The Austrian Data Protection Authority has recently ruled that the Austrian website of a medical news company is in breach of the GDPR because of its use of Google Analytics (GA) to collect and transfer data from the EU to the US, where foreigners’ personally identifiable information (PII) receives less protection than that of US citizens.
While the Austrian data regulator’s decision isn’t final and currently only applies in Austria, it sets a precedent throughout Europe and it’s highly likely that other countries will follow its lead. France’s Commission Nationale de l’Informatique et des Libertés (CNIL) announced last week that it too considers such data transfers illegal and ordered a French website manager to either comply with the GDPR or stop using GA.
Moving forwards, this could have major ramifications for all analytics platforms – not just GA – and the companies that use them.
What does the ruling mean for data capture on your website?
There’s no need to panic. Google Analytics is still compliant with the GDPR in countries other than Austria. And even in France it can still be used as long as PII isn’t transferred outside the EU. However, in the short term, companies will need to audit and review both their GA and cookie preference platforms to find ways to exclude or remove any data coming from Austria – for example, by not allowing the GA tracking code to deploy on Austria-based sites or using a cookie blocker to block all GA tracking scripts or stop cookies being dropped. Another option is to explore a server-side tracking solution with a shield to stop PII being sent to the US. This will be more pressing for large DACH-based businesses.
Companies should also conduct a general review of the data that is captured on their website, as it is a much more severe GDPR breach to gather random PII that then ends up stored within analytics platforms. Although this does put additional pressure on companies to assess their first-party data policies, these should be reviewed regularly in any case. And with the likelihood of the Austrian ruling being repeated in other countries, it makes sense to review how your business’s website captures data and put safeguards in place for compliance.
Will Google Analytics eventually be illegal?
The short answer is no. The decision by regulators in Austria and France may drive forward the rollout of Google Analytics 4 (GA4) – Google’s new AI-based analytics platform which uses machine learning to fill the gaps left where users have not given consent for tracking. However, this is likely to require much more heavy lifting from a set-up and implementation point of view.
Although GA is bearing the brunt of these changes, any tool or software that stores or transfers data containing PII from the EU to the US will need to be reviewed and, certainly in the case of data gathered from Austrian websites, blocked.
In the long run, unless the US changes its protections for foreigners’ data that is transferred from the EU using analytics platforms, the best outcome would be if Google follows the example of Adobe and sets up an option allowing users to store their data in the EU. Alternatively, US-based providers may have to host foreign data in another country.