The Austrian Data Protection Authority (DSB) has ruled that the use of Google Analytics is in violation of the GDPR in a case involving NetDoktor, a health portal providing medical tools and news. NetDoktor, like millions of other websites, uses GA for their site’s tracking and analytics.
The NGO, My Privacy is None of Your Business (noyb), filed complaints against NetDoktor and 100 other European companies that still use Google Analytics. This is because the Court of Justice of the European Union (CJEU) ruled in their “Schrems II” decision that using Google Analytics or Facebook Connect is in violation of the GDPR because user data is transferred to the U.S.
The upheld claims were:
- Unique user identification numbers, IP addresses, and browser parameters were being sent to Google as part of the user’s tracking.
- Standard data protection clauses between NetDoktor and Google are not adequate because all data sent to the U.S. is subject to American surveillance laws.
- Privacy Shield was annulled by the Schrems II decision, so there is currently no agreed upon way for the transfer of data between the EU and the U.S.
This decision puts pressure on tech giants and their customers to comply with GDPR to the letter of the law instead of hoping that business contracts will sufficiently protect them from penalties and fines. This could also spur the EU and U.S. government to negotiate a successor to Privacy Shield. Privacy Shield itself was the second attempt to agree upon data transfer conditions between the two blocks so that data can continue to flow between continents.
But, what does this mean for you and your business while these issues are being hashed out? First and foremost, you can confirm where your data is being sent to determine if you need to find alternative storage or tracking solutions. Then you can begin to address the bigger question of what those alternatives might be and how and when to implement them.
ObservePoint can help you with that initial assessment with our Privacy Compliance solution. Our easy-to-use, visual report for Technology Geolocation allows you to quickly confirm the physical location of all network request endpoints. You can set up custom rules for specific locations and get notified if your rules are broken. For more information, fill out the form for a demo or sample audit.