📊 Using Google Analytics? you better start thinking about a plan B
even if your company is not based in the EU, this might come back to bite you
If you’re more or less attentive to what is going on in the privacy world, you’ll have heard about the issues Google Analytics is facing in the EU. More specifically, the fact that Italy, France, Austria and the Netherlands have deemed it illegal.
Yet, between court decisions and hundreds of complains to local data authorities, the reasons are not exactly clear and, to complicate the matter, have actually evolved. How should we face this issue? this is the question I’ll try to respond.
Google Analytics is under fire from multiple European Data Protection authorities for not being able to provide enough assurance that data from European citizens are protected against government surveillance programs
France, Austria, Italy and The Netherlands have already considered it illegal
This became more important since the fall of the Privacy Shield in mid-2020
Google Analytics stores and processes data in servers based in the USA
If Google doesn’t change the way it works, the most likely scenario is that it will become illegal in the whole European Union
On July 2020, the Court of Justice of the European Union issued a major ruling: the fall of the Privacy Shield. This framework was the base for data transfers between the EU and the USA, and was invalidated because it did not provide adequate safeguards against the risk of unlawful access by US authorities to the personal data of European residents (see Section 702)
In practice, such transfers may now only take place if additional technical, legal and organisational safeguards are put in place by organisations to prevent these accesses. For these transactions to continue happening, companies will have to rely on Standard Contractual Clauses (SCCs) that would effectively tell Google they shouldn’t provide data to the US Government, if requested. The problem is that even these clauses are being questioned by regulators in the European Union.
The current situation
Throughout 2022, local European data protection authorities issued their own statements regarding the topic, namely the DSB (Austria Data Protection):
the measures taken in addition to the standard data protection clauses
mentioned in point 2. b) are not effective as they do not eliminate the possibilities
of surveillance and access by US intelligence service
… and the CNIL (French data protection):
The organisations given formal notice have a period of one month to comply and to justify this compliance to the CNIL. This one-month period may be renewed at the request of the organisations concerned, if the CNIL so agrees. All data controllers using Google Analytics in a similar way to these organisations should now consider this use as unlawful under the GDPR. They should therefore turn to a provider offering sufficient guarantees of compliance.
TL;DR: CNIL said to a number of companies that Google Analytics was unlawful under the GDPR and they had a month to move away from it. Other companies should take this decision in consideration and do the same. Ouch.
Thanks for reading Cybersecurity Tips! Subscribe for free to receive new posts and support my work.
🚨 A note on the case rulings
It’s important to highlight that local data privacy authorities didn’t issue a statement saying that GA it’s illegal and everybody should remove it immediately. They have responded to cases opened by data protection groups and have enforced compliance in the frame of the complaint. Yet, it seems obvious that it doesn’t take much for you to be obliged to do the same or for the ruling to become general.
What is **exactly** the problem?
The issue here is that Google collects data of European Citizens and sends it back to their USA servers for processing. Without Privacy Shield, if the US Government wants to access this data, even with the Contract Clauses, they could do it. Below a résumé of where we stand:
Google currently only hosts Google Analytics data in the United States
Contractual clauses were deemed insufficient
Even if Google decides to start hosting Google Analytics data in the EU, it would still not solve the problem because the US Government can request access to the data since Google LLC is an American company (see Cloud Act)
IP anonymization is insufficient because it’s not clear weather this happens before or after the data is moved to the USA
Encryption would not solve the problem because Google needs to see the data to create the reports. If they can see the data, so can the Government
Explicitly asking users if they agree with this data transfer is also not a solution because the Article 49 of the GDPR says that these types of derogations can only be used for non-systematic transfers
So what’s next?
While the Privacy Shield case clearly sent a message, US providers have apparently ignored the case. So far companies like Microsoft, Facebook, Amazon or Google have relied on so-called Standard Contract Clauses to continue data transfers and calm its European business partners. This is a strategy that is now being proved wrong by the courts in the EU.
As the open cases pile up, the most likely scenario in the future is for other countries to start issuing equivalent rulings. This could be an issue also if your company is not based in the EU, because it would affect all the data collection happening there.
If you plan on replacing Google Analytics, here’s a few challanges:
Technical implementations will have to be rebuilt (e.g. new tagging, events, etc.)
Integrations with other Google tools (e.g. Google Ads, Data Studio, etc) will be lost and might never be possible to integrate again
This issue is in the making for a good part of the last two years and the hope is for Google (and others) to take this matter seriously by finding technical solutions to fix it. If you believe they can do it, you can wait, if not, it’s a good idea to start looking at alternatives.
You can see a list of Privacy-friendly Analytics tools here.