Strike Three, You're Out!
The Austrian data regulator, the Datenschutzbehörde, recently found Google Analytics to be in violation of the EU’s General Data Protection Regulation (GDPR). It was revealed that data collected through GA from NetDoktor, a European medical news website, was not adequately protected against American intelligence agencies. Following the infamous Privacy Shield ruling in 2020 and a breach on the European Parliament's Covid-19 website in 2021, this is the third instance in recent years of GA operating an illegal mechanism to transfer data across borders.
“This transfer was found to be unlawful because there was no adequate level of protection for the personal data transferred. Website operators cannot use Google Analytics while simultaneously being in line with GDPR”
— Matthias Schmidli, Deputy Head, Austrian Data Regulator
What’s especially worrying is that there was nothing uncommon about the way NetDoktor had been using Google Analytics. Like millions of other GA users around the world, NetDoktor places third-party cookies on visitors so as to be able to capture user behaviour. The problem is inherently with Google Analytics, as all this data then travels back unchecked to the tech giant’s servers in the US.
Europe is increasingly agitated with the manner in which this exported data is being transported and stored. US surveillance laws* protect foreign data far less rigorously than they do domestic data. The uncomfortable implication of this is that, in theory, US surveillance agencies have the authority to harvest massive amounts of personal data sourced from big tech companies like Google, Facebook, and Microsoft.
“What they do right now would be in violation of the fourth amendment if it’s for US citizens. Just because people are foreigners it’s not a violation of the US constitution”
— Max Schrems, Hon. Chair, NOYB
*See Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333.
What’s Next for Google Analytics in Europe?
After the episode in Austria, 30 other European countries are currently investigating the prevalence and extent of Google Analytics compliance violations. While any firm decision is yet to be made, the law is explicit in its stance. At least as it stands, it is impossible to conform to GDPR while actively using Google Analytics. The Dutch (Autoriteit Persoonsgegevens) and German Data Protection Authorities are strongly considering banning Google Analytics in the form that it currently exists. It seems only a matter of time before the rest of Europe follows suit.
What’s Next for Your European, Google-Analytics Running Website?
If there’s one thing to learn from NetDoktor’s complacency, it’s this — don’t be complacent like NetDoktor. Google Analytics is illegal in Europe. Google Analytics is not GDPR compliant. Ignoring privacy rules and regulations may result in expensive fines and damaged brand reputations. If your website is Austria-based — or even serves Austrian citizens — you should ditch Google Analytics immediately. For other EU-based websites, it is highly encouraged to replace Google Analytics with a 100% GDPR compliant tool before local authorities inevitably tighten enforcement.
"Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options."
— Max Schrems, Hon. Chair, NOYB
Factors.ai is the #1 privacy-first Google Analytics alternative for your consideration. We provide end-to-end marketing analytics and revenue attribution using absolutely no third-party cookies. We’re also 100% GDPR, CCPA, and PECR compliant. Additionally, we recently secured SOC2 compliance — satisfying the Trust Services Criteria based on Security, Availability, Processing integrity, Confidentiality, and Privacy. Book a Demo with us to learn more about Factors.ai.