The Austrian Data Protection Authority has recently ruled that the Austrian website of a medical news company is in breach of the GDPR because of its use of Google Analytics (GA) to collect and transfer data from the EU to the US, where foreigners’ Personally Identifiable Information (PII) receives less protection than that of US citizens.
While the Austrian data regulator’s decision isn’t final and currently only applies in Austria, it sets a precedent throughout Europe and it’s highly likely that other countries will follow its lead. France’s Commission Nationale de l’Informatique et des Libertés (CNIL) announced last week that it too considers such data transfers illegal and ordered a French website manager to either comply with the GDPR or stop using GA.
Moving forwards, this could have major ramifications for all analytics platforms – not just GA – and the companies that use them.
What does the ruling mean for data capture on your website?
There’s no need to panic. Google Analytics is still compliant with the GDPR in countries other than Austria. And even in France it can still be used as long as PII isn’t transferred outside the EU. However, in the short term, companies will need to audit and review both their GA and cookie preference platforms to find ways to exclude or remove any data coming from Austria – for example, by not allowing the GA tracking code to deploy on Austria-based sites or using a cookie blocker to block all GA tracking scripts or stop cookies being dropped. Another option is to explore a server-side tracking solution with a shield to stop PII being sent to the US. This will be more pressing for large DACH-based businesses.
Companies should also conduct a general review of the data that is captured on their website, as it is a much more severe GDPR breach to gather random PII that then ends up stored within analytics platforms. Although this does put additional pressure on companies to assess their first-party data policies, these should be reviewed regularly in any case. And with the likelihood of the Austrian ruling being repeated in other countries, it makes sense to review how your business’ website captures data and put safeguards in place for compliance.
Will Google Analytics eventually be illegal?
The short answer is no. The decision by regulators in Austria and France may drive forward the rollout of Google Analytics 4 (GA4) – Google’s new AI-based analytics platform which uses machine learning to fill the gaps left where users have not given consent for tracking. However, this is likely to require much more heavy lifting from a set-up and implementation point of view.
Although GA is bearing the brunt of these changes, any tool or software that stores or transfers data containing PII from the EU to the US will need to be reviewed and, certainly in the case of data gathered from Austrian websites, blocked.
In the long run, unless the US changes its protections for foreigners’ data that is transferred from the EU using analytics platforms, the best outcome would be if Google follows the example of Adobe and sets up an option allowing users to store their data in the EU. Alternatively, US-based providers may have to host foreign data in another country.