Privacy NGO noyb filed complaints against four Dutch websites, complaining that Google Analytics is not GDPR compliant.
The complaints haven’t been decided yet. However, four European data protection authorities already ruled against the use of Google Analytics in similar complaints by noyb and another (the Danish Datatilsynet) practically banned Google Analytics from Denmark in a press release. These authorities follow a coordinated approach, so other EEA and EU countries, such as the Netherlands, may follow.
Additionally, the Autoriteit Persoonsgegevens announced in a January 2022 press release (Dutch only) that it was investigating the use of Google Analytics, so we can expect a decision at some point.
- Should I worry about the GDPR in the Netherlands?
- What is the Dutch privacy legislation?
- What is all the GDPR fuss about?
- Final Thoughts
Let’s dive in!
Should I worry about the GDPR in the Netherlands?
The Netherlands is a Member State of the European Union, so the GDPR applies to all data processing activities from Dutch companies.
The GDPR also applies to any service targeting the Dutch market. Additionally, if your website’s target audience includes the Netherlands and you use Google Analytics, it also applies to you.
But there’s a catch- it only applies if you process personal data. Privacy-friendly analytics tools such as Simple Analytics allow you to get valuable insights without processing any personal data. This way, you do need to comply with the GDPR because it doesn’t apply to the data you process in the first place.
What is the Dutch privacy legislation?
Aside from the GDPR, the Netherlands have its own privacy legislation, which includes The Dutch GDPR Implementation Act. Privacy legislation is enforced by the Dutch DPA (Autoriteit Persoonsgegevens).
The Netherlands are also subject to Article 7 and 8 of the Charter of Fundamental Rights of the European Union, which protect privacy and grant a right to the protection of personal data.
The Netherlands is also a Member State of the Council of Europe. As such, the Netherlands ratified the European Convention on Human rights, which protects private life and correspondence. The Netherlands also ratified Convention 108 of the Council of Europe, which is the only binding international agreement on data protection.
What is all the GDPR fuss about?
The decisions against Google Analytics are part of a legal puzzle that is much bigger than Google Analytics and the Netherlands.
The EU Court of Justice cracked down on US data transfers in the landmark Schrems I and II rulings. The rulings do not go as far as to ban data transfers to the US, but they make these transfers much more difficult.
In a nutshell, the rulings acknowledge that US law allows for extensive, invasive surveillance over foreign data with minimal oversight from US courts. In fact, this surveillance is not simply allowed- it actually took place with the PRISM and UPSTREAM programs, as documented by the Snowden files.
So, transferring data to the US threatens data confidentiality. This in turn creates a legal problem under the GDPR because the law only allows for third-country data transfers on the condition that the data are kept safe.
For some services, this problem can be solved by encrypting the data or by localizing its handling to European infrastructure. But neither option works for Google Analytics.
This was highlighted in a recent wave of strategic litigation from privacy NGO noyb, leading to six EU Member States practically banning Google Analytics. Right now authorities in Austria, France, Italy, Finland and Sweden ruled against websites using Google Analytics, and the Danish authority embraced the same views in a press release.
Crucially, the authorities that took a stance against Google Analytics include the French CNIL and the Italian GPDP. These authorities are well respected and their example often influences other authorities- which means that others are likely to follow their example (in fact, three Nordic countries did already). Last but not least, Italy and France are also key European markets for many companies.
In all cases, privacy authorities examined the "safeguards" that Google emplys for data transfers and reached the same conclusion: it's all meaningless compliance fluff with no real impact. This strategic litigation created a very uncertain situation, as countless websites and companies rely on a web analytics service that is practically banned in some EU Countries.
The data transfer saga came to a temporary halt in 2023, as the EU and the US have set up a new legal framework to transfer data between them (against the strong opposition of the EU Parliament). But the new framework will surely undergo legal challenges. And without substantial changes to US legislation, it will likely be invalidated- as was the case for older frameworks in the Schrems I and II rulings.
In other words, we are all waiting for Schrems III. And we the ruling comes around, we will more likely than not be back to square one, in a decade-long game of GDPR circumvention that wastes precious time and prolongs the uncertainty for European companies.
Gathering actionable insights and identifying opportunities from website analytics is possible without tracking individual website visitors. Want to see what that looks like? Check out our live dashboard here.
We believe in making the internet a safer place that is friendly to website visitors. If this resonates with you, feel free to give us a try