Several European regulators have ruled that Google’s Universal Analytics cannot accept personal data when transferred to the United States. There are two main obstacles. It is not yet clear whether the new Google Analytics 4 will provide a solution for this.
A lot has already been written about the decisions of various European regulators about Google Analytics. In certain cases, web analyticsTool The transfer of personal data to the United States is illegal. An interesting caveat to these results is that they are specifically aimed at Universal Analytics. Both the free version and the paid version should make way for the successor: Google Analytics 4 (GA4) in July and October 2023 respectively. A frequently asked question at the moment is whether GA4 will provide a solution to the issues surrounding data transfer to the US. Here you can find a complete overview of all the developments related to Google Analytics Google Analytics documentation page From DDMA.
Why is this important to you?
It is the successor to the more widely used web analyticsTool In this world. So there is a good chance that analytics can be done in your organization with this tool to improve business operations. Google has already announced that Universal Analytics will no longer be supported.
For example, starting July 1, 2023, new hits will not be measured across websites. So many companies are busy testing Google Analytics 4 (often simultaneously using Universal Analytics) so that they can fully migrate analytics functions to Google Analytics 4. If your company is also regularly using the new Google Analytics variant, you can’t ignore it. This is a legal issue.
Hurdle 1: Discovery of personal data
To answer the question of whether GA4 can provide a solution to the data transfer problem, we need to look at the judgment of various European regulators. From this we can find out which joint constraints GA4 has to deal with.
- One of the most important points: despite the technical measures taken in Universal Analytics (such as anonymized IP), it concerns personal data transferred outside of Europe.
Universal Analytics associates analytics data with a client ID (pseud Identifier) in combination with other parameters to gain insight. According to regulators, theoretically all of this data can be combined and traced back to an individual. Google says they would never do this based on their policy and contracts, but it didn’t hurt the regulators.
Four new functions have been added to Google Analytics to ensure that 1) personal data (IP addresses) are only processed in Europe, and 2) data transferred to the US is not personal data. Transfers require personal data to be adequately protected and Google believes that this is ensured. Technically, this is reflected in the following functions:
- Individual IP addresses are no longer logged or stored. A location is derived based on city-level metadata using a technique called IP-Geo Lookup.
- This IP Geo search takes place on servers in Europe, after which this data is sent to analysis servers (including the US).
- In addition, IP anonymization (the function of hashing IP addresses) is enabled by default and cannot be turned off, which is optional with Universal Analytics.
GA4 also contains several privacy-friendly changes (such as shorter storage periods for cookies), but these do not directly affect the transferability issue.
Barrier 2: Access to intelligence services
- A second obstacle: the contractual and institutional measures taken do not (adequately) limit the potential access of intelligence services.
In the Schrems-II ruling, the European Court of Justice established that European citizens have no enforceable rights when US spy agencies access personal data. Transfer without additional measures is a violation of the General Data Protection Regulation (GDPR). In the case of Universal Analytics, regulators argue that the additional measures used (contractual agreements and corporate actions) are ineffective because they cannot limit the legal powers of US intelligence services to request personal data.
This problem is difficult to solve with Google. The solution to this seems to be to fix the legal framework in the US, which needs to be decided at the political level. But when it is possible to completely deny that personal data has been sent, this obstacle disappears.
Is GA 4 the solution?
The key question now is whether Google has been able to address the above points with GA4 and improve the use of its analytics capabilities.Tool In line with GDPR. It is currently too early to say that the modified functions ensure that GA4 is the solution to the transmission problem. An open question is whether (aggregated) data sent to analytics servers in the US should still be considered personal data.
In addition, there is debate over whether storing personal data on European servers is sufficient to restrict access. At the time of the investigation it was unclear whether US authorities could request access to personal data on European servers under the CLOUD Act.
So Google is taking a step in the right direction, but it remains to be seen what the European supervisors’ view is on GA4. We only find out when complaints are submitted and regulators investigate. On the other hand, it also means that the use of GA4 is not said to be against the GDPR until then. However, please ensure that you keep abreast of all legal developments, for example via the DDMA Legal Newsletter, where you Here You can register. Are you a member of DDMA and have a legal question? Send an email to [email protected]
“Introvert. Communicator. Tv fanatic. Typical coffee advocate. Proud music maven. Infuriatingly humble student.”