Several European regulators have ruled that Google’s Universal Analytics is not acceptable when it comes to transferring personal data to the United States. There are two main bottlenecks. It is still unclear if the new Google Analytics 4 offers a solution to this.
Much has already been written about the decisions of the various European regulators regarding Google Analytics. In specific cases, they found use of the web analytics tool illegal because personal data is transferred to the United States. An interesting caveat to these rulings is that they specifically target Universal Analytics. Both the free and the paid version are due to give way to the successor, Google Analytics 4 (GA4), in July and October 2023 respectively. A frequently asked question right now is whether GA4 will offer the solution to problems with data transfer to the United States. A complete overview of all developments around Google Analytics can be found on the Google Analytics Folder Page of DDMA.
Why is this important to you?
GA4 is the successor of the most widely used web analytics tool in the world. So there is a good chance that your organization uses this tool for analyses to improve business operations. Google has already signaled that Universal Analytics will eventually no longer be supported.
For example, from July 1, 2023, new hits will no longer be measured on websites. Many organizations are therefore busy testing Google Analytics 4 (often alongside Universal Analytics) in order to eventually migrate analytics activities entirely to Google Analytics 4. If your organization also moves on to the new variant of Google Analytics, you can’t ignore this legal issue.
Bottleneck 1: traceability of personal data
To answer the question of whether GA4 can provide a solution to the problem of data transfer, it is necessary to look at the judgments of the various European regulators. From these we can deduce the common bottlenecks that GA4 may need to address.
- One of the most important points: despite the technical measures taken in Universal Analytics (such as Anonymize IP), the data transferred outside of Europe is still personal data.
Universal Analytics links analytics data to a Client ID (a pseudonymous identifier) in order to obtain information in combination with other parameters. According to regulators, it is theoretically possible that all of this combined data could be traced back to an individual person. The fact that Google says it will never do this based on its policy and agreements does not change that for regulators.
4 new features have been added to Google Analytics to ensure that 1) personal data (IP addresses) is only processed in Europe, and 2) data transferred to the United States is not personal data. Transfers require personal data to be adequately protected and Google believes this is guaranteed. Technically, this translates into the following features:
- Individual IP addresses are no longer recorded or stored. Using a technique called IP-Geo Lookup, a location is derived based on metadata down to the city level.
- This IP Geo Lookup takes place on servers in Europe, after which this data is transmitted to analysis servers (including in the USA).
- Additionally, Anonymize IP (the feature that hashes IP addresses) is enabled by default and cannot be disabled, whereas it was optional with Universal Analytics.
GA4 also offers a number of privacy-friendly changes (such as shorter storage periods for cookies), but these do not directly affect the transfer problem.
Bottleneck 2: access by intelligence services
- Second bottleneck: the contractual and organizational measures taken do not (sufficiently) limit possible access by the intelligence services.
The European Court established in the Schrems-II judgment that European citizens have no enforceable rights when a US intelligence agency accesses personal data. This means that a transfer without additional measures violates the General Data Protection Regulation (GDPR). In the case of Universal Analytics, regulators argue that the additional measures used (contractual agreements and organizational measures) are not effective, as they do not limit the legal powers of US intelligence services to request personal data.
This problem is difficult for Google to solve on its own. The solution seems to require an adjustment of the legal framework in the United States, which will have to be decided at the political level. But if it can be completely ruled out that personal data is transmitted, this bottleneck will disappear.
Is GA4 the solution?
The key question now is whether Google was able to resolve the above points with GA4 and thus allow its analytics tool to be used in accordance with the GDPR. At the moment, it is still too early to say that the modified features ensure that GA4 is the solution to the transfer problem. The question that remains open is whether the (combined) data that is ultimately transmitted to the analysis servers in the USA should not still be considered personal data.
In addition, discussions are also underway to find out whether the mere storage of personal data on European servers is sufficient to limit access. It is unclear whether US authorities may be able to request access to personal data on European servers under the CLOUD Act in the event of an investigation.
Google is therefore taking a step in the right direction, but it remains to be seen what the opinion of European supervisors will be on GA4. We won’t know until complaints are filed and regulators investigate. On the other hand, this also means that so far it has not been said that the use of GA4 is by definition contrary to the GDPR. In any case, make sure you stay informed of all legal developments, for example via the DDMA Legal Newsletter, for which you can register. Are you a member of DDMA with a legal question? Send an email to [email protected].