Google’s recent announcement that it’s winding down Universal Analytics in favour of Google Analytics 4 follows whirlwind decisions, rulings, and complaints at EU level. The outcome of major decisions made by the French and Austrian data protection authorities, along with other European regulators, was that use of the previous version of Google Analytics was deemed to involve an unlawful transfer of personal data from the EU to the US.
So, what changes and effects will this new version have on website operators’ ability to use Google Analytics? Will it, as hoped, ultimately lower the risk of fines like those recently issued in France and Austria?
Why the update was needed
With all the decisions and discussions surrounding Google Analytics, it’s important to know how the issues arose. So, before we dive into the latest version, GA4, here’s some background information to explain what led us here.
The European Court of Justice’s landmark Schrems II decision of 2020 invalidated the Privacy Shield data sharing agreement. This meant it was no longer a valid mechanism for transferring personal data to the United States from the EU. This resulted in Standard Contractual Clauses, supplementary measures and transfer impact assessments being introduced and implemented for EU-US transfers of personal data.
Following these complaints, the French and Austrian DPAs ruled that the transfer of EU personal data from the EU to the US through the use of the Google Analytics cookie is unlawful. However, both these complaints related to single website operators, so the DPAs looked in detail at how each operator had individually configured and used Google Analytics.
Personal data or not?
The Austrian regulator, the DSB, addressed the issue of whether the data transferred from the website operator to Google through Google Analytics constituted personal data under Article 4(1) of the GDPR. In particular, the DSB highlighted that the following four items were sufficient to identify a data subject:
- Unique online identifiers that identify both the user’s browser or device and the first respondent (through the first respondent’s Google Analytics account ID as website operator)
- The address and HTML title of the website and the subpages visited by the user
- Information on the browser, operating system, screen resolution, language selection, date and time of the website visit
- IP address.
In the Austrian case, such data was transferred from the website operator to Google through Google Analytics. The DSB concluded that such data was sufficient to identify the data subject, and therefore it was considered personal data under GDPR.
Google Analytics 4: What’s new?
Following the debate around Google Analytics, Google introduced GA4 as an attempt to mitigate the issues at hand. GA4 will no longer store IP addresses, thereby limiting the data transferred to the US. IP addresses have been anonymised in Google Analytics 4 since it launched. With this new announcement, Google is removing IP addresses altogether. In the Austrian decision in particular, the website operator failed to properly implement the IP anonymisation controls available. This indicates that EU data protection authorities would look favourably on the removal of any logging of IP addresses.
Additionally, GA4 will offer country-level controls that allow for customised use according to local and state-level regulations. It will allow users to minimise the collection of user-level data such as cookies and metadata.
However, there’s debate about whether removing the IP address is a sufficient solution. This removal may not satisfy the concerns of European data protection authorities. Personal data may still be transferred to Google even without the storage of IP addresses.
What should my organisation do?
Companies should consider making the transition to Google Analytics 4 and ensure they configure it correctly to collect the minimum of personal data in compliance with GDPR. Companies should also perform Transfer Impact Assessments and Data Protection Impact Assessments when using new systems and when assessing their transfers of personal data. If they don’t have the in-house resources to carry out these assessments, they should engage a reputable independent consultancy to help them. The removal of IP addresses is not yet a confirmed solution for ensuring that the data transferred to the US is no longer considered personal data.
However, using Google Analytics 4 and the advent of the Trans-Atlantic Data Privacy Framework in 2022 should lead to less risk of fines from Data Protection Authorities for companies who migrate to the new platform.