Google Analytics, Cookies and the transfer of personal data to the US – a dangerous combination?

Two decisions have recently resonated loudly:

• The Austrian supervisory authority (DSB). According to this decision, the use of Google Analytics on a website led to the transfer of personal data to Google LLC in the USA in violation of Chapter V of the RODO. The administrator of this website was banned from further use of Google Analytics;
• The European Data Protection Supervisor (EDPS). This authority reprimanded the European Parliament and required it to update its website concerning, among other things, the use of cookies operated by Google Analytics.

It appears that these are not the only decisions to be expected regarding the use of Google Analytics. Among others, the Dutch supervisory authority has already announced the settlement. There was published a guide on how to make Google Analytics more privacy-friendly. However, at the same time, the Dutch authority warned that the use of Google Analytics may soon be declared non-compliant.

So what happened that suddenly there was such an organized action against the administrators of sites that use the solution provided by Google?

Regulations governing the use of cookie mechanisms – which allow for “tracking” the behavior of Internet users visiting websites – have been in place in Polish law for 18 years. They can be found in the provisions of the Act of 2004. – Telecommunications Law – from the very beginning of its existence. This act in turn implements Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the so-called e-Privacy Directive). So what happened that at the turn of 2021 and 2022, after almost 20 years from the enactment of EU regulations, the subject of cookies is experiencing a renaissance and is so widely discussed again? There are several reasons for this.

The first of these was the overlap with the cookie regulations in addition to the data protection regulations.

The General Data Protection Regulation (GDPR) makes it clear that online identifiers (including cookie identifiers) can constitute personal data. Therefore, the principles applicable to the processing of personal data should be applied to them. At the same time, the case-law of the Court of Justice of the EU (CJEU) has confirmed (in Case C-673/17 Planet49) the principle of consent to the installation of cookies. Accordingly, if such consent is required, it should meet the requirements of the RODO. This means, among other things, that it must be specific and actively expressed (so it cannot be implicit).

The second important issue was the developments in recent years regarding the possibility of transferring personal data to countries outside the so-called European Economic Area (i.e. to so-called third countries).

According to the RODO, if these countries do not provide an adequate level of protection, then additional measures must be applied to make the transfer of personal data to such a country compliant. In this regard, on July 16, 2020. CJEU, in the so-called Schrems II ruling (C 311/18), ruled that the existing mechanism for data transfers to the US (Privacy Shield) does not provide an adequate level of protection, and the decision approving the mechanism should be revoked. Moreover, the court ruled that when also applying other mechanisms provided by law for data transfer, it should be examined whether the level of protection of personal data will be adequate and whether additional measures should not be applied. In practice, this means that you cannot arbitrarily send data to the US. Instead, an assessment must be made each time, among other things, whether the transfer will not result in access by US services.

The third action, which is in a way a result of the previous two, was initiated by the Austrian association NOYB headed by Max Schrems.

It sent 101 complaints to the supervisory authorities throughout the European Union concerning the use of cookies on many popular websites of entities from all over Europe. Among other things, these complaints have resulted in the current decisions of supervisory bodies.

Thus, the following conclusion emerges. It will not always be legal to use solutions on a website that require the use of cookies (or other similar mechanisms) and are provided by entities, e.g. from the USA, that may have access to data collected using cookies.

This position is confirmed not only by the decisions referred to at the outset but also by the statements of the supervisory authorities of some other EU countries concerning cookies, including:

• Spanish (AEPD),
• French (CNIL),
• Portuguese, and partially also Polish (PUODO).

The PUODO at the end of 2021 issued its decision that consent for cookies must be actively given. This decision is important for two reasons. Not only because it directly affects a website administrator from Poland. Also, it is the first one that explicitly questions the collection of consent for cookies using “appropriate settings of a web browser”. Until now, such practice has not been questioned by the Polish supervisory authority (nay, some websites of public administration bodies, e.g. Ministry of Digitalisation, use such mechanism).

On 21 January 2022, the Belgian supervisory authority (APD) also expressed its opinion on cookies. It stated, among others, that to use cookies, full information about the data processing required by the RODO should be made available.

It turns out that cookies combined with data transfer to the US are a rather dangerous mix. This may generate real risks for any website administrator using solutions provided by American companies, such as analytical tools (popular Google Analytics), payment solutions (Stripe), or even solutions for… collecting consent for cookies (Cookiebot, the use of which was recently investigated and questioned by a court in Germany).

So how to use tools such as Google Analytics? Is it even legal?

The cited decision of the Austrian supervisory authority or the EDPS was issued in specific cases and their detailed circumstances are decisive. Furthermore, it is of utmost importance that you, as a website administrator, can demonstrate that you have analyzed the legality of using the solution and the accompanying risks. Accordingly, you have made an informed decision, taking into account the interests of the data subjects whose data are processed through the solutions used on the site.

As part of this analysis:

• Check (yourself if you can, or have the person/company handling your website do it) what tools you use.
• Consider whether you need a given tool. I don’t encourage you to turn off Google Analytics right away. However, it is not the only tool working on similar principles, not everyone needs it in practice. Consider whether you need all the tools you have running on your website and turn off the ones you don’t use right away.
• Take a moment to examine what information a given tool collects and whether you need all of it. Some tools allow you to turn off collecting some unnecessary information or turn on collecting it in a purely anonymous or aggregated (collective) way. We recommend using this option if it is possible. Another option is to enable encryption of data collected through cookies. If this option is available in the tools provided to you, we encourage you to use it. This is another step towards increasing security and thus making the transfer of data acceptable.

Document the analysis performed and the measures are taken. Furthermore, if you decide that you want to use solutions that collect data with the help of cookies, also make sure that:

• Give the option to consent to cookies proactively. Don’t rely solely on the assumption that the user has knowingly set their web browser or device to accept all cookies. This requirement does not apply to cookies necessary for the very functioning of the website or the services provided with its help. As a rule, however, analytical or marketing cookies are not considered essential.
• In the banner for collecting consent for cookies, you have to make it equally easy to give or refuse consent. If consent requires one click on a clear, brightly colored button and refusal requires going through a series of choices on subsequent pages, refusal is not considered as easy as consent.
• By giving your consent inform the website user what types of cookies you use (e.g. analytical or marketing cookies). You have to provide additional information in case of data transfer to the USA. This way, before accepting cookies, the user will have a full picture of what is happening with his/her data.

These are not universal tips for compliance. Regulatory bodies emphasize the great importance of the analysis performed by the webmaster in a specific case. The use of cookies and all solutions that require the use of cookies is not easy. All the more so, taking into consideration the above guidelines and decisions cited. However, this does not mean that we can expect a “world without cookies”. However, one thing is certain – out of 101 complaints filed by NOYB, only the first ones have been resolved. In addition, on the horizon, we have an EU regulation that will comprehensively regulate the issue of cookies. Everything indicates that in 2022 we will hear about cookies more than once.

Do you want to be up-to-date? Subscribe to our newsletter!