Stricter requirements for the use of Google Analytics

Are you using Google Analytics? As a website operator you need to conclude a Joint Controller Agreement immediately. Here we explain what that means exactly and why it is necessary.

Background:
On 12th May 2020 the German Data Protection Conference (DSK) published notices regarding the use of Google Analytics as a supplement to its ”Orientation Guide from the Supervisory Authorities for Providers of Telemedia”. 

The most important result: With immediate effect, Google Analytics may only be used with a Joint Controller Agreement.

The DSK also points out that the data processed with Google Analytics are personal data in the sense of the GDPR. 

Google explains in its Google Analytics homepages that usage data is not “personal data”.

However, from the DSK’s point of view this position not only contravenes the definition of the term “personal data” in Article 4 No. 1 of GDPR but is also ambiguous because Google goes on to write:

“Please note that data which Google does not regard as personal data may be regarded as such in accordance with GDPR.” 

According to Article 4 No. 7, Art. 28 Paragraph 10 GDPR, the responsible parties are to determine the purpose and means of processing themselves, the data processor may only process the data exclusively according to the responsible party’s instructions. In this case the processing would be in accordance with Article 28 GDPR.

However, when using Google Analytics the website operator does not by himself determine the purposes and means of data processing. On the contrary, it is more or less exclusively determined by Google.

Google makes it clear in its terms of usage that Google uses the data for its own purposes, especially for the purpose of making its web analysis and tracking services available. Data is merged with personal data obtained from other contexts, passed on to third parties and comprehensively evaluated by Google with the purpose of generating personalised advertising. 

Although Google provides a contract for contracted data processing, it also makes clear in its “Google Measurement Controller-Controller Data Terms” that Google and the user (website operator) are separately responsible for certain processing operations. 

⇨ This means: Data processing in the context of Google Analytics does not represent contract data processing as stipulated in Article 28 GDPR. From now on it will be a joint responsibility to ensure that requirements of Article 26 GDPR are observed.

*The implementations apply for the case that the user of Google Analytics uses the standard settings currently recommended by Google. 

⇨ The responsible party must explicitly agree to the “Google Measurement Controller-Controller Data Protection Terms”.

Please undertake the following steps:

1. 1. Log in to your Google Analytics Account.
   2. Select “Account Settings” in the Admin rubric.
   3. In the settings for data release there is a checkbox under “Google Products & Services”  with the additional conditions for the data which are released for Google.
   4. The Google Measurement Controller – Controller Data Protection Terms are to be found there.
   5. Click to agree once you have read through them.

The “Gesellschaft für Datenschutz und Datensicherheit e.V.” (English “Organisation for Data Protection and Data Security”) is a German association for data protection and has already published a number of guides for implementing the GDPR. 

The legal basis for joint responsibility can be found in Article 26 GDPR, according to which two or more parties may be responsible for determining the purpose and means of data processing.  

A clear role allocation serves to protect the rights and freedoms of the affected person, first and foremost the transparency and safeguarding of the affected person’s rights as stipulated in GDPR. 

1. 1. Two Parties 
   2. Determining the joint purposes and means of processing

Important: 

• Expertise and superior knowledge alone are not sufficient for joint responsibility 
• Identical options for action are not necessary 
• Actual access to the data is irrelevant

The decisive factor for the GDD is the adequate influence of both parties in terms of the type and duration of processing and accessing data. 

Differentiation from contract processing

With joint responsibility, both parties must ensure their own credentials for the respective data processing in the form of a valid legal basis because they each pursue their own interests with the data, whereas the contracted data processor draws on the “agreement for contracted data processing” for its own legal basis. 

Legal consequences and obligations with joint responsibility

The collaboration must be made transparent to the affected person. The type of information which must be made available according to Article 26 Paragraph 2 S. 2 GDPR as “First Level Information” is to be decided on a case-by-case basis. A regular reference to the joint responsibility is required as soon as the data is gathered together with the notice that further information may be viewed in an area managed by both parties. 

Information obligation

According to Article 26 GDPR the affected person is to be informed about the responsible parties involved, the cooperation, the distinct roles played by each party and the respective relationships to the affected person. 

Who is liable and what are the potential sanctions? 

Both parties are jointly liable according to Article 82 Paragraph 4 GDPR, § 840 BGB. The claimant can decide at which party the claim is to be directed, irrespective of whether an agreement between the parties exists. Each party’s amount of responsibility is decisive for liability within the internal agreement. A clear distinction of roles in the agreement, in accordance with Article 26 GDPR, is therefore essential. 

General rules for sanctioning apply as stipulated in Article 83 Paragraph 3 GDPR (fine of up to 10.000.000 Euro or 2 % of global revenues from the previous year). 

DISCLAIMER

The decision to implement a data protection-compliant CMP is ultimately at the discretion of the data protection officer and/or the legal department. These statements do not constitute legal advice. They merely serve to support and inform you about the current legal situation with respect to the implementation of a CMP solution. Please consult a qualified lawyer should you have any legal questions.