The data regulator in Austria has discovered that the use of Google Analytics is a breach of the General Data Protection Regulation (GDPR). Without a new EU-US data deal, the other nations in the region may follow.
NetDoktor, an Austrian medical news website, works like millions of other sites. Whenever a visitor loads it, a cookie from Google Analytics is placed on the device they are using to access the site. The cookie then tracks everything they do during their entire visit.
The tracking comprises all pages read, how much time a user spends on the site, and information about their device. Moreover, Google also assigns an identification number that they use to link the user’s browser to other data.
Using this data, NetDoktor determines how many readers it has and what they want to see on the site, since it chooses which data to collect. Nonetheless, through the use of Google Analytics, all the collected data passes through Google’s servers and ends up in the United States.
For the data watchdogs in Europe, the shipping of personal data to the US is considered problematic. Today, the small Austrian medical website is at the core of a massive tussle between Europe’s powerful privacy restrictions and US legislation.
On December 22, Datenschutzbehörde, the Austrian data regulator, said the use of Google Analytics on NetDoktor significantly breached the European Union’s GDPR. The data sent to the United States was not effectively protected against possible tampering by US intelligence agencies, according to the regulator.
Previously, it was discovered that European Parliament’s Covid-19 testing website also breached GDPR by using Google Analytics and Stripe cookies, based on a decision made by the European Data Protection Supervisor (EDPS).
These cases are the first decisions since a July 2020 ruling struck down Privacy Shield, the framework used by thousands of firms to send data between the EU and the US. Analysts believe that the landmark cases might increase pressure on the negotiators in Europe and the United States who wish to replace Privacy Shield with a new conduit for data to flow between the two regions.
If no agreement is reached in the near term, similar cases around Europe may have a domino effect. Cloud services from Facebook, Microsoft, Amazon, and Google might be ruled incompatible with GDPR in one country after another. The vice president of global privacy at the Future of Privacy Forum, Gabriela Zanfir-Fortuna, said:
“This is an issue that touches all aspects of the economy, all aspects of social life.”
NetDoktor is not a unique case. However, it shows that regulators in Europe do not approve of the way US tech firms send large amounts of data from Europe to the US. The active US surveillance laws, including Executive Order 12333 and Section 702 of the Foreign Intelligence Surveillance Act, do not protect data held on people living outside the United States in the way they do for those living inside the country.
In theory, the United States surveillance agencies can collect massive amounts of the data that is sent to the country. Max Schrems, the honorary chair of the legal nonprofit organization noyb, stated:
“What they do right now would be a violation of the Fourth Amendment if it’s for US citizens. Just because people are foreigners it’s not a violation of the US Constitution.”
Schrems introduced the legal cases that pulled down Privacy Shield in 2020 and its predecessor, Safe Harbor, in October 2015.
Based on the 2020 Privacy Shield ruling, firms sending data from the EU to the US have to implement additional measures to protect the information. The Austrian Data Protection Authority has said that the technical measures put in place by Google Analytics are not adequate to prevent data from being scooped up by United States intelligence agencies.
Since Google could access the sent data in plain text, this data was not entirely protected from possible surveillance, according to the Austrian Data Protection Authority. The deputy head of the Austrian data regulator, Matthias Schmidl, said:
“This transfer was found to be unlawful because there was no adequate level of protection for the personal data transferred.”
Schmidl said that website owners cannot use Google Analytics and still be in line with GDPR. For now, this decision applies only to Austria, and it is not final. Sites across Europe will not suspend the use of Google Analytics abruptly.
While commenting on this development, Google’s senior vice president for global affairs, who is also the chief legal officer, Kent Walker, stated:
“While this decision directly affects only one particular publisher and its specific circumstances, it may portend broader challenges.”
In a January 19 blog post, Walker insisted that Google has put adequate technical measures in place to protect people’s data. Even so, such a decision by Austria may affect the way data flows throughout the American and European business ecosystem.
Experts and analysts believe that this is just the beginning. Apart from filing the complaint against NetDoktor in August 2020, noyb also filed 100 other cases with different data protection authorities around Europe. Schrems said:
“It’s not specific to Google Analytics. It’s basically about outsourcing to US providers in general.”
Currently, regulators in 30 EU nations are investigating cases covering Facebook Connect and Google Analytics. Country-specific sites that belong to Ikea, Airbnb, Sky, and The Huffington Post are also on the regulators’ radar. Zanfir-Fortuna commented:
“The majority of these decisions will have the same or similar outcomes.”
Since noyb used the same legal arguments for all its cases, it might win several other cases. To respond to the Google Analytics allegations, the data protection regulators set up a task force to discuss different legal issues. Schrems added:
“We expect that this is going to mobilize country by country, wherever it drops.”
On its part, Autoriteit Persoonsgegevens, the Dutch data protection authority, said that it is investigating various allegations against Google Analytics. The watchdog said that it might ban the use of the current form of Google Analytics.
Data issues are regulated by region in Germany. In that context, Hamburg’s data protection authority confirmed that it received two complaints from noyb and stated that in one case the site has eliminated Google Analytics. Therefore, it “does not plan to issue any orders or a fine” in that instance. However, it is now investigating the other case.
Although there is a lot of coordination among the data regulators in Germany, there might be some differences in opinion, according to the director of data compliance for Europe at McGarr Solicitors, Simon McGarr. He explained:
“The Austrian position is probably at one end of a spectrum of opinion—and it would probably represent the most radical end. Hence, other data bodies will either endorse, amend, or reject that line of reasoning.”
Disagreement often comes up among the EU’s 27 GDPR enforcers. In 2021, an Irish Data Protection Authority fine targeting WhatsApp was increased by €175 million after the other authorities disagreed with the decision. McGarr believes that the other European Union watchdogs reviewing noyb cases may reach different opinions depending on the facts of each case.
An EDPS spokesperson said that the regulator’s view is that personal data sent to the US has to be protected by “effective supplementary measures.” It is also investigating the way official EU organizations utilize Microsoft Office 365 and Amazon Web Services.
What Next For Google Analytics?
The Austrian decision and other cases show the growing tension between Europe’s privacy laws and what happens once data leaves the EU bloc. Some think that Europe might reduce its reliance on major US technology firms. Others insist that it will help negotiators from both sides strike a viable deal that supports data sharing before economies and data flows are disrupted by new laws.
Firms may review the Austrian regulator’s decision and consider the available alternatives while they await further rulings from national data bodies across Europe, according to the director of public affairs at Clever Cloud, Guillaume Champeau. He highlighted:
“It could help change the business landscape to make competition fairer in Europe.”
Champeau says that many European cloud-powered analytics companies never attract the kind of attention that Google Analytics has. However, Google Analytics is believed to be used by more than 28 million websites globally.
If more such decisions keep coming up in the coming months, Schrems believes that some of the big companies and banks may begin questioning who is responsible for their GDPR issues. He mentioned:
“If people invest millions of euros into some cloud solution that then turns out to be illegal, there’s going to be huge questions about who pays the bills in the end.”
The Austrian authority has not confirmed whether it fined NetDoktor, and the case is still underway. For now, the Silicon Valley giants are not expected to change their attitudes or technology. Schrems claims:
“There is simply no willingness by Silicon Valley to adapt to these rules.”
Internal Facebook documents seen by Politico indicate that the social media firm believes there are no issues with sending EU data to the United States. Facebook lawyers insist that US laws protect data from the European Union as well as if the data stayed in the EU bloc. According to a statement by a Google spokesperson, the firm does not intend to reveal where its European data is processed.
It seems likely that the EU and US negotiators will broker a data-sharing deal before the tech firms decide to alter their approach. The United States and the EU are discussing what should replace Privacy Shield after it was struck down in July 2020.
Nonetheless, these talks have yet to bear fruit. Officials want more oversight of US security agencies, including by the courts and judges who determine whether the collection of EU data is legal. Schrems commented:
“The easiest way would be to say there needs to be some judicial approval of surveillance, and so on, as it is for American citizens.”
In recent months, negotiations have increased and have become a priority for both sides, according to a European Commission spokesperson. Nevertheless, there are some red lines. The commission would not want a Privacy Shield successor to be challenged and defeated in court once more. The spokesperson added:
“Only an arrangement that is fully compliant with the requirements set by the EU court can deliver the stability and legal certainty stakeholders expect on both sides of the Atlantic.”
The Austrian decision might increase pressure on the negotiators. However, there might be no legislative changes in the United States, where there is little appetite to reform the surveillance laws. Any changes that support the replacement of Privacy Shield may come from executive orders, according to Zanfir-Fortuna. She concluded:
“It’s very possible that we will see a replacement of the Privacy Shield in the next couple of months. The question then is for how long will a new Privacy Shield ensure certainty for transfers in the absence of reforms in the US?”