Datatilsynet (Norway) - 20/03771
| Datatilsynet - 20/03771 | |
|---|---|
| Authority: | Datatilsynet (Norway) |
| Jurisdiction: | Norway |
| Relevant Law: | Article 4(16)(a) GDPR, Article 4(23)(b) GDPR, Article 44 GDPR, Article 46(2)(c) GDPR, Article 56(1) GDPR, Article 58(2)(b) GDPR, Article 60(3) GDPR, Article 80(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 18.12.2020 |
| Decided: | 28.02.2023 |
| Published: | 01.03.2023 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 20/03771 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Norwegian |
| Original Source: | Datatilsynet (in NO) |
| Initial Contributor: | Rie Aleksandra Walle |
Following one of noyb's "101 US transfer complaints", the Norwegian DPA intends to reprimand a controller that used Google Analytics and thereby transferred personal data to the US in violation of Article 44 GDPR, as the controller did not have sufficient supplementary measures in place.
English Summary
Facts
Following the Schrems II ruling of 16 July 2020 (CJEU case C-311/18), the European Center for Digital Rights (also known as "noyb") lodged 101 complaints with several data protection authorities in the European Economic Area ("EEA"). All complaints concerned the use of Google Analytics or Facebook Connect on websites in the EEA.
In accordance with Article 80(1) GDPR, noyb lodged a complaint on 17 August 2020 with the Austrian DPA against Telenor ASA (the controller) for its use of Google Analytics on its website and the alleged transfer of a data subject's personal data to the US in violation of Article 44 GDPR. As proof that US transfers were taking place, the data subject provided the DPA with an HTTP Archive (HAR) file of the website, i.e. a JSON-formatted archive that logs a web browser's interaction with a website.
As per Article 4(16)(a) GDPR, Telenor's main establishment is in Norway. Consequently, the Austrian DPA transferred the complaint to the Norwegian DPA in accordance with Article 56(1) GDPR, which proceeded to investigate the case.
The controller informed the DPA that in late August 2020 it had initiated a review project to assess relevant agreements in light of the Schrems II ruling. It found this to apply to its use of Google Analytics, since the agreement was with Google as a US processor. With the Privacy Shield now invalidated, the controller entered into standard contractual clauses (SCCs), Module Two, with Google on 12 August 2020 for data transfers to the US.
However, the controller did not carry out a thorough review of potential third-country legislation (a "transfer impact assessment"), as, according to information from Google, it was not possible to determine the exact location of processing. The decision, however, refers to a statement by Google that Google Analytics data is stored in the US.
The parties nevertheless agreed on supplementary measures. First, Google has established policies and procedures and a team of qualified lawyers for handling authority requests for user data. Second, Google offers, and the controller had enabled, the Anonymize IP feature. Finally, the controller had applied a redaction script on the website to prevent personal data from unintentionally being shared with Google.
Google Analytics was implemented on the website until 15 January 2021 and, until then, collected online identifiers, including cookie identifiers, IP addresses, device identifiers and client identifiers. The controller had enabled the IP anonymization feature and therefore argued that the identifiers listed above could not be regarded as personal data, as this feature had "severed any link to an individual". Google had also informed the controller that it would not be possible to extract such data following a potentially legally binding authority request. In conclusion, the controller thus argued that the only personal data collected by Google Analytics and subsequently processed by Google were IP addresses.
Holding
The DPA investigated three main legal questions: i) Whether or not personal data was processed in the context of Google Analytics. ii) Provided that personal data was processed, whether or not this personal data was transferred to the U.S. iii) Provided that the personal data was processed and transferred to the U.S., whether or not this transfer infringed Chapter V GDPR, also considering the Schrems II judgment.
The investigation was limited to the time period from the CJEU’s Schrems II ruling to the controller's discontinuation of Google Analytics, i.e., between 16 July 2020 and 15 January 2021.
The first question
The DPA assessed the HAR file submitted by the data subject and found that the following data was processed when visiting the controller's website:
• Unique identifier(s) that identify the browser/device used to visit the website, as well as a unique identifier that identifies the website operator, in other words the Google Analytics account ID of the website operator,
• Address and HTML title of the website,
• Information on browser, operating system, screen resolution and language settings, as well as the date and time the Website was accessed by the complainant,
• The data subject's IP address. Here, the DPA notes that the anonymization process is carried out on Google's servers. In other words, the IP address was transferred to Google before it was anonymized.
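The assessment above rests on reading the HAR capture and mapping each Google Analytics request to the data categories it carries. The script below, an added example that is not part of the decision or of any Datatilsynet or noyb tooling, does that mapping for Universal Analytics (GA3) hits: it finds `/collect` requests to the google-analytics.com hosts, merges query-string and POST-body parameters, and labels the publicly documented Measurement Protocol fields (`tid`, `cid`, `dl`, `dt`, `sr`, `ul`, `aip`). The embedded HAR excerpt is constructed for the example, with example.org as the website and a documentation-range server IP; it is not the complainant's file. The `aip` field is worth noting in light of the DPA's last bullet: it is a flag sent to Google asking for anonymization, so the visitor's full IP address still reaches Google's server on the connection regardless of whether the flag is set.

```python
"""List what a Universal Analytics (GA3) hit sends to Google, from a HAR capture.

Added example; the HAR content is constructed and the field meanings follow the
publicly documented Measurement Protocol (tid, cid, dl, dt, sr, ul, aip).
"""
import json
from urllib.parse import parse_qs, urlsplit

# Hosts that receive GA3 hits (GA4 uses /g/collect on the same hosts).
GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com", "google-analytics.com"}

# Measurement Protocol fields, labelled with the data categories the DPA listed.
PARAM_LABELS = {
    "tid": "GA property ID identifying the website operator",
    "cid": "client ID identifying the browser/device",
    "dl": "address of the page visited",
    "dt": "HTML title of the page visited",
    "sr": "screen resolution",
    "ul": "browser language setting",
    "aip": "anonymize-IP flag (applied by Google's server, not the browser)",
}


def is_ga_hit(url: str) -> bool:
    """True for a GA3 collect endpoint (/collect, /j/collect, /r/collect)."""
    parts = urlsplit(url)
    return parts.hostname in GA_HOSTS and parts.path.endswith("/collect")


def _params(request: dict) -> dict:
    """Merge query-string and form-encoded POST body parameters (analytics.js uses both)."""
    merged = {k: v[0] for k, v in parse_qs(urlsplit(request["url"]).query).items()}
    body = request.get("postData", {}).get("text", "")
    if body:
        merged.update({k: v[0] for k, v in parse_qs(body).items()})
    return merged


def _header(request: dict, name: str) -> str:
    """Return a request header value by case-insensitive name, or '' if absent."""
    for h in request.get("headers", []):
        if h.get("name", "").lower() == name.lower():
            return h.get("value", "")
    return ""


def ga_hits(har_text: str) -> list:
    """Return one summary dict per GA hit found in the HAR, in capture order."""
    hits = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        if not is_ga_hit(req["url"]):
            continue
        p = _params(req)
        hits.append({
            "time": entry.get("startedDateTime", ""),
            # The server that received the hit; the visitor's IP travels on this connection.
            "server_ip": entry.get("serverIPAddress", ""),
            "user_agent": _header(req, "User-Agent"),  # browser/OS metadata
            "anonymize_ip_requested": p.get("aip") == "1",
            "fields": {PARAM_LABELS[k]: p[k] for k in PARAM_LABELS if k in p},
        })
    return hits


# Constructed HAR excerpt (not the complainant's file): a page load followed by
# the pageview hit, once as GET with aip=1 and once as POST without it.
UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/80.0"
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"startedDateTime": "2020-09-01T10:00:00.000Z",
     "request": {"method": "GET", "url": "https://www.example.org/", "headers": []}},
    {"startedDateTime": "2020-09-01T10:00:01.000Z", "serverIPAddress": "203.0.113.10",
     "request": {"method": "GET", "headers": [{"name": "User-Agent", "value": UA}],
                 "url": "https://www.google-analytics.com/collect?v=1&t=pageview"
                        "&tid=UA-000000-1&cid=1234567890.1600000000"
                        "&dl=https%3A%2F%2Fwww.example.org%2F&dt=Example%20front%20page"
                        "&sr=1920x1080&ul=nb-no&aip=1"}},
    {"startedDateTime": "2020-09-01T10:00:05.000Z", "serverIPAddress": "203.0.113.10",
     "request": {"method": "POST", "url": "https://www.google-analytics.com/j/collect",
                 "headers": [{"name": "User-Agent", "value": UA}],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "v=1&t=pageview&tid=UA-000000-1&cid=1234567890.1600000000"
                                      "&dl=https%3A%2F%2Fwww.example.org%2Fkontakt"
                                      "&dt=Example%20contact%20page&sr=1920x1080&ul=nb-no"}}},
]}})

if __name__ == "__main__":
    for hit in ga_hits(SAMPLE_HAR):
        print(hit["time"], "->", hit["server_ip"], "aip:", hit["anonymize_ip_requested"])
        for label, value in hit["fields"].items():
            print("   ", label + ":", value)
```

Run against a real HAR exported from a browser's developer tools by replacing `SAMPLE_HAR` with the file's contents; the same `cid` recurring across hits is what lets visits be linked to one browser, which is the singling-out point the DPA makes in the following paragraphs.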
The DPA noted that, since these unique identifiers are set for the specific purpose of differentiating between individuals where differentiation was not possible before, they contribute to making the individual identifiable. It also referred to the findings of the Austrian DPA in a similar case, which in turn cited a decision by the European Data Protection Supervisor, that such Google Analytics identifiers in principle qualify as personal data.
The IP address and cookie identifiers were combined with, inter alia, the address of the specific website the data subject visited, the time and date of the visit, and metadata about the browser and operating system; the combination of settings and parameters of the browser and operating system may sometimes be sufficiently unique to enable so-called device fingerprinting.
Consequently, the DPA found that both the controller and Google held several elements which, in combination, enable them to single out visitors to the Website where Google Analytics was implemented. Taking all of this into account, it held that the data in question was to be regarded as personal data within the meaning of Article 4(1) GDPR.
The second question
The DPA held that the controller was not able to demonstrate whether or not the personal data of the data subject had been transferred to the US, as this appeared to depend on factors such as the visitor's location and, presumably, internet traffic conditions at the time. The controller's statements suggested that, at least for some website visitors in the EEA, their personal data was transferred to a Google server outside the EEA, including in the US. Furthermore, Google's statements suggested that, regardless of which Google server the Google Analytics data was sent to from the Website, Google, acting as the controller's processor, would transfer GA data to the U.S. or make it available from the U.S. in the context of its processing on the controller's behalf.
As a result, the DPA found that Telenor had most likely, in the context of its implementation of GA on the Website, transferred personal data to the U.S.
The third question
The DPA referred to the CJEU's explicit finding that a transfer based on SCCs to companies that fall under FISA 702 violates Chapter V GDPR if appropriate supplementary measures are not in place. Although it had been argued that supplementary measures were in place, it was clear that those measures did not prevent Google from having clear-text access to the personal data in question. The presumption that FISA 702 applies to the data can of course be rebutted if it is shown that there is no reason to believe that FISA 702 applies to those personal data in practice. In this regard, Telenor argued that it would not be possible for Google to provide U.S. intelligence services with access to the IP addresses of visitors to the Website prior to anonymization.
However, the DPA's assessment of the first question showed that the scope of personal data processed is wider than just the IP addresses. Even if it were indeed the case that FISA 702 does not apply to the IP address in practice, the remaining information about visitors to the Website, which constitutes personal data, would presumably still be in scope of FISA 702 in practice.
Therefore, the DPA found that Telenor's transfer of personal data undermined the level of protection that is guaranteed pursuant to Article 44 GDPR.
Based on the above, the DPA found that personal data of visitors to the Website was processed in the context of GA, that those personal data were transferred to the U.S., and that this transfer infringed Chapter V GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.
Notice of decision in the Google Analytics case
The Norwegian Data Protection Authority's preliminary conclusion is that the use of Google Analytics is not in line with the Personal Data Protection Regulation. The parties in the cases are given the opportunity to comment on the case before we make a formal decision.
The organization noyb has lodged a complaint against a number of European websites to the data supervisory authorities in the EEA. The background is that noyb believes the websites transfer personal data out of the EEA in violation of the Personal Data Protection Regulation (GDPR) by using the American analysis tool Google Analytics. One of the complained websites, telenor.com, is Norwegian and previously used Google Analytics. The Norwegian Data Protection Authority has therefore investigated this matter. Our preliminary conclusion is that the use of Google Analytics was in breach of the GDPR's transfer rules. We have now sent an advance notice to the parties in the case, so that they have the opportunity to comment on the findings before we make a decision.
European coordination
Since there have been so many complaints about the use of Google Analytics at the European level, the European Data Protection Board (EDPB) has set up a separate working group to coordinate the handling of complaints. The data supervisory authorities have a duty to interpret the GDPR in the same way throughout the EEA.
- The EDPB does a good job in ensuring that the supervisory authorities apply the law in a harmonized way. When it comes to the use of Google Analytics, a clear European consensus has emerged, says section manager Tobias Judin in the Norwegian Data Protection Authority.
The data supervisory authorities in Austria, France and Italy, as well as the data supervisory authority for the EU bodies (EDPS), have already decided that the use of Google Analytics is in breach of the privacy rules. Moreover, the Danish Data Protection Authority draws the same conclusion in a guide on the topic, and the data supervisory authority in Liechtenstein has also commented critically on the tool.
Further process
The next step in the case is that the parties are given three weeks to comment on our preliminary conclusions. The Norwegian Data Protection Authority must then decide on any input we receive. This case is so-called cross-border. This means that before we can make a decision, we must send a draft decision to other affected data supervisory authorities in the EEA. They then have the right to raise objections within one month if they disagree with our assessments. It is only after this that the Norwegian Data Protection Authority will make a decision on the matter.
What about Google Analytics now?
If the Norwegian Data Protection Authority makes a decision that the website's use of Google Analytics was in breach of the GDPR, this could also have consequences for other Norwegian websites. Therefore, we reiterate our recommendation to explore alternatives to Google Analytics. We will provide more detailed information about what applies and what our expectations are for Norwegian websites when a decision has been made. This may not come until the end of April at the earliest.
Google Analytics 3 or 4?
At the time of the complaint, the website in question was using Google Analytics 3, and we have therefore taken this as a starting point for the assessment. We have received several questions about whether, hypothetically speaking, we would move towards a different conclusion with Google Analytics 4. The Norwegian Data Protection Authority has not taken a position on this in the specific case, but as far as we can see, Google Analytics 4 will not necessarily correct those problems we have so far identified. In this context, it may be useful to refer to the Danish Data Protection Authority's guidance, which states exactly this (datatilsynet.dk).
Contact person: Tobias Judin, section manager, international section
Published: 01/03/2023. Last modified: 02.03.2023