The EU is currently putting pressure on the US ruling that “Privacy Shield”, the mechanism used by companies such as Google, Microsoft, Amazon and Twitter to move data from the EU to the US, was illegal. This would have huge ramifications for EU, and potentially UK, businesses who use these tools every day. 
How has this dispute come about? 

Background to the dispute started in July 2016, when the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law. 

However, in May 2018 GDPR was introduced. GDPR has specific requirements regarding the transfer of data out of the EU. One of these requirements is that the transfer must only happen to countries deemed as having adequate data protection laws. 

In July 2020, the Court of Justice of the European Union issued a judgment declaring the initial acceptance of the Privacy Shield Framework as ‘invalid.’ 

As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. 

On the back of the 2020 ruling, three countries in the EU (Austria, France and Italy) have now ruled that using Google Analytics is a breach of GDPR as GA data is processed in the US.  

From a UK perspective, the ICO (the body which is in charge of regulating data protection in the UK, and uses Google Analytics on its own site) explains that “you need to tell people about analytics cookies and gain consent for their use”. From this statement, it appears that if websites create a mechanism for the user to opt-in to analytics cookies, then the website is still considered compliant.  

Where does this leave website analytics in the EU? 

I think that the stance taken by Austria, France and Italy is designed to put pressure on the US to work on a new agreement and solution that would replace “Privacy Shield” and be compliant with GDPR. It is not clear why Google Analytics is targeted in particular, as most American cloud-based services, including Gmail, Amazon services and Azure would fall under the same ruling. Indeed, the big issue for the EU is the CLOUD act (a USA federal law, that obliges US companies to preserve, backup or disclose to US government agencies their data, regardless of where that information is located) 

It is interesting to note that the court rulings from those three countries were originally conducted in relation with Universal Analytics. Google Analytics 4 tried to address some of the GPR compliance concerns and is certainly more privacy-centric than Universal Analytics. It offers various features to put the control in the hands of the site owner. You can read more about GA4 in my previous article, but key features of GA4 include:

• GA4 properties do not log or store IP addresses 
• Data retention is stricter 2 months or 14 months 
• Ads personalisation is controlled at country level 
• Data deletion requests are much more precise, and data can be deleted at a user level 

Despite GA4 being designed with privacy in mind, the data is still processed in the US at this stage which is the key issue of the 2020 ruling. 

There is hope however that the US and EU can agree on a replacement for Privacy Shield. In April of this year a framework was agreed ‘in principle’, and whilst specific details must still be worked out, this agreement would reimplement the legal mechanism for data transfers between the EU and the US.  

Should you stop using Google Analytics? 

It is a matter for you and your legal department to decide. The solutions are to use a non-US based web analytic service. Or to carry on using GA and switching to GA4 which is much more inline with GDPR (This doesn’t resolve the issue of Data Transfer though).   

To this day no-one has been fined for using Google Analytics in France, Austria and Italy (or any other countries).   

Dog is monitoring closely this topic and will post updates on a regular basis.