Violation of GDPR: Will Google Analytics soon be blocked in the EU?

And the groundhog says hello every day. Once again, one of the US tech giants is having problems with European data protection law. This time it’s Google. But this is by no means a first for the search engine giant. The company is already well aware that its in-house marketing tool Google Analytics violates applicable EU law. Despite appropriate improvements, the French data protection authority CNIL is still not satisfied with the result. Website operators who use the statistics tool are now suffering first and foremost.

No sufficient protection against US intelligence services

As with Meta, Google’s data processing is regularly the number one topic of contention in the EU. The reason for all this is the fact that both tech giants do not process European users’ data in the EU itself. Instead, they are forwarded all the way to the US. Understandably, the data protection authorities of the EU members fear that the user data could be used by NSA, CIA & Co. Since this glaring security problem has already been pointed out to Google, the company has tried to make improvements. As it now turns out, this was done without success.

The CNIL still affirms that the IT company’s actions violate the EU’s General Data Protection Regulation (GDPR). In particular, Google’s statistics tool does not comply with the regulation in terms of data transfer. According to the CNIL, even the increased security measures taken by Google do not change this. The EU’s objective of protecting EU citizens from access by foreign intelligence services is simply not met. Google would have to make further improvements here or, consequently, completely abandon Google Analytics in Europe.

Unanimous opinion within the EU

The renowned French data protection authority is, of course, not the first to rebel against Google’s questionable data transfer. The Austrian counterpart DSB also pointed out the grievances a few weeks ago. But why are the complaints piling up at the moment? The cause probably lies in a landmark ruling by the European Court of Justice (ECJ) from just under a year and a half ago. In the so-called “Schrems II case,” the judges were asked to examine the extent to which the protective measures of the large U.S. tech companies were sufficient to meet the requirements of the GDPR.

Since time immemorial, Google, Meta & Co. have relied on the so-called “Privacy Shield”. This is intended to ensure the safest possible data transmission of user data to the USA. The ECJ ruled in the summer of 2020 that this does not comply with the applicable standards of the GDPR. The reason for its ruling was, among other things, the “Cloud Act” applicable in the USA. This allows US intelligence services to access protected data in the event of a “threat to national security”, even through the Privacy Shield.

Big problems for website operators

But it’s not just Google itself that is nibbling away at the ECJ ruling. Since website operators in the European Union rely primarily on the search engine giant’s analysis tool, they now fear for the future of their Internet presences. This is made clear by the example from France that has now become known. There, the CNIL instructed a website operator to adapt the processing of user data to the standard of the GDPR. The forwarding of data to the USA is a thorn in the side of the authority. Since this is simply impossible when using Google Analytics, the CNIL informed the website operator that he must replace Google Analytics with another statistics tool if necessary. We are curious