The latest such headline comes to us from Italy and exists in two flavours: “Italian data authorities declare Google Analytics illegal” and “Italian data authorities warn over Google Analytics.” Besides the fact that these are very different headlines yet refer to the same recent legal decision, only one of these headlines is correct. The second one: “Warns over.”
The more sensationalist headlines will also remark that other European countries (France, Austria) have found some aspects of Google Analytics — namely, data transfer from Europe to the U.S. — to be illegal. Again, depending on the clickbait level of the headline, you’d read something between “is illegal” and “warns over.”
The extremely abridged summary
A 2020 European judicial decision called “Schrems II” (after the activist who brought the case, Max Schrems) led to striking down Privacy Shield, the agreement passed between the EU and the U.S. to allow for transatlantic data transfers, guaranteeing the standards of the EU’s data privacy GDPR legislation are upheld.
Schrems II opened the door to various legal actions brought on by activist groups — usually against large targets like Google Analytics. GA is compliant within the letter of Privacy Shield. But, since Privacy Shield has been struck down, it is now no longer compliant with GDPR unless a site using GA also decides to configure their installation with tighter settings that deliberately do not collect various pieces of information (making the GA information less useful to the publisher but allowing for better compliance since there is more anonymity for the end user).
Put another way, GA “out of the box” is likely not compliant, but a properly managed GA is. (I have to disclaim, again, that I am taking huge shortcuts in setting all of this up — so take this description as your CliffsNotes here).
At the moment, there is only one possible outcome for this type of case being brought to a European data agency, which is to rule that using GA is likely not compliant (this is why “warned over” is the correct headline, and “is illegal” is not the correct headline). That is, GA, deployed in its “default” state, is not compliant. This is because the agreement that was giving it its compliance umbrella, Privacy Shield, is no longer in place. There is therefore nothing surprising about these activist cases finding the conclusion that they do.
But, and here’s the important thing: We’re talking about organisations using GA without using some of the more advanced features that put GA in line with current European data requirements.
One thing you’ll notice is that these cases are often brought against smaller Web sites — presumably with fairly plain-vanilla installations of Google Analytics. My perspective is this is very deliberate on the part of the folks bringing forth these cases.
The goal here isn’t really to disrupt Web site publishers. And if activist cases were being brought against larger publisher targets, the case actually wouldn’t be as useful. A larger target, risking heavier fines, would work hard at rejiggering (overwhelming use of technical terms here, hope you appreciate it) their install of Google Analytics to be compliant in the current state where we do not have a Privacy Shield agreement.
The publisher would certainly be unhappy since their data would essentially be amputated, but, well, they’d do it.
If you want to dig deeper: The path to making GA compliant with GDPR requires deliberate steps both in terms of consent collection and in how, and what, data is collected in the first place (anonymised on entry, essentially). This post explains this very well. And, if you want to dig into the more deeply legal angles, this Q&A from the law firm Hogan Lovells is also super helpful.
Privacy Shield II, Google Analytics (and the others): Where are we headed?
In March this year, the U.S. and the EU conveyed that they had landed on the principles of a Privacy Shield replacement — the details of which are still being hammered out. It’s taking a while (probably until the end of the year). Expect that any self-respecting privacy activist group would of course give a good kick to the tires of whatever agreement is proposed, and so, if you were U.S. and EU legislators, you’d make sure to leave no stone unturned on this one.
But still, there are two scenarios:
We get Privacy Shield II and activists find angles to bring to court. It will still take a few years between PS II and a new court case leading to invalidating it, so another few years with a Privacy Shield agreement. And then rinse, repeat.
We get Privacy Shield II, and it’s the world’s most perfect and final legislation. No one challenges it. It is accepted as the final law of the land for years to come.
This is not the most likely scenario because of the highly political nature of what the various parties involved may consider to be privacy, and for two reasons: legislators do not historically have a great technical command of the (admittedly) complex technical ramifications of what these laws actually govern, and gray areas are bound to continue to be created as our technical tools continue to evolve.
But anyway, my betting dollar would be on the first scenario in any event, which means: We should get used to reading fuzzy headlines that call this technical product or platform “illegal” and learn to not immediately worry that we have to replatform whatever technology.