Google Analytics, Illegal in the EU

Google Analytics is a web analytics service that allows us to use various tools and information exclusive to Google to analyze specific data in our companies. Thanks to Google Analytics, we can know the performance of our marketing actions according to the behavior of users on our websites and applications. This service can contribute a lot to understanding our users or clients so we can offer them better experiences and, therefore, get better results. However, not everything's just peachy.

This month, I read that the French Data Protection Agency, CNIL (Commission Nationale de l'Informatique et des Libertés), determined that the use of Google Analytics is illegal under GDPR (General Data Protection Regulation). As you may know, GDPR is a set of data protection and privacy rules within the European Union (EU) and the European Economic Area (EEA). These rules apply to any organization that stores, processes or transfers personal information of European citizens, even operating outside those territories.

The CNIL's decision immediately follows the same decision taken earlier this year by the Austrian Data Protection Authority (Datenschutzbehörde, DSB). And all this comes out of what was already resolved in 2020 by the Court of Justice of the European Union (CJEU). As I stated at that time, the CJEU "determined that the EU-U.S. Privacy Shield agreement, a safeguard used by many companies to transfer personal data from the European Union to the United States for commercial purposes, was invalid."

Let's briefly revisit what happened some years ago. It all started back in 2013 when Austrian privacy rights campaigner Max Schrems contested the transfer of personal data of European individuals from Facebook to servers in the U.S. After typically protracted and tiresome legal imbroglios, it was finally in 2015 that the CJEU determined that the principles of the existing Safe Harbor agreement between the EU and the U.S. Department of Commerce were inadequate for the protection of EU citizens' information. That ruling received the name "Schrems I."

Once again, the parties involved, companies in the U.S. and EU, had to seek changes and reformulations. Despite this, some ended up ignoring what happened, and it was precisely this that led to the DSB decree in Austria. In the words of Erin, from Google Analytics alternative, Matomo, "The choice to ignore is what landed one Austrian business in the [DSB's] line of fire, damaging the brand's reputation and possibly resulting in a hefty fine of up to €20 million or 4% of the organization's global turnover." But aren't there many at the moment surely doing the same thing? Well, as stated, penalization is a possibility; for now, what matters is to reinforce widespread compliance.

It seems that noyb, the group of professionals founded by Max Schrems that acts in favor of the privacy rights of individual users in Europe, discovered an inappropriate behavior in the aforementioned Austrian company. They were using Google Analytics. And Google is among those U.S. providers that are required by law to provide personal data to their country's authorities. The thing is that, from that service, IP addresses and other user identifiers were being sent as cookie data to the U.S. Then, based on Schrems II, reviving that decision and rejecting insufficient measures of regulation taken so far by Google, DSB was the first to declare that the use of Google Analytics, at least in Austria, is illegal. Although, as Schrems himself says, "The bottom line is: Companies can't use U.S. cloud services in Europe anymore."

So, not a month passed before France, through the CNIL, took the same decision on the use of Google Analytics. As stated in a press release, the CNIL orders French website managers/operators to comply with the GDPR (Articles 44 et seq. are being violated) and, if necessary, to discontinue using that service under current conditions. In this case, the CNIL explicitly has given a month's deadline for the parties involved to comply with the decree. Furthermore, they mentioned something that affected their decision and that I choose to highlight now: What was reported by the noyb association to Austria is part of a set of 101 complaints that noyb presented for the EU and EEA countries "against 101 data controllers allegedly transferring personal data to the U.S."

In the short term, many Austrian and French companies or foreign companies providing website services to citizens of these two countries will have to look for alternative tools with similar functionality to Google Analytics (e.g., Matomo, Piwik Pro). Tools that do not give them legal headaches. Businesses in the other EU and EEA member states can prepare for something analogous. In the long term, as noyb points out, "Either the U.S. adapts baseline protections for foreigners to support their tech industry, or U.S. providers will have to host foreign data outside of the United States." If they do not resort to any of these options, alternative, non-U.S. products and services may well end up leading the market in Europe.