The recent Austrian and French DPA decisions on the use of Google Analytics in light of GDPR compliance raise a lot of legal questions surrounding data transfers. We try to answer them in a clear and pragmatic way in this webinar.
20220211 Data export after the Google Analytics decision
1. Data Export after the Google Analytics decision
How to ensure safe data export after the Google Analytics decision
11 February 2021
2. Data Export after the Google Analytics decision
Legal game changers with a passion for technology, media and IT
VLAIO Partner for Cybersecurity projects
Contributors to the “ICLG to Cybersecurity”
DPO-Trainer at Data Protection Institute
Guest lecturers at Universities across Belgium & regular authors
Legal Partner of leading associations in marketing, web building, e-commerce and IT
Member of the Board at Smart Cities Law Firms
Chairman IT & Data Protection Practice Group at Consulegis Law Network
3. Data Export after the Google Analytics decision
Useful downloads
● 5 copies of our ICLG Cyber Security Guide
● The actual Google Analytics decision (in German)
● EDPB Guidelines on supplementary measures for data export (01/2020)
● EDPB Guidelines on what constitutes international data transfer (05/2021)
● EDPS Guidelines on data transfers to Russia, China and India
● Sirius Legal data export vendor assessment form
● Sirius Legal coordinated and split version(s) of the new SCCs
● Sirius Legal webinar recording on international data transfers
4. Data Export after the Google Analytics decision
On our menu today
A bit of background
▪ What happened?
▪ What is data export?
▪ Why all the fuss?
▪ Data export after Schrems II
The Google Analytics bomb
▪ Now, really, what happened?
▪ GA as the canary in the coal mine
▪ But Google must have an answer to this, right?
▪ Lessons (to be) learned
Practical “how to” tools
▪ DTIA’s & Vendor Assessments
▪ Encryption and pseudonymisation
▪ Looking for “safer” alternatives
▪ Key takeaways from all of this
5. Data Export after the Google Analytics decision
What happened?
Austrian DSB decision 22/12/21
6. Data Export after the Google Analytics decision
What happened?
Well, to cut the story short…
80% of European online businesses use Google Analytics
Cookie based web analytics tool
Creates unique ID that is tracked over time
Shares data with Google servers in the US
One Austrian user decided to be the smart guy
IP addresses and Google ID are PII
PII export outside EU without prior consent
PII export outside EU without proper data security
This impacts almost every non-EU cloud service
7. Data Export after the Google Analytics decision
A new and complex legal reality…
Or a witch hunt, according to some
9. Data Export after the Google Analytics decision
MS O365, Facebook, LinkedIn, Mailchimp, Hotjar, Cloudflare, Google, Hubspot, ... The list is endless
Offshore call centers outside EU
(Cloud) server hosting outside EU
Any cross-border data movement outside EU/EEA
11. Data Export after the Google Analytics decision
ECJ decision on Schrems II, 16 July 2020
Until that day: (more or less) free flow of data between EU and US under Privacy Shield
Schrems II terminated Privacy Shield with immediate effect
Reason? US security laws: FISA, CLOUD Act
“US can never offer data privacy”
New Privacy Shield will not come any time soon
12. Data Export after the Google Analytics decision
Data export after Schrems II
13. Data Export after the Google Analytics decision
ECJ decision on Schrems II, 16 July 2020
End of Privacy Shield is not the end of EU-US data flow
Compliance is your responsibility, not the cloud provider’s
Find a new and appropriate legal basis
In addition to that, always a case by case DTIA
Additional measures to ensure data privacy
14. Data Export after the Google Analytics decision
Adequate country
Very short list…
Switzerland
UK + Islands
Canada
Israel
Japan
South Korea
New Zealand
Argentina
Uruguay
Faroe Islands & Andorra
Appropriate safeguards
SCC
BCR
+ Always DTIA and additional measures
+ Careful with new SCCs
Alternative legal grounds
DIY contract
Opt-in
Contractual necessity
…
But really, don’t…
Legitimate interest?
Theoretically possible
But almost impossible to justify
…
So really, don’t…
15. Data Export after the Google Analytics decision
Looking for a practical SCC template?
16. Data Export after the Google Analytics decision
Now really, what happened?
17. Data Export after the Google Analytics decision
Now really, what happened?
Google Analytics and the inevitable logic of GDPR
Most (all) cloud services require you to share PII
Many are not EU based ⇒ export data
Google offers EU servers, SCC and “additional measures”
Google Analytics allows for partially anonymised IP
Google does not allow you to add PII to GA accounts
But that was not sufficient
Google Analytics exports PII outside the EU
Without proper data privacy (FISA!)
Violation of GDPR by the website (no decision on Google)
18. Data Export after the Google Analytics decision
Google Analytics as the canary in the coal mine…
20. Data Export after the Google Analytics decision
It’s not just the one decision. Since beginning of 2022, here’s what happened…
Austrian DSK finds company in breach for using GA
Dutch AP warns on its website the next day that “GA may no longer be legal”
Norwegian Datatilsynet announces 2 ongoing cases and advises to look for alternative to Google Analytics
German DSK expert opinion on FISA: “it’s broader than we think”
EDPS fines European Parliament over Google Analytics and Stripe cookies on website
German court decision sanctions Google Fonts (and by extension Google Recaptcha, Google Tag Manager, …)
City of Stockholm says no to further use of O365
21. Data Export after the Google Analytics decision
It’s not just the one decision.
And just yesterday this…
22. Data Export after the Google Analytics decision
CNIL, Feb 2021: MS Azure
Bavaria, March 2021: Mailchimp
Hamburg, June 2021: Zoom “On demand”
Portugal, April 2021: Cloudflare
Germany, June 2021: Facebook company page
EU Commission, January 2022: “New Privacy Shield not for tomorrow”
And that just confirms what we already knew: 2021 was no different from 2022
23. Data Export after the Google Analytics decision
But Google must have an answer to this, right…?
24. Data Export after the Google Analytics decision
What Google says
“We ask people not to enter PII in their Google Analytics account”
“You can partially anonymise IP addresses in Google Analytics”
“We have never had a Google Analytics access request before”
“We have taken supplementary measures, as requested by Schrems II”
“The EU should replace the Privacy Shield with a new privacy shield (or we’re leaving…)”
25. Data Export after the Google Analytics decision
What Google said earlier this week
“We are working to add additional controls that will allow customers to further customize the analytics data they collect, thereby enabling them to continue to use Google Analytics in a manner that is consistent with their compliance objectives”
No idea what that exactly means…
This does not say that Google Analytics will be GDPR compliant in the near future
Further anonymisation?
EU data residence?
Additional encryption possibilities?
When?
How?
27. Data Export after the Google Analytics decision
Microsoft remains vague
And Azure (also MS) remains a big question mark...
28. Data Export after the Google Analytics decision
Amazon Web Services (AWS) does not mention any additional safeguards in place...
29. Data Export after the Google Analytics decision
What Google should actually be saying
“We’re moving all EU citizen data to EU servers exclusively”
“We will begin making changes that allow for third party “zero access” encryption on your data”
“We will no longer use GA data for Google Ad purposes”
“We will disable all non-essential data sharing (cf. IP in Google Fonts)”
“The US should adapt its surveillance laws to allow for proper data privacy (or we’re leaving…)”
30. Data Export after the Google Analytics decision
Lessons (to be) learned...
31. Data Export after the Google Analytics decision
European SME’s are paying the price
Google, FB, etc. are playing high stakes gambling
It’s almost impossible to avoid data transfers through cloud services
This problem is not going away by itself
32. Data Export after the Google Analytics decision
Data Transfer Impact Assessments & vendor assessment
33. Data Export after the Google Analytics decision
Vendor assessments under GDPR
So this is important?
Wait a moment while I write this down...
ALWAYS run a prior DTIA
Incorporate data residence and security in vendor assessment procedures
Also, run a full scale post factum DTIA on current services without delay
If possible, choose EU based providers
36. Data Export after the Google Analytics decision
How to DTIA?
Destination country political assessment
Prior behaviour of local authorities
Data sensitivity
Purpose of the processing
Economic sector
Duration and volume of data export
Number of actors involved
Transmission channels
Storage location
Intended onward transfers
Contractual safeguards put in place?
TOM’s put in place?
High risk?
Additional safeguards possible?
If not? Alternative options
If not? Stop the partnership
41. Data Export after the Google Analytics decision
Encryption & Pseudonymisation
42. Data Export after the Google Analytics decision
Supplementary measures? EDPB guidelines 01/2020, Austrian DSK + others
Series of specific examples of sufficient TOM’s:
EU based “zero access” encryption
“State of the art technology”
EU based “zero access” pseudonymisation (beware of re-ID risks through different data sets)
Series of examples of insufficient TOM’s:
Supplier based technology will never suffice
“standard” measures (staff training, password protection, 2FA, …) will never suffice
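An added illustration (not part of the webinar slides) of two points above: what “partial IP anonymisation” as Google documents it actually removes, and why a pseudonym that is stable across data sets still allows re-identification by joining them, while per-data-set keys held in the EU do not. The sample visitor lists are constructed.

```python
import hashlib
import hmac
import ipaddress


def anonymise_ip(ip: str) -> str:
    """Truncate an address the way Google documents for anonymizeIp:
    IPv4 keeps the first 3 octets (last octet zeroed), IPv6 keeps the
    first 48 bits (last 80 bits zeroed). Note how much of the address
    survives: the user's ISP and rough location are still visible."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). The key is the 'zero access' part:
    whoever holds only the output cannot recover the input."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def linkable_records(set_a, set_b):
    """Pseudonyms present in both data sets; every hit is a record that a
    join between the two sets re-identifies."""
    return sorted(set(set_a) & set(set_b))


# Constructed sample data: overlapping users in analytics and in a CRM export.
VISITORS = ["alice@example.com", "bob@example.com"]
CRM_USERS = ["bob@example.com", "carol@example.com"]


def linkage_with_shared_key() -> int:
    """One key for both data sets: 'bob' links across them (the re-ID risk)."""
    key = b"constructed-shared-key"  # assumption: same key reused everywhere
    analytics = [pseudonymise(v, key) for v in VISITORS]
    crm = [pseudonymise(v, key) for v in CRM_USERS]
    return len(linkable_records(analytics, crm))


def linkage_with_separate_keys() -> int:
    """Distinct key per data set (both EU-held): the same user gets
    unrelated pseudonyms, so the join yields nothing."""
    analytics = [pseudonymise(v, b"constructed-analytics-key") for v in VISITORS]
    crm = [pseudonymise(v, b"constructed-crm-key") for v in CRM_USERS]
    return len(linkable_records(analytics, crm))
```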
43. Data Export after the Google Analytics decision
A few usable encryption tools
(For what it’s worth)
Boxcryptor
EU based
Works seamlessly with Google Workspace
Full end-to-end encryption
Cryptomator
Full end-to-end encryption
Add-on to Google Drive, Dropbox, etc.
Veracrypt
Third party alternative to MS’s Bitlocker
Interesting extra features for enhanced security (among others steganography)
Bitlocker?
MS, so perhaps not the best solution…
Apple Filevault?
Same problem…
44. Data Export after the Google Analytics decision
Looking for “safer” alternatives...
45. Data Export after the Google Analytics decision
Alternatives to Google Analytics
(For what it’s worth)
Matomo
EU based
Privacy centric
€ 19/month - € 35/month for 30 sites and 30 users
Extensive options
Rather costly in full service
Used by governments, banks, …
Piwik Pro
EU based
Privacy centric
Free up to 10 sites and 500,000 PV/month
Extensive options
Same origin as Matomo
Simple Analytics
EU based
Like the name says… simple
€ 19/month entry level - € 59/month business
1 million page views - 10 users
May not suffice for full commercial analytics
Plausible Analytics
EU based
€ 9/month basic up to € 49/month for 1 million PV’s
Open source
Cookieless (but that is no guarantee for compliance)
May not suffice for full commercial analytics
Fathom
Canadian
But with “EU Isolation” feature
Guarantees data residency in EU
Rather complete options
€ 14/month - € 44/month for 50 sites and 500,000 PV’s
46. Data Export after the Google Analytics decision
Alternatives to Mailchimp
(Again, for what it’s worth)
Flexmail
Belgian based
Privacy centric
Good Mailchimp alternative
Extensive options
ActiveCampaign (?)
Maybe…
US based
But with EU data processing guarantee
Emaillabs.io (?)
EU based
But mainly focused on e-mail tracking
As far as we see not a full replacement for Mailchimp
What else?
We’re still looking for any other reliable alternatives, to be honest…
47. Data Export after the Google Analytics decision
Alternatives to O365 and MS Teams
(Again, for what it’s worth)
Nextcloud
EU based
Open source (free)
Host-it-yourself solution
Cloud storage + office tools + comm tools
Cryptpad
French based
Full office productivity suite
End-to-end encryption
Crypt.ee
Document storage + editing
End-to-end encryption
O365 itself?
Compliance should theoretically be possible with full “zero access” encryption
Google Workspace?
Already offers strong Google based encryption, EU server location and back-up
With additional “zero access” encryption, compliance seems possible
Third party encryption tool for Workspace: Boxcryptor
49. Data Export after the Google Analytics decision
Key takeaways from all of this
There is a major issue with all data transfers outside the EU, including yours
You should: List, Assess, Document, Secure or Replace
This is part of a fundamentally different view on privacy between the EU and the US, China, Russia, …
You are liable for all data export by cloud services, online tools, apps, … within your organisation.
So get and stay in control!
50. Data Export after the Google Analytics decision
Why?
Business continuity disturbance
Reputational damage
Liability in case of data breach
High fines & actual enforcement
51. Data Export after the Google Analytics decision
And if needed, we can help…
54. Data Export after the Google Analytics decision
Our recent work in data protection...
55. Data Export after the Google Analytics decision
Any remaining questions?
www.siriuslegal.be
bart@siriuslegal.be
+32 486 901 931
+32 485 586 208
linkedin.com/company/sirius-legal-law-firm