Will there ever be a Google Analytics ban in Europe? Google‘s web stats platforms launched in 2005, and since then, an estimated 4.8 million companies have used it to track and report website traffic. Several issues have arisen in Europe as Google Analytics has been found to improperly protect European Union’s citizens’ data and could ultimately be banned. In addition, online services from the United States were found to transfer and expose European data for American surveillance, violating the European GDPR. However, as we are going to demonstrate, preventing businesses from using Google Analytics is not as easy as it seems, so what are the alternatives for businesses moving forward?
Will there be a Google Analytics ban in Europe? It’s not as easy as it seems
Today’s guest speaker is Magdalena Pawlitko, head of sales at Piwik PRO (DACH & France), a Polish company publishing software for web analytics. So, will Google Analytics be banned as a whole in Europe? We can find alternative answers to this question through research and Magdalena’s thoughts and knowledge on the topic.
However, predicting the end of Google Analytics isn’t as easy as it seems.
What are the current European threats against Google Analytics?
It all started in Austria when the European Centre for Digital Rights (NOYB), a non-profit organization based in Vienna, Austria filed a complaint directly against Austrian medical news company, NetDoktor. Like millions of others, the company was found to use a cookie from Google Analytics which, like Wired, the American magazine describes, tracks “the pages you read, how long you are on the website, and information about your device.” Google can also assign an identification number to the browser being used to link the visitor to other navigation data.
In addition, by using Google Analytics, all the data tracked by Google crosses the Atlantic from Europe and into the United States. On December 22, 2021, the Austrian Data Protection Agency (DPA) concluded that the use of Google Analytics violates GDPR. Natasha Lomas from TechCrunch further indicates that the “IP address anonymization function was not properly implemented.” The IP address is a personal piece of information that can be combined with other data to precisely identify the user.
However, this isn’t unique to NetDoktor as millions of companies in Europe use Google Analytics, but it is the clearest indicator that certain European regulators disagree with the way US tech companies send and collect data from Europe.
What are other countries thoughts on a Google Analytics ban?
At the moment, Austria has been the only European country to declare the use of Google Analytics as illegal. As Magdalena Pawlitko, from Piwik PRO puts it, “The recent regulations in Austria, are one of the strictest in Europe.” When looking into which other European countries are involved, Magdalena Pawlitko, states, “European countries have been impacted in the same way but have distinct views on this issue. For example, we have Austria, the Netherlands, France, and Germany, that are all preparing their response to the recent interpretations and legal requirements.” To prove Magdalena’s point, I have carried out some research about those countries.
As mentioned before regarding Austria, Matthias Schmidl, the deputy head of the Austrian data regulator, states in Wired, “The transfer of information from Austria to the US was found unlawful because there was no adequate level of protection for the personal data transferred.”
In the Netherlands, the protection authority is currently investigating two specific complaints against Google Analytics and has not yet determined whether the use of the platform will be banned.
As far as France is concerned, Magdalena Pawlitko adds, “I think France’s CNIL (the Commission Nationale Informatique & Libertés) is a good example as it shows people the direction and the tools that are GDPR compliant.” However, France’s CNIL is only giving formal notice to website owners using Google Analytics to cease the use of the platform or find a different data tracking tool that complies with GDPR and does not send data outside of Europe.
Lastly, in Germany, issues are examined on a case-by-case basis to determine whether protection is guaranteed, and in cases where it is not, “Supplementary measures must be taken to comply with this level of protection,” as stated by eTracker.
Regarding the European Union (EU) as a whole, it is expected that other European authorities will follow the decisions of data protection authorities, such as Austria and Germany. The director of data compliance for Europe, Simon McGarr, in Wired says, “The Austrian position is probably at one end of a spectrum of opinion—and it would probably represent the most radical end” and that other regulators will either endorse, amend, or reject actions similar to those of Austria. Other EU regulators will eventually come to their own conclusions when looking at other cases, especially since NOYB is currently preparing 10,000 other complaints.
If Google Analytics is banned more thoroughly in Europe, it will affect millions of European sites that rely on Google’s platform for data tracking (disclosure: including Visionary Marketing) and affect vendors such as Stripe, whose infrastructure is located and operates in the United States.
What could possibly happen in the future?
- Scenario one could be that Google Analytics is banned as a whole in Europe, where no data will be transferred from Europe and across the Atlantic into the United States, but this is not immediate and takes time as it has to be legally enforced. As a result, American companies such as Facebook, Microsoft, and Instagram, or those European companies whose infrastructure is in the United States, such as French health company, Doctolib, in that case be able to track and obtain information about their European consumers, ultimately not being able to operate anymore.
- Scenario 2 would consist in United States-based tech companies storing and consolidating data in Europe to ensure that they are entirely compliant with ePrivacy and GDPR laws. This would ultimately go against the CLOUD Act which states that all American service providers must when ordered, provide authorities in the United States with data that is stored in their servers whether that is domestically or internationally. As Magdalena Pawlitko confirms, “Every company which is US-controlled or US-based, is subject to US law, meaning that if the American government requests visitor data from these companies, then they must show them.” This law circumvents other countries’ laws regarding privacy, such as the GDPR in Europe. Therefore, this scenario would be difficult to fulfill as the CLOUD Act would have to be terminated, which is not as easy as it seems.
- Alternatively, scenario three would be that European businesses find alternatives to Google Analytics and ensure that whichever program they utilize complies with GDPR and ePrivacy rules. Unlike banning Google Analytics as a whole, having EU companies switch to a different platform is a quicker and more immediate action. Magdalena Pawlitko logically agrees with this scenario adding, “I think it’s quite wise for businesses to have a look at which European solutions one can use to ensure that one’s visitors’ data is safe and only used for what they consented to.”
- Finally, the fourth scenario is linked to the potential enforcement of the Innovation and Choice Online Act. Thomas Romanoff from Bipartisan Policy Center says that the act is “the latest bipartisan effort targeting big tech companies for potential antitrust and consumer choice violations.” If enforced, the issue would be settled.
What Should Businesses Do Moving Forward?
In conclusion, it takes time for regulations to change and laws to be passed and enforced globally. Alternatively, businesses can start working on finding other ways to track consumer data in a way that is safe and follows privacy laws. This way, Google Analytics, and other US-based analytics platforms would not have to be banned from Europe, and European companies can use local analytics platforms to keep their visitor’s data safe. Rather than wait for laws to be enforced, businesses should start working ethically and find alternatives that abide with ePrivacy and GDPR laws.