Almost 6 years ago, the European Union’s General Data Protection Regulation (better known by its acronym, GDPR) changed the world of personal data protection forever. The groundbreaking regulation has since been replicated, albeit with changes, in over a dozen other markets. But, crucially, it forced tech giants to rethink their privacy frameworks — as was the case with Facebook and Apple — or face the risk of hefty fines… as seems to be increasingly the case with Google Analytics.
One of the provisions of the GDPR is that data transfers that include personally identifiable information (PII) must be processed through servers located within the geographical boundaries of the EU, or through countries where appropriate security guarantees are provided. For the record, PII includes data such as users’ names and email addresses, IP addresses, and cookie IDs.
The case against Google Analytics in this context started mounting in 2020 when the European GDPR watchdog platform NOYB filed complaints against Google LLC in almost all EU member states.
By December 2021, the Austrian data protection authority (DPA), the DSB, ruled that a business, by using Google Analytics, was exporting user data to Google LLC’s servers in the USA. This decision effectively declared the use of Google Analytics in Austria illegal, and the industry started bracing for similar outcomes in the rest of the cases filed in 2020.
Indeed, in February 2022, the CNIL, France’s DPA, also found that data transfers like these are illegal, ordering “a French website manager to comply with the GDPR and, if necessary, to stop using this service under the current conditions”.
The way EU authorities see it, Google LLC qualifies as an “electronic communication service provider” under US law, which makes it subject to surveillance by US intelligence services and means it can be ordered to disclose the data of European citizens to them.
Furthermore, both NOYB and the CNIL are already hinting that DPAs are launching investigations that will extend to other data collection tools used by websites, tools that can likewise result in the transfer of European Internet users’ data to the United States.
Needless to say, corrective measures will most likely be adopted in the coming months. Non-compliance with the GDPR can lead to fines of up to EUR 20 million or 4% of total worldwide turnover. To avoid that, organizations that operate in Austria and France, or that store the data of those countries’ citizens, are now trying to move away from product analytics solutions like Google Analytics… a move that will likely accelerate in the coming months as more DPA rulings become known.
These recent rulings in the EU put into perspective the importance of an organization’s choice of software vendors. In the case of Google Analytics in France and Austria, companies are probably scrambling to change their product analytics strategies, a costly and time-consuming exercise undertaken to avoid the bigger cost of a fine. This underscores the value of choosing a vendor that ensures complete data privacy from the get-go.
Aside from these obvious economic consequences, there are also ethical ones: the GDPR exists because individuals’ PII should not be at risk of being misused. Users trust organizations with their data, and the organization should honor that trust by ensuring its security. If a breach were to happen, the organization’s integrity and reputation would be tarnished — maybe forever.
Most actors in the industry are taking note of the impending doom for organizations that don’t take privacy seriously. From app developers to product managers to decision-makers, transparent management of user-generated data through privacy-conscious vendors must be front and center. It’s never too late, and if your organization is now realizing the importance of ensuring full regulatory compliance, we are here to help you find a solution that fits your exact needs.
The Google Analytics case reminds us that the sooner an organization understands the risks of going against data protection regulations like the GDPR, the fewer chances it has of running into privacy-related issues in the long run, and the more of an edge it will have over competitors that chose poorly.