Google Analytics is one of the most popular tracking tools in Germany and provides countless website operators with insights into the behavior of their customers. Now several European data protection authorities are saying that Google Analytics is not compatible with the GDPR. […]
Google Analytics enables countless website operators to gain insights into the behavior of their customers. Like no other service provider, Google knows how to collect and evaluate data. Data protection experts have complained in the past that this competitive advantage comes at the expense of the protection of personal data. Now several European data protection authorities are addressing these concerns: Google Analytics is not compatible with the General Data Protection Regulation and its use is therefore illegal.
History of the impending ban
The current development was initiated by a decision in the case of “Schrems II”. On 16.07.2020, the European Court of Justice declared the so-called “Privacy Shield” inadmissible. This data protection agreement between the USA and the EU had previously regulated the transfer of personal data to the USA. The ruling prompted the Austrian data protection association noyb to take action against 101 companies from the EU and the European Economic Area.
On January 12, 2022, a first decision was made. The Austrian Data Protection Authority stated that the web analysis tool Google Analytics violates the requirements of the General Data Protection Regulation (GDPR) in several respects. In particular, it does not comply with the requirements for transfers to third countries and the general principles for data transfers pursuant to Art. 44 GDPR. Other European authorities followed this assessment.
Why is Google Analytics being criticized in the first place?
Google is regarded worldwide as an expert in the collection and processing of user data. Every time a customer visits a website, Google receives important information. The IP address and the cookie data are collected during each visit. In addition, there is important information about the web browser, the operating system and the exact time of the visit. This volume of data can be analyzed according to defined criteria and thus provides operators with information on the use of their own website.
The problem is that the collected data enables the identification of the visitor. To prevent this, personal data would have to be better protected according to the GDPR. However, Google Analytics does not meet these requirements.
Effects on the use of Google Analytics
Since then, there has been great uncertainty in Germany about the further use of Google Analytics. At the end of March, the news that the EU Commission and the US promised a surveillance reform caused further confusion. The so-called “Trans-Atlantic Data Privacy Framework” is intended to contain obligations and rules that limit the access rights of the US security authorities to personal data. Compliance with the EU-wide data protection regulations is therefore guaranteed by appropriate procedures. Companies from the USA that continue to transfer data from the EU to the USA for processing should undertake to comply with the new agreement by means of self-certification.
At present, it remains uncertain whether this is the next failed attempt at data protection-compliant cooperation or whether the agreement meets the requirements for a lawful transfer of personal data to third countries. Data protection experts are already pointing out that the envisaged restrictions on the powers of intervention of the US security authorities do not take the form of corresponding new laws, but merely of administrative instructions, so-called “executive orders”, in which the quality of legal protection granted to EU citizens seems rather questionable. The efforts of some website operators to justify the transmission of data when using Google Analytics via the explicit consent of users in accordance with Art. 49 Para. 1 lit. a GDPR, however, are proving to be less effective. This is because that provision is expressly an exception to Art. 44 GDPR, which cannot be a legal basis for the permanent and mass transfer of data to a third country.
Switching to another tracking tool?
Thus, the only option left for most website operators is to switch to a tracking tool that meets the requirements of the GDPR, because the responsibility for the legally secure use of a website always lies with its operator. With a data protection-compliant web analysis tool, data is encrypted or shortened and thus does not allow the identification of individual users. A server location in Germany or the EU is the most effective way to prevent problems with the transfer of data to a third country.
Although no binding decision has yet been made in Germany, website operators should plan the change at an early stage. This leaves enough time for the selection of the right tool and a gradual changeover. Google has largely ignored the decisions of the European courts and data protection authorities issued so far. It remains to be seen how the tech giant will react if there is a Europe-wide ban on Google Analytics.