Google Analytics has been de facto prohibited by the EU supervisory authorities since December 2021. In response to this, Google has announced several data protection improvements for the new Google Analytics 4 (GA4), which are to be implemented by the end of May 2022. The adjustments are described by Google under the point “EU-focused data and privacy”. In summary, the following privacy-related changes have been announced:
These measures are a step in the right direction, but completely useless for lifting the EU ban and the general obligation of consent. On closer inspection, both remain clear and unambiguous, for different reasons:
1. Ban on EU-US Data Transfer
According to the Patriot Act, Foreign Intelligence Surveillance Act (FISA) and Clarifying Lawful Overseas Use of Data Act (Cloud Act), US authorities have access to absolutely all data of US companies, even if it is stored in the EU. Therefore, storing the data in the EU does not solve the actual problem of guaranteeing the protection of the EU Data Protection Regulation for EU citizens.
2. Obligation of Consent under TTDSG: Cookies & Co.
The consent mode “analytics_storage” with the value “denied” can be used to prevent the setting of cookies, but then no conversion tracking takes place. In addition, the evaluation of the screen resolution must be deactivated, as this is also considered access to the end device and is subject to consent. However, it is uncertain whether this already prevents the recording. Therefore, even with the corresponding Consent Mode, access to the user’s end device, which requires consent, cannot be excluded.
A simple use of GA4 completely without cookies and thus without consent is still a long way off.
3. Obligation of Consent according to EU-GDPR
In order to ensure that the use of web analytics without consent can be justified by legitimate interest (EU-GDPR Art. 6 Para. 1 lit. f), at least the following conditions must be met:
In their Guidance on the use of Google Analytics, the supervisory authorities clearly state their position with regard to commissioned processing. It states:
“In the view of the data protection supervisory authorities, processing in connection with Google Analytics is not processing on behalf of third parties pursuant to Art. 28 GDPR.”
This means that when GA4 is used, the interests must always be weighed in favour of the data subjects, and its use therefore requires consent.
4. Deactivation of Google Signals
The automatic anonymisation of the IP address – only after geo-localisation! – should not obscure the fact that GA4 is only allowed to collect data after consent, because online identifiers and device data are still transmitted unencrypted. It is completely unclear at which level the deactivation of Google Signals takes effect and whether the linking with Google accounts and the creation of profiles across websites will be prevented.
In addition to the data protection issues, the considerable impairment of the functionality of GA4 through the deactivation of Google Signals should not be ignored.
Disabling Google Signals means:
Ultimately, the new measures are a step in the right direction from a data protection point of view. However, it is more than questionable whether the innovations are sufficient to lift the ban in the EU. According to experts, this could only happen at the end of this year at the earliest, if the new agreement on data transfers between the EU and the USA is in place. But so far, no final draft has been worked out.
Furthermore, despite the above functions, consent is still required to process data with GA4. Deactivation of Google Signals is not only accompanied by the loss of data, but also results in a loss of value of the remaining data, as many reporting functions are lost. At the same time, a considerable legal risk remains, as it is unclear at what level the deactivations take effect, because in the sense of the EU-GDPR all processing is decisive, not just the reporting.
Companies should therefore carefully consider whether it is worth switching from Universal Analytics to GA4 or whether it would be better to switch to an EU solution that is neither dependent on EU-US agreements nor on user consent.
This document does not constitute legal advice and cannot replace individual legal advice. We work closely with lawyers specialised in data protection and are happy to arrange direct contact for individual advice.