A recent decision made by the Austrian Data Protection Authority (DPA) ruled that websites that use Google Analytics are not compliant with the General Data Protection Regulation (GDPR). This seminal decision impacts millions of websites and exposes businesses to the large fines imposed for GDPR non-compliance. In this article, we will discuss who this decision applies to, the background of the case, and an alternative for privacy-focused analytics.
Table of Contents
- Which websites should avoid Google Analytics?
- Transfers of personal data from the European Union to the United States and the Schrems II case
- Google Analytics is not GDPR compliant
- Privacy-focused analytics
Which websites should avoid Google Analytics?
The decision made by the Austrian DPA concerned the use of Google Analytics and its lack of compliance with GDPR. GDPR is a privacy law that protects the personal data of residents of the European Union and provides them with certain privacy rights. GDPR applies to:
- Businesses that have an establishment in the European Union;
- Businesses that offer goods or services to residents of the European Union (regardless of where the business is actually located);
- Businesses that track the behavior of residents of the European Union (through cookies, analytics services, tracking pixels, CCTV or similar technologies), regardless of where the business is actually located.
As you can see from the above, GDPR does not just apply to businesses in the European Union, but can also apply to businesses in other countries if any of the above factors are met. Thus, according to the decision made by the Austrian DPA, any business that needs to comply with GDPR should avoid the use of Google Analytics as such use will make the business non-compliant.
Transfers of personal data from the European Union to the United States and the Schrems II case
To better understand the Austrian DPA’s decision regarding the compliance of Google Analytics with GDPR, one must first look at the standards the European Union has set for transfers of data out of the European Union. Generally, GDPR prohibits the transfer of personal data from the European Union to a country that does not meet the same privacy protection standards as those provided by the European Union. Due to the lack of uniform privacy laws that provide significant privacy rights to individuals, and due to surveillance by United States intelligence agencies, the European Union has long held that the United States does not provide adequate privacy protections to individuals. Prior to the Schrems II case, however, companies could use the EU-US Privacy Shield Framework to transfer personal data from the European Union to the United States. The EU-US Privacy Shield was a set of requirements that companies needed to meet to be able to transfer personal data from the European Union to the United States.
In 2020, Max Schrems, a privacy activist and the founder of NOYB (None of Your Business), an organization that aims to increase the enforcement of GDPR, filed a privacy complaint with the Irish Data Protection Commissioner. The complaint alleged that Facebook’s transfers of Max Schrems’ personal data from the European Union to the United States violated his privacy, as data stored in the United States by Facebook could be accessed by US intelligence agencies. On July 16, 2020, the Court of Justice of the European Union held that such transfers do indeed violate GDPR and that the EU-US Privacy Shield was invalid for transfers of data because US intelligence agencies could still access the transferred data. As a result, the EU-US Privacy Shield can no longer be used for transfers of personal data from the European Union to the United States. The decision also found that companies that want to transfer personal data from the European Union to the United States need to ensure that the transferred data receives protection equivalent to that in the European Union. Thus, instead of relying on the EU-US Privacy Shield, companies transferring data need to have contractual requirements in place and to impose technical safeguards ensuring that the data is protected in the recipient country.
Google Analytics is not GDPR compliant
After the Schrems II decision, NOYB filed a complaint with the Austrian Data Protection Authority alleging that the use of Google Analytics by websites results in a transfer of the personal data of residents of the European Union to the United States, since Google is located in the United States. The complaint alleged that the data sent to the United States is available to US intelligence agencies, such as the NSA, in violation of GDPR. The complaint also alleged that companies like Google rely on contractual requirements to justify such transfers of data, but that those contractual requirements are not sufficient to protect the data from US surveillance agencies.
The Austrian DPA agreed with NOYB that the use of Google Analytics is a violation of GDPR. In addition, the decision found that companies cannot make their use of Google Analytics compliant with GDPR by changing their Google Analytics settings, for example by truncating IP addresses.
The Austrian DPA made this decision regarding one of the 101 complaints filed by NOYB about the use of Google Analytics by websites, which means that we will shortly see DPAs in other countries making decisions regarding such usage. In fact, the DPAs in France, Norway, and Denmark are already assessing these complaints. As the decision determined that data transfers from the European Union to the United States that allow US intelligence agencies to access the data are not compliant with GDPR, this decision will also affect other services commonly used by websites.