Europe has been hit with a series of Google Analytics restrictions in recent months. There are several incidents in different countries, but the most widely spread incidence was related to the regulations in Italy, France, and Austria, where data protection regulators said that the use of Google Analytics is not GDPR compliant.
In this article, I want to talk about the regulations prohibiting the data transfer of European users to US companies. I will also cover how you can use Stape Europe to set up an EU proxy server for server GTM that will help make the use of Google Analytics GDPR compliant.
The legal story of data sharing between EU and US companies started in 2016 when the European Commission approved the Privacy Shield (a legal framework that regulates data transfer for commercial purposes between US and EU companies).
In 2020 the European Court of Justice declared that Privacy Shield has a disability. It happened since US law does not offer sufficient personal data protection for European residents.
The extensive discussion in this ruling was about Google services (like Google Analytics or Google Fonts) which can’t guarantee that EU user data is safe.
Regulators declared that asking for user consent (or standard contractual clauses) on the site and triggering a US-based intelligent tracking tool based on user consent won’t make it GDPR compliant.
The two most famous incidents related to data transfer of EU users to the US were in Italy and France. Let’s start with the French one.
The French data protection authority (CNIL) received complaints from French users who asked if the use of Google Analytics (an intelligence tool that belongs to the USA company) complies with the GDPR rules.
The CNIL stated that using Google Analytics by French websites resulted in a data transfer of European users to US companies. This violates the GDPR rules since US companies do not provide enough evidence that the personal data of EU users are safe. Besides that, the CNIL has confirmed that Google's implementation of SCCs is not enough to meet the GDPR requirements.
The situation in Italy is somehow similar. The Italian SA regulator received questions from several users on whether a particular Italian site's use of Google Analytics falls under the GDPR. After the lengthy investigations, the Italian regulator warned companies to stop using Google Analytics or set up GA in a GDPR-compliant way in 90 days.
Besides that, the Italian regulator released a public notice that they received multiple complaints about the data transfer to the USA companies. All Italian website owners should consider this in implementing US-based intelligent tracking tools. Otherwise, penalties may be applied.
So, to sum up, the data transfer of EU users to US companies is not GDPR compliant. The biggest question relates to using Google Analytics since it’s the most widely spread analytics tool.
Comments