Petteri Pyyny
14 Jan 2022 11:11
Pretty much every website in the world uses some form of analytics service to track its pageviews and usage. By far, the most popular solution for this is Google Analytics.
But now, Austrian data protection agency has made a decision against Google Analytics, stating very bluntly, that the service is illegal in European Union.
Why, you might ask?
Behind the decision is the European Union's tight privacy legislation called GDPR that protects European users and their data. Previously, European Union and United States had a mutual agreement in place that allowed tech giants like Google and Facebook to transfer their user data freely from continent to continent.
But back in August, 2020, everything changed, as the so-called "Privacy Shield" agreement was struck down by the European court.
In its decision, court ruled that United States can't provide same level of protection for European users as mandated by the GDPR. This is because the U.S. legislation allows American law enforcement agencies (NSA, FBI, Homeland Security, ..) pretty much a free access to all data stored within the U.S. soil. Now, that obviously is against everything that GDPR stands for and thus, the court decision.
Since then, American tech giants have tried to evade the issue by encrypting their data that flows from Europe to United States. Google also half-anonymizes the user data and IP addresses it collects from the users visiting websites that use Google Analytics.
But Austrian DPA decided that the encrypted transfers and pseodo-anonymizing isn't enough to ensure that U.S. agencies don't get an access to European data.
As Google's analytics software is used by 72 percent of the world's websites, the decision obviously poses a problem for the websites, too.
Google has probably two options now: it can either properly encrypt the transferred data, in a way that not even Google itself can read the data in any way. Or alternatively, Google has to set up a separate "data silo" within the European Union that is completely cut off from rest of its data.
And obviously, the shockwaves of this decision go much wider than just Google: pretty much all the major tech giants have been circumventing the GDPR rules by encrypting the data and transferring it to United States, no matter what.