The Data Protection Conference (DSK) has published “Guidance on the Use of Google Analytics in the Non-Public Sector”. This resolution supplements the “Guidance for Telemedia Service Providers from the Supervisory Authorities” also adopted by the DSK in March 2020.
The DSK consists of the independent data protection authorities of the federal government and the states. Its task is to uphold and protect fundamental data protection rights, to achieve a uniform application of European and national data protection law, and to jointly advocate for its further development.
What are the minimum requirements for using Google Analytics?
The DSK's “Guidance” outlines the minimum data protection requirements for the data protection-compliant use of Google Analytics.
This implies that a data controller failing to meet the DSK's requirements for Google Analytics implementation would likely face sanctions during an official audit. It should be noted, however, that the DSK's resolution is subject to a divergent interpretation by the European Data Protection Board and the ECJ. Conversely, there is no reference to the jurisprudence of the Federal Court of Justice (BGH).
Does joint controllership exist with Google?
The DSK holds that the deployment of Google Analytics does not constitute data processing by a processor, but rather joint controllership as defined by Art. 26 GDPR. The DSK substantiates this by asserting that a website operator utilizing Google Analytics does not unilaterally determine the purposes and means of data processing. Instead, Google, in part, exclusively possesses the decision-making authority concerning the data processing activities. Consequently, this scenario does not fall under a data processing agreement as per Art. 28 GDPR.
Consequently, in the DSK's view, any data processing agreement potentially concluded between the controller and Google is no longer applicable for the use of Google Analytics. It remains to be seen whether Google will provide a joint controllership agreement for its Google Analytics service.
Is the use of Google Analytics permissible only with prior active user consent?
Furthermore, the DSK states that Google Analytics can only be lawfully deployed under data protection law if there is active consent from the user (website visitor) in accordance with Art. 6 para. 1 p. 1 lit. a) GDPR.
According to the DSK, the use of Google Analytics generally cannot be based on Art. 6 para. 1 lit. b) GDPR, as its deployment is not necessary for the performance of a contract between the website operator and the user.
The DSK also generally considers the use of Google Analytics not to be lawful under Art. 6 para. 1 lit. f) GDPR, as data subjects do not reasonably expect their personal data to be transmitted to third parties and extensively evaluated for the purpose of creating personalized advertising and linking it with personal data obtained from other contexts.
Therefore, you should, at the very latest now, only deploy Google Analytics on your website or online shop if you do so based on the active consent of the visitor to the website or online shop.
Otherwise, you risk sanctions from the competent supervisory authority.
What are the minimum requirements for using Google Analytics?
According to the DSK, the following measures must be implemented for the legally permissible use of Google Analytics:
1. Obtaining informed, voluntary, active, and prior consent from users for the specific processing activity
Consent is only valid if the requirements under Art. 4 No. 11, Art. 7 GDPR, and possibly Art. 8 GDPR, are met.
2. Technical requirements for implementing the withdrawal of consent
When using Google Analytics, a simple and always accessible mechanism (e.g., a button) for withdrawing previously given user consent must always be implemented.
3. Transparency
Users must, in accordance with Art. 13 GDPR, comprehensively inform data subjects in their privacy policy about the processing of personal data within the scope of Google Analytics.
4. IP address anonymization
In addition to the aforementioned measures, Google Analytics users should ensure IP address anonymization through appropriate settings.
Conclusion:
In conclusion, while the DSK's resolution does not introduce substantial new content, the unified decision by all data protection authorities significantly increases the likelihood of facing sanctions from supervisory authorities if the DSK's requirements for Google Analytics implementation are not met.
GoldbergUllrich Attorneys at Law 2020
Attorney Michael Ullrich, LL.M. (Information Law)
Specialist Attorney for Information Technology Law
Update:
Following the ECJ's invalidation of the Privacy Shield Decision 2016/1250, the use of Google Analytics is currently unlikely to be legally permissible, irrespective of the aforementioned considerations.
