After the Austrian ruling that was issued in February, France's privacy watchdog, the CNIL, has also declared that Google Analytics breaches the GDPR and must therefore be banned. The CNIL published a statement:
"The CNIL, in cooperation with its European counterparts, analysed the conditions under which the data collected through this service [Google Analytics] is transferred to the United States. The CNIL considers that these transfers are illegal and orders a French website manager to comply with the GDPR and, if necessary, to stop using this service under the current conditions."
Google Analytics illegal in Europe
The invalidation of the Privacy Shield legislation in 2020 had far-reaching consequences for US online services operating in Europe: They were no longer allowed to transfer data of European citizens to the US, as this would make that data vulnerable to American mass surveillance - a clear violation of the European GDPR.
However, the Silicon Valley tech industry largely ignored the ruling. This has now led to the ruling that Google Analytics is banned in Europe. NOYB says:
"While this (=invalidation of Privacy Shield) sent shock waves through the tech industry, US providers and EU data exporters have largely ignored the case. Just like Microsoft, Facebook or Amazon, Google has relied on so-called "Standard Contract Clauses" to continue data transfers and calm its European business partners."
Now, the Austrian Data Protection Authority has struck the same chord as the European court did when it declared Privacy Shield invalid: It has decided that the use of Google Analytics is illegal as it violates the General Data Protection Regulation (GDPR). Google is "subject to surveillance by US intelligence services and can be ordered to disclose data of European citizens to them". Therefore, the data of European citizens may not be transferred across the Atlantic.
What was the court case about?
On August 14, 2020, a Google user had accessed an Austrian website about health issues. This website used Google Analytics, and data about the user was transmitted to Google in the USA. Based on this data, Google was able to deduce who he or she was.
On August 18, 2020, the Google user complained to the Austrian data protection authority with the help of the data protection organization NOYB.
Now, the Austrian court has declared this Google Analytics data transfer illegal in Europe.
Data not adequately protected
The issue at hand is that, due to the American CLOUD Act, US authorities are able to demand personal data from Google, Facebook and other US providers, even when these providers are operating outside of the US, for instance in Europe.
Thus, Google cannot provide an adequate level of protection under Article 44 GDPR - a clear violation of European data protection guarantees. The standard contractual clauses invoked by the website operator do not help, as recognized in 2020 by the European Court of Justice (ECJ) in its decision on the "Privacy Shield" (Schrems II).
No proof of data abuse needed
The decisive factor for the legal assessment of the use of Google Analytics is not whether a U.S. intelligence agency actually obtained the data or whether Google actually identified the user. The mere fact that this was theoretically possible was already a violation of the GDPR.
Google users can, however, change a setting in their Google accounts to stop Google from evaluating their use of third-party websites in detail. But the fact that this feature exists is proof that Google is able to merge usage data with the individual.
Biggest success of NOYB
This ruling is one of the biggest successes of the data protection organization NOYB to date. Consequently, NOYB and Max Schrems are very happy about the decision by the Austrian court:
"This is a very detailed and sound decision. The bottom line is: Companies can't use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced."
This ruling is the first among 101 lawsuits by Schrems' non-profit NOYB in most member states of the European Union.
Similar decisions on the ban of Google Analytics are now expected to drop in Germany, the Netherlands and other EU member states.
Remove Google Analytics?
Tutanota - as a secure email service that focuses on users' privacy - has never used Google Analytics.
But now, many companies in Europe must ask themselves whether they should remove Google Analytics from their websites or risk a penalty for violating the GDPR.
In the long run, there will be two options: Either the United States changes its surveillance laws to strengthen its tech businesses, or US providers will have to host data of European users in Europe.
The Dutch Authority for Personal Data (AP) - where two decisions on the use of Google Analytics are still pending - has now updated its own guidance on the "privacy-friendly setup of Google Analytics".
With the update, the AP has issued a warning:
"Please note: The use of Google Analytics may soon no longer be allowed."
The Dutch Authority for Personal Data plans to decide on the pending Google Analytics cases in early 2022. Then the AP will issue a clear statement on whether the use of Google Analytics is illegal in Europe or not.
While Silicon Valley tech companies will find a way to still offer their services in Europe - one way or another - the approach that they took after the invalidation of Privacy Shield must raise several red flags to European businesses:
As a European company it is no longer possible to trust sensitive user data to companies such as Google that deliberately ignore European privacy legislation and risk hefty fines for their European business customers.
The fines against the Austrian health website in the discussed case have not yet been decided upon, but we will follow the development closely.
On the contrary - and as privacy is becoming increasingly important to consumers around the world - it is a logical step for any European business to choose services that focus on protecting their users' privacy.
Tutanota, for instance, is a secure German email provider that is in full compliance with the GDPR.
Recommended for further reading: Quick guide to take back your privacy online with lots of Google alternatives.