The Austrian data protection agency has ruled that Google Analytics is contrary to the General Data Protection Regulation (GDPR). According to the GDPR, the data of the citizens of the member states of the European Union must be stored and processed in Europe, and must not be “taken out” outside the European borders.
The agency made the decision following an appeal by an Austrian NGO noyb (none of your business), which focuses on the privacy of EU citizens. The group advocates for the protection of users’ privacy and has so far filed several lawsuits in European courts.
The decision of the Austrian agency is just a continuation of a previous decision of the European Court of Justice, which in July 2020 declared “Privacy Shield“For insufficient data protection of Europeans. However, Google ignored this decision and for the purposes of Google Analytics the storage and processing of data is on the company’s servers located in the United States.
“Privacy Shield” is a legal framework that regulates the way in which personal data of citizens of European Union member states can be shared, between Europe and the United States. The framework refers to the transmission, storage and processing of data for commercial purposes. It should facilitate the transfer of data to US companies whose customers are in Europe. The Privacy Shield is a replacement for the Safe Harbor, which the European Court of Justice declared illegal in 2015. The same fate befell the “Privacy Shield” on July 16, 2020, after the European Court of Justice ruled that it did not comply with data protection law.
Google Analytics is a Google service that monitors users and creates detailed traffic reports. The data tracked by Google Analytics is: how long users stay on the pages; how many pages they view when visiting; how many people visit the site; how many of the visitors are coming back…
Google Analytics can integrate with Google Ads to create, review and evaluate the results of online campaigns.
Given the importance of the data that companies receive through Google Analytics, it is not surprising that many companies decide to transfer data processing to the United States. By transferring the data, the companies commit an offense. The only way the use of Google Analytics is in line with GDPR is for companies to seek and obtain consent from users. Unfortunately, most companies do not do this, but only add a section on Google Analytics to their usage and privacy policies.
“Instead of adapting their services to comply with the General Data Protection Regulation, US companies are trying to add text to their privacy policies and ignore the Court of Justice.” Instead of working to meet legal requirements, many European companies have followed suit.
“It has been a year and a half since the Court of Justice upheld the decision for the second time, so they had enough time to meet the requirements of the law,” said Max Schrems.
Max Schrems is an activist from the European Center for Digital Rights (noyb) and is the honorary president of this non-governmental organization. In 2018, it filed lawsuits against Google and Facebook with a total value of 8.8 billion dollars. Unfortunately, these lawsuits remained unfinished after the Vienna Court declared itself incompetent and ruled that disputes against these companies should be resolved in Dublin, where the companies are headquartered. In 2020, noyb also filed a lawsuit against Apple in the courts of Germany and Spain, after the company revealed that it was monitoring the owners of the iPhone for the needs of “Identifier for Advertisers”.