Breaking news: The Austrian Data Protection Authority (“Datenschutzbehörde” or “DSB” or “DPA”) has ruled that Austrian website providers using Google Analytics are in violation of the GDPR.
This ruling stems from a 2020 decision by the Court of Justice of the European Union (CJEU), which stated that cloud services hosted in the US are incapable of complying with the GDPR and EU privacy laws. The decision was made because US surveillance laws require US providers (like Google or Facebook) to provide personal data to US authorities.
The 2020 ruling, known as “Schrems II”, marked the ending of the Privacy Shield, a framework that allowed for EU data to be transferred to US companies that became certified.
The tech industry was sent into a frenzy following this decision, but many US and EU companies decided to ignore the case. That choice is what landed one Austrian business in the DPA’s line of fire, damaging the brand’s reputation and possibly resulting in a hefty fine of up to €20 million or 4% of the organisation’s global turnover.
About the Austrian DPA’s Model Case
In this specific case, noyb (the European Center for Digital Rights) found that IP addresses (which are classified as personal data by the GDPR) and other identifiers were sent to the US in cookie data as a result of the organisation using Google Analytics.
This model case led to the DPA’s decision to rule that Austrian website providers using Google Analytics are in violation of GDPR. It is believed that other EU Member States will soon follow in this decision as well.
"We expect similar decisions to now drop gradually in most EU member states. We have filed 101 complaints in almost all Member States and the authorities coordinated the response. A similar decision was also issued by the European Data Protection Supervisor last week."
Max Schrems, honorary chair of noyb.eu
What does this mean if you are using Google Analytics?
If there is one thing to learn from this case, it is that ignoring these court rulings and continuing to use Google Analytics is not a viable option.
If you are operating a website in Austria, or your website services Austrian citizens, you should remove Google Analytics from your website immediately.
For businesses in other EU Member States, it is also highly recommended that you take action before noyb and local data protection authorities start targeting more businesses.
"Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options."
Max Schrems
Removing Google Analytics from your site doesn’t mean that you need to give up website analytics altogether though. There are a variety of Google Analytics alternatives available today. Matomo in particular is a powerful open-source web analytics platform that gives you 100% data ownership and GDPR compliance.
Matomo is one of the best Google Analytics alternatives, offering privacy by design on our Cloud, On-Premise and Matomo for WordPress, so you can get the insights you need while remaining compliant. As the GDPR continues to evolve, you can rest assured that Matomo will be at the forefront of these changes.
In addition, all Google Analytics data can be imported into Matomo so no historical data is lost. To make your migration as seamless as possible, we’ve put together a guide to migrating from Google Analytics to Matomo.
Ready to begin your journey to GDPR compliance? Check out our live demo and start your 21-day free trial now – no credit card required.
If you are interested in learning more about GDPR compliance and Matomo, check out our GDPR resources below:
- GDPR Manager user guide
- How to fill in the information asset registration when using Matomo
- How to make Matomo GDPR compliant in 12 easy steps
- How to not process any personal data with Matomo and what it means for you
- PII, personal data and GDPR. Discover what this means for your privacy
- How should I write my privacy notice for Matomo Analytics under GDPR
- Lawful basis for processing personal data under GDPR with Matomo
- How to complete your privacy policy with Matomo Analytics under GDPR
- GDPR compliance for Premium Features
- How to get your Matomo plugin ready for GDPR
- Subprocessors on Matomo Cloud (subprocessors not applicable to On-Premise)
- Privacy in Matomo
What does this mean if you are using Matomo?
Our users can rest assured that Matomo remains in compliance with GDPR as all data is stored in the EU (Matomo Cloud) or in any country of your choice (Matomo On-Premise). With Matomo you’re able to continue analysing your website and not worry about GDPR.
Final thoughts
For EU businesses operating websites, now is the time to act. While Google pushes out false narratives to try and convince users that it is safe to continue using Google Analytics, it’s clear from these court rulings that the data protection authorities across the EU disagree with Google’s narrative.
The fines, reputational damage and stress that come with using Google Analytics are imminent. Find an alternative to Google Analytics, as this problem is not going away.
Getting started with Matomo is easy. Make the switch today and start your free 21-day trial – no credit card required.