Yes, Google Analytics is practically illegal in Austria. Here’s why.
In 2018, privacy NGO noyb filed complaints against three Austrian websites, arguing that their use of Google Analytics is not GDPR compliant. The first decision from the DSB (the Austrian data protection authority) came in December 2021. The authority agreed with the NGO and practically banned Google Analytics in Austria.
Here’s what the ruling is about, in a nutshell. Using Google Analytics requires data to be transferred to the US so that the parent company, Google, can process it. The Schrems II decision made US data transfers trickier by invalidating an EU-US data transfer framework (the Privacy Shield) and by requiring effective safeguards for data transfers. In practice, such safeguards cannot be implemented for Google Analytics.
To be clear, the DSB did not declare Google Analytics illegal in and of itself. The authority simply applied the rules from the GDPR and the Schrems II ruling and found that a website was not implementing effective safeguards to protect its visitors’ personal data. Technically, the ruling is an individual decision, and the use of Google Analytics was declared illegal only for one specific website. But in practice, no website can implement effective safeguards for Google Analytics, so the ruling sets a precedent that amounts to a statewide ban. Privacy professionals are well aware of this, and that’s why the decision drew a lot of media attention.
Austria was just the start. After the DSB, three more authorities (the French CNIL, the Italian GPDP, and the Hungarian NAIH) also ruled against Google Analytics, and the Danish authority (Datatilsynet) embraced the same position in a press release. Authorities are coordinating their approach at a European level, so other countries are likely to follow.
- Should I worry about the GDPR in Austria?
- What is the Austrian privacy legislation?
- What is all the GDPR fuss about?
- What about the new data transfer framework?
- Final Thoughts
Let’s dive in!
Should I worry about the GDPR in Austria?
Austria is a Member State of the European Union, so the GDPR applies to all data processing activities from Austrian companies.
The GDPR also applies to any service targeting the Austrian market. Additionally, if your website’s target audience includes Austria and you use Google Analytics, it also applies to you.
But there’s a catch: it only applies if you process personal data. Privacy-friendly analytics tools such as Simple Analytics allow you to get valuable insights without processing any personal data. This way, you do not need to comply with the GDPR because it doesn’t apply to the data you process in the first place.
What is the Austrian privacy legislation?
The main data protection framework is the GDPR of the European Union. Austria also has its own privacy legislation, including the 2000 Data Protection Act (Datenschutzgesetz). This legislation is enforced by Austrian courts and by the Austrian data protection authority (the DSB).
Austria is also subject to Articles 7 and 8 of the EU Charter of Fundamental Rights, which protect privacy and data protection.
Furthermore, Austria is a Member State of the Council of Europe. As such, Austria ratified the European Convention on Human Rights, which protects private life and correspondence. Austria also ratified Convention 108 of the Council of Europe, which is the only binding international agreement on data protection to date.
What is all the GDPR fuss about?
The recent trend of decisions against Google Analytics is part of a larger legal puzzle about data transfers between the EEA and the US. So this is much bigger than individual countries such as Austria, and it’s bigger than Google Analytics too. We wrote about this extensively already on our blog, so here’s a short version.
The core issue is State surveillance. Under the GDPR, European personal data can be transferred outside the EEA only if the transfer is safe. This is difficult for US data transfers because the US legal framework allows extensive and invasive surveillance of the data of foreign citizens, including Austrian citizens.
Two data transfer frameworks (Safe Harbor and Privacy Shield) between the EU and the US made GDPR-compliant data transfers possible in the past, but both frameworks were invalidated by the EU Court of Justice in the Schrems I and II cases. A third framework is on the way but will certainly face a legal challenge. With a Schrems III ruling already on the horizon, the future of EU-US data flows remains uncertain.
In the meantime, Austrian companies, and European companies in general, must resort to different legal tools (typically standard contractual clauses) to lawfully transfer data to the US under the GDPR. However, the issue with these tools is that they offer no protection against State surveillance. For this reason, the Court of Justice clarified in the Schrems II case that they must be supplemented by additional privacy-safeguarding measures whenever data is sent to “unsafe” countries. This is difficult in general, and entirely impossible for the transfers required by certain cloud-based services such as Google Analytics (we wrote about this here).
After the Schrems II ruling in 2020, most companies kept doing business as usual with US-based service providers. In the meantime, NGO noyb filed 101 complaints about data transfers against European websites using Google Analytics and Facebook Connect to nudge authorities toward stricter enforcement of the Schrems II ruling.
As we said, data protection authorities coordinated their approach at a European level to handle the complaints coherently. As a result, the Austrian, French, Italian, Hungarian and Danish DPAs took a stance against data transfers. With coordination at a European level and the influential French and Italian authorities leading the way, other DPAs will likely follow the example and adopt a harder stance on Google Analytics.
What about the new data transfer framework?
In July 2023, the European Commission adopted an adequacy decision for the US. An adequacy decision is a unilateral act that enables the free flow of personal data to a non-EU country.
Is the whole data transfer drama over? Not really. Schrems (yup, the guy from Schrems I and II) will certainly challenge the new framework in the Court of Justice, and will likely win.
Adequacy decisions are not merely political decisions. The Commission cannot sanction data flows towards a country solely because it likes that country, or because that country is a strategic ally. It needs to make sure that the data are kept safe outside the EU, and this is not the case with the new data transfer framework in place between the EU and the US.
This is not the first attempt at a transatlantic data transfer framework, either. Two older frameworks (Safe Harbor and Privacy Shield) were both invalidated by the Court of Justice over surveillance concerns. This will probably happen again, as the new framework does not really offer the safeguards required to keep EU data safe against US surveillance.
Long story short, Schrems III will come at some point, and the EU will be back to square one.
In the meantime, European companies must live with the uncertainty or invest in localization. And by the way, Microsoft is pouring billions into its EU Data Boundary program: they expect thousands of companies to rush to their EU-based cloud after Schrems III comes around.
Gathering actionable insights and identifying opportunities from website analytics is possible without tracking individual website visitors. Want to see what that looks like? Check out our live dashboard here.
We believe in making the internet a safer place that is friendly to website visitors. If this resonates with you, feel free to give us a try.