[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"blog-slug_blog_3_1":3,"blog-slug_blog_german-troubles-for-google-analytics_1000_1":40},{"article":4,"articles":15,"meta":33,"languages":39},{"id":5,"title":6,"excerpt":7,"locale":8,"slug":9,"authorSlug":10,"automaticTranslated":11,"publishedAt":12,"updatedAt":13,"doFollowLinks":11,"showIndex":11,"showCallToActions":11,"articleType":14},3060,"The EU wants to kill cookie banners","The EU wants to end annoying cookie pop-ups by letting users set their consent once in their browser. If passed, websites will have to respect those choices.","en","the-eu-wants-to-kill-cookie-banners-by-moving-consent-to-your-browser","iron-brands",false,"2025-11-20T05:40:14.356Z","2025-11-20T06:13:15.812Z","blog",[4,16,26],{"id":17,"title":18,"excerpt":19,"locale":8,"slug":20,"authorSlug":10,"automaticTranslated":11,"publishedAt":21,"updatedAt":22,"ctaTitle":23,"ctaDescription":24,"doFollowLinks":11,"showIndex":25,"showCallToActions":11,"articleType":14},3019,"Google is tracking you (even when you use DuckDuckGo)","Google tracks users even on DuckDuckGo via Analytics and embeds. A new study shows how deep Google’s web tracking really goes.","google-is-tracking-you-even-when-you-use-duck-duck-go","2025-07-14T08:56:41.709Z","2025-07-14T11:26:01.386Z","If you care about privacy, you don't use Google Analytics","Ditch the tracking, keep the insights. Try Simple Analytics.",true,{"id":27,"title":28,"excerpt":29,"locale":8,"slug":30,"authorSlug":10,"automaticTranslated":11,"publishedAt":31,"updatedAt":32,"doFollowLinks":11,"showIndex":11,"showCallToActions":11,"articleType":14},3018," German court rules Meta’s tracking tech violates GDPR","German court rules Meta’s tracking tech violates GDPR, allowing lawsuits without proof of harm. 
Big risks ahead for sites using Meta pixels.","german-court-rules-meta-s-tracking-tech-violates-gdpr","2025-07-10T08:20:51.111Z","2025-07-10T12:16:26.327Z",{"pagination":34},{"page":35,"pageSize":36,"pageCount":37,"total":38},1,3,362,1084,{},{"article":41},{"contentHtml":42,"content":43,"inlineMedia":44,"id":46,"title":47,"excerpt":48,"locale":8,"slug":49,"authorSlug":10,"automaticTranslated":11,"publishedAt":50,"updatedAt":51,"doFollowLinks":11,"showIndex":25,"showCallToActions":25,"articleType":14,"languages":52},"\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">Legal troubles for Google Analytics keep coming. The Cologne District Court \u003Cstrong>ruled against the use of Google Analytics\u003C/strong> on May 10. Two days later, the Austrian Federal Administrative Court reached the same conclusion and \u003Cstrong>confirmed a decision\u003C/strong> against Google Analytics from the Austrian data protection authority.\u003C/ContentEditable>\n\u003Col class=\"counters\">\u003Cli>\u003CNuxtLink to=\"#the-german-decision\">The German decision\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#the-austrian-decision\">The Austrian decision\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#the-takeaway\">The takeaway\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#the-core-legal-issues\">The core legal issues\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#supplementary-safeguards-a-general-problem\">Supplementary safeguards: a general problem\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#what-about-the-new-data-transfer-framework\">What about the new data transfer framework?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#conclusions\">Conclusions\u003C/NuxtLink>\u003C/li>\u003C/ol>\u003CCtaTwo />\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">Let’s dive in!\u003C/ContentEditable>\n\u003CContentEditable  id=\"the-german-decision\" parent=\"\" tag=\"h2\" :articleId=\"601\">The 
German decision\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">The case was brought by \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://www.verbraucherzentrale.nrw/?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">the consumer center of Nordrhein-Westphalen\u003C/a> against Deutsche Telekom, the largest telecom provider on the German market.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">Deutsche Telekom’s website used Google Analytics and forwarded personal information to Google’s servers in the U.S. for processing. The consumer center argued for the obvious here: in light of the Schrems II ruling, \u003Cstrong>this data transfer was not compliant with the GDPR\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">Unsurprisingly, the Court agreed and ordered Deutsche Telekom to stop forwarding personal information to the US for the purposes of marketing and web analytics. In practice, this amounts to an order to \u003Cstrong>dismiss the use of Google Analytics\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">The action also involved other privacy issues, including the confusing design of the website’s cookie banner, and the transmission of personal data to credit agencies. 
Only the claims related to Google Analytics were successful.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">Given Deutsche Telekom’s resources and the amounts of personal data involved, we expect the company to appeal the decision.\u003C/ContentEditable>\n\u003CContentEditable  id=\"the-austrian-decision\" parent=\"\" tag=\"h2\" :articleId=\"601\">The Austrian decision\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">The Austrian decision stems from one of NGO noyb’s \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://noyb.eu/en/101-complaints-eu-us-transfers-filed?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">101 complaints\u003C/a> which we already discussed in depth. It is an appeal against a previous decision taken by the Austrian privacy authority (DSB)- in fact, the very first decision against Google Analytics’ data transfers from a European privacy authority.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">As for the facts, an individual represented by noyb complained that an unnamed website violated the GDPR’s rules on data transfer by transferring their personal data to the US through Google Analytics without sufficient safeguards. 
The complaint was upheld by the Austrian DPA and the decision was then appealed by the owner of the website.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">The Austrian Federal Administrative Court confirmed the DSB’s decision and rejected the defenses of the website owner, including the controversial \u003Cstrong>risk-based approach\u003C/strong> to data transfers.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">According to the \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://gdprhub.eu/index.php?title=BVwG_-_W245_2252208-1%2F36E_and_W245_2252221-1%2F30E&mtc=today&utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">gdprhub\u003C/a>, the website owner intends to challenge the decision again before the Austrian Supreme Administrative Court.\u003C/ContentEditable>\n\u003CContentEditable  id=\"the-takeaway\" parent=\"\" tag=\"h2\" :articleId=\"601\">The takeaway\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">The two decisions add nothing new on the legal side, but they do show that the enforcement of Schrems II is not limited to privacy authorities: \u003Cstrong>courts are jumping in as well\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">Something similar already happened a while ago when a German administrative court ruled against the use of Google Analytics. But the decision came with a sloppy motivation and was overturned on appeal.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">These two rulings are different. 
They come with a clear and well-reasoned motivation and, in our opinion, stand a good chance of being confirmed if challenged.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">And of course the Austrian decision, being an appeal, suggests that the DSB’s approach to the issue with data transfers is a sound one. Then again, this was \u003Cstrong>already evident\u003C/strong>. The Italian, French, Finnish, and Norwegian authorities adopted virtually identical decisions, and the Irish authority and the European Protection Board used the exact same criteria when evaluating Meta’s data transfers.\u003C/ContentEditable>\n\u003CContentEditable  id=\"the-core-legal-issues\" parent=\"\" tag=\"h2\" :articleId=\"601\">The core legal issues\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">The decisions are in no way new and merely apply the criteria already laid out in the notorious \u003Cstrong>Schrems II ruling\u003C/strong> of the EU Court of Justice. Data transfers are a long story and one we already \u003CNuxtLink to=\"/blog/how-to-move-forward-with-data-transfers-between-the-eu-us\"  >covered in detail\u003C/NuxtLink>, so we will keep things short here.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">\u003Cstrong>The GDPR requires extra-EU data transfers to be safe\u003C/strong>. However, European data (as well as all foreign data) transferred to the US are subject to extensive \u003Cstrong>State surveillance\u003C/strong>, as shown by the confidential files leaked by Edward Snowden. This surveillance system makes it hard for European organizations to transfer data to the US in a lawful and safe way.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">In both cases at hand the data transfers took place between Google Ireland and its US-based mother company Google LLC. 
In order to make this data transfer secure and lawful, Google used a specific safeguard called \u003Cstrong>standard contractual clauses\u003C/strong> (SCCs).\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">SCCs are a data transfer mechanism set up by the GDPR. In a nutshell, they are clauses that tell companies what they can and cannot do with the personal data they receive. SCCs are incorporated in a contract and are binding on the company that receives the data. Because of their binding nature, SCCs can make up for a lack of privacy legislation for the private sector.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">But the Schrems II ruling highlighted a key problem with SCCs: they are not binding for the US or any other foreign State. On their own, \u003Cstrong>SCCs cannot protect personal data from State surveillance\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">This is why Schrems II requires organizations to adopt \u003Cstrong>supplementary measures\u003C/strong> when transferring data to the US, and other countries with extensive electronic surveillance. But this is difficult for many services and \u003Cstrong>entirely impossible for Google Analytics\u003C/strong>, because Google LLC needs to access and analyze data \u003Cstrong>in the clear\u003C/strong> in order to provide the service.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">This lack of supplementary measures is at the core of every decision against Google Analytics’s data transfer. Whenever the issue of data transfers is brought up, privacy authorities stick to the Schrems II rules and look into supplementary measures. 
And they always found them to be lacking- because there are simply no measures that can keep data transfers for Google Analytics confidential.\u003C/ContentEditable>\n\u003CContentEditable  id=\"supplementary-safeguards-a-general-problem\" parent=\"\" tag=\"h2\" :articleId=\"601\">Supplementary safeguards: a general problem\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">Data transfers and supplementary measures are broad problems. Implementing proper safeguards is tricky for some services and entirely impossible for others.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">This is the case for Google Analytics too. Under US legislation, surveillance agencies can require US communications providers (including Google) to \u003Cstrong>provide any foreign data they control\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">Encryption can help, but not for Google Analytics. In order for the service to work, Google needs access to the data in the clear in order to analyze them. And under US legislation, Google can be required to provide an encryption key to the government as well. So any data Google can access in the clear, the government can access in the clear as well- it’s as simple as that.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">There are supplementary measures other than encryption, but when it comes to Google, none of them really fit- \u003CNuxtLink to=\"/blog/how-to-move-forward-with-data-transfers-between-the-eu-us#supplementary-measures-for-data-transfers\"  >as we explained here\u003C/NuxtLink>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">In a nutshell, \u003Cstrong>no solution works for Google Analytics\u003C/strong>. We have seen this again and again with the decisions against Google Analytics. 
The rulings from the Austrian, French, Italian, Norwegian, and Finnish data protection authorities all say the same thing: \u003Cstrong>Google Analytics cannot transfer data safely\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">Furthermore, all these decisions result from \u003CNuxtLink to=\"/blog/the-complete-overview-from-101-noyb-complaints-to-banning-google-analytics#noybs-101-complaints-and-the-edpb-task-force\"  >a coordinated approach to the problem at a European level\u003C/NuxtLink>. And the very same approach recently led to \u003Cstrong>\u003CNuxtLink to=\"/blog/meta-hit-with-record-breaking-1-3-billion-fine-over-facebook-data-transfers-to-the-us#the-decision\"  >a landmark decision and a record fine against Meta\u003C/NuxtLink>\u003C/strong>, for the same exact legal issues that plague Google Analytics.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">The order issued against Meta is proof that for some services, \u003Cstrong>there is simply no solution\u003C/strong> to make data transfer safe until the legal situation changes. Meta is one of the biggest and richest multinational companies in the world, with access to all the legal and technical expertise it could possibly want. The company had 1.2 billion good reasons to secure its data transfers, and yet failed to do so and is now facing the risk of an EU-wide Facebook blackout as a result.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">Of course, you are free to try and do better than Meta. 
But how many millions is your compliance budget?\u003C/ContentEditable>\n\u003CContentEditable  id=\"what-about-the-new-data-transfer-framework\" parent=\"\" tag=\"h2\" :articleId=\"601\">What about the new data transfer framework?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">In July 2023 the European Commission adopted an \u003Cstrong>adequacy decision for the US\u003C/strong>. An adequacy decision is a unilateral act that enables the free flow of personal data to a non-EU Country.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">Is the whole data transfer drama over? Not really. Schrems (yup, the guy from Schrems I and II) will certainly challenge the new framework in the Court of Justice, and will likely win.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">Adequacy decisions are not merely political decisions. The Commission cannot sanction data flows towards a Country solely because they like it, or because it is a strategic ally. They need to make sure that the data are kept safe outside the EU, and this is not the case with the new data transfer framework in place between the EU and the US.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">This is not the first attempt at a trans-atlantic data transfer framework, either. Two older frameworks (Safety Harbor and Privacy Shield) were both invalidated by the Court of Justice over surveillance concerns. 
This will probably happen again, as the new framework does not really offer the safeguards required to keep EU data safe against \u003Cstrong>US surveillance\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">Long story short, \u003Cstrong>Schrems III will come at some point, and the EU will be back to square one\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">In the meantime, European companies must live with the uncertainty or invest in localization. And by the way, Microsoft is pouring billions into its \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://blogs.microsoft.com/eupolicy/2022/12/15/eu-data-boundary-cloud-rollout/?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">EU Data Boundary program\u003C/a>- they expect thousands of companies to rush to their EU-based cloud after Schrems III comes around.\u003C/ContentEditable>\n\u003CContentEditable  id=\"conclusions\" parent=\"\" tag=\"h2\" :articleId=\"601\">Conclusions\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">Between Google Analytics’ never-ending legal issues with data transfers, and the upcoming \u003Cstrong>sunsetting of Universal Analytics\u003C/strong>, this is a good time to ditch Google Analytics in favor of another provider. And we have just the one for you!\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"601\">We at Simple Analytics believe that web analytics can be both privacy-friendly and ethical. This is why we build our service to provide great insights to our customers without collecting one bit of personal data from their visitors! If this sounds good to you, feel free to give us a try.\u003C/ContentEditable>\n","Legal troubles for Google Analytics keep coming. The Cologne District Court **ruled against the use of Google Analytics** on May 10. 
Two days later, the Austrian Federal Administrative Court reached the same conclusion and **confirmed a decision** against Google Analytics from the Austrian data protection authority.\n\nLet’s dive in!\n\n## The German decision\n\nThe case was brought by [the consumer center of Nordrhein-Westphalen](https://www.verbraucherzentrale.nrw/) against Deutsche Telekom, the largest telecom provider on the German market.\n\nDeutsche Telekom’s website used Google Analytics and forwarded personal information to Google’s servers in the U.S. for processing. The consumer center argued for the obvious here: in light of the Schrems II ruling, **this data transfer was not compliant with the GDPR**.\n\nUnsurprisingly, the Court agreed and ordered Deutsche Telekom to stop forwarding personal information to the US for the purposes of marketing and web analytics. In practice, this amounts to an order to **dismiss the use of Google Analytics**.\n\nThe action also involved other privacy issues, including the confusing design of the website’s cookie banner, and the transmission of personal data to credit agencies. Only the claims related to Google Analytics were successful.\n\nGiven Deutsche Telekom’s resources and the amounts of personal data involved, we expect the company to appeal the decision.\n\n## The Austrian decision\n\nThe Austrian decision stems from one of NGO noyb’s [101 complaints](https://noyb.eu/en/101-complaints-eu-us-transfers-filed) which we already discussed in depth. It is an appeal against a previous decision taken by the Austrian privacy authority (DSB)- in fact, the very first decision against Google Analytics’ data transfers from a European privacy authority.\n\nAs for the facts, an individual represented by noyb complained that an unnamed website violated the GDPR’s rules on data transfer by transferring their personal data to the US through Google Analytics without sufficient safeguards. 
The complaint was upheld by the Austrian DPA and the decision was then appealed by the owner of the website.\n\nThe Austrian Federal Administrative Court confirmed the DSB’s decision and rejected the defenses of the website owner, including the controversial **risk-based approach** to data transfers.\n\nAccording to the [gdprhub](https://gdprhub.eu/index.php?title=BVwG_-_W245_2252208-1/36E_and_W245_2252221-1/30E&mtc=today), the website owner intends to challenge the decision again before the Austrian Supreme Administrative Court.\n\n## The takeaway\n\nThe two decisions add nothing new on the legal side, but they do show that the enforcement of Schrems II is not limited to privacy authorities: **courts are jumping in as well**.\n\nSomething similar already happened a while ago when a German administrative court ruled against the use of Google Analytics. But the decision came with a sloppy motivation and was overturned on appeal.\n\nThese two rulings are different. They come with a clear and well-reasoned motivation and, in our opinion, stand a good chance of being confirmed if challenged.\n\nAnd of course the Austrian decision, being an appeal, suggests that the DSB’s approach to the issue with data transfers is a sound one. Then again, this was **already evident**. The Italian, French, Finnish, and Norwegian authorities adopted virtually identical decisions, and the Irish authority and the European Protection Board used the exact same criteria when evaluating Meta’s data transfers.\n\n## The core legal issues\n\nThe decisions are in no way new and merely apply the criteria already laid out in the notorious **Schrems II ruling** of the EU Court of Justice. Data transfers are a long story and one we already [covered in detail](https://www.simpleanalytics.com/blog/how-to-move-forward-with-data-transfers-between-the-eu-us), so we will keep things short here.\n\n**The GDPR requires extra-EU data transfers to be safe**. 
However, European data (as well as all foreign data) transferred to the US are subject to extensive **State surveillance**, as shown by the confidential files leaked by Edward Snowden. This surveillance system makes it hard for European organizations to transfer data to the US in a lawful and safe way.\n\nIn both cases at hand the data transfers took place between Google Ireland and its US-based mother company Google LLC. In order to make this data transfer secure and lawful, Google used a specific safeguard called **standard contractual clauses** (SCCs).\n\nSCCs are a data transfer mechanism set up by the GDPR. In a nutshell, they are clauses that tell companies what they can and cannot do with the personal data they receive. SCCs are incorporated in a contract and are binding on the company that receives the data. Because of their binding nature, SCCs can make up for a lack of privacy legislation for the private sector.\n\nBut the Schrems II ruling highlighted a key problem with SCCs: they are not binding for the US or any other foreign State. On their own, **SCCs cannot protect personal data from State surveillance**.\n\nThis is why Schrems II requires organizations to adopt **supplementary measures** when transferring data to the US, and other countries with extensive electronic surveillance. But this is difficult for many services and **entirely impossible for Google Analytics**, because Google LLC needs to access and analyze data **in the clear** in order to provide the service.\n\nThis lack of supplementary measures is at the core of every decision against Google Analytics’s data transfer. Whenever the issue of data transfers is brought up, privacy authorities stick to the Schrems II rules and look into supplementary measures. 
And they always found them to be lacking- because there are simply no measures that can keep data transfers for Google Analytics confidential.\n\n## Supplementary safeguards: a general problem\n\nData transfers and supplementary measures are broad problems. Implementing proper safeguards is tricky for some services and entirely impossible for others.\n\nThis is the case for Google Analytics too. Under US legislation, surveillance agencies can require US communications providers (including Google) to **provide any foreign data they control**.\n\nEncryption can help, but not for Google Analytics. In order for the service to work, Google needs access to the data in the clear in order to analyze them. And under US legislation, Google can be required to provide an encryption key to the government as well. So any data Google can access in the clear, the government can access in the clear as well- it’s as simple as that.\n\nThere are supplementary measures other than encryption, but when it comes to Google, none of them really fit- [as we explained here](https://www.simpleanalytics.com/blog/how-to-move-forward-with-data-transfers-between-the-eu-us#supplementary-measures-for-data-transfers).\n\nIn a nutshell, **no solution works for Google Analytics**. We have seen this again and again with the decisions against Google Analytics. The rulings from the Austrian, French, Italian, Norwegian, and Finnish data protection authorities all say the same thing: **Google Analytics cannot transfer data safely**.\n\nFurthermore, all these decisions result from [a coordinated approach to the problem at a European level](https://www.simpleanalytics.com/blog/the-complete-overview-from-101-noyb-complaints-to-banning-google-analytics#noybs-101-complaints-and-the-edpb-task-force). 
And the very same approach recently led to **[a landmark decision and a record fine against Meta](https://www.simpleanalytics.com/blog/meta-hit-with-record-breaking-1-3-billion-fine-over-facebook-data-transfers-to-the-us#the-decision)**, for the same exact legal issues that plague Google Analytics.\n\nThe order issued against Meta is proof that for some services, **there is simply no solution** to make data transfer safe until the legal situation changes. Meta is one of the biggest and richest multinational companies in the world, with access to all the legal and technical expertise it could possibly want. The company had 1.2 billion good reasons to secure its data transfers, and yet failed to do so and is now facing the risk of an EU-wide Facebook blackout as a result.\n\nOf course, you are free to try and do better than Meta. But how many millions is your compliance budget?\n\n## What about the new data transfer framework?\n\nIn July 2023 the European Commission adopted an **adequacy decision for the US**. An adequacy decision is a unilateral act that enables the free flow of personal data to a non-EU Country.\n\nIs the whole data transfer drama over? Not really. Schrems (yup, the guy from Schrems I and II) will certainly challenge the new framework in the Court of Justice, and will likely win.\n\nAdequacy decisions are not merely political decisions. The Commission cannot sanction data flows towards a Country solely because they like it, or because it is a strategic ally. They need to make sure that the data are kept safe outside the EU, and this is not the case with the new data transfer framework in place between the EU and the US.\n\nThis is not the first attempt at a trans-atlantic data transfer framework, either. Two older frameworks (Safety Harbor and Privacy Shield) were both invalidated by the Court of Justice over surveillance concerns. 
This will probably happen again, as the new framework does not really offer the safeguards required to keep EU data safe against **US surveillance**.\n\nLong story short, **Schrems III will come at some point, and the EU will be back to square one**.\n\nIn the meantime, European companies must live with the uncertainty or invest in localization. And by the way, Microsoft is pouring billions into its [EU Data Boundary program](https://blogs.microsoft.com/eupolicy/2022/12/15/eu-data-boundary-cloud-rollout/)- they expect thousands of companies to rush to their EU-based cloud after Schrems III comes around.\n\n## Conclusions\n\nBetween Google Analytics’ never-ending legal issues with data transfers, and the upcoming **sunsetting of Universal Analytics**, this is a good time to ditch Google Analytics in favor of another provider. And we have just the one for you!\n\nWe at Simple Analytics believe that web analytics can be both privacy-friendly and ethical. This is why we build our service to provide great insights to our customers without collecting one bit of personal data from their visitors! If this sounds good to you, feel free to give us a try.\n\n",{"data":45},null,601,"More troubles for Google Analytics","A German and an Austrian court both ruled against Google Analytics. Legal issues rooted in Schrems II and US surveillance.","german-troubles-for-google-analytics","2023-06-08T08:39:18.515Z","2024-01-03T13:24:19.398Z",{"en":53,"de":54,"fr":56,"it":58,"es":60,"nl":62},{"slug":49},{"slug":55},"mehr-probleme-fuer-google-analytics",{"slug":57},"plus-de-problemes-pour-google-analytics",{"slug":59},"altri-problemi-per-google-analytics",{"slug":61},"mas-problemas-para-google-analytics",{"slug":63},"meer-problemen-voor-google-analytics"]