Ruling: Google Analytics Violates Privacy Law

The Austrian Data Protection Authority has ruled that the continuous use of Google Analytics violates Europe’s privacy law, the General Data Protection Regulation (GDPR), a decision that could have a significant impact on U.S. cloud services.

That’s according to the privacy advocacy group noyb, which had brought the case before the authority and published the decision on its website Thursday (Jan. 13). The group, led by privacy activist Max Schrems, called the decision “groundbreaking.”

“This is a very detailed and sound decision,” said Schrems, whose group has taken similar action against Apple and Facebook.

“The bottom line is: Companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”

The DPA found that IP addresses and identifiers in cookie data are a visitor’s personal data and thus fall under the data protection law.

The case stems from a health website called netdoktor.at, which — according to the DPA — did not properly set up an IP “anonymization” function. Aside from that, the authority says IP address data is personal data, since it could be paired with other digital data to determine a visitor’s identity.

The DPA said that by implementing Google Analytics, the site had exported visitor data to the U.S. and thus violated the GDPR.

“US intelligence services use certain online identifiers (such as the IP address or unique identification numbers) as a starting point for the surveillance of individuals,” the authority says.

“In particular, it cannot be excluded that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant.”

Noyb says the decision is relevant for almost every EU website, as Google Analytics is the most common statistics program.

“While there are many alternatives that are hosted in Europe or can be self-hosted, many websites rely on Google and thereby forward their user data to the US multinational,” the group said. “The fact that data protection authorities may now gradually declare US services illegal puts additional pressure on EU companies and US providers to move towards safe and legal options, like hosting outside of the US.”