Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View

Google Analytics’ Operations in Trouble Within the European Union?

Published March 3, 2022
Author

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E

Listen to the content

This post is also available in: Brazilian Portuguese

For years now, privacy and data compliance advocates have been calling on tech giants like Facebook, Google, and Amazon to take data protection laws seriously. When the General Data Protection Regulation (GDPR) came into effect in 2018, it legally mandated all companies serving EU residents to reform their data processing activities. Over the last four years, the GDPR has become the global standard for data protection, with several pieces of legislation drawing their inspiration from it.

The way the GDPR is written is broad, on purpose it attempts to be future-proof and not to have a simple list of elements that are considered to be personal data. It states that personal data means any information relating to an identified or identifiable person, and indicates that it includes if someone can be identified directly or indirectly.

Exactly how broad this is is becoming clearer as rulings appear that help to define just how broad these terms can be - and this brings us to Google Analytics and other systems that collect elements of information that are designed to be collated together with other known information - at what point have you collected enough to identify an individual and at what point does a single element therefore become personal data because it can be collated together with other data? So as per the definition of personal data under the GDPR, as long as there remains the slightest possibility of identifying an individual after taking into consideration all means likely reasonably to be used by the data controller or by any person, the information is qualified as personal data and is subject to data protection requirements under the GDPR.

On 13 January 2022, Google Analytics, the popular tool within the digital marketing industry received a ruling that stated that it violated GDPR because it transfers data to USA that could subsequently be intercepted or requested by US law enforcement authorities and EU citizens do not have any appropriate recourse to a US court or ombudsman to challenge.

How did it come to this? What led to such a drastic measure? And if you use Google Analytics, what should you do?

A Name to Remember

Anyone that successfully manages to successfully challenge a name like Facebook has arguably won the acclaim of data protection activists for life. Max Schrems has repeated the feat. His latest case against Google is based on similar grounds, arguing that the manner in which Google Analytics operated, specifically how it collects and transfers data on EU residents to the US, is in violation of GDPR statutes regarding the transfer of data collected in the EU to other jurisdictions because data subjects are not aware of the data collection and processing taking place.

A Brief Background

Why now? It's not like Google Analytics began operating and collecting data on EU citizens last month. It has been doing so for years now. So why is it only now that it has faced such a remarkable repercussion?

It has to do with three separate pieces of agreements and legislation.

The first is the International Safe Harbor Privacy Principles. It was formulated back in 1998 when issues related to online data privacy were less prone to public scrutiny. Under the agreement, companies that stated (and registered themselves) they complied with the Safe Harbor principles could transfer data from the EU to the US.

However, when Max Schrems complained that data collected by Facebook was insufficiently protected, Safe Harbor was invalidated as an adequate protection mechanism for data transfers from the EU to the US (European Court of Justice - October 2015). This ruling became known within the public as The Schrems Ruling - though is now typically referred to as "Schrems I" At the same time, the European Commission and the US Government began working on a new agreement. One that would afford more protection to data being collected. This came to be known as the EU–US Privacy Shield.

The EU–US Privacy Shield did mark a significant improvement upon the International Safe Harbor Privacy Principles. However, concerns over data collection practices, deletion of data, and the role of new intermediaries remained.

Max and privacy groups kept on vehemently opposing the Privacy Shield framework, and the Court of Justice of the European Union (CJEU) issued its final verdict in the case, and struck down the Privacy Shield framework for the lack of adequate protection measures in place for data privacy of EU residents, such as an independent ombudsman for US organizations that EU citizens can refer to and that each US State has differing data protection laws none of which have been considered “adequate” (similar) to GDPR in the breadth of rights for data subjects. This case came to be known in the public court of opinion as "Schrems II".

But why were privacy advocates in the EU so convinced about the lack of data privacy for EU residents' data being transferred to the US? In part, this relates to the USA law The Foreign Intelligence Surveillance Act (FISA)

FISA allows US intelligence agencies to conduct surveillance and request any information on “persons reasonably believed to be outside the United States” and applies “to providers of electronic communications services.” In other words, once data is transferred from the EU to the US, any US intelligence agency can have access to it.

Back to Austria

NetDoktor is a medical website. It uses Google Analytics to create cookies to track the behavior of users on the site.

However, the issue is whether the data Google Analytics collects on users, such as their IP address, can be “potentially” used to identify the user.

Now, an Austrian court has passed its ruling, (referred here) declaring the methods used by Google Analytics to be highly invasive and in violation of Article 44 of the GDPR concerning the transfer of data. Google argued that the data transferred was not personal data as this data on its own, could not be used, nor had it been used, to derive an individual's identity. However, NOYB successfully argued that this data, in addition to other data also held or transferred by Google Analytics, could identify an individual.

Google’s extensive employment of supplementary measures to protect the transferred EU personal data was considered irrelevant by the Austrian Court, which held that, despite these extensive measures, the transferred personal data of EU citizens was still at risk of unwarranted surveillance by US intelligence agencies due to FISA and therefore personal data transfers to Google Analytics fell foul of the CJEU’s judgment in Schrems II.

What Next?

The Dutch Authority for Personal Data (AP) has already updated its guide on using Google Analytics, reflecting the dim and almost non-existent future for Google Analytics in the Netherlands and the EU. There is a scant chance of either the FISA or the GDPR being repealed or amended anytime soon. Hence, the onus is on Google itself or its customers, the web site owners, to amend their data practices vis-a-vis Google Analytics.

The CNIL, France’s data protection authority has followed suit and declared Google Analytics to be in breach of GDPR with the following statement,

“​​The CNIL, in cooperation with its European counterparts, analysed the conditions under which the data collected through this service [Google Analytics] is transferred to the United States. The CNIL considers that these transfers are illegal and orders a French website manager to comply with the GDPR and, if necessary, to stop using this service under the current conditions."

This should be a wake-up call for businesses, big and small, to rethink their approach towards data privacy and compliance.

What Can I Do?

This IAPP article is a great source of more information and recommendations, specifically individual consent. https://iapp.org/news/a/what-do-the-google-analytics-enforcement-cases-mean-for-privacy-compliance/

For individual consent, see below:

If you are using Google Analytics on your website, you need to make this clear to data subjects and allow them to opt in of data collection via Google Analytics. Analytics cookies or audience measurement cookies are “non-essential” cookies as per the guidelines of Irish, UK, and Finnish regulatory authorities and should be classified as such. This is because of the reason that analytics cookies are used as measuring tools for websites - they can collect information about how people access an online service, the number of users on a website, how long they stay on the site for, and what parts of the site they visit.

As per the French regulatory authority's guidance, audience measurement cookies can be essential cookies only if they are strictly limited to the sole measurement of the audience on the site for the exclusive account of the website publisher and produces purely anonymous statistical data. However, where such cookies track the navigation of the person using different applications or browsing different websites or allow the data to be cross-checked with other processing or for the data to be transmitted to third parties, then, under those circumstances, those cookies are not essential.

Since the criteria for analytics or audience measurement cookies is strict, extra care must be adopted while categorizing them as either essential or non-essential and as a general rule, they should be placed in the non-essential cookie category.

This requires reviewing your current privacy notices and if you previously considered Google Analytics to be an “essential” cookie, moving it to the “non-essential” cookie category ultimately allowing users to select (opt-in) and decide whether to accept GA as an individual cookie.

Securiti is a market leader in providing enterprise solutions related to data compliance, including cookie consent, privacy notices, and universal consent that can help you remain compliant with data protection regulations around the world.

Request a demo today to see Securiti's plethora of data privacy tools in action.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


Share

More Stories that May Interest You
Videos
View More
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...
AWS Startup Showcase Cybersecurity Governance With Generative AI View More
AWS Startup Showcase Cybersecurity Governance With Generative AI
Balancing Innovation and Governance with Generative AI Generative AI has the potential to disrupt all aspects of business, with powerful new capabilities. However, with...

Spotlight Talks

Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Spotlight 13:32
Ensuring Solid Governance Is Like Squeezing Jello
Watch Now View
Latest
View More
Databricks AI Summit (DAIS) 2025 Wrap Up
5 New Developments in Databricks and How Securiti Customers Benefit Concerns over the risk of leaking sensitive data are currently the number one blocker...
Inside Echoleak View More
Inside Echoleak
How Indirect Prompt Injections Exploit the AI Layer and How to Secure Your Data What is Echoleak? Echoleak (CVE-2025-32711) is a vulnerability discovered in...
What is AI Security Posture Management (AI-SPM)? View More
What is AI Security Posture Management (AI-SPM)?
AI SPM stands for AI Security Posture Management. It represents a comprehensive approach to ensure the security and integrity of AI systems throughout the...
View More
Data Security & GDPR Compliance: What You Need to Know
Learn the importance of data security in ensuring GDPR compliance. Implement robust data security measures to prevent non-compliance with the GDPR.
Beyond DLP: Guide to Modern Data Protection with DSPM View More
Beyond DLP: Guide to Modern Data Protection with DSPM
Learn why traditional data security tools fall short in the cloud and AI era. Learn how DSPM helps secure sensitive data and ensure compliance.
Mastering Cookie Consent: Global Compliance & Customer Trust View More
Mastering Cookie Consent: Global Compliance & Customer Trust
Discover how to master cookie consent with strategies for global compliance and building customer trust while aligning with key data privacy regulations.
Understanding Data Regulations in Australia’s Telecom Sector View More
Understanding Data Regulations in Australia’s Telecom Sector
Gain insights into the key data regulations in Australia’s telecommunication sector. Learn how Securiti helps ensure swift compliance.
Top 3 Key Predictions on GenAI's Transformational Impact in 2025 View More
Top 3 Key Predictions on GenAI’s Transformational Impact in 2025
Discover how a leading Chief Data Officer (CDO) breaks down top predictions for GenAI’s transformative impact on operations and innovation in 2025.
Gencore AI and Amazon Bedrock View More
Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock
Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...
DSPM Vendor Due Diligence View More
DSPM Vendor Due Diligence
DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...
What's
New