Google Analytics is still the most popular website tool, to spy on the behavior of users.
A few days ago came the surprising admission from Google. Since then, it is indisputable that all data collected with Google Analytics on a website is always sent to the USA and processed there.
Why did Google admit this?
The trigger was a complaint that the Privacy organization noyb made against Google to the Austrian regulatory authority. The authority then asked Google more than 20 questions.
Google answered the questions often evasive, not rarely ignorant and incomplete. That Google for Google Analytics data the exclusive data storage in the USA proclaimed, is reasonably simple to explain. For this, I have to elaborate a little.
What is the legal situation?
Since the ECJ ruling on the Privacy Shield, also referred to as the "Schrems II" ruling, the USA is considered an unsafe third country. A transfer of personal data to the USA requires consent.
On websites, there is always a transfer of personal data because the user's network address, the IP address, is personal data according to the highest court decision.
The USA is considered an unsafe third country, because there are legal remedies that allow American authorities such as intelligence services to access data of American companies. If a company from America has stored its customer data from Germans, America can access it.
The legal remedies that legitimize intelligence agencies to secretly access data are, in particular, the FISA Act as well as the Executive Order EO12333. For both regulations, Google clarified in its response to the supervisory board that they only allow access to data stored outside of the U.S.
So Google's logic is: We store all data in the USA, so there can be no access due to FISA and EO12333. Therefore, the data is safe with us.
However, this is not true, but it is probably the best possible objection that Google can raise. Probably, the creativity of this statement by Google somehow correlates with the salaries of Google's lawyers. Nevertheless, Google has admitted what was already clear to many, but could not be proven.
Is the data safe in the USA?
The better question is whether data sent to and stored in the US by Google Analytics is safe.
Apparently, analytics data is created in Europe when a European opens a website that embeds Google Analytics. Google collects this data via a so-called Collector .
A collector is a server that is located in the geographical vicinity of the user and receives the data from the endpoint. The data is then sent to the USA.
This means that a worldwide Data Collection takes place. The NSA, as the U.S. intelligence agency, has the ability, based on FISA and EO12333, to conduct a so-called Upstream Collection. This involves tapping into a transatlantic cable through which data flows into the U.S. from elsewhere.
This is obviously without consent in itself first of all unlawful, one could remark ironically. Apart from that, data subjects would have to be informed about this, which probably does not take place. In addition, according to the GDPR, every data subject must have, among other things, a Right of objection. The NSA probably does not know this term either.
Consent requirement for Google Analytics
So, simply because of the global data collection and data transfers to the USA, consent for Google Analytics would have to be requested before the tool is loaded.
- The cookies are set and read by Google Analytics
- The values of the cookies are sent to Google servers
- The cookies are not technically necessary. Proof: Google Analytics can also be operated without cookies
- According to the BGH ruling of 28.05.2020 - I ZR 7/16 ("Planet49"), the TMG is to be interpreted in accordance with the ePrivacy Directive
Additionally, it may not be possible to conclude an effective GCU with Google because the subcontractors are distributed worldwide, because Google "may" only delete data after two months upon request, etc.
All of this is sufficient to assume a general consent requirement for Google Analytics , even if no cookies were to be used.
Google Analytics details
Anyone who has taken a look at Google's privacy notices and the Google Analytics contract is probably just as smart as before. The information provided by Google is so convoluted, spread across various documents, vague and ambiguous that it does not seem possible to provide transparent information.
However, according to Article 12 GDPR, there must be transparent, understandable information provided about data processing with Google Analytics.
Obtaining effective consent for Google Analytics seems difficultThese so-called cookie popups on websites are not only annoying, they are also mostly illegal in practice..
Without consent, in turn, Google Analytics could only be operated if cookies are waived. However, the data quality is then questionable because Google Analytics is not optimized for this kind of use.
Privacy-friendly analysis of website visitors is possible with tools like Trackboxx. Without cookies and without significant fingerprinting, there is no need for a consent request. The focus here is on ease of use, which is certainly not the case with Google Analytics. Anyone who has taken a look at the Google Analytics dashboard will not have understood everything even after hours.
I also think that we should prefer German providers and stop supplying data to Google free of charge as soon as possible.
Anyone who has ever had a support case or a general question for a corporation will know the feeling of not having received a proper answer. My experience is that domestic providers are much more customer-friendly and have internalized the service provider concept better.
Über den Autor:
Dr. Klaus Meffert ist Diplom-Informatiker und Geschäftsführer der IT Logic GmbH. Er veröffentlicht als Dr. DSGVO regelmäßig Beiträge zum digitalen Datenschutz und betrachtet dabei technische und rechtliche Aspekte gleichermaßen.