“Europe’s Move Against Google Analytics Is Just the Beginning”
WIRED, January 19, 2022
Security
By Matt Burgess
“Austria’s data regulator has found that the use of Google Analytics is a breach of GDPR. In the absence of a new EU-US data deal, other countries may follow.”
The Austrian website of medical news company NetDoktor works like millions of others. Load it up and a cookie from Google Analytics is placed on your device and tracks what you do during your visit. This tracking can include the pages you read, how long you are on the website, and information about your device—with Google also assigning an identification number to your browser that can be linked to other data.
NetDoktor can use this analytics data to see how many readers it has and what they’re interested in—the website picks what it collects. But by using Google Analytics, the tech giant’s traffic monitoring service, all this data passes through Google’s servers and ends up in the United States. For data regulators in Europe, the shipping of personal data across the Atlantic remains problematic. And now a small Austrian medical website finds itself at the center of an almighty tussle between US laws and Europe’s powerful privacy regulations.
On December 22, the Austrian data regulator, Datenschutzbehörde, said the use of Google Analytics on NetDoktor breached the European Union’s General Data Protection Regulation (GDPR). The data being sent to the US wasn’t being properly protected against potential access by US intelligence agencies, the regulator said in a decision that was published last week. Days earlier it was revealed that the European Parliament’s Covid-19 testing website had also breached GDPR by using cookies from Google Analytics and Stripe, according to a decision from the European Data Protection Supervisor (EDPS).
The two cases are the first decisions following a July 2020 ruling that Privacy Shield, the mechanism used by thousands of companies to move data from the EU to the US, was illegal. These landmark cases will likely pile pressure on negotiators in the US and Europe who are trying to replace Privacy Shield with a new way for data to flow between the two. If an agreement takes too long, then similar cases across Europe could have a domino effect, with cloud services from Amazon, Facebook, Google, and Microsoft all potentially being ruled incompatible, one country at a time. “This is an issue that touches all aspects of the economy, all aspects of social life,” says Gabriela Zanfir-Fortuna, vice president of global privacy at Future of Privacy Forum, a nonprofit think tank.
NetDoktor isn’t unique—but it is the clearest hint yet that European regulators still don’t like the way US tech companies send data across the Atlantic. Current US surveillance laws, including Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, don’t protect data held on people living outside the US as well as they do those living inside it. In short: It’s theoretically possible for US surveillance agencies to collect huge amounts of data that’s moved to the country.
“What they do right now would be a violation of the Fourth Amendment if it’s for US citizens,” claims Max Schrems, honorary chair of legal nonprofit organization noyb, who launched the legal cases that brought down Privacy Shield in 2020 and its predecessor Safe Harbor in October 2015. “Just because people are foreigners it’s not a violation of the US Constitution.” One outcome of the 2020 Privacy Shield ruling is that companies moving data from the EU to the US must make sure there are extra measures in place to protect that information. Now the Austrian Data Protection Authority has determined that the technical measures put in place by Google Analytics—including limiting access to data centers and encrypting data as it moves around the world—don’t do enough to stop it potentially being scooped up by US intelligence agencies.
About the Author:
Matt Burgess is a senior writer at WIRED focused on information security, privacy, and data regulation in Europe. He graduated from the University of Sheffield with a degree in journalism and now lives in London.