Austria’s Data Protection Authority found that the use of Google Analytics on European websites violates GDPR (General Data Protection Regulation) and is not compliant in the European Union. The issue is in regard to data transfers happening between Google’ U.S. cloud-based software and European websites; because of a piece of legislation called the American CLOUD Act (Clarifying Lawful Overseas Use of Data), the United States government can demand access to data used by Google even if it is outside the jurisdiction of the U.S. In other words, the U.S. government can obtain personal user data from websites in the EU, and this is in violation of GDPR.
The case was brought by Max Schrems and his team NOYB (None of Your Business), the same group that won a case against Facebook for privacy violations in Europe. Their case details a user in Austria who visited an Austrian health website that was using Google Analytics. The data collected by Google was enough to determine the user’s identity. The user visited the site on August 14, 2020, and a complaint was filed four days later on August 18.
What solutions could resolve the data transfer violations?
There are two main solutions that could help resolve the data transfer issues that are in violation of GDPR:
1. U.S.-based companies like Facebook, Google, Amazon and Microsoft (which are all affected by data transfer laws between the U.S. and EU) need to push the U.S. government to update their data surveillance policies to align with GDPR.
2. The four big tech giants need to find a way to host European data in Europe to prevent any transfers of data between the two.
This is the first step in Europe cracking down on the use of Google Analytics in the EU; Dutch data privacy officials have issued a warning to Google regarding Google Analytics usage. Google released an article calling for changes to the EU-U.S. data transfer framework. The marketing and advertising world will be watching this story develop with much anticipation on a solution to the violations.