Following on from Austria, France has now also declared Google's web analytics service non-compliant with the GDPR. The reasons, the consequences and the alternatives.
The French data protection authority CNIL has deemed the transfer of user data to the United States within the framework of Google's Web Analytics unlawful. It argues that Google is insufficiently protecting the data from access by the U.S. intelligence services. The Austrian data protection authority (DPA) had already issued a similar decision in mid-January.
Anyone who transfers analytics data of EU citizens to Google is in violation of the the EU's General Data Protection Regulation (GDPR). The penalties can be severe: Article 83 (5) of the GDPR calls for fines of up to 20 million euros, or 4% of the total annual global turnover in the previous fiscal year, whichever is higher, in the case of particularly serious violations.
So how to run web analytics without creating privacy issues?