Google Analytics – cookies too hard to swallow

January 28, 2022

Cookies are often defined as “small blocks of data placed on the user’s computer or other device by the user’s web browser” (source: Wikipedia). We can categorise them according to several criteria: their function, their persistence in the web browser, or the party that places them.

Cookies cannot access the data stored in a device; however, they can collect data about online activities. For example, once we have selected the display language of a website, cookies will make sure that each time we visit that website its contents are presented in the initially selected language. In this case, the task of cookies is to help the website “recognize” the user upon the next visit; the website uses the data stored in a cookie and thus automatically obtains information on the user’s previous activities.

However, cookies have by far outgrown these simple technical purposes and are now massively used for statistical analyses, for marketing purposes and notably for targeted advertising, which is closely related to user profiling. The range of data collected by cookies has constantly expanded, and when the identification of single individuals became possible on the basis of the data thus collected, the use of cookies started raising serious concern from the aspect of personal data protection.

Case of the European Parliament

A recent decision of the European Data Protection Supervisor (“EDPS”) showed that even the bodies that enacted certain regulations are not immune to breaching them. At the beginning of January 2022, the EDPS established that the European Parliament subsite related to MPs’ corona testing is not in line with the GDPR.

In this particular case, the EDPS acted upon a complaint filed by noyb, an Austrian non-governmental organisation, and established several breaches. Among other things, it established that an illegal transfer of data to the US was carried out due to the use of Google Analytics, that the cookie notice was not clear, so that cookies were placed without valid consent, and that the notice on data processing was not in line with transparency requirements.

In this case, the EDPS issued a reprimand and ordered the European Parliament to eliminate the detected irregularities within a month.

The case of Google Analytics

One of Google’s popular services, Google Analytics, operates on the basis of cookie placement. If a website owner has activated Google Analytics, then when a user visits the website, analytical cookies are placed in the user’s browser and track the user’s browsing: which pages of the website were visited, which contents were lingered on and for how long, which contents were “clicked”, etc. Based on that, reports are generated that help website owners create content and adjust it to the taste and interests of visitors, usually for the purpose of promoting and selling goods and services.

But what happens if cookies collect users’ IP addresses and other data that enable a single user to be identified? And what if such data are transferred to a state where the website visitor whose data are transferred does not enjoy the right of protection from intelligence service surveillance?

At the end of December 2021, the Austrian Data Protection Authority, the Datenschutzbehörde (“DSB”), acted upon a noyb complaint and decided that the use of Google Analytics on the NetDoktor website was contrary to the 2020 decision of the European Court of Justice in the “Schrems II” case, which annulled the “Privacy Shield” mechanism for personal data transfer between the US and the EU.

The DSB took the position that the transfer of data from the EU, which occurs because the data are stored on Google’s servers in the US, is not legal because it does not ensure an adequate level of protection of such data. During the procedure, Google referred to the standard contractual clauses and to the technical and organisational measures applied as supplementary measures in terms of the “Schrems II” ruling. However, according to the DSB’s findings, measures such as barriers around data centres and basic encryption are not appropriate, as it is not evident to what extent they would actually prevent or limit possible access by US intelligence agencies to the stored data. The fact that the transferor and the recipient of data “regulated” their relations with regard to data transfer through standard contractual clauses is not sufficient in itself to make the transfer legal; the measures stipulated therein need to be applied so as to ensure substantial protection of the data from the detected risks.

This decision applies only to Austria and is not final at the moment, but it will be interesting to see further developments regarding the use of cookies. They will certainly follow, as noyb filed 101 complaints with the relevant supervisory authorities in the EU following the adoption of the “Schrems II” ruling, including the complaint against NetDoktor. The Dutch supervisory authority (Autoriteit Persoonsgegevens) has also recently announced a possible ban on the use of Google Analytics.

This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.