We will keep updating this article. Updates can be found at the end.
The Austrian Data Protection Authority (DSB) has declared that the data transfer from the EU to the US through Google Analytics is illegal. This is a groundbreaking decision, as millions of websites worldwide rely on Google Analytics and it is considered the industry standard.
noyb initiated the decision by filing the 101 model complaints after the “Schrems II” decision, which rendered the EU-US data transfer agreement illegal in 2020. Back then, the European Court of Justice decided that US providers violated the GDPR as US authorities gained access to personal information of EU citizens.
Instead of adapting to the GDPR, US companies tried to maneuver around the issue by updating their privacy policies and ignoring the court decision, giving them an unfair advantage over EU based companies.
Other EU countries are expected to follow the DSB decision.
Who Is Noyb and Max Schrems?
noyb is an NGO from Austria fighting for privacy on the internet. Last year, they got media attention for filing 422 formal GDPR complaints on nerve-wrecking cookie banners. Max Schrems is the leading figure behind noyb, a lawyer, and author.
What Can You Do About It as a Website Owner?
We recommend removing Google Analytics from any website you own. While it might take a while until other EU countries follow the Austrian decision, and it’s unlikely that you will get sued in the next few weeks or months, it’s best to be on the safe side. The court didn’t decide on the penalty yet, but the GDPR foresees penalties of up to 20 million euros, or 4% of global turnover.
A lot of businesses depend on Google Analytics to measure their marketing campaigns and website performance metrics. Most of the these key metrics can easily be measured with a GDPR compliant alternative, like Pirsch or other european-based web analytics solutions.
You can run one of the solutions alongside your GA setup if you like and compare the numbers. A nice benefit of GDPR compliant solutions is that you don’t need consent, so you should see higher numbers than on GA and more accurate statistics. In the long run, US companies will have to adapt or be replaced by GDPR compliant solutions.
Update January, 16
The Dutch privacy protection authority warns that GA might become illegal, following the Austrian decision. As we have already assumed, it’s likely that more European countries will follow.
Update Feburary, 10
The French DPA agrees with the Austrian Data Protection Authority that the data transfer from Google Analytics into the US violates the GDPR.
Update September, 22
Yesterday Denmark followed the rulings of France, Austria, Italy, and the Netherlands and decided that using Google Analytics is incompatible with data protection regulations: Our conclusion is that the tool cannot, without more, be used lawfully.