NOYB: Use of Google Analytics is Illegal in Europe

The legality of data transfers in Europe is in focus as NOYB says that Google Analytics is illegal in Europe.

Google Analytics has been a go-to solution for web traffic analysis for years now. For a lot of people who use it (ourselves included), the web solution is meant as a way of getting a general idea of how well certain web pages perform. For instance, if one were to have a gardening website, will a page talking about planting techniques be more interesting than a page about soil analysis? Often, the best approach is to have both available, see which performs better, and use that to get a better idea of how to shape the website to better suit the users' needs.

Before that, engagement could be measured by the number of comments left behind. The thinking was that if the content is well received, people would comment on it. The problem with that is that measuring by the number of comments is a terrible way of gauging a page's performance. For instance, a page with 42 comments might sound great, but what if 30 of those comments consist of two people having an argument? What's more, if a page only has, maybe, 2 comments, but it manages to answer almost every visitor's questions, then you can't really tell from the comment count that it's actually performing well.

There have been, in recent years, questions over the validity of the numbers that roll in. This has been prompted, in part, by bots spamming the code responsible for tracking visitors. What those bots would do is set the country of origin or language field to something like "get more traffic by visiting our obviously very scammy site". That kind of activity ultimately polluted the data coming in. What's more, Google was initially slow to respond to such data pollution techniques. We do note that things have gotten better since then, but it did leave a number of users frustrated with the situation.

There are a number of reasons why people end up with Google Analytics in the first place. For one, it's free. All you really need is a Gmail account, which is also free. From there, you just need to get the necessary code and drop it into the site to start tracking. Alternatively, a simple plugin will also get the job done on almost any standard Content Management System (CMS). Either way, implementation is dead simple.

Moreover, the amount of data you get is almost overkill. You can gauge overall traffic, traffic coming in from different countries, the languages spoken, the operating system (for mobile users), the web browser, and the screen resolutions visitors use. What's more, you not only get granular data on each individual page's performance, but also real-time tracking of when users access your page if you really want to go all out. The ways you can track how your site is doing are seemingly limitless. Combine that with the big name of Google and you can see why so many web administrators simply use this solution, seemingly by default.

For many, the legality of this wasn't really the subject of debate. A web administrator voluntarily uses it and users can block the tracking software if they so choose. So, what's the harm in this software? Well, Google is a US-based multinational corporation. If you are an administrator in Europe, you are going to be bound by European law. In recent years, Europe has been ratcheting up privacy laws, whether through enacting laws such as the General Data Protection Regulation (GDPR) or through the various court rulings that have followed the enactment of these laws.

One such ruling happened in 2020, when a huge hole was effectively punched through the so-called Privacy Shield framework. In that ruling, it was found that personal data must be vetted before it is transferred to another country. This is in contrast to what was happening before, where if data was going to a so-called "safe" country like the US, then transferring that personal information was just fine and dandy, with no need for additional scrutiny. So, that ultimately paved the way for what are considered changes to "data transfers".

As a result of these changes to the way data transfers work in the legal realm, additional questions have been raised about how different web software solutions work. More recently, None Of Your Business (NOYB) noted that using Google Analytics in Europe is actually illegal. From NOYB:

2020 CJEU ruling hits the real world. In July 2020, the CJEU has issued its groundbreaking “Schrems II” ruling, holding that a transfer to US providers that fall under FISA 702 and EO 12.333 violate the rules on international data transfers in the GDPR. The CJEU consequently annulled the transfer deal “Privacy Shield”, after annulling the previous deal “Safe Harbor” in 2015. While this sent shock waves through the tech industry, US providers and EU data exporters have largely ignored the case. Just like Microsoft, Facebook or Amazon, Google has relied on so-called “Standard Contract Clauses” to continue data transfers and calm its European business partners.

Max Schrems, honorary chair of “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options.”

Decision relevant for almost all EU websites. Google Analytics is the most common statistics program. While there are many alternatives that are hosted in Europe or can be self-hosted, many websites rely on Google and thereby forward their user data to the US multinational. The fact that data protection authorities may now gradually declare US services illegal, puts additional pressure on EU companies and US providers to move towards safe and legal options, like hosting outside of the US. A similar decision on EU-US transfers was reached by the European Data Protection Supervisor (EDPS) a week earlier.

Max Schrems: “We expect similar decisions to now drop gradually in most EU member states. We have filed 101 complaints in almost all Member States and the authorities coordinated the response. A similar decision was also issued by the European Data Protection Supervisor last week.”

Google LLC does not fall under Transfer Rules? The DSB has rejected claims against Google LLC as a data recipient, holding that the rules on data transfers only apply to EU entities and not the US recipients. However, the DSB said that it will investigate Google LLC further in relation to potential violations of Article 5, 28 and 29 GDPR, as it seems questionable if Google was allowed to provide personal data to the US government without an explicit order by the EU data exporter. The DSB will issue a separate decision on this matter.

Max Schrems: “For us, it is crucial that the US providers cannot just shift the problem to EU customers. We have therefore filed the case against the US recipient too. The DSB has partly rejected this approach. We will review if we appeal this element of the decision.”

No penalty (yet). The decision is not dealing with a potential penalty, as this is seen as a “public” enforcement procedure, where the complainant is not heard. There is no information if a penalty was issued or if the DSB is planning to also issue a penalty. The GDPR foresees penalties of up to € 20 million or 4% of the global turnover in such cases.

Max Schrems: “We would assume that there is also a penalty for the EU data exporter, but we only received a partial decision so far that does not deal with this question.”

This will no doubt be frustrating to web administrators who were hoping to stick to the status quo (which is going to be a lot of them). NOYB doesn't offer alternatives for European users to switch to if they are worried that using Google Analytics would land them in hot water. What's more, finding an alternative is going to be dizzying from the outset.

Here's one page which showcases some of the alternatives. While it does mention the status of compliance for different privacy laws, the question that pops up is whether those solutions are going to be reliable or secure. I would immediately ask: if I implemented one of those solutions, does that somehow open the site up to security vulnerabilities? Also, just because the site says a solution is compliant, does that actually mean it is compliant, or is it just the opinion of the site that it's compliant? What's more, if I see 400 page views on a page, are those legitimate page views or are they the result of a bot?

These are fair questions given how such tools are typically a core aspect of an overall web strategy. After all, not knowing how many people are accessing your website is like driving with binoculars strapped to your face. You need to know what users (including those passive lurkers) are finding useful. You might have a general idea about some things, but you are limited to your own experience as a user rather than seeing through the eyes of other users. It would have been nice for NOYB to have made some suggestions on what is safe, reliable, and compliant with the laws and court rulings. Unfortunately, that post didn't mention any alternative, just that alternatives exist.

One passive reaction might be that, well, you need to do your own research. Sure, someone like me might be able to figure something out given that I basically live on discussing these issues, but not everyone is in my position. Your typical web hobbyist, who might be more interested in the various kinds of chocolate out there, may not even be aware that this whole idea of data transfers is even a thing. All that administrator might know is that they managed to get some web space and a simple site up and running. That administrator might be blissfully unaware that using Google Analytics could theoretically land them in hot water. All they'll know is, “Hey, my page about 4 different kinds of milk chocolate got 12 unique visitors, cool!”

It'll be interesting to see whether Google appeals such a decision or changes its product so that European users will be in compliance with the way these privacy laws are interpreted.

To be clear, this isn't about being anti-privacy. In fact, when GDPR first came around, unlike some others, we were generally supportive of the idea and even went so far as to consider the GDPR laws a gold standard for how other countries could form their own privacy laws. As such, we recognize that there will be a teething process when it comes to figuring out what is and isn't allowed. The question is whether there are tools available for website administrators to properly research and find solutions so they can more easily follow the law. From what we can tell, that currently falls a little bit short.

Drew Wilson on Twitter: @icecube85 and Facebook.
