Briefing

What is it?

On January 13th the Austrian Data Protection Authority (DPA) published its ruling that the medical news publisher NetDoktor was in breach of GDPR on the grounds that personal data had been transferred via Google Analytics to the US.

The data sent includes IP addresses, cookie identifiers and browser parameters that could be combined with other data to identify an individual. However, collecting this type of data isn’t automatically a breach of GDPR when explicit consent has been granted.

The ruling says that sending it to Google is a breach of GDPR because US communications service providers cannot adequately protect EU data from US intelligence services.

Why is it important?

Google Analytics relies on this type of data for much of its functionality to provide meaningful analytics.

Although this decision is in relation to Google Analytics only,  its impact should not be underestimated. The argument put forward by the DPA could be applied to any other US communications company receiving data from EU citizens. 

The UK is subject to the UK GDPR, which is the equivalent of the EU GDPR. However, the UK ICO (Information Commissioner’s Office) has not yet commented on the Austrian ruling. It’s not unlikely that the ICO and other DPAs within the EU will have different opinions on the Austrian DPAs ruling.

These landmark cases will put pressure on negotiators in the US and Europe who are trying to replace Privacy Shield with a new way for data to flow between the two.

The first likely outcome is that the US will need to introduce protections for foreign data in order to protect the interests of their tech industry.

A second possible outcome is that US tech providers like Google will be forced to host foreign data outside of the United States.

What to do next?

• We recommend continuing to periodically review the compliance of your marketing technology and your use of customer data.
• You should be implementing Google Analytics 4 (GA4) at the earliest opportunity to help mitigate loss of data from non-consenting users.
• Ensure that your Google Analytics tracking is following best practice for compliance. For example, ensure explicit consent is granted before cookies are set, enable IP anonymisation unless explicit consent is granted, disable advertising features unless consent is granted, and make use of Google’s consent mode.
• If you need help understanding this, want an audit on your compliance, or wish to migrate to GA4 then please get in touch.