Google Analytics and GDPR Compliance: What next?

Google Analytics is a popular tool used by website owners across the world to observe and measure user engagement. In February 2022, the French Data Protection Regulator, CNIL, ruled that use of Google Analytics was a breach of GDPR. This followed a similar decision by Austrian Data Protection Authority in January. 

Is a website owner processing personal data by making use of Google Analytics? On the face of it, the answer should be no. Google Analytics only collects information about website visitors, such as which pages they access and where they link from. The website owners do not see any personal data about visitors. However, Google does assign a unique user identification number to each visitor which it can use to potentially identify visitors by combining it with other internal resources (just think of the vast amount of information which is collected by Google’s other services). 

The fact that the above mentioned French and Austrian decisions ruled that analytics information is personal data under GDPR does not in its itself make the use of Google Analytics unlawful. Of course website owners need to find a GDPR Article 6 condition for processing (Lawfulness) but this is not an insurmountable hurdle. Legitimate interests is a possibility although the UK Information Commissioner’s Office (ICO) holds the view that use of analytics services is not “strictly necessary” in terms of the PECR cookie rules and its own cookie banner, adopts the express consent approach.  

A bigger obstacle to the use of Google Analytics in Europe is the fact that website users’ personal data is being passed back to Google’s US servers. In GDPR terms that is a “restricted transfer” (aka international transfer). Following the judgment of the European Court of Justice (ECJ) in “Schrems II”, such transfers have been problematic to say the least.  In Schrems, the ECJ concluded thatorganisations that transfer personal data to the USA can no longer rely on the Privacy Shield Framework. They must consider using the Article 49 derogations or standard contractual clauses(SCCs). If using the latter, whether for transfers to the USA or other countries, the ECJ placed the onus on the data exporters to make a complex assessment about the recipient country’s data protection legislation, and to put in place “additional measures” to those included in the SCCs. The problem with the US is that it has stringent surveillance laws which give law enforcement agencies access to personal data without adequate safeguards (according to the ECJ in Schrems).

In France, the CNIL has ordered the website which was the subject of its ruling about Google Analytics to comply with the GDPR and “if necessary, to stop using this service under the current conditions”, giving it a deadline of one month to comply. The press release, announcing the decision, stated:

“Although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services.”

“There is therefore a risk for French website users who use this service and whose data is exported.”

The CNIL decision does leave open the door to continued use of Google Analytics but only with substantial changes that would ensure only “anonymous statistical data” gets transferred. It also suggests use of alternative toosl which do not involve a transfer outside the EU. Of course the problem will be solved if there is a new agreement between the EU and U.S. to replace the Privacy Shield. Negotiations are ongoing.

In the meantime, what can UK based website owners do. Should they stop using Google Analytics? Some may decide to adopt a “wait and see” approach. The ICO has not really shown any appetite to enforce the Schrems decision concentrating instead on alternative transfer tools including International Data Transfer agreement which comes into force tomorrow. Perhaps a better way is to assess which services, not just analytics services, involve transfers to the US and switch to EU based services instead.  

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop on Wednesday. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in April.


Lloyd v Google: What DPOs need to know

Last week, the UK Supreme Court handed down its much anticipated judgement in the case of Lloyd v Google LLC [2021] UKSC 50. It is a significant case because it answers two important questions (1) whether US style class action lawsuits can be brought for data protection claims and (2) whether damages can be claimed for mere “loss of control” of personal data where no actual damage has been suffered by data subjects. If the Supreme Court had decided that the answer to either of these questions was “yes”, it would have resulted in Data Controllers being targeted with much more costly data breach litigation. 

The present case was brought by Richard Lloyd, a former director of consumer rights group Which?, who alleged that between 2011 and 2012, Google cookies collected data on health, race, ethnicity, sexuality and finance through Apple’s Safari web browser, even when users had chosen a “do not track” privacy setting on their phone. Mr Lloyd sought compensation, under section 13 of the old Data Protection Act 1998. 

Mr Lloyd sought to bring a claim in a representative capacity on behalf of 4 million consumers; a US style “class action”. In the UK, such claims currently need consumers to opt-in, which can be a lengthy process (and costly). Mr Lloyd attempted to set a precedent for opt-out cases, meaning one representative could bring an action on behalf of millions without the latter’s consent. He sought to use Rule 19.6 of the Civil Procedure Rules which allows an individual to such bring a claim where all members of the class have the “same interest” in the claim. Because Google is a US company, Mr Lloyd needed the permission of the English court to pursue his claim. Google won in the High Court only for the decision to be overturned by the Court of Appeal. If Mr Lloyd had succeeded in the Supreme Court on appeal, it could have opened the floodgates to many more mass actions against tech firms (and other data controllers) for data breaches.

The Supreme Court found class actions impermissible in principle in the present case. It said that, in order to advance such an action on behalf of each member of the proposed represented class, Mr Lloyd had to prove that each one of those individuals had both suffered a breach of their rights and suffered actual damage as a result of that breach. Mr. Lloyd had argued that a uniform sum of damages could be awarded to each member of the represented class without having to prove any facts particular to that individual. In particular, he had argued that compensation could be awarded under the DPA 1998 for “loss of control” of personal data constituted by any non–trivial infringement by a data controller of any of the requirements of the DPA 1998.

The Supreme Court  rejected these arguments for two principal reasons. Firstly, the claim was based only on section 13 of the DPA 1998, which states that “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”. The court ruled that “damage” here means material damage, such as financial loss or mental distress, as caused by unlawful processing of personal data in contravention of the DPA 1998 (i.e. simply infringing the DPA 1998 does not in itself constitute “damage”). Secondly, in order to recover compensation under section 13 of the DPA 1998, it is necessary to prove what unlawful processing (by Google) of personal data relating to each individual actually occurred. A representative claim could have been brought to establish whether Google was in breach of the DPA 1998 as a basis for pursuing individual claims for compensation but not here where Mr Lloyd was claiming the same amount of damages (£750) for each of the 4 million iPhone users.

This case was decided under the DPA 1998.  Article 82(1) of the UK GDPR sets out the right to compensation now; “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. The similar wording to the DPA 1998 means that the outcome would be the same if Mr Lloyd had commenced his action post GDPR.

The Lloyd-Google judgment means that those seeking to bring class-action data protection infringement compensation cases have their work cut out. However, claims under Art 82 can still be brought on an individual basis – in fact the judgment seems to indicate that individual cases can have good prospects of success. There is more to come in this area. TikTok is facing a similar case, brought by former Children’s Commissioner Anne Longfield, which alleges that the video-sharing app used children’s data without informed consent. 

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a one place left on our Advanced Certificate in GDPR Practice course starting in January.


GDPR, Class Actions and the Right to Compensation

Gavel, scales of justice and law books

In November 2018 we reported the decision of the English High Court in the case of Lloyd v Google [2018] EWHC 2599 (QB). In summary, Mr Lloyd, who is a consumer protection champion, was attempting to bring a ‘class action’ (or ‘representative’ action) against Google. He brought the claim on behalf of over 4 million Apple iPhone users, alleging that Google had secretly tracked some of their internet activity, for commercial purposes, between August 2011 and February 2012.

Because Google is based in Delaware in the USA, Mr Lloyd first had to seek permission from the High Court to serve the legal action outside the jurisdiction of the English courts. To do this he had to prove that the claim had a reasonable prospect of success. The High Court decided that the claim did not have a reasonable prospect of success for two reasons.

Firstly, none of the people in the represented class had suffered damage under S. 13 Data Protection Act 1998 (DPA). This provision contained a right to compensation which is now to be found in Article 82 of the General Data Protection Regulation (GDPR). The High Court took the view that the claimants seemed to be relying on the fact that they were entitled to be compensated because of the breach alone, without showing how the breach had caused any damage, which was a necessary requirement for the class action to proceed under section 13. Secondly, the members of the ‘class’ did not share the same interest and were not identifiable, which was also a necessary requirement.

On 2ndOctober 2019 the Court of Appeal, in Lloyd v Google  [2019] EWCA Civ 1599, reversed this decision and gave Mr Lloyd the right to proceed with his representative action against Google in the English Courts. This decision is significant because it now means that the claim against Google will be considered, at some future date, in the Media and Communications Court in London. It is also significant because of the Court’s ruling on the question of damages in respect of breaches of data protection legislation.

Why did the Court of Appeal reach this different decision?

The Court had to consider the following legal questions; Could the claimants recover damages for loss of control of their personal data under S. 13 of the DPA 1998? It decided, after reviewing various authorities from earlier case law and interpreting the DPA 1998 by reference to agreed principles of European Union Law, that they could.

The Court of Appeal’s approach was quite different to that of the High Court. The latter had rejected Mr Lloyds’ argument that the claimants were entitled to compensation because of the breach alone.  It stated that it was necessary for a claimant to demonstrate a causal link between the breach of the DPA and the damage suffered, and they had not.

In reversing the decision, the Court of Appeal emphasised that S. 13 of the DPA had to be interpreted in the light of Article 13 of the Data Protection Directive 1995and Article 8 of the Charter of Fundamental Rights of the European Union.  It also referred to the General Data Protection Regulation 2016. In particular, the Court considered GDPR ***Recital 85 which supports the view that “loss of control” over personal data is an example of the kind of “physical, material or non-material damage that might be caused to natural persons as a result of a data breach”. On this basis, the Court of Appeal accepted that a claimant could claim damages in respect of ‘loss of control’ of their personal data, provide the damage was not trivial. On the facts, the Court considered that ‘browser generated information’ (BGI) was an asset that had commercial value. Consequently, a person’s control over their BGI does have a value so that the loss of control must also have a value.  Therefore, the loss of control damages claimed by the represented claimants are properly to be regarded as compensatory in nature and damages are in principle capable of being awarded for loss of control of data under Article 23 and S. 13 DPA 1998 even if there is no pecuniary loss and no distress.

(***It is interesting that the Court of Appeal considered the recitals to interpret the substantive provisions of GDPR. These recitals are often difficult to match with the latter. Our GDPR Handbook does this for you as well as cross referencing relevant ICO Guidance and the Data Protection Act 2018.)

Turning to the second legal question that had to be considered by the Court of Appeal; was the High Court judge right to hold that the members of the class did not have the same interest under and were not identifiable? According to the Civil Procedure Rules it is necessary for the claimants in a class action, to all have ‘the same interest’ in the claim. The High Court decided that the claimants did not all have the same interest; some affected individuals would be heavy internet users and ‘victims’ of multiple breaches; the extent of the loss of control across such a large group would be varied; and not all users would view the loss of control in the same way.

The Court of Appeal decided that this was the wrong approach. The claimants that Mr Lloyd seeks to represent have all had their BGI (something of value) taken and used by Google, without their consent, in the same circumstances and over the same period. Accordingly, they are all victims of the same alleged wrong, and have all sustained the same loss, namely loss of control over their BGI. The Court accepted that this means that the damages that can be claimed (if the future action is successful) will be at the lowest common denominator.

The Court of Appeal also decided that it would be possible to identify the class of people represented in this claim. It must be possible tosay of any particular person whether or not they qualify for membership of the represented class of persons by virtue of having” the same interest as Mr Lloyd” at all stages of the proceedings. The Court considered that every affected person will, in theory, know whether he or she satisfies the conditions that Mr Lloyd had specified. These included any person who between 9 August 2011 and 15 February 2013 (whilst they were present in England and Wales)

  • Had an Apple ID
  • Owned an iPhone 3G or subsequent model running iOS version 4.2.1 or later; and
  • Used the Apple Safari internet browser version 5.0 or later on that iPhone to access a website that was participating in Google’s DoubleClick advertising service

In any event, the Court recognised that Google would have the data to be able to identify every person in the class!


In this case the Court of Appeal reversed the High Court’s decision that Mr Lloyd could not serve an out of jurisdiction action against Google. It approached the case by interpreting the now repealed Data Protection Act, in the light of principles of EU Law. The way is now clear for this class action to proceed before the Media and Communications Court in London. It of course remains to be seen how the case will proceed and no doubt it will be fought hard by Google, given the size of the class.  It is also difficult to predict how the Media and Communications Court will approach the case if it takes place post Brexit.

Readers may also wonder why the case is relevant given that the applicable law is now the GDPR. However, the Court of Appeal seemed to be at pains to point out that the GDPR supports its interpretation in this case. The significance lies in the fact that the Court of Appeal has made it clear, that in its view, it is possible to claim damages for loss of control of personal data (including BGI data) without having to prove financial loss or distress.

You can find more on these and other developments in our GDPR update workshop running in Leeds and London in November.

Google v CNIL and the Right to be Forgotten


24th September 2019 is most likely to be remembered as the day the UK Supreme Court unanimously ruled that the Prime Minister, Boris Johnson, had unlawfully prorogued Parliament. As media attention focussed on the constitutional implications of this landmark judgment, you might be forgiven for not noticing another very important legal judgment delivered by the Court of Justice of the European Union (CJEU) in (Google LLC v CNIL (Case C-507/17). In contrast to the Prime Minister, the case went in favour of Google and provided clarification regarding the extent of its obligations to erase personal data under Article 17 of GDPR, the so called “Right to be Forgotten.”

This decision is, in many senses, a continuation of the Court’s landmark judgment in 2014 (Google v Spain (Case C-131/12) in which the CJEU ruled that Google, as a Data Controller, had to give effect to the data protection right of erasure provided in Article 12(b) and the right of objection under Article 14 of the EU Data Protection Directive 1995 (the 1995 Directive). Readers will know that the Directive has been repealed and replaced by the GDPR. Although, at the time of the case the operative law was the Directive, the Court decided that it would consider the questions raised in the light of both the Directive and the GDPR to ensure that its answers would be of relevance now that the GDPR is in force.

The Right to be Forgotten (or the right to erasure) is now found in Article 17 and the right to object to processing in Article 21 of GDPR. In Google v Spain the Court held that where a search engine operator received a request under Article 12 (b) of the 1995 Directive then it would have to take steps to remove those links to third party web sites that were displayed in a list in a search conducted against the Data Subject’s name (provided the conditions of Article 12 (b) were met). This meant that a Data Subject would have the right to request Google to ‘de-reference’ certain links to information held on third party web sites. This has been referred to as the “right to
de-referencing”. This right was not absolute.

Turning to the corresponding provisions of the GDPR (Article 17), the Court also notes that the Right to be Forgotten under Article 17 (3) of the GDPR is also not absolute.
A search engine operator may refuse the request if one of the conditions in Article 17(3) applies. Article 17 (3) specifically states that the Right to be Forgotten does not apply where processing is necessary for exercising the right of freedom of expression and information. Therefore consideration needs to be given to the specific circumstances of the case, the sensitivity of the personal data, and the interests of the public in having that information, which may vary depending on the public role played by the Data Subject.

What happened in the latest case?

In 2015 the French Data Protection Authority (the Commission National De l’informatique Et Des Libertés) instructed Google that when it received a request from a person to remove links to web pages about them, from the list of results displayed following a search conducted on the basis of that person’s name, it must apply that removal to all its search engine’s domain name extensions.

Google responded by removing the links in question but only from the results displayed following searches conducted from the Google domain names in the Member States. It also implemented so called ‘geo-blocking’ measures that meant if an internet user in the EU switched to a non-EU version of Google it would automatically be re-routed to an EU version of Google (which would not display the ‘disputed’ links). Despite this the French Data Protection Authority, using its powers under the French law that implemented the Data Protection Directive, imposed a fine of €100,000 on Google. Google challenged this decision. The French Court considered that the case raised difficult legal issues regarding the interpretation of the Right to be Forgotten and the territorial scope of the Data Controller’s obligation.

The Issues

The issue in this case was about what steps Google had to take in response to a request to de-reference links. Did it have to ensure that the link was removed from all the domain names used by its search engine so that the links no longer appear, irrespective of the place where the search is initiated or whether it is conducted from a place outside the European Union? In other words the issue was about the territorial scope of Google’s obligations to de-reference links when a Data Subject makes a valid request under Article 17.

The Court deals with this as follows:

  • It begins by stating that the objective of the GDPR is to provide a high level of protection of personal data throughout the European Union, and a
    de-referencing of all versions of a such engine would achieve that objective.
  • But it recognises the ‘ubiquitous’ nature of the internet that is global in reach and without borders.
  • And it also acknowledges that not all States that host the Google search engine recognise the right of de-referencing.
  • Article 17 (3) strikes a balance between the rights of the Data Subject and the right of information, but does not strike such a balance as regards the scope of de-referencing outside the EU.
  • There is nothing in Article 17 of the GDPR that suggests that the EU intended that the scope of the Right to be Forgotten would extend beyond the territory of the Member States of the EU.
  • Consequently there is no obligation under EU Law, for a search engine operator, who grants a request for de-referencing, under Article 17, to carry out a de-referencing on all the versions of its search engine. It is only required to implement de-referencing in all the EU Member State versions of its search engine.
  • However, where necessary the search engine operator is obliged to use measures which prevent, or at the very least, seriously discourage internet users in the EU from gaining access to the ‘offending’ links in question.

The CJEU then referred the matter back to the French Courts for them to determine whether the measures taken by Google (the geo-blocking measures) or proposed by Google meet these requirements. However, what is clear is that the ‘Right to be Forgotten’ in the context of Google searches has its limits. The extent to which Google, and other search engine operators, can prevent or discourage determined internet users from gaining access to ‘de-referenced’ personal data remains to be seen.

More on these and other developments in our GDPR update workshop presented by Ibrahim Hasan. Looking for a GDPR qualification? Our practitioner certificate is the best option.

%d bloggers like this: