Google’s response on the Analytics GDPR violation saga. Other countries are also taking actions
You have probably heard about the latest news circulating around Google Analytics being declared illegal by the Austrian DSB. The situation left a lot of questions unanswered and certainly presented quite the conundrum for both the US and the EU in terms of data transfer moving forward. However, as it currently stands, Analytics’ use is still considered a direct violation of the European GDPR and no particular decisions have been made, nor have there been any actions taken, although Google did release a public statement about their standpoint on the problem through a couple of posts on their official blog.
Google’s response about Analytics
On January 13th - the same day as the issues with Analytics were first reported, Russell Ketchum - director in relation to the product management of Google Analytics, released an official statement, in which he informed the public of the technology’s features, intentions and the overall principles behind the software. Ketchum made clear that Google Analytics was a service, which was utilized by companies and businesses worldwide with the intention of tracking different website metrics and user engagement rather than collecting data about users or their identity.
Additionally, he also mentioned that all of the collected data is controlled by the business or organization that willingly decides to utilize the software and not by Analytics itself, further emphasizing that Analytics' primary goal is to put “users in control of their data”.
Moreover, the director also assured that Analytics cannot possibly be utilized to show targeted advertisements in relation to any potentially collected sensitive information like “health, ethnicity, sexual orientation, etc”.
Furthemore, Ketchum also specified that “an organization’s Google Analytics data can only be transferred when specific and rigorous privacy conditions are met” in order to reassure users that the required safety protocols and measurements were in effect, which could guarantee that their collected data would be stored safely and securely.
Google’s urge for a new data transfer agreement
On January 19th, Google’s president of global affairs - Kent Walker, released another statement urging both the EU and the US to create and implement a new successive agreement to the Privacy Shield, in order to protect and maintain the flow of data between the two regions.
Additionally, Walker pointed out that never in the software’s 15 year of service have the US intelligence agencies required data, essentially downplaying the severity of the situation. The core of the problem lies in the fact that the EU’s GDPR exclusively states that access and surveillance to collected EU citizens’ data should be prohibited at all times, rather than being a question of ‘it has not happened before, so it will probably not happen in the future’.
What is more, Walker also went on to assure the EU that the user information collected by Analytics is securely stored in modern state-of-the-art facilities with absolutely no chance of breaches and leaks occurring due to the data being encrypted at rest. However, while true, this does not solve the problem as the main issue is the fact that central intelligence agencies are permitted to extract user information legally due to the US surveillance legislation.
Furthermore, rather than suggesting a remedy or a resolution to this problem, Walker stated that the data is stored in correlation to their privacy standards while also implying that no changes shall be implemented for the foreseeable future.
Moreover, he also went on to state that a large majority of businesses and organizations in the EU will lose customers and profits if an agreement is not reached soon, essentially trying to pass the blame over to the EU legislation, which was picked up by Techcrunch: “the tech giant is resorting to loudly yelling for lawmakers to ‘fix’ its legal headache with a quickie data transfer pact”.
Ultimately, Google’s president of global affairs also stated that the company did attempt to provoke such changes to the US legislation through their Global Network Initiative and the Reform Government Surveillance coalition in addition to creating and publicly releasing a transparency report, in which Google detailed the government’s requests about specific user data. But while these actions are commendable, nothing in particular has emerged as a result of them.
Max Schrems’ take on Google’s statements
The chair of nyob - Max Schrems, regarded these official releases as a mere PR stunt, noting in a tweet of his own that while Google did ‘finally get moving’, their official statements were nothing more than just general information thrown at the public, the aim of which was to instigate a “quick deal” between the two regions in order to solve the problem as soon as possible without actually addressing the severity of the matter at hand.
Schrems also went on to state that these privacy and data transfer issues related to Google Analytics can have a major impact on US cloud providers in relation to the EU customers and their data, even mentioning that tech-giant companies like Microsoft, Apple and the newly-renamed Meta could also see their services disallowed in Europe.
Other countries’ responses, fines and potential future impact on other cloud services
In the summer of 2020, nyob filed 101 complaints: “concerning companies in 30 EU and EEA member states” in relation to the EU-US data transfer process. And now, after the Austrian DSB have deemed Google Analytics to be illegal due to the GDPR violations, more companies and privacy authorities have begun to examine the complaints in greater scrutiny.
As reported in an article by Wired, the 30 countries have started to investigate the cases specifically in relation to Google Analytics and Facebook Connect as well as “country-specific websites belonging to Airbnb, Sky, Ikea, and The Huffington Post…also (being) subject to complaints”.
Wired also reported, in the same article, that the Autoriteit Persoonsgegevens, which is the Netherlands’ data protection authority, has also taken action and will most likely prohibit the use of Google Analytics ‘in its current form’.
As for Germany, Wired also informed the public that Hamburg’s protection authority has also taken action against two websites, which were utilizing Google Analytics incorrectly.
However, while some countries are now starting to consider implementing different restrictions and measurements, others have already been fining large US cloud companies across Europe for violating the GDPR.
In France, the CNIL, which is the French privacy protection authority, issued Google a fine of 150 million euros at the end of 2021 for “failing to make it as easy to reject consent to the use of cookies as it is to accept the same on google.fr and youtube.com”. While not directly connected with the use of Google Analytics, the problem again revolves around the data collected by the software’s cookies. Additionally, this sanction comes just a year later after Google had already been fined along with Amazon by the CNIL for dropping cookies that can be used to track users without their consent.
Other countries, which have previously fined Google for not being GDPR compliant, also include Sweden and Belgium in 2020. Additionally, Amazon was also subjected to fines for breaking the European GDPR in relation to data storage and privacy breaches, this time by Luxembourg’s CNPD which imposed a fine of a staggering 746 million euros.
All of these fines against major US cloud companies in Europe are now going to definitely be brought to the forefront of the GDPR violations due to the Google Analytics case. However, each EU country’s privacy authority can reach a different conclusion and fines and regulation expectations can differ from country to country. However, one thing is for certain - a change needs to be implemented and reforms should be introduced in order for these US tech-giants to continue their operations in Europe.
What can we expect next?
Data privacy and security are becoming an increasingly prevalent issue in our modern day society and the potential of such surveillance and access to European citizens’ data by another party and country needs to be addressed and the circulating issues - resolved. But while some see this as a curse, smaller EU-based companies look at it as a blessing, allowing them to break through on the European market while not being overshadowed by the tech giants. All in all, what happens next remains to be seen, however, it is evident that major changes need to be implemented before an agreement between the two sides can be reached.