The revolution that the Internet has brought to the business world is undeniable, allowing information to be shared around the world in a matter of seconds. In fact, a large part of the services and business models that have arisen as a result of the use of the Internet are based on this ability to share information, allowing companies located in a given territory to offer their services worldwide, as we have seen with the rise of the tech giants.
Among the most relevant digital services are web analytics services. These services make it possible to obtain information on how individuals use a website (for example, where they access it from, how they arrive at the website, how long they stay, which pages they visit, etc.). They usually work by setting a cookie that assigns an online identifier to the user and stores information about their browsing. That information is combined with the information extracted from other users to provide website operators with relevant metrics and general information to help them make better decisions and offer tailored content to their users.
One of the main legal challenges arising from these services is that, although the cookie would not necessarily know the name of the individual behind the identifier, both the identifier itself, as well as the information the cookie collects about the user’s behaviour, would be considered personal data (Article 4(1) of the General Data Protection Regulation). Therefore, the processing of data derived from web analytics services is subject to personal data protection laws.
In this respect, a particular issue under the European data protection regime is international data transfers. These occur when an organisation in the European Economic Area transfers personal data to countries outside this territory that do not have an adequacy decision by the EU Commission. This is the case, for example, of the United States, which is also particularly in the spotlight following the “Schrems II” ruling of the Court of Justice of the European Union, which invalidated the “Privacy Shield” and ruled that international data transfers need to be carefully assessed before they take place.
Based on the pillars laid by that ruling, the Austrian data protection authority (“Datenschutzbehörde” or “DSB”) has just issued a decision in January 2022 that the continued use of a particular analytics tool provided by a US provider is unlawful. This is because the DSB considers that insufficient measures would be provided to prevent access by US authorities to the personal data of European citizens. The same decision could be considered applicable to any other similar service provided by providers located in the US.
Following the above decision, the Norwegian data protection authority has taken the same approach by deciding against the use of the same service. The Dutch data protection authority has also announced that it is “likely” to rule in the same direction shortly. This decision may therefore lead to other data protection authorities deciding along the same lines in the coming weeks, which may set an important precedent for the use of data-related services offered by service providers based in the US.