Google Analytics 4 and the new Swiss Data Protection Act – Legally ok?
Impact of the new Swiss Data Protection Act on the use of Google Analytics 4
The new Swiss Data Protection Act (nDSG) of September 1, 2023 will bring major changes. Among other things, this raises the legal question of the use of tracking solutions such as Google Analytics 4 and Co. In this article, we take a closer look at whether and to what extent the use of Google Analytics 4 is permitted in conjunction with the new Swiss Data Protection Act.
Google Analytics 4 – the most important changes at a glance
Somewhat surprisingly, Google announced in March 2022 that the Universal Analytics (UA) web analytics service would be discontinued from July 1, 2023 and replaced by the successor version Google Analytics 4 (GA4). This step has now been completed and all standard Universal Analytics features no longer process new traffic data. The data already recorded can now only be viewed for six months.
The main changes in GA4 are as follows:
- Event-based model: unlike UA, which focused mainly on sessions and page views, GA4 works with an event-based data model. This means that all interactions on the website or app are considered events. Page views, clicks, scrolling, etc. are now recorded as events. This model allows for more flexible and detailed data collection.
- Improved cross-device tracking: GA4 uses signals to enable better cross-device tracking. This allows it to track users across different devices and provides a consistent and more accurate view of user behavior.
- Lifetime value and funnel analysis: These functions are integrated into GA4 as standard. Whereas with UA a funnel had to be created before the data was collected, GA4 allows funnels to be created and analysed retrospectively.
- Predictive analytics: GA4 uses machine learning to predict future user actions, such as the likelihood of a purchase being completed in the next seven days.
- Customisable automatic event capture: GA4 can automatically capture certain types of events, such as scrolling and clicks on videos, without the need for additional code.
- Integrated app and web tracking: While UA used separate property types for apps and websites, GA4 combines website and app tracking into a single property.
- Free BigQuery integration: Unlike UA, GA4 offers the ability to send data to BigQuery for free, which significantly improves data analysis and reporting.
Information on the new Swiss Data Protection Act (DPA)
From 1 September 2023, Switzerland will update the outdated Data Protection Act (DPA) of 1992 to adapt it to the latest technological developments and bring it more in line with the European Union’s General Data Protection Regulation (GDPR). The aim is to protect the right of Swiss citizens to a private and self-determined life, even in times of digital change, through regulation based on the rule of law. In our article ‘The new Swiss Data Protection Act 2023 – introduction and effects on companies, agencies and web developers’, we have summarised the extent to which this has an influence and impact on your company.
Differences between the nDSG and the GDPR
The main differences between the new Swiss Data Protection Act and the GDPR are that the Swiss DPA can also penalise private individuals with a fine of up to 250,000 Swiss francs, while the GDPR only sanctions companies – but not private individuals – with fines of up to 20 million euros or four percent of total annual turnover. There are also other differences, such as the appointment of data protection officers (DPOs), which is not mandatory in Switzerland, unlike in the EU. The notification period for data breaches is also regulated differently; the GDPR provides for a period of 72 hours, while the Swiss nDSG provides for notification ‘as soon as possible’. There is also a significant difference in the scope of application of the two laws: The GDPR applies EU-wide and has introduced coordination mechanisms between the supervisory authorities of the member states, while the Swiss nDSG is a federal law that affects the federal authorities and private sector companies – but not the cantonal authorities.
Effects of the new Swiss Data Protection Act nDSG on the use of Google Analytics 4
Collection of personal data:
When Google Analytics 4 is used, personal data (Personally Identifiable Information, PII) is collected and transmitted to Google. As Google has its headquarters and the majority of its servers in the USA, this data is transferred to a country that is considered unsafe under the DPA. The personal data includes the IP address, information on the device type and browser used, as well as the time spent and interactions on the website.
Cookies and other client-side storage technologies:
Contrary to widespread assumptions, the nDSG does not adopt the EU Cookie Banner Directive. Instead, Article 7 paragraph 3 of the nDSG provides for ‘privacy by default’:
‘The controller is obliged to ensure, by means of suitable default settings, that the processing of personal data is limited to the minimum necessary for the intended purpose, unless the data subject specifies otherwise.’
David Rosenthal, an expert in data and technology law in Switzerland, explains this as follows in his commentary on the new Data Protection Act:
“If a controller provides several options for processing personal data in a service, software or device and the user can customise these options themselves via data protection settings, the default setting must be the least far-reaching setting. Where the user has no (technical) option to control data processing themselves, this obligation does not apply. The existence of consent to data processing does not lead to a default setting, nor does the right to object, even if this can be exercised via a technical function in an online service (opt-out button). A controller is also not obliged to offer users (e.g. of its online service or device) options. However, if they do, any default settings must limit data processing to the necessary minimum.”
Swiss legislation on the use of cookies and other client-side storage technologies is governed by Article 45c of the Telecommunications Act:
‘The processing of data on third-party devices by means of telecommunications transmission is only permitted if the users are informed about the processing and its purpose and are made aware that they can refuse the processing.’
The opt-out principle applies in Switzerland. It is therefore sufficient to give users the option of blocking or deleting cookies in their browser without having to obtain consent.
GA4 in the privacy policy:
If a website uses Google Analytics 4, this use should definitely be noted in the privacy policy. It is also important to include a note that tracking by Google Analytics can be deactivated.
Does the General Data Protection Regulation (GDPR) also apply in Switzerland?
Although Switzerland is not part of the EU, the General Data Protection Regulation (GDPR) has an impact on Swiss website operators. This is because websites are rarely bound by geographical borders and citizens from EU countries can therefore also visit Swiss websites. It does not matter whether a company offers Swiss products in an online shop for Swiss customers or whether the online shop is internationally orientated. The SME portal of the Swiss Confederation clarifies the following:
“Swiss companies must comply with the GDPR if they process personal data of natural persons located in the EU and if the purpose of the processing is: to offer goods or services to such persons (whether for payment or free of charge), or to track the behaviour of such persons, provided that this behaviour takes place in the Member States of the EU (Art. 3 para. 2 letters a and b GDPR).
In order to determine whether the activities of a company based outside the EU fall within the scope of the GDPR, legal advisors must analyse whether there is an intention to sell goods or services to the EU. Various indications can be examined here (for example, the mention of customers located in the Member States or of a currency commonly used in the EU). In the case of Article 3(2)(b) GDPR, the experts can analyse whether there is a clear intention to track the behaviour of natural persons in the EU (for example, if they detect the use of profiling tools or Google Analytics).”
What obligations do affected companies have to fulfil in this case?
- Inform and obtain the consent of the person whose data is being processed
- Ensure “privacy by design” and “privacy by default”
- Appoint a representative in the EU
- Create a record of processing activities
- Report data breaches to the supervisory authority
- Carry out a data protection impact assessment
New data protection framework agreement between Europe and the USA
On 10 July 2023, the European Commission adopted an adequacy decision for the EU-US data protection framework. This decision ensures that the United States provides an adequate level of protection for personal data transferred from the EU to US companies. According to the General Data Protection Regulation (GDPR), personal information may only be transferred from the European Union to countries outside the EU under certain conditions. It is crucial that the level of protection fulfils the requirements of the regulation. This is assessed on the basis of various aspects, such as the data protection legislation in the recipient country, the possibilities for legal protection and the role of the data protection supervisory authority.
Data Protection Review Court and data erasure
US companies can prove their participation in the EU-US data protection framework through certification. In doing so, they undertake to comply with certain data protection requirements. These include principles such as purpose limitation, data minimisation, storage limitation, data security and the transfer of data to third parties. If the Data Protection Review Court finds that these new guarantees have been breached during data collection, it can order the deletion of the information in question.
Restricting access by US intelligence services
The new data protection framework introduces binding safeguards that limit access to EU data by US intelligence services to what is necessary and proportionate. Compared to its predecessors, the ‘Safe Harbour’ and ‘Privacy Shield’ agreements, this framework brings clear improvements. The ‘Privacy Shield’ was declared invalid in 2020 by both the European Court of Justice (ECJ) and the Federal Data Protection and Information Commissioner (FDPIC). Compliance with the obligations under the EU-US data protection framework is monitored and enforced by the US Federal Trade Commission.
Secure data traffic for Europeans
The President of the European Commission, Ursula von der Leyen, emphasised the importance of the adequacy decision for secure data flows for Europeans. This framework creates legal certainty for companies on both sides of the Atlantic. Following an agreement with US President Joe Biden, the USA has committed to providing these new guarantees. This will strengthen citizens’ confidence in the security of their data, while deepening economic relations between the EU and the US and reaffirming shared values. This shows that complex problems can be successfully tackled together.
Significance of the new EU-US data protection agreement for Switzerland
The Federal Data Protection and Information Commissioner (FDPIC) and the Swiss State Secretariat for Economic Affairs (SECO) are working on drafting a Swiss version of this framework agreement with the USA in the near future. This is expected to take place before the new Data Protection Act (nDSG) comes into force on 1 September 2023. According to the Federal Data Protection and Information Commissioner FDPIC, talks on this are already at an advanced stage. Until this date, Swiss companies must continue to rely on Standard Contractual Clauses (SCCs) to transfer personal data to third countries. From 1 September 2023, it will then be the task of the Federal Council to decide on the adequacy of a state in accordance with the new Swiss Data Protection Act. It will determine whether the USA will be included in the list of countries with an adequate level of data protection in due course. Until such a framework is in place, nothing will change for the FDPIC with regard to Switzerland’s current adequacy list, and the USA will remain a third country without an adequate level of data protection.
Conclusion and tips
The current data protection law situation regarding the use of Google Analytics in Switzerland has not yet been conclusively clarified. It is therefore advisable to take some technical and organisational measures to avoid violating the requirements of the nDSG or the GDPR. Here are some tips you can follow:
- Only use Google Analytics for specific purposes and be clear about the purposes for which the data is collected.
- Only store the data collected for as long as it is actually needed and then delete it.
- Use the IP anonymisation function of Google Analytics.
- Inform your users about the use of Google Analytics.
- Offer your users the opportunity to object to the use of Google Analytics.
- Take into account the adequacy list of the Federal Data Protection and Information Commissioner (FDPIC) for countries with an adequate level of data protection.
- If you are unsure, consult a legal and data protection expert.
- You can make your website legally compliant with a website data protection solution. The automated data protection solution Legally ok, for example, regularly checks your website and creates the appropriate legal content for your privacy policy, legal notice and cookie banner. The advantage of a solution like Legally ok is that you always have an up-to-date privacy policy, even in the event of legal changes. The specialist lawyers at Legally ok check the updates regularly and make relevant updates. You can register for Legally ok for free and get started.

