Date: 2022-01-18



The integration of Google Analytics into your website violates the General Data Protection Regulation (GDPR). That is the result of a recent decision by the Austrian Data Protection Authority (DSB). The decision stems from a complaint submitted by Noyb, the non-profit organization of Viennese data protection activist Max Schrems, as part of the complaints filed across Europe following the so-called “Schrems II” decision. In 2020, the European Court of Justice (ECJ) ruled that the use of US providers violates the GDPR, because US surveillance law requires US providers such as Google and Facebook to hand over personal data to US authorities.

After the model complaint, an interesting debate arose: Is the use of Google Analytics illegal in the EU? According to Max Schrems, the transmission of unique user ID numbers, IP addresses, and browser parameters is not adequately protected by the standard protection clauses provided by Google. In other words, Austrian data protection officials said Google’s analytics tool violated the European GDPR by transferring users’ personal data to Google in the United States.

The DSB considers it a breach of Article 44 of the GDPR that the analytics software sends personal user information to Google headquarters in the United States, where it is not protected from access by US authorities. Currently, there are many opinions that Austrian companies are no longer permitted to use Google Analytics at all, and that the DSB decision from an individual case (about netdoktor.at in 2020) can be carried over to all other web services of European companies.

This is not true, according to e-dialog, an agency that specializes in Google and data-driven advertising and has branches in Vienna, Düsseldorf and Zurich. “Current news falsely reports that Google Analytics is no longer compliant with data protection after a decision by the Austrian data protection authorities,” said the current mailing and blog post to the agency’s customers. This statement should not be generalized. You can continue to use Google Analytics in the EU in compliance with data protection. For example, in the case of Netdoktor, there was no cookie approval mechanism during the relevant period referenced by the DSB’s decision. This is now standard on many websites.

5 points to consider

According to the agency E-dialog, website operators can continue to use Google Analytics, considering the following:

Accept DPA from Google: Google has updated the Google Data Processing Terms for all Google Products (DPA) to reflect the new version of the standard contract terms. Accept the new Google DPA in your Google Analytics settings.

Reference to the possibility of data transfer to third countries in the data protection rules.

Obtain user consent: “This means that Google Analytics can only be launched with consent, and information about it can be stored and provided. The Consent Management Platform (CMP) facilitates this process,” says e-dialog.

Correct configuration of Google Analytics: According to e-dialog experts, no personal data should flow into Analytics during setup. Therefore, you need to take advantage of IP anonymization.

Switch to server-side tracking: “Server-side tracking extends the life of first-party cookies and bypasses some tracking blockers. Not only is it a good solution, but there is also the option to adapt the data before it is sent to Google Analytics,” says e-dialog. “Specifically, this means that before the data is sent to Google Analytics, for example, the user’s IP address will be permanently removed.”

Data catalyst: According to Klaus Müller, co-CEO and co-founder of startup Jentis, attention should be paid to the details. Server-side tracking from Google on Google Cloud is not enough; it requires an upstream data catalyst that anonymizes the data before it reaches Google, and Jentis provides such a tool. Even if the Google Cloud data is on a server in Europe, US authorities can access it through the US Cloud Act.

“That’s why it’s so important to pre-anonymize or encrypt your personal or relevant data and encrypt it externally to Google using European compliance tools that aren’t externally accessible. This is the only way to ensure that your enterprise properly protects relevant data. This step represents an obligation for businesses to take additional steps if necessary to close the protection gap in third-country legal systems,” Müller said. However, e-dialog’s Siegfried Stepke says that the server-side part of Google Analytics can also be set up to be compliant. Middleware is not always necessary.
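As an added example (not code from e-dialog, Jentis or Google), the following first-party filter shows the kind of adaptation described above for server-side tracking and pre-anonymization: the IP address is never copied, the user ID is replaced by a keyed hash whose key stays on the operator's own server, and browser parameters are reduced to a browser family. The field names, the sample hit and the key are constructed for illustration and are not Google's schema.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Hypothetical field names for a first-party tracking hit; not Google's schema.
FORWARDED_FIELDS = {"event", "page_url", "timestamp"}

def pseudonymize(client_id: str, key: bytes) -> str:
    """Keyed hash of the user ID; the key stays on the operator's own server."""
    return hmac.new(key, client_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]

def strip_url(url: str) -> str:
    """Drop query string and fragment, which often carry e-mail addresses or tokens."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

def coarse_browser(user_agent: str) -> str:
    """Reduce the user agent to a browser family instead of a fingerprintable string."""
    for marker, family in (("Edg/", "Edge"), ("Firefox/", "Firefox"),
                           ("Chrome/", "Chrome"), ("Safari/", "Safari")):
        if marker in user_agent:
            return family
    return "Other"

def sanitize_hit(hit: dict, key: bytes) -> dict:
    """Build the outbound record from an allow-list; the IP is never copied."""
    out = {name: hit[name] for name in FORWARDED_FIELDS if name in hit}
    if "page_url" in out:
        out["page_url"] = strip_url(out["page_url"])
    if "client_id" in hit:
        out["client_id"] = pseudonymize(hit["client_id"], key)
    if "user_agent" in hit:
        out["browser"] = coarse_browser(hit["user_agent"])
    return out

# Constructed sample hit as the first-party endpoint might receive it.
SAMPLE_HIT = {
    "event": "page_view",
    "page_url": "https://shop.example/checkout?email=jane%40example.org#step2",
    "timestamp": 1642500000,
    "client_id": "GA1.2.1234567890.1642500000",
    "ip": "203.0.113.57",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36",
    "screen": "2560x1440",
}
SAMPLE_KEY = b"constructed-demo-key-keep-real-one-in-a-secret-store"
if __name__ == "__main__":
    print(sanitize_hit(SAMPLE_HIT, SAMPLE_KEY))
```

Because the outbound record is built from an allow-list, any field the site adds later (such as the screen size in the sample) stays behind unless it is explicitly forwarded.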

Of course, DSB’s decision is also an opportunity to find possible alternatives to Google Analytics. Trend topics will quickly give you an overview.

Note: Added e-dialog and Jentis details on server-side tracking, compliance, and middleware.

