In what may be the first of many such rulings, Austria has ruled that Google Analytics violates the GDPR and is therefore illegal.
Google Analytics is the premier tool available to website operators to gauge their traffic, and better understand how they’re engaging with visitors. Unfortunately for Google, Google Analytics seems to run afoul of the GDPR, the EU’s privacy legislation.
The issue is the result of a 2020 EU ruling that using US cloud providers violates the GDPR. Because US cloud providers are legally compelled to help US intelligence agencies, they were deemed inherently incapable of being GDPR-compliant. As a result, data on EU citizens could no longer be sent to US companies as freely as it once was. Google Analytics runs afoul of this law because it transmits user IP addresses and other identifiable information to the US.
Unfortunately for users’ privacy, many companies — both in the US and EU — are choosing to ignore the law and continue with business as usual. The European Center for Digital Rights (noyb) has filed 101 cases against such companies, and the Austrian Data Protection Authority (“Datenschutzbehörde” or “DSB”) has ruled on one of them, concluding that Google Analytics is illegal.
EU authorities have been cooperating on such cases, acting as a task force, making it likely that Austria’s ruling is just the first of many that will soon be handed down.
“We expect similar decisions to now drop gradually in most EU member states,” said Max Schrems, honorary chair of noyb.eu. “We have filed 101 complaints in almost all Member States and the authorities coordinated the response. A similar decision was also issued by the European Data Protection Supervisor last week.
“This is a very detailed and sound decision,” Schrems continued. “The bottom line is: Companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”
Schrems also highlighted the need for the US to adopt its own data protection laws, something prominent US executives have also advocated for, lest platforms and services be splintered.
“In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU,” Schrems noted. “I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in Europe.”