An interim decision by Austria’s data regulator against Google Analytics may affect the ability of the search engine’s tool to be used in European countries that follow the EU’s General Data Protection Regulation (GDPR).
However, a Canadian privacy lawyer says the ruling is also a warning to companies here about the consent they need before gathering tracking data of visitors to their websites.
According to Wired, the controversy involves a just-published December interim decision by Austria’s data regulator that Google Analytics breached the GDPR because website visitor data collected by a Google Analytics cookie is sent to the U.S. for processing. Under the GDPR, personally-identifiable data sent outside the EU must have data protection. But since the EU struck down the Privacy Shield agreement with the U.S. in 2020, no such legal protection exists.
According to Google, the Austrian regulator ruled that a local web publisher’s implementation of Google Analytics didn’t provide an adequate level of protection, on the grounds that U.S. national security agencies have a theoretical ability to access user data.
The EU takes privacy seriously. In fact, according to Wired, the European Data Protection Supervisor ruled the European Parliament’s Covid-19 testing website had also breached GDPR by using cookies from Google Analytics and Stripe.
This week Kent Walker, president of global affairs and chief legal officer of Google and its parent company, Alphabet, said in a blog that the U.S. and the European Union have to agree soon on a replacement for Privacy Shield.
“Google has offered Analytics-related services to global businesses for more than 15 years and in all that time has never once received the type of demand the [Austrian regulator] speculated about,” he added. “And we don’t expect to receive one because such a demand would be unlikely to fall within the narrow scope of the relevant law.”
Canadian privacy lawyers questioned by ITWorldCanada about the controversy initially saw little impact here.
“This should be a reminder to Canadian business that consent is needed to track and profile people online, including via the use of analytical tools,” said Barry Sookman of the McCarthy Tetrault law firm.
However, he added, the current federal privacy law, the Personal Information Privacy and Electronic Documents Act (PIPEDA), has yet to be determined to be equivalent to the GDPR. The EU has given countries an unspecified amount of time to bring their privacy laws close to the GDPR, or to negotiate a privacy agreement with the EU as the United States did before the Privacy Shield was struck down.
“If Canada does not update our privacy laws soon, we will lose our adequacy status and Canadian businesses may not be able to transfer data outside of the EU without getting consents,” Sookman said.
Iman Ahmad, co-head of information governance, privacy and cybersecurity at Norton Rose Fulbright Canada LLP, notes the Austrian decision can be appealed. “If held up,” he added, “it would be a major development.”
However, he also questioned the fact-finding of the Austrian regulator, which in part concluded that encryption doesn’t give enough protection of data.
Firms in Canada are in a somewhat better position since much of the concern in the Austrian case was around the transfer of personal information between the EU and the U.S. and the sufficiency of standard contractual clauses, he said. Canada benefits from an adequacy standing with PIPEDA with the EU, he said, which arguably simplifies any data transfer.
