Is Google Analytics in breach of the GDPR?
Is the use of Google Analytics in breach of the GDPR? The use of that platform is widely extended on almost all the websites of most businesses with an online presence. This Google service, which is used to measure traffic on these websites, can be easily identified by the installation of cookies that start with “_ga”.
Recently, the Austrian Data Protection Authority, followed by the French, came to the conclusion that the transfer of data collected on websites used by Europeans to Google servers in the US is in breach of the GDPR.
This conclusion, which is the result of a series of more than 100 claims from the entity NOYB, is in turn a consequence of the annulment of the data transfer agreement between the EU and the US, which we already discussed in this blog in the summer of 2020.
Within these movements of the data protection authorities, there is the recent threat of Facebook and Instagram abandoning Europe if the data transfer problem between the EU and the US is not solved.
Google Analytics and the GDPR: What is the state of the matter?
Despite the July 2020 ruling annulling the data transfer agreement between the EU and the US (known as the Privacy Shield), not only did the United States act as if nothing had happened, but as of today the list of companies that claim to benefit from this protocol of receiving data from Europeans is still accessible. As is the self-certification system, all after more than a year and a half has passed since the sentence annulling the agreement.
Faced with this situation and the complaints from the NOYB, led by the instigator of the annulment (Privacy Shield) Max Schrems, the data protection authorities, judgement in hand, have started to take action.
In essence, both resolutions establish that the use of Google Analytics implies a risk for Europeans whose data is transferred to the United States, all without sufficient guarantees for their right to data protection to be respected.
What to do if my website uses Google Analytics?
At present, the Spanish Agency for Data Protection has not made a statement on this matter but usually, when such high-profile decisions are made and have such an impact, all the EU Member States and their data protection authorities end up adopting the same criteria.
Given this more than likely situation, it is not ruled out that Google will decide to relocate its servers within the EU, something that Dropbox did in its day, for example. Until this happens, it is advisable to analyse possible “European” alternatives to Google Analytics, or those that are compatible with the GDPR. Some options to assess include Mixpanel or Matomo. In any case, inaction at this time is not recommended.
In conclusion, it seems that finally, the decision of the European Justice on the annulment of the Privacy Shield has landed, although it has taken more than a year and a half. As always, this will have consequences in the short and medium term for websites that use analytics to measure their visits, interactions, etc., which is almost all of them.
On the other hand, and to see the brighter side of the matter, this will cause many developers and website owners to look for alternatives to Google, something that sometimes seems impossible to do and that nobody even considers when designing a website.
We are therefore entering a new stage of web analytics and, as always, it will be time to ask questions and update. If you have doubts about this or any other issue, don’t hesitate to contact us!
Information on data protection
LEGAL IT GLOBAL 2017, SLP
Providing the service.
Sending the newsletter.
Compliance with the service provision.
Your data will not be shared with any third party, except service providers with which we have signed a valid service agreement.