The Austrian Data Protection Authority has ruled that continued use of Google Analytics violates Europe’s privacy law, the General Data Protection Regulation (GDPR), a decision that could have a significant impact on US cloud services.
This is according to privacy advocacy group Noyb, which brought the matter to the authority and published the decision on its website on Thursday (January 13). The group, led by privacy activist Max Schrems, called the decision “unprecedented”.
“This is a very detailed and sound decision,” said Schrems, whose group has taken similar actions against Apple and Facebook.
“The bottom line is this: companies can no longer use US cloud services in Europe. It’s been 1.5 years now that the Court of Justice has ratified this for the second time, so it’s high time that the law even applies.”
Read more: European privacy advocate files legal dispute over Apple’s tracking tool
The DPA found that the IP addresses and identifiers in the cookie data are personal data of a visitor and thus are subject to data protection legislation.
The matter stems from a health website called netdoktor.at, which – according to the DPA – had not properly set up the IP “anonymization” function. In addition, the authority maintains that IP address data is personal data, as it can be combined with other digital data to determine the identity of the visitor.
The DPA stated that the site thus violated GDPR by exporting visitor data to the US by implementing Google Analytics.
“US intelligence services use certain online identifiers (such as an IP address or unique identification number) as a starting point for monitoring individuals,” the authority says.
“In particular, it cannot be excluded that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant.”
Noyb says the decision is relevant to almost every website in the European Union, as Google Analytics is the most common statistics program.
“While there are many alternatives that are hosted in Europe or can be self-hosted, many websites rely on Google and thus forward their user data to US multinationals,” the group said. “The fact that data protection authorities can now gradually declare US services illegal puts additional pressure on EU companies and US providers to move towards safer and legal alternatives such as hosting outside the US.”