22.02.2022
Latviešu Русский
Download Print
Other opportunities
Download Print

Can we use Google Analytics in future? 2/8/22

Legal Business Tax

The beginning of this year saw personal data experts discussing the news that the Austrian Data Protection Authority made a decision in December 2021 finding that the use of Google Analytics is contrary to the General Data Protection Regulation (GDPR). The French Data Protection Authority followed suit in February 2022. In this article we are modelling the effects of those decisions on people using the Google Analytics service across the EU, including Latvia.

What purposes Google Analytics is used for

Google Analytics is a service offered by Google and widely used by businesses that makes it possible to obtain data on user visits, so the app or website owners can analyse how people use their product, which sections are visited most frequently indicating more interest etc.

In providing this service, Google uses a set of cookies that in fact assign a unique identifier to each visitor. The European data regulators believe this contains personal data so they feel particularly cautious about Google’s practice of transferring this information to the US because the level of personal data protection there is much lower than the European standards.

Why the regulators decided so

The European Centre for Digital Rights (NOYB), with Max Schrems among its founders, has drawn up a number of complaints about inappropriate processing of personal data. Those have been filed in every EU/EEA member state against 101 European companies that transfer each visitor’s data to Google or Facebook. NOYB representatives believe that, given the Schrems II ruling passed by the Court of Justice of the European Union, personal data transfers to the US are not permissible because that data is not adequately protected.

Following the Schrems II ruling, there was a lot of talk about what safeguards should be put in place to cause personal data transfers outside the EU/EEA to be treated as adequately protected. The European Data Protection Board recommended necessary measures and new wordings were prepared for standard clauses, as well as other measures were taken and explanations offered that were supposed to help the companies transferring personal data outside the EU/EEA put adequate safeguards in place. However, NOYB believes that Google and Facebook are still breaching GDPR requirements, so there is no justification for the companies that, for instance, freely provide personal data to Google through the Google Analytics service.

The Austrian and French regulators analysed whether Google is able to adequately protect personal data obtained through Google Analytics during transfers to the US. Both regulators found that even despite the additional safeguards Google has put in place and standard clauses being used, personal data is not adequately protected so data transfers to the US have no justification. This in fact means that the companies using the Google Analytics service are in breach of GDPR requirements.

The implications

Since NOYB’s complaints have been filed in multiple EU member states, other regulators are expected to make decisions confirming similar findings soon. This is expected particularly because the French regulator worked with other European regulators before making his decision.

In all likelihood, Google will have to decide whether it can provide the same amount and quality of service in the case of Google Analytics processing anonymised or pseudonymised data. Perhaps Google will be able to put safeguards in place for this service that will allow Google to transfer personal data to the US with no worries.

Anyway, making decisions or putting additional safeguards in place is bound to take time, so companies should now begin assessing whether they should carry on using the Google Analytics service in its current format to avoid finding themselves in breach of GDPR requirements and facing fines. We also recommend that companies pay special attention to other types of personal data processing that may involve personal data going outside the EEA. This happens not only during the use of Google Analytics but also if a company, for instance, provides services to other group companies outside the EEA, or if the group companies use the same databases etc.

Share the article

If you have any comments on this article please email them to lv_mindlink@pwc.com

Ask question

Related articles

See all Flash News
08.02.2022

Why it is important to identify transfer of business 3/6/22
Legal Tax

Companies sometimes buy and sell property, plant and equipment, transfer liabilities, restructure their assets, and conduct other transactions necessary to improve their business. It is important to assess whether this gives rise to a transfer of business as a going concern (TOGC), which has specific implications for both the transferor and the acquirer.
25.01.2022

AML/CTPF officer and their duties 1/4/22
Free access Legal Tax AML

If a company finds it is governed by the Anti Money Laundering and Counter Terrorism and Proliferation Financing (AML/CTPF) Act, it has two priority steps to take: register as an entity subject to the Act after stating a type of activities governed by the Act, and appoint an officer responsible for ensuring compliance with the Act’s requirements under section 10. This appointment must be reported to the relevant supervisory authority such as the State Revenue Service or the Financial and Capital Markets Commission.
 
18.01.2022

Proposed changes to transparency of public limited companies 3/3/22
Legal Business Tax

In late 2021 the government debated and approved the Justice Ministry’s proposals for amending the Commerce Act. Although the amendments have yet to be endorsed by Parliament, they might come into force on 1 July 2023. The most important proposals relate to disclosure requirements for a public limited company’s shareholders.