News

German data protection authorities formulate strict requirements for the use of Google Analytics

08.06.2020

The German Data Protection Conference (Datenschutzkonferenz, DSK), the joint body of the German data protection supervisory authorities, recently published new guidelines on the use of Google Analytics, which could spell trouble for website operators.

In the guidelines adopted on 12 May 2020, the supervisory authorities not only jointly reaffirm the view which has recently been communicated by individual authorities that the use of Google Analytics in default settings should generally only be permitted on the basis of informed, voluntary, active and prior consent of users.

Above all, the authorities also formulate specific design guidelines for implementing the requirements placed on such consent and its withdrawal. The authorities believe, for example, that it must be made clear to users that data is stored in the USA and that both Google and state authorities have access to this data.

The authorities also consider it necessary to use additional anonymisation measures by shortening the IP address despite consent.

The DSK also states that, in the opinion of the German authorities, the use of Google Analytics should not be classified as ‘processing by a processor on behalf of a controller’, but as joint controllership by Google and the individual website operator. Consequently, according to the DSK, a contract for processing by a processor on behalf of a controller (Article 28 GDPR) is not required (as is currently offered by Google as standard), but a contract on joint controllership (Article 26 GDPR).

We recommend that website operators who use Google Analytics carefully check whether their use of the tool meets the requirements formulated by the DSK. In particular, the conclusion of a contract on joint controllership (which as far as can be seen is currently not offered as standard by Google) is likely to prove to be a greater challenge in practice.

As is well-known, if the requirements of the GDPR are not met, severe fines may be imposed, which, depending on the size of the company, can quickly run into five or six figures even for minor infringements. It remains to be seen whether the requirements formulated by the DSK will also be established at EU level and withstand any judicial review by the European Court of Justice (ECJ). We assume, however, that the German data protection authorities have certainly considered pushing the implementation of the now explicitly formulated requirements in the meantime, if necessary by imposing penalties.

Additional links:

 

Contact

Daniel Rücker
Daniel Rücker+49 89 28628457
Sebastian Dienst
Sebastian Dienst+49 89 28628457

Data Privacy
Digital Business

Share

Show all

Insights

hands bridge with pulse
News

EU merger control: European Commission takes stricter action against submission of incorrect, incomplete and misleading information

02.05.2024
focus with pulse
News

Role of the DMA for app developers

30.04.2024
hand touching led wall screen
News

Data Compliance Governance

16.04.2024
compass with pulse
News

Data Act – Scope, Impact, Implementation

16.04.2024
telescopes with pulse
News

Digital Markets Act: European Commission opens investigations against Alphabet, Apple and Meta

28.03.2024
LED field Data Protection Litigation
News

Update on the Data Governance Act

12.03.2024
street view with pulse
News

European data protection authorities start coordinated investigation into right of access

11.03.2024
EU Flag with Pulse
News

Digital consumer protection: current case law and European legislation

04.03.2024
container storage port
News

Update Commercial 2024

01.03.2024