Austria Government says Google Analytics is Illegal
Over the nearly four years that it has been in effect, Europe’s strict General Data Protection Regulation (GDPR) had primarily been perceived as an issue for Big Tech. It’s now a major issue for European cloud service users, ranging from businesses to governments. In an Austrian investigation concerned a visitor to a health-related website that employs Google Analytics, the world’s most extensively used toolkit for website owners to measure how people use their site, European privacy experts claimed a partial win.
The website’s owner broke the GDPR by sending the user’s data to Google in the United States, as per Austrian Data Protection Authority. Exporting personal information to a corporation in the United States is illegal if the company cannot ensure the data’s safety from US intelligence services as determined in a landmark judgment by the EU’s top court in 2020. No American company may give that guarantee because of the Foreign Intelligence Surveillance Act (FISA).
The consequences may be far-reaching. While this complaint only included one website publisher, it was one of 101 filed by Big Tech a nob Max Schrems and his NOYB (None of your business) privacy advocacy group at the same time, a year and a half ago. Because the EU’s data protection agencies were forced to coordinate their measures in reaction to the massive assault, there’s a good chance that as many as more such judgments are on the way. If this is the case, European websites will be strongly influenced to quit utilizing Google Analytics and other US-based cloud services.
While the Austrian regulators ruled it against an unidentified website publishing company which Fortune acknowledges is currently owns a German media house-it rejects the portion of the GDPR only imposed legal obligations on the organizations trying to export the data.
It is indeed unknown whether the website’s publisher got a fine or additional penalities; the whole verdict hasn’t been released yet. Whereas the Austin judgment is the first one to address one of the 101 concerns, it comes on the footprint of a similar decision by the European Data Protection Supervisor (EDPS) already this week, which has authority over top EU institutions. The European Parliament was fined by the watchdog for using Google Analytics and stripe to organize testing for COVID-19 PCR on an internal website.
There are only a few options that, what European Businesses and Organizations should do right now. One option is to avoid utilizing cloud services provided by the United States. Another option would be for the United States to enact meaningful surveillance reforms that would enable American cloud service providers to guarantee the security of foreigners’ information-although this is unlikely to happen anytime soon.
Another alternative for US cloud service providers is to work with local firms to build up hexagonally European data centers, with local companies controlling access to the personal information stored on the servers. Google recently announced such a facility for enterprise clients in Germany, in collaboration with local IT giant T-systems.
The Authority determined that now the Standard Contractual Clauses, in combination with the Austrian website operator’s additional procedures to transmit personal information to Google LLC in the United States, did not provide an appropriate degree of data protection. As a result, the transfer of data of the United States violated the GDPR.
The Authority examined each of Google’s additional safeguards in detail and decided that they were not effective in ensuring an appropriate degree of data security. The following measures were taken:
- Notifying data subjects about government access requests,
- Publishing a transparency document,
- Investigating each data access permission made by public authorities for accordance with applicable laws,
- Using IP anonymization functionalities,
- Using pseudonymization features.
According to the Authorities, these technical safeguards are effective in protecting personal information at any point as long as Google may acquire this personal information in simple text.
The Authority, however, decided not to impose penalties on the website operator due to a change in ownership of the corporation that operated the website. Instead, the Authority reasons that because the website is now owned by a German corporation domiciled in Bavaria, only the Bavarian Supervisory Authority has the power to levy a penalty on the website operator.
In the case of Google Analytics, the Authority determined that, as the data converter, Google LLC was not liable for GDPR transfer regulations compliance. Because only the data shipper is required to follow the regulations, the Authority determined that Google was not in violation of the GDPR. The Authority also determined that Google is a processor when it comes to the data it collects through its Google Analytics services. The Authority, on the other hand, stated that it will conduct a ‘further official review policy’ on this matter and that it did not access Google’s role for any further computation of the personal issue being investigated.
This judgment contrasts with a statement made by the German Supervisory Authorities in May 2020, which stated that Google should not be regarded as a processor but rather a joint controller with website proprietors that use Google Analytics. It once again highlights how difficult it is to put the controller and processor principle into action. The Authority noted that it did not analyze whether Google had violated its responsibilities as a processor under the GDPR, but that it intends to do so in a parallel inquiry.
Now, this is the moment for EU firms with websites to take action. While Google attempts to persuade consumers that it is fine to proceed using Google Analytics, these court judgments demonstrate that data protection regulators throughout the EU disagreed with Google’s position. The penalties, damaged reputations, and stress associated with the use of Google Analytics are all on the horizon. Because this issue isn’t going away, you’ll need to find a replacement for Google Analytics.
However, eliminating Google Analytics from your site somehow doesn’t imply that you must abandon website analytics entirely. Today, there are several Google Analytics options to choose from.