Google always sends your data to the USA
Roughly 85% of all websites that use web analytics use Google Analytics, which still makes it the most popular website tool for spying on users’ behavior. Just recently, Google admitted that all data collected with Google Analytics is sent to the US and processed there.
Why did Google admit this?
The data protection organization noyb filed a complaint against Google with the Austrian supervisory authority (DPA). The latter then addressed 20 questions to Google. Among other things, Google announced that they are still strongly committed to keeping data exclusively in the USA. Why Google is doing this is relatively easy to explain:
The legal situation
In ruling C-311/18 on July 16, 2020, the European Court of Justice (ECJ) declared the Privacy Shield between the EU and the US invalid (with immediate effect). As a result, the USA is considered an unsafe third country and any transfer of personal data requires consent. On websites, there is always a transfer of personal data, since the IP address (according to the highest court decision) is in fact personal data. Storage of this data therefore requires the clear consent of the visitor.
The US is considered an unsafe third country because it has legal instruments that allow US authorities (such as intelligence agencies) to access the data of US companies. So if, for example, a company from Germany stores customer data with an American service, the American authorities can access it.
The legal instruments that authorize the US authorities to access data are, in particular, the Foreign Intelligence Surveillance Act (FISA) and Executive Order EO12333. For both regulations, Google clarifies in its response to the supervisory authority that they only allow access to data stored outside the USA. Or, simplified: Google stores all data in the USA, and due to FISA and EO12333 no access can take place. So your data is safe with Google.
Is your data safe in the U.S.?
Based on FISA and EO12333, the American authorities have the option of carrying out what is known as upstream collection. In simplified terms, this involves tapping into a transatlantic cable through which data flows into the U.S. from everywhere. Without consent, this is of course illegal, and the persons concerned would have to be informed about it. Furthermore, the data subjects (according to the GDPR) would have to have a right to object, among other things. However, this is gallantly ignored by the American authorities. For this reason alone, consent for Google Analytics would have to be requested before the tool is even loaded. So whether the data is safe with Google in the USA is very questionable.
What is the alternative?
Admittedly, this article may read like a science fiction novel from the future, but the above-mentioned methods and processes are used every day and definitely need more public attention. Obtaining effective consent for Google Analytics seems difficult. Most cookie banners, notifications or consent tools are not only annoying, but in most cases they are also non-compliant, and consequently no data protection is guaranteed. Website operators rely too much on such consent tools and do not ensure compliance with data protection rules (e.g. the simple installation of a cookie plugin is not sufficient).
At nilly, we make it possible to analyze website visitors without collecting and storing personal data. No IP tracking, no cookies, no fingerprinting, and consequently no consent request. That means no more annoying cookie banners and full compliance with data protection rules. nilly is completely operated and hosted in Switzerland (or optionally also Germany) and there are no points of contact with the USA.
If you care about your and your visitors’ privacy, we strongly recommend that you stop providing free data to Google. Choose web analytics with 100% privacy that belong to you. Protect your privacy with nilly!