Note: Not a Lawyer – speak to legal counsel before making any changes.
Following my evaluation of the Austrian case over the weekend, several interesting discussions about the consent management aspect popped up. I originally left it out because consent wasn’t obtained from the Austrian site prior to collection and in the German case, the consent wasn’t obtained prior to loading the consent manager (yes, I realize how that sounds).
This prompted me to review the cases again, and take a look at how this could likely play out.
So let’s start with understanding if consent would have changed things and what the specific requirements for consent would be. If we look at the Austrian Decision, starting on page 34 it speaks to the specifics that could be leveraged in order to conduct the transfer of data to an external country (in this case the United States). Such transfers can occur in different scenarios, but this case references Articles 45, 46 and 49 of the GDPR.
Article 45 speaks to data transfers that occur to a country which has data adequacy to the GDPR. We know from the case that ended the Privacy Shield that the U.S.A. does not have data adequacy, and so Article 45 cannot apply.
The DPA says this on page 34.
Article 46 speaks to data transfers that occur to countries without data adequacy and evaluates the conditions of such a transfer. The next 5 pages of the decision look at this from multiple angles.
In the case of the Austrian decision, two pages are spent evaluating the ‘appropriate guarantees’ portion of the data transfer, and cite that due to the intelligence agencies of the United States, this alone cannot fulfill the standard data protection clauses required for such a transfer.
Google argued that additional safeguards were in place, and so the DPA considered those as well over the next several pages. It had the following to say in light of the access to the data by Google and additionally by the United States government.
As a further interim result, it should be noted that the “additional measures” in question are not effective, as these do not close the legal protection gaps identified in the framework of the judgment of the ECJ of June 20, 2020 – i.e. the access and monitoring options of US intelligence services.
As such, Article 46 does not apply (page 39). This is a major finding because if Art. 46 does not apply, the only remaining basis for transfer is Art. 49, which has a higher bar for transfer.
Article 49 covers various exceptions in which a data transfer may occur when they are not covered by Articles 45 or 46.
On page 39 the Austrian DPA notes that user consent wasn’t obtained prior to transfer, so Article 49(1)(a) does not apply, and that it could not determine any other conditions of Article 49 to apply.
Thus the transfer to Google could not take place under Article 49.
Could Consent have made the difference?
In my non-legal opinion, potentially.
If consent was granted the DPA would have had to consider Article 49 1(a) as a mechanic in which the user consented to the data transfer prior to the transfer occurring. This assumes that the integration between the consent manager and tag manager worked properly.
Technically, I think for this to be valid we’d have to either not request the analytics.js file until after consent, or we need to self-host the analytics.js file, because otherwise by simple virtue of loading the external resource, we may run afoul of GDPR as happened in the German case I referenced previously where a site was fined for loading Google Fonts.
Ultimately it depends on what a DPA would determine is a transfer. Certainly sending data to the analytics collection servers is a transfer, and the decision states as much. Would a DPA side with the German court and rule that loading the analytics.js file hosted by Google is also a transfer? It’s hard to say, but based on recent decisions, I consider it probable. If we asked permission prior to loading an external analytics.js file (or used a self-hosted file), however, we’d be covered even against this possible interpretation.
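As an added example (not code from the post, Google, or any consent manager), the consent gate described above: nothing is requested from a Google-hosted origin until explicit, risk-informed consent is recorded, the loader can fall back to a self-hosted copy, and a small check over a constructed resource timeline (the shape a performance or HAR export would give) flags any third-country resource fetched before consent. The hostname list, the self-hosted path and the consent field names are assumptions.

```javascript
// Hosts whose mere loading the post treats as a likely transfer (assumed list).
const THIRD_COUNTRY_HOSTS = [
  'www.google-analytics.com',
  'www.googletagmanager.com',
  'fonts.googleapis.com', // the German Google Fonts case: loading alone was the transfer
];
const GOOGLE_ANALYTICS_URL = 'https://www.google-analytics.com/analytics.js';
const SELF_HOSTED_ANALYTICS_URL = '/assets/analytics.js'; // assumption: copy served from our own origin

// Art. 49(1)(a): explicit consent, given after the transfer risk was explained.
function consentPermitsTransfer(consent) {
  return Boolean(consent)
    && consent.analytics === true
    && consent.transferRiskDisclosed === true
    && typeof consent.grantedAt === 'number';
}

// Before consent nothing may be requested; afterwards either copy may load.
function resolveAnalyticsSource(consent, selfHost) {
  if (!consentPermitsTransfer(consent)) return null;
  return selfHost ? SELF_HOSTED_ANALYTICS_URL : GOOGLE_ANALYTICS_URL;
}

// Injects the script tag only when the gate opens; returns whether it did.
function loadAnalytics(consent, selfHost, doc = globalThis.document) {
  const src = resolveAnalyticsSource(consent, selfHost);
  if (src === null || !doc) return false;
  const script = doc.createElement('script');
  script.async = true;
  script.src = src;
  doc.head.appendChild(script);
  return true;
}

// Audit: entries are { url, startedAt }; returns third-country URLs requested
// before consent was recorded (every such URL when there is no valid consent).
function findPreConsentTransfers(entries, consent) {
  const grantedAt = consentPermitsTransfer(consent) ? consent.grantedAt : Infinity;
  return entries
    .filter((e) => THIRD_COUNTRY_HOSTS.includes(new URL(e.url).hostname) && e.startedAt < grantedAt)
    .map((e) => e.url);
}

// Constructed sample timeline: fonts and the tag manager load at page start, consent at 4200 ms.
const SAMPLE_ENTRIES = [
  { url: 'https://example.org/', startedAt: 0 },
  { url: 'https://fonts.googleapis.com/css?family=Roboto', startedAt: 120 },
  { url: 'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER', startedAt: 300 },
  { url: 'https://www.google-analytics.com/analytics.js', startedAt: 4500 },
];
const SAMPLE_CONSENT = { analytics: true, transferRiskDisclosed: true, grantedAt: 4200 };
```

Running the audit over the sample timeline reports the fonts and tag manager requests, which is the pattern the post flags in the German case (the consent manager itself loading before consent).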
Legally, under Article 49(1)(a) consent has specific requirements.
(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
The issue with the above is that while it may be viable legally, I can’t actually picture any brand saying “Do you agree to let us run analytics, oh and by the way the United States Government may get a copy?” as part of their consent preferences. I would think someone related to Brand Safety would strongly object to such a notice, which you could (in theory) avoid entirely with a different non-U.S.-based product.
Server Side Considerations
I also think these risks would need to be communicated even with most server side tagging solutions because logging is typically enabled by default and the server side container processes the client side data to construct the redacted request ultimately served to the analytics collection server. I am not confident a DPA would meaningfully differentiate between the analytics collection server, and the Google Tag Manager server side container when Google owns and has access to both.
Google would in theory have access to the original client side analytics hit to the server side container in the logging so I am not sure it matters that what the analytics server gets is a reduced data set where Google ultimately has access to both the original and the modified request at different points in the data flow.
We haven’t seen a DPA rule on this yet because this hasn’t been the architecture in any of the cases to date. So I can only theorize about what they would ultimately rule based on the relevant cases I’ve reviewed to date.
What about Legitimate Interest?
Article 49 does make allowances for Legitimate Interest as seen here:
Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.
There are a lot of conditions here to claim transfer on the basis of legitimate interest, but specifically, as I have highlighted, the transfer in such a case must not be repetitive. Since analytics data collection is repetitive, it is exceptionally unlikely in my opinion to be a viable basis for transfer for the purposes of analytics.
Given the above I think the best option is 49 1(a), which means you need user consent after telling them all the risks regardless of client or server side tagging.
Consent is still an evolving topic. The Belgian DPA recently ruled against IAB Europe over the Transparency and Consent Framework, in part because it wasn’t specific enough to the user. Could user consent have altered the Austrian decision? Perhaps. We won’t know if user consent is enough to be compliant until a DPA adjudicates and evaluates that specific scenario. I am skeptical, however, that any site is properly communicating the risk at this point after going down this rabbit hole for the past several days.