Google’s analytics service sends data from European users to the United States, which is prohibited under the GDPR, says the Austrian privacy regulator.
According to the Austrian privacy regulator, Google Analytics violates the GDPR, the European privacy directive. The watchdog makes the decision in the wake of a series of complaints filed by noyb, the privacy group around Max Schrems.
The Google Analytics service transmits European users’ IP addresses and contact details to the United States. However, that falls under personal data, and they are not allowed to leave Europe under GDPR, the Austrian privacy regulator has ruled. According to Google, the data is sufficiently encrypted, but the regulator does not agree with that argument.
The case is the first in what could be a long series. In August 2020, Noyb filed a complaint with various privacy regulators against 101 European websites, including four Belgian ones, about data transfers of European user data to the United States. This concerns, for example, sites such as Bpost and Neckermann, which transfer data via services such as Facebook Connect and Google Analytics.
Those data transfers were previously governed by a treaty between the EU and the US called Safe Harbor, which was scrapped in 2015. A new treaty, Privacy Shield, was also annulled by the European Court in 2020, which means that, in principle, no more data transfers are allowed between these countries. Sites and services that still work can therefore expect a privacy complaint.
This does not only affect websites, by the way. Some cloud services based in the US also become unusable for European companies that want to comply with the rules. “The fact that regulators are now gradually declaring US services illegal means that EU companies and US providers will feel more pressure to start using safe and legal options, such as hosting outside the US,” said Max Schrems in a statement. In addition, the noyb complaint to the Belgian Privacy Commission against four sites, is still ongoing.