One little website in Austria might bring down Silicon Valley’s data sharing practices.
NetDoktor isn’t available in any language other than German. There’s a strong possibility that before today you haven’t heard of it – even if you are from Germany. It focuses on medical news and diagnoses, a little bit like a German WebMD.
Before today it had no obvious connection with Silicon Valley.
Now, because it uses Google Analytics, it’s become embroiled in a discussion about what big Silicon Valley companies get to do with the data they collect from European websites.
Let’s start at the beginning.
What’s Google Analytics?
Google Analytics is one of the many ways Google collects data about you.
Whenever you visit a website, a little piece of code embedded on the website transmits data about who you are and what you’re using to see that website to Google.
In the time it takes to load up a webpage, Google knows where you’re from, the language you speak, and all the pages on the website you’ve seen so far. This data gets logged underneath an identifying code, and Google can then use that information to hone its algorithm and figure out how to rank that page.
Site owners also have access to Google Analytics, and to the data it collects. From there, they can figure out how to build a better website that works for the majority of their visitors.
Ostensibly, Google Analytics benefits you: the business owner, the website user. In theory, every piece of data that goes through Google is only available to the person who owns that business.
However, as Google Analytics can be integrated with Google Ads, it also benefits Google. The data that is generated from Google Analytics can then be fed back into Google Ads, which improves Google’s capacity to create personalised ads for your users, which in turn gives Google a lot of information about your users.
Okay, and why is this a problem?
To get into that, we need to talk about everyone’s favourite European data privacy act: GDPR.
The General Data Protection Act is only applicable to countries in Europe, and it’s trying to protect you.
There’s been an unprecedented hike in user data ever since social media networks really took off. If you want, you can go even further back: there’s been a hike in user data ever since the technology to record data in bulk crawled its way out of Bill Gates’ mythical garage.
What GDPR does is make sure all your identifying data – your name, your address, your location, your email – is protected. It makes sure you have access to this data. It makes sure that you can delete your entire self off the internet if you want to.
It makes sure that if there’s something wrong, and your data is now broadcast across the internet, you know about it.
Think about the last time you’ve visited a web-page. You know that pop-up that asks you if you’re okay with data collection?
That’s been imposed by GDPR.
And not complying with GDPR can mean getting fined upwards of 20 million EURO.
(This is why some websites, such as Washington Post, are also difficult to access from Europe now).
Yes, we know about GDPR. What does this have to do with Silicon Valley or NetDoktor or Google?
In December, the Austrian data regulator ruled that the way NetDoktor uses Google Analytics is in breach of GDPR and ruled that the use of Google Analytics is now illegal in Austria.
What?! Why? If people consent to the website collecting their data, it isn’t in violation, right?
People might have consented.
But it isn’t the consent that’s the problem; it’s the fact that all data that Google Analytics collects and stores is sent to the United States for hosting and storage.
And US data laws might be protective over their own data for their own citizens, but their laws for people outside the United States aren’t as stringent as GDPR and don’t protect foreign citizen’s data as well as their own.
Data centres in the United States can still, theoretically, be accessed by the CIA, FBI, NSA, and other intelligence agencies. By law, they can do this: it’s data that’s now on American soil, which puts it in their jurisdiction and there’s a whole court law about how the government can access these communications basically at any point in time.
To paraphrase Brooklyn Nine Nine, Datenschutzbehörde’s opinion of that is ‘cool story, still a felony.’
It’s just one website though, right? Fine that one website and move on with it.
It’s every website that uses Google Analytics.
That means your WordPress blog. It means your favourite coffee shop’s website.
It means this website, too.
Every website that currently uses Google Analytics can potentially be in violation of GDPR, which means £20M fines for all or 4% of annual turnover, whichever is higher.
Repeatedly, and continually, violating GDPR puts you at the mercy of each individual member state’s data protection act, who don’t stop at penalties: they’ll order the immediate cessation of data collection, suspend trading activities until the GDPR issues are fixed, and you’ve destroyed all the collected data. If further violations occur, criminal sanctions can be brought against the company.
Why is this something people have noticed now?
It’s actually something that people have been arguing against basically one day after GDPR was implemented.
Previously, the US could transfer and host European data without any issues under an agreement called Privacy Shield. In 2020, two years after GDPR was turned into European law, Privacy Shield was ruled illegal and the Court of Justice of the European Union stated that any business still using Privacy Shield would be fined.
What’s Privacy Shield?
Privacy Shield was created to allow U.S. businesses to share personal information between borders – even though the United States doesn’t protect personal information to the same equivalence as GDPR does, and therefore shouldn’t have been allowed.
It was a replacement for Safe Harbour, a framework that Facebook used to transfer data between its company in Europe and the company in the United States, which was found to be in violation of the CJEU’s data protection guidelines.
This is important because…?
Privacy Shield is illegal because people complained.
Actually: let’s rephrase.
One person complained.
Maximilien Schrems lodged a complaint to the Irish Data Protection Authority that transferring his data from Facebook Inc, Ireland to Facebook Inc, US was a violation of GDPR and his data was not being protected. The Irish Data Protection Commissioner rejected the complaint, but it made its way to the Court of Justice of the European Union.
The Court ultimately ruled that Privacy Shield was no longer legal – and that businesses had to find a different way of transferring their data.
So far, they haven’t. Negotiations for data transfer are still ongoing.
What does this have to do with me?
If you’re a citizen of an EU country, you have a right to protect your own data.
As a European citizen, your data can and will be accessed by United States intelligence agencies. They can also collect that data. They can use that data.
The European Protection authorities don’t want that to happen. Transfer between the United States and Europe currently doesn’t have enough safety measures in place to avoid European data falling into the hands of United States intelligence agencies.
Or, in other words, using Google Analytics violates GDPR, and you – as a website owner, not as a user – may be entitled to a fine.
This is one decision for one case.
There are currently over 100 other cases where data transfer to the United States is being investigated. They’ve been filed based on similar complaints, so it stands to reason that the outcomes will be the same – but the results might vary.
Some European data regulators, like Austria, can rule that Google Analytics and other similar frameworks are illegal – which means websites can no longer use those measures or face having to pay a fine. Other data regulators might just want stricter measurements in place, but that it won’t lead to a fine.
The greater issue is what this means for websites financially. If you are in contempt of a GDPR fine because of your cloud network, then are you liable for it?
Or is the United States?
What does this mean for businesses?
Businesses don’t need to worry yet.
But they should start looking at different cloud-based services if they’re based in Europe.
There is a chance that, like Privacy Shield and Safe Harbour, Google Analytics will have to go the way of the dodo. It’s better to have a back-up plan if the Court of Justice in the European Union decides data transfer – which will impact trade, small businesses, and basically everything in between – to the United States violates GDPR, and is therefore illegal.
There’s an upside to selecting an EU – and therefore GDPR-compliant – service: it removes the extensive cost of maintaining GDPR.
Why is this important now? Data leaks have been a thing since the early internet.
The early internet didn’t have the scale and quantity of data that there is available today.
We’re talking about it now because people have started to understand what that means, and to be concerned about where all this data is going. We’ve spoken a little bit about it in our Marketing Trends 2022 blog, but here’s the summary: consumers don’t like it when big corporations have so much data on them.
Unhappy consumers complain.
Every consumer complaint to a European data protection agency is now followed by court action – no matter how long it takes.
What does Google think about all this?
Google wants a new data protection agreement, and threw its support behind the ongoing transatlantic data discussion. It did reiterate that Google had never received a request for the kind of data that the Austrian protection agency spoke about – but that’s largely irrelevant. On paper, in European courts, Google and other cloud-based providers that transfer data to the United States are still in violation of GDPR.
Can it just not go away?
If the United States and Europe can reach an agreement over how to protect European citizens’ data once it’s in the United States – which means, to a certain extent, removing the Congressional and governmental access to that data – then there’s no need for any business to worry.
But don’t hold your breath on that. Everyone knows how the U.S. considers data.
Frequently Asked Questions
Can businesses still use Google Analytics in the EU?
Yes, definitely. Only one court case in Austria has ruled Google Analytics illegal; the rest of Europe hasn’t weighed in yet.
Is Google Analytics illegal in the EU?
No, Google Analytics is only illegal in Austria as of the time this article is published.
That said, with an EU-US data transfer protocol still under negotiations, and more claims filed against Google Analytics throughout Europe, there’s no telling if Google Analytics will remain legal in Europe with their current practices in place.
What we anticipate will happen is that Google will create a server network in Europe to mitigate more GDPR fallout, which will semi-solve the problem.
Can anyone access Google Analytics?
Absolutely! Google Analytics is free to all users who have a Google account and want to see where their traffic is coming from. However, once you hit a certain traffic threshold, or if you want more advanced features, you have to pay a subscription fee that varies depending on the features you want.
What information does Google Analytics access?
Website activity: how long do people stay on your website, what do they do while they’re there, their general location. There’s a version available for mobile browsers as well, but it’s not on the same scale as Google Analytics for web and also doesn’t allow for users to choose to opt out of sending data to Google, which web allows for.