
Data Privacy for Communicators: With one foot in crime?

Data protection in the European Economic Area is considered unique and outstanding. The GDPR is a particularly important framework in the EU. But what does it mean for online communication, for advertising and for our everyday lives?

Written by Eckart Holzinger -
published on

This is a blog post, necessarily incomplete and although written with care, it is not a substitute for legal advice. If you have any questions or feedback, please do not hesitate to contact us.


A small tour d'horizon

When changes to cookie banners are featured and discussed in daily newspapers, it means that the protection of personal data has become a high priority in society. According to recent research by Gartner, updated laws mean that data protection is already established on a global scale in most countries: By the end of 2023, about 75% of all people worldwide should be subject to at least some form of protection.

In Europe, the basis for this protection was created by the GDPR. Its goal was not only to create a uniform European legal framework, but also to guarantee its compliance through appropriate penalties. And it is working: In the third quarter of 2021 alone, more than one billion Euros in fines were imposed by the European Data Protection Authorities, the largest of which was against Amazon at 750 million.

Why are these penalties imposed? Or, to put it another way: Could this also affect me? What do I have to watch out for in order not to violate the rights of my users and expose myself to the risk of a fine?

Generally speaking: wherever I am responsible.
That is, where personal data is processed based on my decisions - whether in-house or via third parties I have chosen. In the latter case, the situation of joint responsibility can also arise, for example with Facebook "fan pages" or in the case where there is advertising space on the website. This responsibility cannot be contractually transferred either; on the contrary, I can also be held liable for data protection violations by my contractors or partners - keyword: selection liability.


Data privacy: exchanges with countries outside the EU

In the online world, the processing of data is typically interlocked. Specialised software or services, often outsourced to third parties, take over essential tasks. Therefore, a regulated exchange of data is extremely important, even beyond the borders of the EU. But how can the central concerns of European data protection be met in these cases: the right of users to consent before their data is used, the right to information, rectification and deletion, and the possibility of involving an independent authority in the event of violations of the law?

  • For data processing within the scope of the EU regulations and the national transpositions of directives, this is very simple, which was also the intention of the GDPR.
  • For countries with an equivalent level of protection recognised by the EU, it is also simple. Such adequacy decisions by the EU Commission exist, for example, for Switzerland, Japan or the United Kingdom - there also for the independent Crown Dependencies of Guernsey, Jersey or the Isle of Man.
  • Additional measures to protect the rights and freedoms of data subjects must be taken with organisations and companies in countries that do not fall under either of the first two groups, such as the so-called "Standard Contractual Clauses", the design of which was renewed at the end of 2021.
  • Exceptions continue to exist for occasional transfers, such as booking a hotel room in one of the third countries.

It is noticeable that the USA is not on the list of safe third countries. Since many of the corporations that currently determine our online lives are based there, this is a serious point. So here is a brief digression on the reasons and the current outlook.


The crux with the USA

Following complaints by Max Schrems and his NGO noyb, the European Court of Justice (ECJ) issued decisions which essentially state that data protection in the USA is not equivalent to that in the EU.

The reasons include unconditional mass surveillance, the lack of any rights of access, rectification or deletion, and the absence of an independent authority to protect the interests of the data subjects.

The first attempt, Safe Harbor - normatively a treaty between the USA and the EU - therefore failed. The Privacy Shield followed with a whole set of additional measures, but it too had to be declared illegal, as it could not solve the underlying problem. That is apart from the fact that the USA had never kept to the agreements - a fact that was criticised by the European Data Protection Authority several times.

These basic conditions do not change, neither through fine words nor smiling declarations of intent. The "alignment" between the positions of Joe Biden and Ursula von der Leyen that has been discussed in recent weeks is therefore purely cosmetic, intended to accommodate the interests of US corporations. Such a construct cannot logically offer legal security for European clients.


Basic data transfer

In contrast to previous regulations, the GDPR requires data controllers to think about the consequences of their actions in advance. Therefore, it is our responsibility as communicators to think about how the organisational goals can be achieved whilst at the same time respecting the fundamental rights of the data subjects, i.e. all of us. Lamenting and "doing nothing" are no longer options. Environmental factors often limit action; strategic and operational priorities prevent rapid implementation. Nevertheless, this process should be well documented! If it ever comes to that, the documentation shows the authorities that the matter was considered seriously, which alternatives were weighed and, where necessary, discarded, and what concrete measures were taken to protect personal data.

Data is rubbish

The first step is always to decide whether it is personal data at all.
If so, do we need this data?
Are we actually doing something with it or is it just "in storage" because it was ordered that way in a previous requirement?
Data may be the new oil (10 euros in the phrase bank!) - but much more fundamental: data is rubbish if it is not needed or used. And what does a sustainable organisation do with waste? First, avoid it, second, separate it and third, recycle it.
Because if you don't throw anything away, you're a hoarder.

So is Google Analytics illegal?

One thing in advance: there is no simple answer.

There is no viable "one-size-fits-all" solution even for Google's applications as a whole, let alone for the heart of online marketing, web analytics. Google Analytics, but also other widely used web services and programmes (such as Microsoft Office 365 or WordPress), may only be used with caution as soon as user data is collected.

The thoughts expressed above on the question "What data sources and data do I really need for my organisation?" remain unaffected. This section is about practical approaches and ways to act.

First, there is the distinction between:

  • Universal Analytics (UA)
  • Google Analytics 4 (GA4)

Within each of these, a further distinction is made between:

  • Free version
  • Paid version

The decisions of the Austrian and French data protection authorities, which are currently prominently discussed, each refer to cases where a free version of Universal Analytics (i.e. the "old" version) was used while neglecting various hygiene factors (such as missing IP anonymisation). Dozens of secondary conditions - such as which end device is used, which browser, or whether a Google account already exists - make a general statement difficult.

In summary, it can be said that by taking advantage of everything Google offers (IP anonymisation, accepting the data processing addendum, standard contractual clauses, etc.) and switching to a server-side component that only passes on the "in-house" ID, Google Analytics can be used in a way that is 96% compliant with data protection. However, the effects of the Google Marketing Platform are lost, and other components may not be used, as otherwise there is no compliance. Compliance likewise cannot be guaranteed for data subjects who use an Android-based end device, and possibly also where Chrome is used on the end device and/or the data subject is logged into a Google account.

Conclusion: Difficult.

What are my options now?

It is important to understand that as the person responsible for a website, you are obliged to ensure data protection even if the data processing is carried out by third parties. A detailed explanation on the GDPR (DSGVO)-compliant use of Google Analytics can be found here.

  1. Tracking of data may only take place after users have been informed and agreed that personal data, tracking IDs, IP addresses and device information may be sent to Google in the USA and that local authorities there may gain lawful access to the data. Furthermore, users must be informed that they can revoke their consent at any time.
    If properly implemented, this measure is in principle sufficient to allow the use of Google Analytics. The other steps are intended as additional protection beyond consent.
  2. Make sure that your contracts for the use of Google Analytics (including the data processing agreement) have been concluded with Google Ireland Limited and not with Google LLC (by now, these contracts are concluded with Google Ireland Limited by default). Older contracts may need to be updated.
  3. Make sure that IP anonymisation is enabled and properly implemented.
  4. Make sure that the data sharing option in Google Analytics is disabled.
  5. Make sure that Google Signals are disabled.
  6. If you use your own user IDs, make sure that they do not allow user identification (e.g. no email addresses in plain text).