A. Google Analytics
1. The decision
In its decision, the Austrian Data Protection Authority (DSB) determined that the integration of Google Analytics (in its old version) is illegal and incompatible with the General Data Protection Regulation (GDPR). The reason was the transfer of personal data by Google Analytics to Google LLC, based in the USA. According to the DSB, the standard contractual clauses (SCC) used by Google do not provide sufficient protection against access by US intelligence services due to the Foreign Intelligence Surveillance Act (FISA). The DSB's argumentation is thus based on the prominent "Schrems II" judgment, in which the European Court of Justice (ECJ), with similar argumentation, invalidated the transatlantic "Privacy Shield" and thus one of the most important bases for the transfer of customer data to the USA.
The Austrian decision on Google Analytics also raises questions about IP anonymisation. If this function is activated, the IP address is anonymised as soon as possible, as a rule before it is transferred to the USA. In that case, as a rule, no personal data is transferred to the USA any more. In the case assessed by the DSB, however, the function was not active due to a configuration error on the part of the user, and the DSB therefore did not answer the question of the extent to which IP anonymisation can be used as a way to operate Google Analytics in compliance with data protection. The question therefore remains controversial in practice, especially because in exceptional cases the IP address may be transmitted to the USA and the anonymisation only takes place on Google's servers.
Furthermore, it should be mentioned that other EU countries, such as the Netherlands or Norway, are already considering a ban on Google Analytics, so a ban in the EU does not seem impossible, at least.
- This is merely a non-appealable decision from Austria for an individual case there.
- It remains to be seen whether the authority's decision will become final or whether legal proceedings will follow.
- The decision initially only affects the old form of Google Analytics, where contracts were still concluded with Google LLC (USA) and not with Google Ireland as in the current form.
- It is therefore not yet possible to make a general statement that the integration of Google Analytics on websites in the EU is illegal.
2. Recommendations for action
- Check whether Google Analytics is really needed in your company or whether alternatives from the EU such as "eTracker" or "Matomo" come into question.
- If you have not already done so, conclude a Data Processing Agreement (DPA) under Article 28 GDPR (with the standard contractual clauses) and activate the IP anonymisation mentioned above.
B. Google Fonts
1. The verdict
In its final judgment on the dynamic use of Google Fonts, Munich Regional Court ordered a website operator to pay EUR 100 for transmitting a user's IP address to Google LLC, headquartered in the USA, via the font library without the user's consent. It also awarded the plaintiff injunctive relief. The problem with the use of the dynamic variant of Google Fonts is the establishment of a connection to Google and the associated transmission of the user's IP address. According to the court, this dynamic integration without the user's consent violates the GDPR, because the processing cannot be based on a legitimate interest within the meaning of Article 6(1)(f) GDPR as a justification for the transmission. The infringement leads to the plaintiff losing control over his personal data to Google, according to the ruling. In addition, the website operator could at least theoretically combine the collected data with other data and thus identify the person behind the IP address.
- The low amount of damages awarded of EUR 100 should not obscure the practical significance of the ruling, because for website operators, individual violations can quickly add up to considerable amounts.
- In addition, violations of the cease-and-desist order by retransmitting the same IP address may result in administrative fines of up to EUR 250.
- At present, it is not yet clear whether this case law will be extended in the future to comparable services such as MyFonts or Adobe Fonts and thus to all US services.
2. Recommendations for action
- Carefully check whether your company's website uses Google Fonts and how they are integrated (dynamic/static).
- To be on the legally safe side at the moment, operators should host relevant content such as webfonts, images and scripts on their own server and/or obtain consent from each user via a consent form in the style of the familiar cookie banner.
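One way to carry out the check in the first recommendation, as an added example that is not part of the original article: a Node.js function that scans page source for references to Google's font hosts, which is what marks a dynamic integration. The sample markup, the font file path and the base URL `site.example` are constructed for illustration.

```javascript
// Added example: find dynamically loaded Google Fonts in HTML/CSS source.
// fonts.googleapis.com serves the stylesheets, fonts.gstatic.com the font files.
const GOOGLE_FONT_HOSTS = new Set(["fonts.googleapis.com", "fonts.gstatic.com"]);

// The places in page source from which a font request can originate.
const REFERENCE_PATTERNS = [
  { kind: "link/script tag", re: /<(?:link|script)\b[^>]*?\b(?:href|src)\s*=\s*["']([^"']+)["']/gi },
  { kind: "css @import", re: /@import\s+(?:url\(\s*)?["']?([^"')\s;]+)/gi },
  { kind: "css url()", re: /url\(\s*["']?([^"')\s]+)["']?\s*\)/gi },
];

function hostOf(ref) {
  try {
    // Relative and protocol-relative (//host/path) references resolve
    // against a constructed base URL, so self-hosted files map to it.
    return new URL(ref, "https://site.example/").hostname.toLowerCase();
  } catch {
    return null; // not a parseable reference
  }
}

function findDynamicGoogleFonts(source) {
  const findings = [];
  const seen = new Set(); // one finding per URL, even if two patterns match it
  for (const { kind, re } of REFERENCE_PATTERNS) {
    for (const m of source.matchAll(re)) {
      const host = hostOf(m[1]);
      if (!GOOGLE_FONT_HOSTS.has(host) || seen.has(m[1])) continue;
      seen.add(m[1]);
      findings.push({ kind, host, url: m[1] });
    }
  }
  return findings;
}

// Constructed sample page: two dynamic stylesheets, one self-hosted font,
// one font file fetched directly from Google.
const SAMPLE_PAGE = `
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/assets/site.css">
<style>
  @import url("//fonts.googleapis.com/css?family=Lato");
  @font-face { font-family: "Inter"; src: url("/fonts/inter.woff2") format("woff2"); }
  @font-face { font-family: "Roboto"; src: url(https://fonts.gstatic.com/s/roboto/x.woff2); }
</style>`;

console.log(findDynamicGoogleFonts(SAMPLE_PAGE));
```

A static scan of this kind does not see requests that third-party scripts or tag managers inject at runtime, so confirm the result in the browser's network panel.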
C. Overall conclusion and outlook
- Both topics clearly show how great the legal uncertainty is that website operators are currently facing. Due to the sometimes considerable risks, the use of analytics tools in particular must be examined closely for compliance with data protection requirements and a balanced and comprehensive risk decision must be made.
- The first decisions on Google Analytics are also expected in Germany. The topics therefore remain highly topical and economically relevant.
Should you have any questions on this subject, please contact:
Robert Faußner, M.A.