Is this the end of Google Analytics in Europe?

The Austrian data protection authority (the Datenschutzbehörde) ruled that the use of Google Analytics violates the General Data Protection Regulation (GDPR) in a decision issued on January 13, 2022. It found that by transferring personal data to the United States, this tool violates the Schrems II judgment, which invalidated the Privacy Shield. The Privacy Shield had facilitated data flows across the Atlantic by recognizing that American law offered guarantees equivalent to those of European law.

Noyb’s initiative
Once again, it is the association Noyb that initiated this procedure. Following the judgment of the Court of Justice of the European Union, it filed 101 complaints with the data protection authorities of 30 States of the European Union and the European Economic Area (EEA). The complaints targeted European companies that transmitted personal data to Google and Facebook. “These two companies admit that they transfer data from Europeans to the United States for processing (…) However, neither Google Analytics nor Facebook Connect are essential to the functioning of these web pages,” explained Max Schrems, the honorary president of Noyb, at that time.

In a letter dated April 9, 2021, Google explained that “technical and organizational measures” had been taken to protect the personal data of Europeans. It promised, for example, to have a specialized team assess each government request for access to data, to notify the user concerned of the request… However, the Austrian authority doubts that these measures are sufficient to prevent the American authorities from accessing the personal data of Europeans.

For Max Schrems, the conclusion is clear: “businesses can no longer use US cloud services in Europe. It has now been a year and a half since the Court of Justice confirmed this, so it is time for the law to be applied.”

Towards a total ban on Google Analytics?
The decision of the Austrian authority is already having consequences. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has added a new warning to its page on the use of Google Analytics, which is a kind of manual for configuring the tool to comply with data protection legislation. “The use of Google Analytics may soon no longer be permitted,” the page has read since January 13, 2022, in reaction to the decision of the Austrian authority.

The AP is also conducting its own investigation into the use of Google Analytics. Its conclusions should be published at the beginning of the year and will make it possible to know whether or not the tool complies with the GDPR.

Google defends itself
In the company's defense, Russell Ketchum, product manager at Google, wrote a blog post in which he recalls the advantages of Google Analytics. “Organizations use Google Analytics because they choose to. They, not Google, control what data is collected and how it is used,” he argues.

The European Parliament was also singled out this week by the European Data Protection Supervisor (EDPS) for its mishandling of personal data. At issue was the use of cookies associated with Google Analytics and Stripe. As both are American companies, the data collected is sent to the United States. The EDPS considered that the Parliament had not demonstrated that it had applied the necessary safeguards to ensure that data transfers to the United States fully comply with the Schrems II decision.

Several options on the table
Is this the end of Google Analytics? According to Noyb, two options are possible: “either the United States adapts basic protections for foreign persons to support its technology industry, or American providers host the data of non-American users outside the United States.” The problem is that even when hosted in Europe, the data can be claimed by US authorities under the Cloud Act. What matters is not the geolocation of the information but the nationality of the company hosting it.

A third option seems possible: that Google modify the privacy settings of its traffic analysis tool in order to meet the requirements of European regulators. This would be the easiest way, because, as a reminder, Google Analytics is used by the vast majority of sites to measure their audience and to identify the best-performing sections and the most visited pages.

The end of American collaborative tools in universities
What about all the other tools offered by American companies and widely adopted by European players? On this subject, the French National Commission on Informatics and Liberty (CNIL) declared last May that it was necessary to find alternatives to the collaborative tools published by American companies in higher education and research. “In some cases, transfers of personal data to the United States in the context of the use of ‘collaborative suites for education’” may occur, it wrote. Moreover, the data processed by these establishments concerns a large number of users (students, researchers, teachers, administrative staff).

The interministerial director of digital (Dinum), Nadi Bou Hanna, published a circular on September 15, 2021 stating that the Microsoft 365 (formerly Office 365) offer was not “compliant with the Cloud doctrine at the center”. This doctrine requires ministries and administrations to use only secure clouds that are immune to extra-EU regulations. Instead, ministries are required to use the state’s internal cloud solution or an offer that has received the “SecNumCloud” label issued by the National Information Systems Security Agency (Anssi). At present, only three companies (Oodrive, 3DS Outscale and OVHcloud) have received this coveted label for some of their activities.

Hybrid offers, the best way out?
In France, a way out could be found with future hybrid solutions allowing French companies to distribute, under licence, solutions offered by foreign companies. This is how Thales and Google Cloud announced their cooperation, following in the footsteps of Microsoft, Orange and Capgemini. These offers do not yet exist. Cédric O, the Secretary of State for the digital transition and electronic communications, did not hide the complexity of this question, both technically and legally. “But our will is to protect the French,” he concluded during his interview with L’Usine Digitale.
