Austria rules Google Analytics in violation of GDPR—What it means and what’s next
In a decision made public this month (January 2022), Austria's Data Protection Authority (DSB) found that an Austrian website violated GDPR through its use of Google Analytics.
The decision found that Google Analytics exports the data it collects on EU visitors to the United States for processing without the safeguards GDPR requires for such transfers, and that this is a violation regardless of whether European users opted into tracking.
Websites had previously been relying on an EU-US data sharing agreement adopted in 2016, Privacy Shield, which allowed personal data to flow freely between the two regions. The Court of Justice of the EU struck it down in July 2020 in the Schrems II ruling, which held that US surveillance law (FISA 702 and related programs) lets US authorities access data on EU residents held by US providers, without the remedies EU residents are guaranteed.
The Austrian site fell foul of this because the data Google Analytics collects in the visitor's browser is sent to the United States for processing. The protections in place were found insufficient: IP anonymization does not help when the remaining data (truncated IP, user agent, cookie identifiers) can still single out a user, and encryption in transit was not accepted as an effective safeguard because Google itself holds the keys and can be compelled to decrypt.
Most businesses and websites until this point have been in wait mode since Privacy Shield was struck down. The slow roll-out of rulings on what GDPR’s meaning and boundaries actually are makes it difficult for businesses to have a clear understanding of what being non-compliant means.
And even here, as Google has pointed out, the decision applies to this particular website and to Austria. It is not clear whether the website in question, NetDoktor, will face a penalty. Google itself was not found in violation, because the transfer obligation falls on the data exporter (the website), not on the recipient.
Google's response to the ruling argued that the data collected by Google Analytics protects user privacy, but it did not rebut the crux of the decision: bringing data on EU residents into the US for processing exposes it to US surveillance. Google notes it has never received a FISA request for this data, but that does not mean it could not.
Google could reduce the problem by processing EU-collected data in the EU, though location alone may not settle it, since the concern is legal access by US authorities rather than where the servers stand, and doing so could be read as Google conceding that the data it collects is not protected. It could also require Google to accommodate country-by-country processing going forward. And while this ruling focuses on Google Analytics, because it is about data transfer it will affect many of the tools businesses use, including cloud data storage, collaboration tools and more.
All of this underscores the need for an updated data sharing agreement between the US and EU. The breadth of services and products that would be non-compliant with this ruling is large.
Since GDPR’s passage in 2016, it has been an annual trend for a new ruling to be introduced that lays out even stricter interpretations than before. Companies trying to create a standard set of policies that satisfies a global standard are thrown a curveball with each of these rulings.
A wait-and-see approach makes sense here. Although moving off of Google Analytics may solve one problem, the broader issue of data sharing will only be solved with an audit of your entire ecosystem to ensure all EU data is processed within the EU and is handled accordingly with this new broad definition of Personal Information (PI) data.
There are analytics options that can resolve this, however:
- Matomo offers the same broad metrics as Google Analytics but processes EU data in the EU. The hosted Matomo Cloud is priced on traffic, and you can expect at least several thousand dollars annually; the self-hosted Matomo On-Premise is open source and free, and keeps the data wherever you run it.
- Google Tag Manager Server-Side Tagging is a Google service that lets you stand up a dedicated tagging server, in a region you choose, through which all analytics traffic is routed first. That server can be customized to, for instance, strip or pseudonymize user data before anything is sent on to Google, and to send the fuller data set to your own data store. You could, for instance, send the full data set to Google Cloud servers in the EU, although whether that alone satisfies the ruling is an open question, because the decision turned on who can be compelled to hand over the data under US law, not only on where it is stored. Expect to pay at least $1,200 per year for the tagging server and potentially more for data storage.
- Adobe Analytics processes EU data in London, and the UK's rules protect EU residents under an adequacy decision. Adobe Analytics is robust, but it is the most expensive option, coming in between $30k and $350k per year.
My personal favorite is server-side tagging. The key point is that it lets you see exactly what user data your website or app sends, and then decide how much of it goes to third parties and to which servers. As rulings continue to come, this customization will allow greater flexibility.
This also bears out a piece I wrote last spring. After years of falling storage and analytics costs, the new wave pushing decentralization is likely to make the same marketing tasks more expensive, both in products (multiple paid tools) and in people (more staff to customize and run them).
GDPR has spent its first years declaring stricter privacy without actually enforcing it. We are about to find out what the cost actually is.
As Associate Director, Data Strategy at One North, Ben supports clients by applying a strong data focus to marketing initiatives across channels and tools. He starts by gaining an understanding of each client’s unique goals and tactics, and guides them toward a strategic analytics program. He focuses on the creation of a meaningful feedback loop to help support and steer decision-making.