Η Ευρώπη εναντίον της Google Analytics

The Austrian website of medical news company NetDoktor works like millions of others. Load it up and a cookie from Google Analytics is placed on your device and tracks what you do during your visit. This tracking can include the pages you read, how long you are on the website, and information about your device—with Google also assigning an identification number to your browser that can be linked to other data.

NetDoktor can use this analytics data to see how many readers it has and what they’re interested in—the website picks what it collects. But by using Google Analytics, the tech giant’s traffic monitoring service, all this data passes through Google’s servers and ends up in the United States. For data regulators in Europe, the shipping of personal data across the Atlantic remains problematic. And now a small Austrian medical website finds itself at the center of an almighty tussle between US laws and Europe’s powerful privacy regulations.

On December 22, the Austrian data regulator, Datenschutzbehörde, said the use of Google Analytics on NetDoktor breached the European Union’s General Data Protection Regulation (GDPR). The data being sent to the US wasn’t being properly protected against potential access by US intelligence agencies, the regulator said in a decision that was published last week. Days earlier it was revealed that European Parliament’s Covid-19 testing website had also breached GDPR by using cookies from Google Analytics and Stripe, according to a decision from the European Data Protection Supervisor (EDPS).

The two cases are the first decisions following a July 2020 ruling that Privacy Shield, the mechanism used by thousands of companies to move data from the EU to the US, was illegal. These landmark cases will likely pile pressure on negotiators in the US and Europe who are trying to replace Privacy Shield with a new way for data to flow between the two. If an agreement takes too long, then similar cases across Europe could have a domino effect, with cloud services from Amazon, Facebook, Google, and Microsoft all potentially being ruled incompatible, one country at a time. “This is an issue that touches all aspects of the economy, all aspects of social life,” says Gabriela Zanfir-Fortuna, vice president of global privacy at Future of Privacy Forum, a nonprofit think tank