DSK adopts minimum requirements for the use of Google Analytics
DSK recently published a resolution on the use of Google Analytics ("GA") in the non-public sector (PDF, in German only). This resolution is designed to supplement the "Guidance from Supervisory Authorities for Telemedia Providers," which was adopted by DSK in March 2020. In addition, older opinions concerning GA will no longer apply due to the modified legal framework created by the GDPR, which will allow DSK to take a single line with respect to the use of GA.
Despite the word "notes" in the title, DSK makes it expressly clear that these are minimum requirements for the use of GA in conformance with data protection law. Controllers who fail to satisfy these requirements run a higher risk of facing penalties in the event of an official audit. Interestingly, DSK states that the resolution is subject to a different interpretation by the European Data Protection Board and the ECJ, but does not mention the German Federal Supreme Court, which recently issued a ruling in the "Planet49" case (pre-checked checkboxes not sufficient for valid consent).
In DSK's view, website operators using GA do not have exclusive decision-making authority with respect to the means and purposes of data processing. Rather (in some cases), Google alone has decision-making authority with regard to the data processing which takes place. Accordingly, this is not a controller-processor relationship in terms of Article 28 of the GDPR, so that any processing agreements which may have been concluded between the controller and Google would not apply, in DSK's view, in cases where GA is used.
It also notes that the data processing which takes place when GA is used (i.e. data collection on the GA user's website and transmission to the Google server, processing on Google servers for GA purposes and for other purposes) should be viewed as a single matter, so that the GA user and Google cannot alternate between the roles of controller and processor. This is notable e.g. because the ECJ ruled in the FashionID case that multiple parties may be involved in the processing of personal data in various phases of the project and to varying degrees. But DSK views Google and the GA user as joint controllers in terms of Article 26 of the GDPR. It remains to be seen whether Google will respond by providing a joint controller agreement for use of GA.
The legal basis for processing, in DSK's view, is the mandatory requirement for the active consent of the data subject in accordance with Article 6(1) Sentence 1(a) of the GDPR. Processing cannot be based on the user's legitimate interests, or those of Google as a third party, above all because data subjects cannot anticipate that their "personal data will be communicated to third parties, thoroughly analyzed with the object of creating personalized advertising and combined with personal data obtained from other sources." In the future, using GA without the express, i.e. active consent of website visitors presents a legal risk which may lead to penalties from the supervisory authority.
DSK also cites the following minimum requirements for use of GA in conformance with data protection law:
- consent for the specific processing activity (which is notable, since it is not entirely clear which personal data is processed by GA in particular);
- a description in the consent text which clearly and distinctly states that the data processing will largely be performed by Google;
- website visitors must issue active consent for processing by GA (pre-checked boxes are insufficient, in the view of the Federal Supreme Court as well, as are opt-out solutions such as "If you continue to surf our website, we will assume that you agree to the use of GA.");
- and users must be able to choose freely whether to issue consent for processing by GA or not (voluntary consent: making provision of a service unnecessarily conditional on consent for GA may render that consent involuntary).