German data protection authorities formulate strict requirements for the use of Google Analytics
The German Data Protection Conference (Datenschutzkonferenz, DSK), the joint body of the German data protection supervisory authorities, recently published new guidelines on the use of Google Analytics, which could spell trouble for website operators.
In the guidelines adopted on 12 May 2020, the supervisory authorities not only jointly reaffirm the view recently communicated by individual authorities that the use of Google Analytics in its default settings should generally only be permitted on the basis of informed, voluntary, active and prior consent of users.
Above all, the authorities also formulate specific design guidelines for implementing the requirements placed on such consent and its withdrawal. The authorities believe, for example, that it must be made clear to users that data is stored in the USA and that both Google and state authorities have access to this data.
The authorities also consider it necessary to use additional anonymisation measures by shortening the IP address despite consent.
The DSK also states that, in the opinion of the German authorities, the use of Google Analytics should not be classified as ‘processing by a processor on behalf of a controller’, but as joint controllership by Google and the individual website operator. Consequently, according to the DSK, a contract for processing by a processor on behalf of a controller (Article 28 GDPR) is not required (as is currently offered by Google as standard), but a contract on joint controllership (Article 26 GDPR).
We recommend that website operators who use Google Analytics carefully check whether their use of the tool meets the requirements formulated by the DSK. In particular, the conclusion of a contract on joint controllership (which as far as can be seen is currently not offered as standard by Google) is likely to prove to be a greater challenge in practice.
As is well known, if the requirements of the GDPR are not met, severe fines may be imposed which, depending on the size of the company, can quickly run into five or six figures even for minor infringements. It remains to be seen whether the requirements formulated by the DSK will also be established at EU level and withstand any judicial review by the European Court of Justice (ECJ). We assume, however, that the German data protection authorities have certainly considered enforcing the now explicitly formulated requirements in the meantime, if necessary by imposing penalties.
Any questions? Please contact: Daniel Rücker, Sebastian Dienst
Practice Group: Data Privacy, Digital Business