The Irish Data Protection Commission (the DPC) issued a €1.2 billion fine to Meta on 22 May 2023 for violating the General Data Protection Regulation (GDPR).
The regulator ruled that Meta was unlawfully transferring European users’ data to its US-based servers and failing to take sufficient measures to protect users’ privacy.
Meta must now suspend the data transfers within five months and delete the EU/EEA users’ personal data that was illegally transferred across the border, or it risks another round of repercussions.
Meta kept transferring personal user data to the USA after an earlier ruling of the Court of Justice of the European Union (CJEU) that had already addressed problematic EU-US data flows. Meta based those continued transfers on the updated Standard Contractual Clauses (“SCCs”) adopted by the European Commission in 2021.
The Irish regulator successfully established that these arrangements did not sufficiently address the “fundamental rights and freedoms” of European data subjects, as outlined in the CJEU ruling. Meta was not doing enough to protect EU users’ data against possible surveillance and unconsented use by US authorities or other authorised entities.
Why Are European Regulators Going After US Big Tech Firms?
GDPR regulations have been a sore area of compliance for US-based big tech companies.
Effectively, they had to adopt a host of new measures for collecting user consent, ensuring compliant data storage and the right to request data removal for a substantial part of their user bases.
The wrinkle, however, is that companies like Google and Meta, among others, don’t have separate data processing infrastructure for different markets. Instead, all the user data gets commingled on the companies’ servers, which are located in the US.
The location of the data storage facilities is the issue. In 2020, the CJEU made a landmark ruling invalidating the Privacy Shield. Under that arrangement, international companies had been allowed to transfer data between the EU and the US as long as they adhered to seven data protection principles.
However, the investigation found that the Privacy Shield scheme was not GDPR compliant, so companies could no longer rely on it to justify cross-border data transfers.
The invalidation of the Privacy Shield gave ground for further investigations of the big tech companies’ compliance statuses.
In March 2022, the Irish DPC issued the first €17 million fine to Meta for “insufficient technical and organisational measures to ensure information security of European users”. In September 2022, Meta was again hit with a €405 million fine for Instagram breaching GDPR principles.
2023 began with another series of rulings, with the DPC concluding that Meta had breached the GDPR in relation to its Facebook service (€210 million fine) and in relation to Instagram (€180 million fine).
Clearly, Meta already knew they weren’t doing enough for GDPR compliance and yet they refused to take privacy-focused action.
Is Google GDPR Compliant?
Google has a similar “track record” to Meta when it comes to full compliance with the GDPR. Although Google says it provides users with more controls for managing their data privacy, the proposed solutions only scratch the surface.
In the background, Google continues to leverage its ample reserves of user browsing, behavioural and device data in product development and advertising.
In 2022, the Irish Council for Civil Liberties (ICCL) found that Google used web users’ information in its real-time bidding ad system without their knowledge or consent. The French data regulator (CNIL), in turn, fined Google for €150 million because of poor cookie consent banners the same year.
Google Analytics GDPR compliance status is, however, the bigger concern.
Neither Google Universal Analytics (UA) nor Google Analytics 4 is GDPR compliant, following the invalidation of the Privacy Shield framework in 2020.
The regulatory rulings affect not just Google but also GA users. Because the product is in breach of European privacy laws, the people using it are complicit. Privacy groups like noyb, for example, are exercising their right to sue individual websites that use Google Analytics.
How to Stay GDPR Compliant With Website Analytics
To avoid potential risk exposure, carefully investigate each website analytics provider’s data storage and management practices.
Ask first where the provider stores its data. For example, Matomo Cloud keeps all the data in the EU, while the Matomo On-Premise edition gives you the option to store data in any country of your choice.
Secondly, ask about their process for consent tracking and subsequent data analysis. Our website analytics product is fully GDPR compliant: first-party cookies are enabled by default, we offer a convenient way to track opt-outs, we provide a data removal mechanism and we practise safe data storage. In fact, Matomo was approved by the French Data Protection Authority (CNIL) as one of the few web analytics apps that can be used to collect data without tracking consent.
Using the built-in GDPR Manager, Matomo users can implement the right set of controls for their market and industry. For example, you can apply additional data or IP anonymisation, or disable visitor logs and profiles.
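To show what the IP anonymisation control described above actually does to stored data, here is an added example (written for this post, not Matomo’s own code): it zeroes the trailing bytes of a visitor’s IP before the visit record is persisted and drops profile fields that are not needed for aggregate reporting. The `mask_bytes` setting and the IPv6 mapping (four IPv6 bytes per IPv4 byte) are this example’s own choices, not a description of Matomo’s configuration.

```python
import ipaddress


def anonymize_ip(ip_text: str, mask_bytes: int = 2) -> str:
    """Return ip_text with its least significant bytes zeroed.

    IPv4: the last `mask_bytes` octets are cleared (1..3).
    IPv6: four times as many bytes are cleared, so the same setting removes a
    comparable amount of identifying detail (a choice made for this example).
    """
    if not 1 <= mask_bytes <= 3:
        raise ValueError("mask_bytes must be between 1 and 3")
    addr = ipaddress.ip_address(ip_text)
    raw = bytearray(addr.packed)
    n = mask_bytes if addr.version == 4 else mask_bytes * 4
    for i in range(len(raw) - n, len(raw)):
        raw[i] = 0
    return str(ipaddress.ip_address(bytes(raw)))


# Only these fields are needed for page-level statistics; everything else
# (user agent, visitor id, etc.) is dropped so no visitor profile is built.
PERSISTED_FIELDS = {"url", "referrer", "timestamp"}


def minimise_visit(raw_event: dict, mask_bytes: int = 2) -> dict:
    """Build the record that would be written to storage from a raw tracking hit."""
    record = {k: v for k, v in raw_event.items() if k in PERSISTED_FIELDS}
    record["ip"] = anonymize_ip(raw_event["ip"], mask_bytes)
    return record


if __name__ == "__main__":
    # Constructed sample hit (documentation IP ranges, not real visitors).
    hit = {
        "ip": "198.51.100.23",
        "url": "https://example.test/pricing",
        "referrer": "https://example.test/",
        "timestamp": "2023-05-22T10:15:00Z",
        "user_agent": "Mozilla/5.0 (constructed)",
        "visitor_id": "deadbeefcafe0000",
    }
    print(minimise_visit(hit))
```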
Learn more about GDPR-friendly website analytics.
Since the GDPR came into effect in 2018, over 1,400 fines have been issued to companies in breach of the regulations. Meta and Google were initially lax in responding to European regulatory demands, but as new fines follow and consumer pressure mounts, Big Tech companies are being forced to take more proactive measures: adding opt-outs for personalised ads and introducing an alternative mechanism to third-party cookies.
Companies using non-GDPR-compliant tools risk finding themselves in the crossfire of consumer angst and regulatory criticism. To operate an ethical, compliant business, consider privacy-focused alternatives to Google products, especially in the area of website analytics.