What has been decided?
Various data protection authorities in Europe have classified the use of Google Analytics as a breach of the GDPR. Or in simpler terms: the use of Google Analytics is illegal.
The civil rights organisation led by Max Schrems, noyb.eu, submitted a total of 101 model complaints to various data protection authorities throughout Europe in 2020 and provides ongoing information on the decisions that have been made.
Updates
- 13 January 2022: the decision of the Austrian data protection authority, read here.
- 10 February 2022: the decision of the French data protection authority, read here.
- 23 June 2022: the decision of the Italian data protection authority, read here.
The legal basis for the decisions is the Schrems II ruling of the European Court of Justice (ECJ) from 2020, which concerns data transfers from the EU to the USA. The ECJ determined that personal data (or personally identifiable information, PII) must not be transferred from the EU to the USA, as no adequate level of protection can be guaranteed. This affects the majority of all EU websites, as Google Analytics is still the most widely used web analytics tool. However, these decisions do not only affect Google Analytics but apply to all data traffic from the EU to the US.
Do these decisions only affect companies in the EU?
No, these decisions affect any company that gets data traffic from the EU.
Is my website affected?
If you answer YES to one of the two questions below, then your website is in breach of the General Data Protection Regulation (GDPR, for companies in the EU) or, from the end of 2023, the Federal Data Protection Act (FDPA, for companies in Switzerland) and you need to take action:
- Is the provider or developer of your web analytics tool a US company?
- Are your web analytics hosted by a US company?
Important: it does not matter if the servers of this provider are located in the EU. They still belong to the US company and are subject to FISA 702 and EO 12.333, which means that your data is accessible to US law enforcement.
Google Analytics offers the option of IP anonymisation. Does this comply with data protection requirements?
No. This anonymisation happens within the browser (client-side), but the IP address is still sent with the HTTP request. This means that the anonymisation only takes place after the data has been transmitted to Google.
What can I do to make my website privacy compliant?
The easiest way: use web analytics for your website that do not transfer data from the EU (or CH) to the US. This way you ensure that your visitors' data is protected from US surveillance. After all, Google Analytics is "free" for a reason.
With nilly this problem is solved automatically. Our company is based in Switzerland and our servers are hosted by local providers in Switzerland and Germany (you can choose your preferred location). At no time is there any connection with US providers and therefore with US law enforcement. Furthermore, nilly was developed with the Privacy by Design approach: we do not collect any personal data in the first place. That means we are fully compliant with all data privacy laws.