Posted by: María G. Moriano | Posted on: September 4th, 2012
During the summer days of 2012, searching jointly for the keywords “Google Analytics” and “Norway” rendered results with titles such as: “Google Analytics breaks Norwegian privacy laws, local agency says”, “Google Analytics about to be banned in Norway?”, “Google Analytics faces Norway ban” or “Google Analytics could be banned In Norway”.
We have read rather critical articles about the stance of the Norwegian government on this issue. Unfortunately, we have also realised that there is some legal misinformation about it, so please allow us to explain in some detail what’s cooking today in Norway but tomorrow, who knows where?
Norway has been strongly criticised for investigating only Google, no other company.
Norway has been chastised for using European Directives against Google despite not being a member of the European Union, thus implying an arbitrary and self-serving use of European regulations.
Treating IP addresses as personal data in this case, but not in others, such as the French law (also known as the HADOPI law) that explicitly allows IP addresses to be traced in order to identify those who download copyrighted content over the Internet using P2P networks, is another point that has raised disapproving voices.
Reading these criticisms, we couldn’t help but notice how poorly the European institutions and the basis of the data protection rules are understood. Hence, we thought it useful to explain exactly what’s going on.
What started all this?
The Norwegian Data Protection Agency is investigating the websites of several Norwegian public institutions. These websites (again: public institutional sites) use Google Analytics for their digital analytics measurement purposes. This is the initial reason why Google Analytics specifically, as a product, is under investigation, and not Google.
Why does Norway refer to the European Directive?
Norway is indeed not part of the European Union. This is clear.
Nevertheless, the European Union is not the only framework that exists: there is also the European Economic Area, which Norway did join through, for example, the European Economic Area Agreement of 1994. Let’s remember, for example, that we do not need a passport to enter Norway. Under those rules Norway is committed to maintaining the same European standards regarding data protection.
Why is it possible to track IP addresses, for example in France, as part of an anti-piracy law?
This is all about a law, not another level of regulation, establishing the situations under which certain acts can be undertaken while assuring many safeguards for citizens. We’re not saying we agree with this, we’re just stating the facts. Let’s think about the police investigating crimes committed using the Internet. The law allows them to access some level of personal data (such as IP addresses) with some safeguards: ISPs (Internet Service Providers) provide the law enforcement authorities with this type of data under a court order. Only another law can create an exception to the general rule regarding data protection.
How does Google Analytics really work?
Google provides a service to measure web traffic that is proving to be very successful due to great design, ease of use and offering a rather complete picture of digital metrics for a ridiculous price. It’s free.
The right to measure web traffic is not questioned, but it must be done under certain conditions to ensure users’ rights.
By accepting the T&C (Terms and Conditions) of the service, the website using Google Analytics allows the service to access visitors’ data. Google Analytics will use the collected personal data to provide measurement services but also for other purposes such as advertising. To the Norwegian Data Protection Agency, the key issue is that personal data belongs to each individual and each individual should be able to give her consent. Consent should not be given only at the level of the website using the service. Google’s right to provide web analytics services is not being questioned. What is missing are the guarantees offered to the website users about the use of their personal data.
The big question is: what do we consider to be personal data? Personal data is defined as any information relating to an identified or identifiable natural person. At the same time, an identifiable person is defined as one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to her physical, physiological, mental, economic, cultural or social identity. An IP address is considered to allow the identification of a data subject.
The European Directive regarding data protection, released in 1995, set out in Article 7 the circumstances under which personal data could be processed:
- The data subject has unambiguously given her consent; or
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
- Processing is necessary for compliance with a legal obligation to which the controller is subject; or
- Processing is necessary in order to protect the vital interests of the data subject; or
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject, which require protection under Article 1 (1).
It seems Google has no relation with the data subject surfing the website using Google Analytics that could realistically fall under any one of the first five circumstances described in Article 7. It is probable, however, that Google is trying to argue legitimate interest so as to be considered under the circumstances reflected in Article 7.6.
What about Google’s reaction?
Recently Google has stated that: “Google Analytics fully complies with Norwegian and European data protection laws. Every day many Norwegian companies use Google Analytics to improve their online presence and make their websites better for the users. Google Analytics is designed to keep information safe. Webmasters using Google Analytics are in complete control over which data is sent to the service and how Google uses, and can use, the information received from their sites. We have offered to meet the Norwegian Data Protection Agency several times to answer to any questions on Google Analytics and we remain willing to do so.”
Google will clearly fight, yet their arguments remain unconvincing:
- Google will comply with the data protection rules if it is considered that a legitimate interest in processing users’ data exists. However, if it is determined that there is no legitimate interest, Google will not be compliant with the data protection regulations because they do not hold the explicit permission of the user (not the webmaster’s) to share information regarding each individual user with other Google services.
- Designing the service to keep information safe is about business continuity and is an initial must-have, but it has nothing to do with data protection.
- It is great that the webmaster has complete information about the data sent to Google, but the user visiting the website is the one who must give her permission for Google to use that information with other Google services (Gmail, YouTube...) or with other third parties through Google AdWords. This has nothing to do with using data for measurement and improvement purposes.
What’s going on?
To summarize: the Norwegian Data Protection Agency inspected certain public websites. These sites use Google Analytics for their digital analytics measurements. The way the web analytics service manages data subjects’ data seems not to comply with data protection regulation.
A few months ago the W29 (the European working group bringing together all European authorities for data protection) published an analysis of the circumstances for cookie consent exemption. It concluded that (for analytics cookies) it is not necessary to request the user’s prior consent provided that an adequate level of protection is ensured, and it specifies at least the following requirements:
- Anonymization mechanisms applied to collected identifiable information such as IP addresses so that the analytic service provider (in this case Google Analytics) will not have access to the user’s real IP;
- That there is a simple (user-friendly) way through which users can refuse the processing of their data (Google itself has created a plug-in that blocks the collection of information from Google Analytics).
The German Data Protection Agency also asks for a contract between the website and Google covering the processing of personal data by the Google Analytics service, since the role of Google is, according to the European Directive, that of a processor, and a data processor contract is therefore compulsory (actually a standard contract has been agreed between the Agency and Google for this purpose). By the way, data processor contracts are SOP (Standard Operating Procedures) in Spain, where we come from.
Norway is requesting that Google fulfil the guarantees agreed in that document. At the time of writing it is not clear if a contract regulating data processing is also required.
Erik Thon, Director of the Norwegian Data Protection Agency, clearly pinned down the heart of the matter a few days ago by stating the following: “When enterprises accept the terms, they also grant Google access to personal information regarding the visitors to the websites. As a consequence, they are no longer in control of the information collected”.
Is Google really evil?
The truth is that this whole matter is under investigation and a preliminary report from the Norwegian Data Protection Agency is expected by September 10th. Yet it appears that the Norwegians will follow in the footsteps of the German Data Protection Agency (which reflects the view expressed by the W29 about consent and cookies). Let’s take into consideration that Google has already bowed to the demands of the Germans, which leads us to believe that there is no reason not to go the same way for Norway.
It is clear that the days of the Wild West, of measuring on your own and using the collected data on your own, are over. We can measure our site traffic (and should do it to be competitive) but users’ rights must be respected as well. European authorities are willing to raise the level of privacy for users. We will have to wait for the preliminary report, but if the path initiated by Germany is confirmed, this will not be the last time we hear talk in Europe of Google Analytics in relation to privacy issues.