On 12.05.2020, the German Data Protection Conference (Datenschutzkonferenz/DSK) issued guidelines regarding the use of Google Analytics in the non-public sector (‘the Guidelines’).
Google Analytics is one of the most popular tools used by website operators, as it offers numerous insights on how many users visit and search their website.
In its Guidelines, the DSK points out several issues related to the data processed through Google Analytics and lays down further requirements for its use.
The most significant remarks of the DSK’s Guidelines can be outlined as follows:
– Interpretation of the “personal data” definition
Article 4(1) of the GDPR sets the criteria for the identification of a person by defining the term “personal data”. Google states on its Google Analytics homepages that the usage data it collects do not qualify as “personal data”, in the sense that they do not allow the identification of persons. However, the DSK argued that Google’s position creates ambiguity and points out that the collection of such usage data should fall within the scope of Article 4(1) of the GDPR.
As a result, the DSK asserts that the use of Google Analytics should be permitted only if users have given prior consent to Google Analytics cookies being placed on their devices. It also endorses the application of additional anonymization measures such as IP address shortening.
– Joint responsibility of Google Analytics and website operators
According to Article 4(7) and (8) of the GDPR, the controller, alone or jointly with others, determines the purposes and means of the processing of personal data, whereas the processor processes data exclusively within the framework defined by the controller.
Pursuant to these articles, the DSK argued that Google is not acting on the website operator’s instructions as far as the purposes and means of data processing are concerned, but instead determines the purposes of the processing exclusively itself.
Moreover, even though Google provides a contract for data processing, it additionally states in its “Google Measurement Controller-Controller Data Terms” that Google and the user/website operator are separately responsible for certain data processing operations.
Based on the above information, the DSK concludes that the contractual framework governing the relationship between Google and website operators should not be considered “processing by a processor on behalf of a controller” as stipulated in Article 28 of the GDPR, but a joint controllership where “two or more controllers jointly determine the purposes and means of processing” (Article 26 of the GDPR).
Apart from the above, a possible implication linked to the DSK’s Guidelines on the contractual relationship between Google Analytics and website operators stems from the ECJ’s decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited & Maximilian Schrems (Schrems II), where the EU-US Privacy Shield was declared invalid. As a result, any future data exports from the EU to the US will be possible only if both the data exporter and the data importer have entered into the EU’s “Standard Contractual Clauses” (SCCs).
In Google’s case, this implies that each website operator using Google Analytics will have to enter into SCCs with Google. Even though Google provides contractual clauses within the context of its data processing agreements, these are only addressed to data processors. However, in the DSK’s opinion, Google should be considered a “controller”, which means that these contracts would lack legal standing. Consequently, the invalidity of such contracts will possibly create the need for a new type of contractual agreement governing the relationship between two data controllers.
Overall, it remains to be seen whether the requirements set by the DSK will have an impact on the Data Protection Authorities of other EU Member States and on any forthcoming GDPR-related rulings of the judicial authorities of the European Court of Justice (ECJ).
The editorial team