Following mounting pressure from data protection agencies (DPAs) in different European countries, Google has started offering so-called data processing agreements to websites using its Google Analytics suite in the European Union, Iceland, Norway or Switzerland.
Up to now Google did not provide such contracts because it maintains that it does not process personal data. Since 2011 it has offered such agreements only in Germany, after demands from the German DPA.
In October last year the European Union's council of DPAs, the so-called Article 29 Working Party, asked Google to make the agreements available EU-wide. The issue is part of a wider ongoing investigation into Google's privacy policies by DPAs in France, Germany, Italy, the Netherlands, Spain and the U.K.
Google has until now refused the working party's request, but in a surprise turnaround the company will roll out these modifications after all, it revealed to Dutch IT news site Webwereld.
"Over the last few years, Google Analytics customers have asked us to offer data processing agreements that clarify how Analytics data is stored, used and secured. In response to this demand, we're pleased to provide an optional data processing agreement to Google Analytics customers in the EU, Norway, Switzerland and Iceland," the company said in a statement.
Google made the decision only recently: The agreement is so far only available to European customers in English, but other languages will probably follow, Google said.
The Dutch DPA had no comment on Google's concession. "We have not been informed by Google yet", said spokesperson Lysette Rutgers. "And we cannot respond publicly on this issue, as our investigations are ongoing".
Privacy expert Herman van Braam, owner of Dutch hosting service Privyon, called the move an important turnaround. "It's clearly a result of the close coordination of the different DPAs in this case. They are pressuring Google much more effectively," he said.
In a way it's also a preemptive move by Google, as Europe is moving towards a new, uniform and in some respects stricter privacy regulation, said Van Braam. Under the new regime, which is still being ironed out in Brussels, one national DPA will rule on privacy issues for the whole EU, and fines can be up to two percent of the worldwide revenue of a company. In Google's case, that means potential fines of up to US$1 billion.