No. 124: 🛑 Data Privacy
🇮🇹 Italy clamps down on Google Analytics
Hola,
Greetings from Spain! 🇪🇸
Now I know what you’re thinking.
An essay on data privacy regulation doesn’t exactly scream “breezy weekend read”.
And I’ll admit there’s only so much I can do to jazz this topic up. It’s just fortunate (for me, if not you) that I’m currently writing a paper on data privacy and online tracking.
As a result, I’ve had to read a number of legal papers, many of which are slightly less exciting than a weekend with Batman, let’s say.
So I’ve tried to structure this article as an FAQ-style article, because I have actually had to field a number of questions on this very issue this week.
If you know someone who could do with a little primer on the Google Analytics story, share it right here 👇👇👇
And if you can appreciate the effort to piece this together while on a beach holiday, you can donate to the cause here:
Ok, let’s get started!
So what happened?
Italy’s privacy guarantor, Garante, issued a decision stating that Italian websites that use Google Analytics violate the General Data Protection Regulation (GDPR), the EU’s data protection law.
Notably, Google falls under the US surveillance laws, which go against the GDPR’s stipulations. For example, Google would have to give up EU citizens’ data to US intelligence services if it received a formal request to do so.
Article 49 of the GDPR states:
“personal data may not be transferred to a third country unless the country provides for an adequate level of data protection or, alternatively, appropriate safeguards are put in place.”
Since Google Analytics sends data from the EU to the US for processing, the Italian court ruled that businesses must add new safeguards if they wish to continue using the Analytics tool.
This follows similar decisions in France and Austria.
The website that was involved in this case, Caffeina Media Srl., has 90 days to bring its data processing in line with the GDPR. In the French and Austrian cases, they gave only 30 days to make these changes.
There’s nothing special about Caffeina Media Srl.; it is a regular company that uses Google Analytics to track and analyze customer data.
However, the data regulator ruled that it is accountable for the processing of this data through Google Analytics. And since that data is sent to Google LLC in the US, Caffeina Media Srl. must take steps to guarantee that citizens’ privacy rights remain intact.
If it cannot do so, it must stop sending user data to Google.
This is a big deal.
W3Techs, which analyzes web trends, reports:
Google Analytics is used by 85.9% of all the websites whose traffic analysis tool we know.
Understandably, a lot of other companies are wondering if they will soon meet the same fate as Caffeina Media Srl.
Garante has added that it:
“calls upon all controllers to verify that the use of cookies and other tracking tools on their websites is compliant with data protection law; this applies in particular to Google Analytics and similar services.”
In GDPR language, the “data controller” decides why and how personal data should be processed.
The “data processor”, usually a third party like Google, then carries out these tasks on behalf of the controller.
So it is up to individual businesses to take steps to ensure their data processors, like Google, are compliant with data laws.
Why is this happening now?
This was all set in motion by an Austrian consumer privacy association called NOYB. Yes, I’m pretty sure that stands for None of Your Business.
Max Schrems, an Austrian activist and lawyer, is the founder of NOYB. You may have heard of him: he took Facebook to court a number of times in the 2010s over data privacy violations. This all culminated in the Schrems II1 determination in 2020, which ruled that the EU-US “Privacy Shield” arrangement was invalid.
Basically: It said that the US did not have sufficient protections in place to ensure the data rights of EU consumers. This matters because most giant tech companies send data from the EU to the US for processing.
NOYB has filed 101 complaints across the EU (with at least one in each of the 27 member states) relating to the use of Google’s Analytics tool.
In the initial filing, they stated:
"a quick analysis of the HTML source code of major EU webpages shows that many companies still use Google Analytics or Facebook Connect one month after a major judgment by the Court of Justice of the European Union (CJEU) (Note: This is Schrems II) - despite both companies clearly falling under US surveillance laws".
As their website says,
NOYB closes the gap between law and the reality by collectively enforcing your rights, so that your rights become reality.
Their contention - and you’d struggle to argue against it - is that tech companies are still abusing consumers’ data rights and consumers either don’t know it’s happening, or they don’t know what to do about it.
How does Google Analytics actually work?
As you know, web analytics tools collect data from users as the latter browse websites and apps. The tools then process and display the data in a user-friendly interface, so the business can analyze trends and create audience lists for advertising.
Most non-technical audiences really only know this much about analytics tools. They package everything up for us, so we only need to look at the charts and make decisions.
But even non-technical audiences will need to dig deeper if they want to comply with data privacy regulations.
Google Analytics goes like this:
It sets a first-party cookie on a user’s device when the user enters a website.
This contains a tracking (or Client) ID.
The user’s actions are then tracked and tied to the tracking ID, with all data stored on Google servers.
This data includes the time spent on site, the URLs accessed, and hundreds of other dimensions/metrics.
Then Google provides access to the data patterns in the Analytics interface for the business.
The business is the data controller, so they should have authority over what data is stored, where, and for how long. Yet this is rarely - if ever - the case on Google Analytics.
Google is the data processor but one could certainly say they take on the role of data controller, too.
What has Google offered to appease data regulators?
Not enough.
Google says that it encrypts the user data before it is sent for processing.
But the regulators see that as insufficient, since only Google has access to the decryption key. 🙈
That means that they could easily de-anonymize the data if they ever needed to, in response to a government request.
Google has also offered “IP-anonymisation”, which would mean:
sending Google Analytics the user's IP address after obscuring the least significant octet (under this operation, for example, addresses 122.48.54.0 to 122.48.54.255 would be replaced by 122.48.54.0)."
The Italians regulator responds that this “actually consists of a pseudonymisation of the user's network address data, since truncation of the last octet does not prevent Google LLC from re-identifying that user, taking into account the overall information it holds on web users.”
Well, quite.
Google has a huge amount of data in its user accounts, and certainly enough to crack this simple code.
In fact, a coalition of ten consumer rights groups is taking Google to court over its sign-up process. The coalition alleges that it is a “fast-track to surveillance”, with only Byzantine options for turning off Google’s trackers.
They said to the BBC this week:
"People should be able to understand how data is generated from their use of internet services. If they don't like it, they should be able to do something about it."
A decision is expected this year and, on recent form, they’ll probably win.
Putting it into perspective
Google is offering insufficient remediation to its Analytics tool, but this is part of a pattern.
The GDPR is at the heart of this ruling and the regulation is intended to rebalance the information asymmetry between consumers and businesses.
The whole idea with the GDPR is that it should bring transparency to the data supply chain. It should enforce citizens’ data rights, which did exist (albeit loosely) prior to the smartphone age.
Although it is an EU regulation, it already has imitators worldwide.
And to give a sense of the data we now have at our disposal:
So it’s about time regulations caught up, essentially.
This also brings to light just how much visibility Google has into our online lives.
A 2018 study2 found that “82% of the monitored web traffic had third-party scripts owned by Google, making it the largest third-party tracker by reach.”
As noted above, Google Analytics drops first-party cookies on users. This just means that they are created by the host domain. If I go on BBC.co.uk, for example, first-party cookies are those created by that domain while I am on-site.
But Google is also the biggest third-party tracker, meaning that it drops cookies on users when it is not the first party.
In this instance, I could be on BBC.co.uk and Google would also be tracking me with a cookie created by ad.doubleclick.net.
That makes it a third party to the exchange and it enables Google to track my behavior as I move across different host domains.
There is an emerging consensus that third-party tracking is negative, while first-party tracking is generally fine. Users would normally agree: without these cookies, websites would have no “memory” - in the human sense. We couldn’t even shop online, because our shopping cart would empty with every new page load.
However, this decision shows that we have been a little complacent in our understanding. Data privacy laws make scant mention of first- and third-party tracking, as these are advertising industry terms. The same privacy laws apply, no matter who originates the tracking code.
All of which leaves us with many more questions than answers.
So what happens next?
A lot of companies are likely wondering if they could be next in line for a warning. The problem is that it’s not altogether clear what they should do to circumvent the issue.
Simply, companies like Google (and there are only a few who breathe such rarefied air) have far too much control. In exchange for convenience, they manage our complexity.
On the face of it, the Garante ruling is about the opaque relationship between consumers and their data.
I would argue that its fallout reveals just how opaque the relationship is between businesses and their own customers’ data.
Businesses have outsourced accountability to the tech giants for too long.
This leaves them bewildered when they have to take matters back into their own hands.
The first step to counter this is to audit the full data supply chain within the organization. Without understanding the end-to-end processing of customer data, businesses will struggle to find peace of mind. Next, they can assign responsibilities and create a new process for ensuring that consumer rights are upheld.
This is simply the responsibility of the data controller, after all. From this position, businesses can select a provider that adequately fulfils the role of data processor.
And it is important to note that this case is not only about Google or its Analytics products. Some businesses will be tempted to switch to another, smaller solution - but they will not necessarily be any better. It will be incumbent on the individual firms to prove that they have carried out their due diligence.
At the highest level, a resolution to this issue could come through an EU-US agreement that upgrades the Privacy Shield. That would offer some succour, until the next shock comes along.
And it will come: Just this week, an FCC commissioner in the US requested that Google and Apple remove the TikTok app from their app stores4. TikTok has since confirmed5 that some of its Chinese employees can access data on US-based users.
This is just one commissioner in the US, it should be noted. Yet if the US is raising concerns about TikTok and the US has weaker consumer protections than the EU, one would have to assume the EU will have its say on TikTok, too.
The Italian ruling gave the website 90 days to find a solution and it did not mention financial penalties. This connotes some comprehension of the website’s predicament.
Reading through other statements from information commissioners, for example in the UK6, there is an acceptance that the path forward for businesses is unclear.
They do want to see collaboration, innovation, and a good faith effort to find new alternatives, nonetheless.
In a Guardian article this week, a former EU diplomat wrote of his first-hand experience with Google and Facebook in Brussels. He saw the lobbying activities of big tech and concludes that big tobacco is the only working analogy for their actions.
The author adds:
“Big tech cannot be a partner or stakeholder at the centre of efforts to control it.
Six decades of tobacco control efforts taught us that industry interference is the most significant barrier to effective regulation.”
Although business craves certainty, it should avoid the easy solutions that the tech giants will offer. There will be further rulings that follow the lead of the Austrian, French, and Italian data regulators in the near future. These will extend to other Google products and other tech companies, too.
My advice to all businesses would be to take back some control by increasing their knowledge of the data ecosystem.
The GDPR aims to enforce citizens’ rights over their data, but its lessons apply equally to businesses as they navigate their relationships with tech giants. We have been too dependent on them for too long.
https://www.huntonprivacyblog.com/2020/07/16/breaking-unexpected-outcome-of-schrems-ii-case-cjeu-invalidates-eu-u-s-privacy-shield-framework-but-standard-contractual-clauses-remain-valid/
https://scholar.google.de/citations?view_op=view_citation&hl=en&user=07kLOOUAAAAJ&citation_for_view=07kLOOUAAAAJ:d1gkVwhDpl0C
https://clearcode.cc/blog/difference-between-first-party-third-party-cookies/
https://www.cnet.com/news/tiktok-called-a-national-security-threat-heres-what-you-need-to-know/
https://www.bloomberg.com/news/articles/2022-07-01/tiktok-says-some-china-based-employees-can-access-us-user-data
https://ico.org.uk/media/about-the-ico/documents/4019050/opinion-on-data-protection-and-privacy-expectations-for-online-advertising-proposals.pdf