Excursus: Data Tracking

As data tracking and cookie consents play a big role in developing deceptive design patterns* I would like to make an excursion and dive into privacy and data protection in today’s blogpost. Due to a recent ruling of the Austrian Data Protection Authority on a case filed by noyb, using Google Analytics violates the General Data Protection Regulation (GDPR, dt. DSGVO) and is therefore illegal. Other EU-countries are expected to follow this example. Reason for this is the ruling in 2020 that banned US providers within the European Union, because they violate the GDPR by giving away personal data to the US authorities.

What is noyb?

noyb is an organization founded by Max Schrems – an Austrian lawyer and privacy activist – that focuses on data protection and fights for compliance with the GDPR, thus actively protecting the privacy rights of individuals. The platform combines the work of lawyers, legal tech specialists, hackers and consumer right groups and uses PR and media as a tool to create awareness in order to force companies to comply with the European privacy laws set out in the GDPR. Their strategy is to analyze and find infringements all over Europe and litigate them afterwards. The main goal of the operation is to maximize privacy and digital freedom for all citicens. 

What is Google Analytics?

Like I already mentioned in the intro of this blogpost there has been a pioneer ruling in 2020 – the „Schrems II“ ruling – which legally defined that data transfer to US providers is violating the GDPR, making the „Privacy Shield“ inadmissible. The main reason for this decision was that US authorities have access to personal data, eg. user identification numbers, IP address and browser parameters, by US law. However the big players in the tech industry like Microsoft, Facebook, Amazon and Google tried to find loopholes by editing statements in their privacy policies instead of actually making their services comply with the new laws. Consequently Schrems filed 101 complaints in many European states to against those companies. The Austrian Data Protection Authority was the first one to react on this complaint by declaring Google Analystics an illegal service in Austria. As other countries are likely to follow this will create pressure on Google and other US providers to adapt their services and protections. If they don’t choose to adapt or host foreign data inside Europe, EU websites are forced to use different tracking tools, even if Google Analytics is the most common statistics program at the moment by far. For now there is no further information on possible penalties. In the long run the responses of the US government will determine wether US providers will eventually comply with the GDPR or there will be different products for US and EU in the future.

Sources:
https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-analytics-illegal
https://orf.at/stories/3243496/
https://www.derstandard.at/story/2000132495447/behoerde-google-analytics-verstoesst-gegen-die-datenschutzverordnung

* formerly called “dark pattern”