Google Analytics illegal in the EU
Following on from Austria, France has now also declared Google's web analytics service non-compliant with the GDPR. The reasons, the consequences and the alternatives.
The reasons
The French data protection authority CNIL has deemed the transfer of user data to the United States within the framework of Google's Web Analytics unlawful. It argues that Google is insufficiently protecting the data from access by the U.S. intelligence services. The Austrian data protection authority (DPA) had already issued a similar decision in mid-January.
The consequences
Anyone who transfers analytics data of EU citizens to Google is in violation of the the EU's General Data Protection Regulation (GDPR). The penalties can be severe: Article 83 (5) of the GDPR calls for fines of up to 20 million euros, or 4% of the total annual global turnover in the previous fiscal year, whichever is higher, in the case of particularly serious violations.
The alternatives
So how to run web analytics without creating privacy issues?
- Anonymize: For one, services that enable complete anonymization of data, including the visitors' IP addresses, can be used. (e.g. etracker, Matomo or Piwik PRO). This prevents personal data from being processed.
- On-premise operation: Another option is to choose an analytics platform that offers self-hosting. Storing and processing data on your own infrastructure means you don't share it with third parties in the first place. (e.g. Matomo @ aspectra).
- Is Google Analytics GDPR-compliant? (Piwik PRO Blog, 04.02.22.)
- Frankreichs Datenschutzbehörde: Google Analytics ist in der EU rechtswidrig (Heise, 10.02.2022)
- Austrian DSB: Use of Google Analytics violates "Schrems II" decision by CJEU (NOYB, 13.01.22.)
- A bid for more independence from Google (aspectra Blog 05.11.20.)