Google Analytics’ rulings put online brands on red alert

Online businesses are being warned to tighten up their privacy notices for Google Analytics – which transfers consumers’ personal data to the US for processing – following two GDPR rulings this week that have finally enforced the ban on such activity.

The issue dates back 18 months, when the European Court of Justice ruled that the Privacy Shield agreement to transfer personal data between the EU and the US was invalid.

The move, which affected nearly 5,400 businesses including Google, Facebook, Amazon, Experian, Acxiom, LinkedIn and Microsoft, followed a seven-year battle by Austrian lawyer and privacy activist Max Schrems, who had argued that the data transfer pact did not provide consumers with adequate protection from surveillance by US authorities.

Schrems’ privacy organisation, NOYB, has been pursuing many of these companies ever since, although enforcement action has been thin on the ground until this week, when the European Parliament was sanctioned for implementing Google Analytics cookies on a Covid-19 testing site.

Now, the Austrian data protection authority Österreichische Datenschutzbehörde has ruled that a German website has contravened GDPR because of its use of Google Analytics.

The data being sent to the US by health website netdoktor.at includes IP addresses and cookie identifiers, which could be combined with other data to identify individuals, according to the data protection authority.

The regulator ruled that Google had not implemented sufficiently strong measures to encrypt and anonymise the data collected through Analytics and transferred to the US to prevent such reidentification.

But there is a wider issue as Google’s use of pseudonymisation and encryption to protect personal data is similar to arrangements made by other US tech firms that transfer data to the States.

Max Schrems commented: “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options.

“This is a very detailed and sound decision. The bottom line is: Companies can’t use US cloud services in Europe anymore. It has now been 18 months since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”

NOYB has also made official complaints against more than 400 companies – including major brands – for using unlawful cookie banners to gain online consent; they are now facing GDPR investigations across Europe.

By law, users must be given a clear yes/no option on whether to accept tracking and analytical cookies when visiting a website.

However, NOYB insists most banners do not comply with the requirements of GDPR, so it has developed software that recognises various types of unlawful cookie banners and automatically generates complaints.

Amazon, Twitter, Google and Facebook, which rely heavily on the amount of data that they can acquire from visitors and were among those fingered by NOYB, have made no changes to their cookie banners. In response, NOYB says that it will file no less than 36 complaints about those websites.

Over the course of a year, NOYB claims it will use its software to ensure compliance of up to 10,000 of the most visited websites in Europe.
