20220211 Data export after the Google Analytics decision

Data Export after the Google Analytics decision
How to ensure
Safe Data Export
After the Google
Analytics decision
11 February 2021

Legal game changers with a passion for
technology, media and IT
VLAIO Partner for Cybersecurity projects
Contributors to the “ICLG to Cybersecurity”
DPO-Trainer at Data Protection Institute
Guest lecturers at Universities across Belgium & regular authors
Legal Partner of leading associations in marketing, web building, e-commerce and IT
Member of the Board at Smart Cities Law Firms
Chairman IT & Data Protection Practice Group at Consulegis Law Network

Useful downloads
● 5 copies of our ICLG Cyber Security Guide
● The actual Google Analytics decision (in German)
● EDPB Guidelines on supplementary measures for data export (01/2020)
● EDPB Guidelines on what constitutes international data transfer (05/2021)
● EDPS Guidelines on data transfers to Russia, China and India
● Sirius Legal data export vendor assessment form
● Sirius Legal coordinated and split version(s) of new SCC’s
● Sirius Legal webinar recording on international data transfers

On our menu today
▪ What happened?
▪ What is data export?
▪ Why all the fuzz?
▪ Data export after Schrems II
A bit of
background
▪ Now, really, what happened?
▪ GA as the canary in the coal mine
▪ But Google must have an answer to this,
right?
▪ Lessons (to be) learned
The Google
Analytics bomb
▪ DTIA’s & Vendor Assessments
▪ Encryption and pseudonymisation
▪ Looking for “safer” alternatives
▪ Key takeaways from all of this
Practical
“how to” tools

What happened?
Austrian DSB decision 22/12/21

What happened?
Well, to cut the story short…
80% of European online businesses use Google Analytics
Cookie based web analytics tool
Creates unique ID that is tracked over time
Shares data with Google servers in the US
One Austrian user decided to be the smart guy
IP addresses and Google ID are PII
PII export outside EU without prior consent
PII export outside EU without proper data security
This impacts almost Every non-EU cloud service

A new and complex legal reality…
Or a witch hunt, according to some
7

“Data export”...?

MS O365,
Facebook, LinkedIn,
Mailchimp, Hotjar,
Cloudflare, Google,
Hubspot,...
The list is endless
Offshore call
centers
outside EU
(Cloud)
Server
hosting
outside EU
Any cross
border data
movement
outside
EU/EEA

Why all the fuzz?

Title Title
Until that day
(more or less) free flow
of data between EU and
US under Privacy Shield
“US can never offer
data privacy”
New Privacy Shield will
not come any time soon
Schrems II
terminated Privacy
Shield with
immediate effect
Reason?
US security laws
FISA
CLOUD Act
ECJ decision
on Schrems II
16 July 2020

Data export after Schrems II

Title Title
End of Privacy Shield is
not the end of EU-US
data flow
Compliance is your
responsibility
Not the cloud providers
Find a new and
appropriate legal
basis
In addition to that, always
case by case DTIA
Additional measures to
ensure data privacy
ECJ decision
on Schrems II
16 July 2020

Adequate country
Very short list…
Switzerland
UK + Islands
Canada
Israel
Japan
South Korea
New Zealand
Argentina
Uruguay
Faroër & Andorra
Appropriate
safeguards
SCC
BCR
+
Always DTIA and
additional measures
+
Careful with new SCC’s
Alternative legal
grounds
DIY contract
Opt-in
Contractual necessity
…
But really, don’t…
Legitimate interest?
Theoretically possible
But almost impossible
to justify
…
So really, don’t…

Looking for a practical
SCC template?

Now really, what happened?

Now really, what happened?
Google Analytics and the inevitable logic of GDPR
Most (all) cloud services require you to share PII
Many are not EU based ⇒ export data
Google offers EU servers, SCC and “additional measures”
Google Analytics allows for partially anonymised IP
Google does not allow you to add PII to GA accounts
But that was not sufficient
Google Analytics exports PII outside the EU
Without proper data privacy (FISA!)
Violation of GDPR by the website (no decision on Google)

Google Analytics as the canary in the
coal mine…

And many others...

Austrian DSK
Finds company in
breach for using
GA
Dutch AP warns on
it’s website the next
day that “GA may
no longer be legal”
Norwegian Datatilsynet
announces 2 ongoing cases
and advises to look for
alternative to Google
Analytics
German DSK
expert opinion on
FISA: “it’s broader
than we think”
EDPS fines
European
Parliament over
Google Analytics
and Stripe cookies
on website
German court decision
sanctions Google Fonts
(and by extension
Google Recaptcha,
Google Tag Manager, …
It’s not just the one
decision.
Since beginning of 2022,
here’s what happened…
City of Stockholm
says no to further
use of O365

It’s not just the one
decision.
And just yesterday this…

CNIL
Feb 2021
MS Azure
Bavaria
March 2021
Mailchimp
Hamburg
June 2021
Zoom “On demand”
Portugal
April 2021
Cloudflare
Germany
June 2021
Facebook company page
EU Commission
January 2022
“New Privacy
Shield not for
tomorrow”
And that just
confirms what we
already knew
2021 was no different
from 2022

But Google must have an
answer to this, right…?

“We ask people not to enter PII in
their Google Analytics account”
“You can partially anonymise IP
addresses in Google Analytics”
“We have never had a
Google Analytics access
request before”
“We have taken
supplementary measures,
as requested by Schrems II”
“The EU should replace the
Privacy Shield with a new privacy
shield (or we’re leaving…)”
What Google says

What Google said
earlier this week
“We are working to add additional
controls that will allow customers to
further customize the analytics data they
collect, thereby enabling them to
continue to use Google Analytics in a
manner that is consistent with their
compliance objectives”
No idea what that exactly means…
This does not say that Google Analytics
will be GDPR compliant in the near
future
Further anonymisation?
EU data residence?
Additional encryption possibilities?
When?
How?

In Google’s
defence

Microsoft
remains
vague
And Azure
(also MS)
remains a big
question
mark...

Amazon Web
Services
(AWS) does
not mention
any additional
safeguards in
place...

“We’re moving all EU citizen data
to EU servers exclusively”
“We will begin making changes
that allow for third party “zero
access” encryption on your data”
“We will no longer use GA
data for Google Ad
purposes”
“We will disable all non-
essential data sharing (cfr.
IP in Google Fonts”)
“The US should adapt it’s
surveillance laws to allow for proper
data privacy (or we’re leaving…)
What Google should
actually be saying

Lessons (to be) learned...

European
SME’s are
paying the
price
Google, FB,
e.g. are
playing high
stakes
gambling
It’s almost
impossible to
avoid data
transfers
through cloud
services
This problem
is not going
away by itself

Data Transfer Impact Assessments &
vendor assessment

So this is important?
Wait a moment while I write this down...
ALWAYS run a prior DTIA
Incorporate data residence and security
in Vendor assessment procedures
Also, run a full scale post factum DTIA
on current services without delay
If possible, choose EU based providers
Vendor assessments under GDPR

Destination country
political assessment
Prior behaviour of
local authorities
Data sensitivity
Purpose of the
processing
Economic sector
Duration and
volume of data
export
Number of
actors involved
Transmission
channels
Storage
location
Intended
onward
transfers
How to DTIA?
Contractual
safeguards
put in place?
TOM’s put in
place?
High Risk?
Additional
Safeguards
possible?
If not?
Alternative
options
If not?
Stop the
partnership

37

38

39

Looking for help?

Encryption & Pseudonymisation

Series of specific
examples of
sufficient TOM’s
Series of examples
of insufficient
TOM’s
EU based “zero access” encryption
“State of the art technology”
EU based “zero
access”
Pseudonimisation
(beware of re-ID risks
through different data
sets)
Supplier based
technology will never
suffice
“standard” measures
(staff training,
password protection,
2FA, … will never
suffice
Supplementary
measures?
EDPB guidelines 01/2020
Austrian DSK
+ others

A few useable encryption tools
(For what it’s worth)
Boxcryptor
EU based
Works seamlessly with Google
Workspace
Full end-to end encryption
Cryptomator
Full end-to-end encryption
Add-on to Google Drive, Dropbox,
ect…
Veracrypt
Third party alternative to MS’s
Bitlocker
Interesting extra features for
enhanced security (a.o.
steganography)
Bitlocker?
MS, so perhaps not the best solution…
Apple Filevault?
Same problem…

Looking for “safer” alternatives...

Alternatives to Google Analytics
(For what it’s worth)
Matomo
EU based
Privacy centric
€ 19/month - € 35/month for 30 sites and 30 users
Extensive options
Rather costly in full service
Used by governments, banks, …
Piwik Pro
EU based
Privacy centric
Free up to 10 sites and 500.000 PV/month
Extesive options
Same origin as Matomo
Simple Analytics
EU based
Like the name says… simple
€ 19/month entry level - € 59/month business
1 mio page views - 10 users
May not suffice for full commercial analytics
Plausible Analytics
EU based
€ 9/month basic up to € 49/month for 1 mio PV’s
Open source
Cookieless (but that is no guarantee for compliance)
May not suffice for full commercial analytics
Fathom
Canadian
But with “EU Isolation” feature
Guarantees data residency in EU
Rather complete options
€ 14/month - € 44/month for 50 sites and
500.000 PV’s

Alternatives to Mailchimp
(Again, for what it’s worth)
Flexmail
Belgian based
Privacy centric
Good Mailchimp alternative
Extensive options
ActiveCampaign (?)
Maybe…
US based
But with EU data processing guarantee
What else?
We’re still looking for any other reliable
alternatives, to be honest…
Emaillabs.io
(?)
EU based
But mainly focused on e-mail tracking
As far as we see not a full replacement for
Mailchimp

Alternatives to O365 en MS Teams
(Again, for what it’s worth)
Nextcloud
EU based
Open source (free)
Host-it-yourself solution
Cloud storage + office tools + comm tools
Cryptpad
French based
Full office productivity suite
End-to-end encryption
Crypt.ee
Document storage + editing
End-to-end encryption
O365 itself?
Compliance should theoretically be possible
With full ”zero access” encryption
Google
Workspace?
Already offers
Strong Google based encryption
EU server location and back-up
With additional “zero access” encryption, compliance seems possible
Third party encryption tool for Workspace: Boxcryptor

Key takeaways

Title Title
There is a major issue with
all data transfers outside
the EU, including yours
You should:
List
Assess
Document
Secure
or Replace
This is part of a
fundamentally different
view on privacy between
the EU and the US, China,
Russia, …
You are liable for all data
export by cloud services,
online tools, apps, … within
your organisation.
So get and stay in control!
Key takeaways
from all of this

Why?
Business
continuity
disturbance
Reputational
damage
Liability ico
data breach
High fines &
actual
enforcement

And if needed, we can help…

Want to know more?

Our recent work in data protection...

Any remaining questions?
www.siriuslegal.be
bart@siriuslegal.be
+32 486 901 931
+32 485 586 208
linkedin.com/company/sirius-legal-law-firm

20220211 Data export after the Google Analytics decision

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 20220211 Data export after the Google Analytics decision

Similar to 20220211 Data export after the Google Analytics decision (20)

More from Bart Van Den Brande

More from Bart Van Den Brande (20)

Recently uploaded

Recently uploaded (20)

20220211 Data export after the Google Analytics decision

Editor's Notes