On 16 July 2020, the European Court of Justice issued the “Schrems II” judgment. This judgment invalidated the EU-US Privacy Shield, and cast doubt over the extent transfers of personal data from EU can be legitimised by the European Commission’s Standard Contractual Clauses (SCC).
From now on, businesses that relied on the EU-US Privacy Shield for transferring data to the United States regarding EU citizens, cannot do so anymore.
While SCCs are still valid, the court decided they require additional work. Companies must ensure that the recipient country has equivalent data protection to that of the EU. They cannot rely on SCCs alone.
Following this judgment, several rulings in Europe determined that Google Analytics is illegal to use on European websites – since the data collected through this service is transferred to the United States in an illegal way.
The issue at hand is that the American authorities are able to demand personal data from Google, Facebook and other United States providers, even when they are operating outside of the United States. Thus, Google cannot provide an adequate level of protection under Article 44 GDPR – a clear violation of European data protection guarantees. The standard contractual clauses invoked by the website operator do not help, as recognised in Schrems II.
So can I or can I not use Google Analytics?
As of now, if your company is registered or operates in Europe, or if you use Google Analytics to analyse information regarding EU citizens, there is no clear answer to this question. For now, we have to wait and see how the discussions to reach an information transfer agreement between Europe and the United States will develop – which are at an advanced stage but there are no final approvals yet. Therefore, until then, the use of Google Analytics in relation to European information should be treated as prohibited.
If possible, it is probably worth considering alternative services, that meet the legal EU personal data protection requirements.
That said, there are companies that for many reasons are not able to switch to different analytics services or cannot do so with an immediate effect, some of them have adopted a risk-based approach to managing their data value chain. The efforts may include limiting the type and extent of information conveyed to Google Analytics, and using configurations offered by Google to protect the data as much as possible.
Lastly it should be mentioned, that according to Israeli law, there are limitations on the transfer of information to the United States. A carve out to the limitation on transfer relies on the existence of an information transfer agreement that guarantees the protection of the information at an adequate level in accordance with the regulations in Israel.
If you have any questions in regards of the above, or need any assistance in ensuring your business is in compliance with the data protection regulation, do not hesitate to contact us.