ONWARD TRANSFER: To disclose information to a third party, organizations must apply the Notice and Choice Principles. Where an organization wishes to transfer information to a third party that is acting as an agent, as described in the endnote, it may do so if it first either ascertains that the third party subscribes to the Principles or is subject to the Directive or another adequacy finding or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles. If the organization complies with these requirements, it shall not be held responsible (unless the organization agrees otherwise) when a third party to which it transfers such information processes it in a way contrary to any restrictions or representations, unless the organization knew or should have known the third party would process it in such a contrary way and the organization has not taken reasonable steps to prevent or stop such processing.
1. It is not necessary to provide notice or choice when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of and under the instructions of the organization. The Onward Transfer Principle, on the other hand, does apply to such disclosures.
A crucial element is thus whether Google is acting as an agent when offering Google Analytics (which I understand to be a poor negotiator’s translation of the processor/controller divide in intra-EU data protection). It might be relevant that this Google Analytics identifier is stored in a first-party cookie (both for Coursera and 23andMe), and that I was otherwise registered on both sites (using directly identifiable information). I have also requested the same data from Google Switzerland (where I live), and expect to be told Google is only acting as a processor when handling my-sessions-on-Coursera analytics.
Also notable is the definition of personal data, on those same pages:
“Personal data” and “personal information” are data about an identified or identifiable individual that are within the scope of the Directive [FADP], received by a U.S. organization from the European Union [Switzerland], and recorded in any form.
The “scope of the Directive” has been interpreted many times over recently (maybe most relevant here to assess “identifiable”: Rynes case at the EUCJ), so I have little doubt that Google Analytics identifiers and associated data are indeed personal data under EU laws, and am reasonably confident this can also be established for the transatlantic case.
When the controller is in Europe/CH and the processor is in the U.S., this page and that page are relevant. I am actually testing that right now too, for the website of the data protection officer of Canton de Vaud (where I live and which indeed uses Google Analytics), a big university (which falls directly under federal regulations), some big news companies, etc. The law is clearer in this case (at least in CH), and I got some of them to ask Google, but we will see what Google replies.
My assessment about Google Analytics and transatlantic data flows is thus:
- It is trivial to find websites that claim compliance with Privacy Shield/Safe Harbor and use Google Analytics (that step can be automated).
- Each of those sites can potentially be asked for access to personal data (again, this can be automated).
- If those requests succeed, this could drastically alter the transparency equation with Google Analytics, but also other similar setups.
- On the other hand, each unsuccessful request is liable to turn into a Safe Harbor/Privacy Shield arbitration (initiating the request can be automated too).
- It could then be that my argument “loses” in a U.S. arbitration court, but then Safe Harbor falls short of offering adequate protection, or Privacy Shield is tested further (many, many times in parallel, due to the design of the Shield).
We will see…