February 3 2022

Does Google Analytics violate the GDPR? Illegal Google Analytics in Europe?

Austrian DSB: The use of Google Analytics violates the “Schrems II” decision of the CJEU.


Google Analytics is one of the most widespread and popular services on the web: it is used by almost all websites, and even the social network Facebook (one billion users) relies on it. But how can it guarantee compliance with the new European data protection regulations?

Last year Google updated its Privacy Policy to comply with the GDPR: in particular, it implemented a new tool to let people know what data is collected and how it is used. The information is now more detailed and explicit.

According to the DSB, however, Google Analytics does not comply with the European rules on data transfer, since the technical, organizational and contractual measures adopted by Google are considered insufficient: the question arises in the context of the activities that followed the Schrems II judgment, which declared the Privacy Shield agreement between Brussels and Washington invalid.

For the same reason, the EDPS recalls that Google Analytics must be considered a "processor" pursuant to Article 28 of the GDPR, but also stresses that this does not mean that it is subject to all the provisions of that regulation. Indeed, if a company processes personal data on behalf of another entity (in this case Google), it must ensure that appropriate safeguards are in place for the adequate protection of such data (Articles 32-36).

In the wake of this decision, the Austrian authorities have asked Google to comply with the provisions of the General Data Protection Regulation (GDPR) adopted in 2018, so that users can obtain access, rectification or deletion and data portability.

To this end, Google had to provide a copy of all data processed on behalf of each user.

The DSB authority has already published a first inspection report on the subject. The conclusions are devastating for Google, which is found not to respect European rules on data transfer. Indeed, the EDPS recalls that the Schrems II judgment declared the "Privacy Shield" agreement between the EU and the United States on transfers of personal data invalid. The EDPS therefore invites Google to make further efforts to comply with European standards.

What is the Privacy Shield and when was it abolished?

The GDPR Privacy Shield is an agreement that allows us to send your data to the United States.

The GDPR Privacy Shield is a new framework for transatlantic data flows between the US and the EU. It is called a "privacy shield" because it protects personal data when it is sent from the EU to US companies. The agreement replaces an older framework, called "Safe Harbor", which had been used by thousands of US companies since 2000. Safe Harbor was abolished because it was not strong enough to protect information.

The GDPR Privacy Shield works differently from Safe Harbor. It uses stronger enforcement powers and stricter policies for US companies handling EU citizens' data. This is meant to ensure that your personal information is handled properly and used only for lawful purposes.

The GDPR Privacy Shield went into effect on July 12, 2016, but has been controversial ever since. In September 2017, EU privacy regulators decided the deal was not strong enough to protect people's information. They said they would take action to suspend the deal if no further changes were made by September 2018.

What are the risks and penalties for those who do not comply with the GDPR?

First of all, bear in mind that where there are violations, repercussions and sanctions are likely to follow.
For example, here is a recent list of events:
June 9, 2021: the Italian Privacy Guarantor blocks the IO app of PagoPA Spa, among other reasons for exporting data outside the EU (the app relied on Google Cloud, regardless of whether the servers were located in Europe or in the USA).
December 15, 2021: in Germany, a block on non-EU data export for the use of US technology in the service chain that manages cookie consent.
December 22, 2021: in Austria, the Guarantor blocks Google Analytics, considering that it goes against the GDPR for the same reason.
A year and a half after July 16, 2020, the date on which the European Court of Justice invalidated the US Privacy Shield, European companies still largely had not grasped the trend.

The GDPR is a big deal. In fact, the fines can be huge: up to 4% of a company's global annual revenue or €20 million, whichever is greater. You don't want to risk violating the GDPR, which means you need to know what it says and how it applies to your business.

The General Data Protection Regulation (GDPR) is a regulation by which the member states of the European Union establish common data protection standards for European citizens regarding the collection of personal data. It also regulates the export of personal data outside the EU.
