
10.09.2020

Resolution of the German Data Protection Conference on Google Analytics

What does the data protection-compliant use of Google Analytics look like? The German Data Protection Conference (DSK) addressed this topic in May.

The resolution

On May 12, 2020, the German Data Protection Conference (DSK) passed a resolution entitled “Notes on the use of Google Analytics in the non-public sector” to again address some aspects of the data protection-compliant use of Google Analytics. The DSK resolution may be considered a continuation of the releases by various German state authorities published in November 2019 and the Guidance issued by the supervisory authorities for providers of telemedia. While DSK explicitly departs from previous notices, in particular from that of the Hamburg Commissioner for Data Protection and Freedom of Information, the contents of its position are now largely regarded as standard under data protection law. Another observation, however, is surprising.

Joint responsibility

DSK’s most significant finding is most likely the statement that, in deviation from previous positioning, the legal relationship under data protection law between Google and users (i.e., website operators) should no longer be characterized by a contractual relationship under Article 28 GDPR, but by joint responsibility in accordance with Article 26 GDPR. The Data Protection Conference mainly argues that Google is not processing the data upon the website operator’s instructions, but sets the purposes of the processing itself. Additionally, as they affect a “uniform life situation,” the individual aspects of data processing by Google Analytics should not be considered and assessed in isolation.

Consent, revocation, and IP address shortening

Commenting on the legal basis for data processing, DSK pointed out that only the consent of website visitors could be considered such a basis. A contractual relationship pursuant to Article 6(1)(b) GDPR between the relevant website visitor and the website operator would not justify data processing by Google Analytics; the same applies to a weighing of interests under Article 6(1)(f) GDPR, as users would neither have to expect nor accept processing by Google and its advertising partners.

DSK further states that when using Google Analytics, an easily accessible mechanism for revoking previously given user consent would have to be implemented, such as by way of an appropriate button. In particular, it would not be sufficient to refer to the browser add-on alone to deactivate Google Analytics.

DSK also emphasizes that additional technical protection steps should be taken, such as IP address shortening with a corresponding change of the tracking code on the respective websites.

Consequences and assessment

Website operators are likely to see the biggest change in the move from contract processing to joint responsibility in accordance with Article 26 GDPR. It needs to be considered, however, that the reasons given for this change, reciting issues seen as self-evident under civil law, are not conclusive. It lies in the nature of things and applies to all contractual relationships that the purposes of data processing are largely determined by contractors’ design of their services. The same argument might well be used to reject contractual relationships with IT service providers offering software for payroll accounting.

Website operators should now conclude a contract with Google pursuant to Article 26 GDPR that contains the relevant legal minimum contents. For its part, Google has already issued “Controller-Controller Data Protection Terms” as part of user administration. It remains to be seen to what extent these terms comply with the legal requirements. In any event, the standard practice of concluding processing contracts in accordance with Article 28 GDPR will no longer be sufficient in DSK’s opinion.

While the remarks on the legal basis are not surprising in terms of the result, they are new in so far as the DSK's Guidance for telemedia still emphasized that blanket statements on the weighing of interests under Article 6(1)(f) GDPR would not be accepted since they would fail to meet legal requirements. Conversely, corresponding arguments could now be used to criticize DSK. In any event, it is a positive development that there is now at least more legal certainty regarding the legal basis and that documentation of the weighing of interests in relation to Google Analytics is not (or at least no longer) necessary.

Conclusion

Website operators using Google Analytics are now to be considered joint controllers with Google and should accept appropriate contracts with Google, even if the regulatory classification is not supported with convincing arguments. DSK also stresses that simply offering a browser add-on is not sufficient to revoke consent, but that specific technical revocation options would have to be provided. The website’s own Privacy Policy should also be revised, in particular with respect to the legal basis.

Authors


Dr. Oliver Hornung

Partner
