Privacy NGO noyb filed complaints against three Irish websites, complaining that the use of Google Analytics is not GDPR compliant.
The complaints haven’t been decided yet. However, four European data protection authorities already ruled against the use of Google Analytics in similar complaints by noyb and another (the Danish Datatilsynet) practically banned Google Analytics from Denmark in a press release. These authorities follow a coordinated approach, so other EEA and EU countries, such as Ireland, may follow.
Additionally, the Irish data protection authority (DPC) drafted a decision to interrupt data transfers for Meta and submitted it to the European Data Protection Board in October 2022. The case's core issues are essentially the same involved in noyb’s complaints against Google Analytics. Should the Board endorse the DPC’s decision, the case would set an important precedent at a European level, even more so in Ireland. Such a precedent would have far-reaching consequences for the entire EU since many multinational tech giants have European headquarters or subsidiaries in the Republic of Ireland.
- Should I worry about the GDPR in Ireland?
- What is the Irish privacy legislation?
- What is all the GDPR fuss about?
- Final Thoughts
Let’s dive in!
Should I worry about the GDPR in Ireland?
The Republic of Ireland is a Member State of the European Union, so the GDPR applies to all data processing activities from Irish companies.
The GDPR also applies to any service targeting the Irish market. Additionally, if your website’s target audience includes Ireland and you use Google Analytics, it also applies to you.
But there’s a catch- it only applies if you process personal data. Privacy-friendly analytics tools such as Simple Analytics allow you to get valuable insights without processing any personal data. This way, you do not need to comply with the GDPR because it doesn’t apply to the data you process in the first place.
What is the Irish privacy legislation?
The main data protection framework is the GDPR of the European Union. The Republic also has its own privacy legislation, including the 2018 Data Protection Act, which implements the GDPR. The Data Protection Commission and the Irish courts enforce this legislation.
The Republic of Ireland is also subject to Articles 7 and 8 of the EU Charter of Fundamental Rights, which protects privacy and data protection.
The Republic of Ireland is also a Member State of the Council of Europe. As such, the Republic ratified the European Convention on Human rights, which protects private life and correspondence. Ireland also ratified Convention 108 of the Council of Europe, which is the only binding international agreement on data protection to date.
What is all the GDPR fuss about?
The recent trend of decisions against Google Analytics is part of a larger legal puzzle about data transfers between the EEA and the US. So this is much bigger than individual countries such as the Republic of Ireland, and it’s bigger than Google Analytics too. We wrote about this extensively already on our blog, so here’s a short version.
The core issue is State surveillance. Under the GDPR, European personal data can only be transferred outside the EEA when done safely. This is difficult for US data transfers because the US legal framework allows extensive and invasive surveillance over the data of foreign citizens, including Irish] citizens.
Two data transfer frameworks (Safe Harbor and Privacy Shield) between the EU and the US made GDPR-compliant data transfers possible in the past, but both frameworks were invalidated by the EU Court of Justice in the Schrems I and II cases. A third framework is on the way but will certainly face a legal challenge. With a Schrems III ruling already on the horizon, the future of EU-US data flows remains uncertain.
In the meantime, Irish companies and European companies in general must resort to different legal tools (typically standard contractual clauses) to lawfully transfer data to the US under the GDPR. However, the issue with these tools is that they offer no protection against State surveillance. For this reason, the Court of Justice clarified in the Schrems II case that they must be supplemented by additional privacy-safeguarding measures whenever data is sent to “unsafe” countries. This is difficult and entirely impossible for the transfers required by certain cloud-based services such as Google Analytics (we wrote about this here).
After the Schrems II ruling in 2020, most companies kept doing business as usual with US-based service providers. In the meantime, NGO noyb filed 101 complaints about data transfers against European websites using Google Analytics and Facebook Connect to nudge authorities toward stricter enforcement of the Schrems II ruling.
Data protection authorities coordinated their approach at a European level to handle the complaints coherently. As a result, the Austrian, French, Italian, and Hungarian DPAs ruled against the use of Google Analytics in very similar decisions, and the Danish DPA essentially did the same in a press release. While the decisions address an individual controller, they all set a precedent that practically amounts to a State-wide ban, as we explained here. Should the DPC do the same, its decision would set a similar precedent for Ireland. The same will likely happen if the EDPB endorses the DPC’s draft decision against Meta.
Without tracking individual website visitors, gathering actionable insights and identifying opportunities from website analytics is possible. Want to see what that looks like? Check out our live dashboard here.
We believe in making the internet a safer place that is friendly to website visitors. If this resonates with you, feel free to give us a try.