Around the New Year, the European Union announced deep concern about Google Analytics, followed by the threat of a possible ban. Since we work very closely with data specialists here at Proteqt, I could not let the subject pass me by. Like many others, I was left wondering: “What are the grounds for this threat, and what would the possible ramifications look like?”
The General Data Protection Regulation (GDPR) has applied in Europe since May of 2018. This legislation is a collection of rules that deal with the handling of personal data of all European citizens. Recently, Google Analytics has been accused of not complying with this legislation by the French privacy watchdog CNIL and by the non-profit organization NOYB. The question that now arises is: is Europe going to ban the use of Google Analytics for European websites?
What is Google Analytics used for?
In short, Google Analytics is software from Google that can be used to measure all activity towards and on websites. It gathers statistics and displays them in detail. This way, website owners can attach data to the behavior of their visitors and continuously improve the user experience. The software links a tracking code to the website, allowing Google Analytics to gather the data and then present it in several reports. This process currently requires moving the collected data to the US, where Google has its headquarters, before the reports are delivered to the web analysts.
So what is the issue?
Due to the current shifts in European regulations, European websites could (relatively soon) no longer be allowed to use Google Analytics to gather all this valuable data. But why take away software that significantly facilitates the improvement of websites? There are two reasons that suggest that Google Analytics is not complying with this European legislation. First, the way Google Analytics transports the data is not in line with the European GDPR. Second, the data of the users of these websites is insufficiently protected. In both cases, this is a direct infringement of Europe’s mission to protect the privacy of its citizens.
Simply put, in Europe, it is forbidden to use anyone’s personal information if the reason for it is not transparent and reasonable. Reasonable means that there needs to be a justified goal for using this data. This goal must be well-defined and explicitly described in advance. The purpose for which an organization will use the personal data must be compatible with the reason for collecting the data in the first place. To ensure that organizations from different continents who work together are still compliant with this legislation, there should be a privacy agreement between said continents. However, a previously drafted privacy agreement between the U.S. and the EU was invalidated by the European Court of Justice in 2020. For now, negotiations on such a privacy deal between these continents remain ongoing.
What is The Netherlands doing about it?
So, what is currently happening here in the Netherlands? For now, the Dutch Personal Data Authority is investigating a possible ban on Google Analytics if Google fails to provide a different, transparent way of handling data. The investigation has not yet been completed, but the decision in this case will follow soon.
As specialists in Data, Security and Cloud, we try to help our clients get staff with the right skillset to make sure everything is running smoothly and safely. Are you having a hard time finding the right people for the job? Then you can always contact me at manon@proteqt.nl