Tuesday, January 18, 2022

Austria: Google Analytics Violates GDPR


In a groundbreaking decision, the Austrian Data Protection Authority (“Datenschutzbehörde” or “DSB”) has decided on a model case by noyb that the continuous use of Google Analytics violates the GDPR. This is the first decision on the 101 model complaints filed by noyb in the wake of the so-called “Schrems II” decision.


In the long run, there seem to be two options: Either the US adapts baseline protections for foreigners to support their tech industry, or US providers will have to host foreign data outside of the United States.

Nick Heer:

[Datenschutzbehörde] specifically cited the risk of espionage by U.S. intelligence agencies as a reason why this publisher’s use of Google Analytics violates GDPR rules. That is not an unreasonable concern. While users in some countries may benefit from having the protections of the U.S. legal system to avoid domestic overreaches, it is detrimental for users in Canada and many European countries.

Update (2022-01-24): See also: Hacker News.

Update (2022-01-31): See also: Hacker News.

Update (2022-02-11): CNIL (via Hacker News):

After receiving complaints from the NOYB association, the CNIL, in cooperation with its European counterparts, analysed the conditions under which the data collected through this service is transferred to the United States. The CNIL considers that these transfers are illegal and orders a French website manager to comply with the GDPR and, if necessary, to stop using this service under the current conditions.

1 Comment

I have the greatest respect for Nick and his views on all things computing, but I fear that he and many other technologists under-estimate the EU’s determination to break away from the global Internet. What looks on the surface like an epic fight against American overreach into foreign networks is but a way to achieve total separation from the global web.

China and Russia are openly working towards sealing off their networks from the wider internet, mostly through technical means. Europe is choosing a legal approach, but it will end up in the same way. If GDPR as it is currently being interpreted is to be enforced to the letter, EU-based companies will find themselves unable to touch any kind of American technology — including operating systems, since both Windows and macOS are heavily integrated with services like Azure, AWS, and Akamai for essential functions. The press may jokingly report that “Google Analytics is now illegal,” but the rulings being discussed are truly all-encompassing and deeply concerning.

A German court recently managed to extend GDPR to private individuals, arguing that a private citizen can fall within the scope of the regulation if they rely on a commercial service to process data belonging to others. Taken to the letter, this means that using a Gmail or iCloud email address could get you in trouble and expose you to legal blackmail, even in a private capacity.

The EU’s goal of building a local “splinternet,” powered by old Linux boxes and incompetent service providers merely chosen on the basis of their location is a surveillance state’s wet dream. It has nothing to do with American overreach or consumer rights.
