The previously published handout by the Data Protection Commissioner of Hamburg (“Commissioner”) about the data protection requirements for website operators based in Hamburg and their use of Google Analytics is subject to a review and possibly revision. According to a statement (German) by the Commissioner, this review is necessary inter alia because of the judgment of the European Court of Justice of 6.10.2016 (Case C-362/14 – Schrems) in which the court invalidated the adequacy decision of the European Commission for so-called Safe Harbor Agreement with the United States of America.
Paragraph 4.7 of Appendix 1 of the „Data Processing Agreement“ for the Google Analytics terms (PDF, German) refers to the now invalidated Safe Harbor Decision in order to create an adequate level of protection for personal data when it is transferred to the USA.
The adequacy of the level of data protection can no longer be guaranteed on this basis. According to the Commissioner, this “directly affects the use of the service”. A review of the recommendations has been initiated, but is not yet completed. The Commissioner is also in contact with Google.
In the past, the Data Protection Authority of Hamburg negotiated a solution for website operators in Hamburg to lawfully use Google Analytics. This solution was also acknowledged by the other German Data Protection Authorities. In the view of the authorities, the implementation of the tool required the following measures:
- Conclusion of a data processing agreement (PDF, German) with Google
- Activation of anonymization of the IP address (IP masking)
- Information and link to an opt-out Add-on for Browsers and link to an opt-out Cookie
- Amendment of the privacy policy with additional information about Google Analytics and the possibility to opt-out
This whole process was necessary because the authorities are of the opinion that an IP address must be considered “personal data”. This week, the Commissioner clarified that the use of alternative instruments for data transfers to third countries, especially the EU Model Clauses, will currently not be challenged. Perhaps the Commissioner will require Google to offer such EU Model Clauses for Google Analytics.
Pingback: Cristina Vicarelli, La disciplina di Google Analytics a cavallo tra Italia e Germania | Technethics