On the second week of January 2022, Austrian Data Protection regulator made a decision that use of Google Analytics violates the EU General Data Protection Regulation 2016/679. Which means that the companies with websites based in the EU and directed at EU data subjects cannot use Google Analytics on their websites. As European Data Protection Board had discussed issues around the use of Google Analytics in the December plenary session and reached some form of consensus, Austrian decision wasn’t entirely unexpected, what is more noticeable is that other data protection regulators haven’t issued supporting or similar decisions, which perhaps shows that they are choosing to “wait and see”.
Austrian regulator ruled that in providing the Google Analytics service, the company collects and transfers personal data to the U.S. while failing to protect it from U.S. government surveillance. The DPA determined configuration abilities for customers, including truncating IP addresses, are insufficient to prevent re-identification, potentially by Google or the U.S. government. The decision also determined that supplementary measures implemented by Google, including government access transparency reports and encryption of data, were insufficient.
The decision is the result of privacy advocacy group NOYB alleging in the complaint made to the Austrian regulator (and not only) companies using Google Analytics were not complying with the July 2020 Court of Justice of the European Union’s “Schrems II” decision on data transfers and Google Analytics was still processing personal data in the “third country” that is the US. The “Schrems II” decision invalidated the EU-U.S. Privacy Shield agreement which was used as legal mechanism to validate the EU-US personal data transfers and even though Google has put in place Standard Contractual Clauses as means of legalising the transfer these are seen as only paper.
In the words Max Schrems, honorary chair of NOYB: “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options.“
What does it mean for the business? Even though NOYB has sued 500 companies in the EU for breaching the rules of third country data transfer and cookie use, they won’t get to each and every small and medium company in the EU any time soon so the immediate risk is not high. Unless your business is Austria or German facing as German state and national data protection regulators are bound to follow suit of Austria. So if you use Google Analytics on the company website, well, don’t. There are replacements available none of them as ubiquitous as Google Analytics but technically sound.