodgepodge of different inter-EU standards, said Wayne Matus, co-founder and general counsel of SafeGuard Privacy, a data privacy compliance startup.
The most straightforward solution for Google Analytics is to localize data in Europe, Matus said.
But that’s not the only consideration. If Alphabet localizes in response to DPA rulings it could set a tough new precedent, since Google might be able to derive greater economic benefits from globally consolidating data. There may also be technical difficulties that prevent setting up local data systems.
Even if Google Analytics kept data in Europe, however, there’s still a Microsoft case from 2018 to contend with, when the company was ordered via FBI warrant to hand over email data stored in Ireland, Matus said. The lower courts disagreed, and by the time the case was argued before the Supreme Court, President Trump had signed a new law granting investigators powers to compel such extraterritorial data. The previous decision – which favored Microsoft – was rendered moot.
In other words, even if Google Analytics set up local data services that never transferred to the US, the data could still be compelled by warrant.
Matus said Google would still have options, like establishing an independent business in Europe that couldn’t be compelled by the FBI – that trick only works on US companies.
A likelier solution is geopolitical. The problem could be resolved by a new US and EU data-sharing agreement. (The previous two, Safe Harbor and Privacy Shield, were both overturned in cases brought by Schrems.)
Consent on the ropes…
