{"id":18073,"date":"2022-02-02T10:49:22","date_gmt":"2022-02-02T18:49:22","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11806\/"},"modified":"2022-02-02T10:49:22","modified_gmt":"2022-02-02T18:49:22","slug":"news-11806","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11806\/","title":{"rendered":"Europe\u2019s Move Against Google Analytics Is Just the Beginning"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/61e8456b50297725e779e796\/master\/pass\/security-google-analytics.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Burgess| Date: Wed, 19 Jan 2022 17:11:58 +0000<\/strong><\/p>\n<p class=\"BylineWrapper-iiTsTb hAGfXd byline bylines__byline\" data-testid=\"BylineWrapper\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\" class=\"BylineNamesWrapper-dbkCxf erRIa-D\"><span data-testid=\"BylineName\" class=\"BylineName-cKXFOb UCAzg byline__name\"><a class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt BaseLink-gZQqBA BylineLink-eZnyPI eTiIvU mEZDb fNdcwQ bKZMMS byline__name-link button\" href=\"\/author\/matt-burgess\">Matt Burgess<\/a><\/span><\/span><\/p>\n<p><span class=\"lead-in-text-callout\">The Austrian website<\/span> of medical news company NetDoktor works like millions of others. Load it up and a cookie from Google Analytics is placed on your device and tracks what you do during your visit. 
This tracking can include the pages you read, how long you are on the website, and information about your device\u2014with Google also assigning an identification number to your browser that can be linked to other data.<\/p>\n<p class=\"paywall\">NetDoktor can use this analytics data to see how many readers it has and what they\u2019re interested in\u2014the website picks what it collects. But by using Google Analytics, the tech giant\u2019s traffic monitoring service, all this data passes through Google\u2019s servers and <a data-offer-url=\"https:\/\/noyb.eu\/sites\/default\/files\/2021-05\/2021-04-09_Response_to_Austrian_DPA_-_NOYB_Complaints_b.pdf#page=11\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/noyb.eu\/sites\/default\/files\/2021-05\/2021-04-09_Response_to_Austrian_DPA_-_NOYB_Complaints_b.pdf#page=11&quot;}\" href=\"https:\/\/noyb.eu\/sites\/default\/files\/2021-05\/2021-04-09_Response_to_Austrian_DPA_-_NOYB_Complaints_b.pdf#page=11\" rel=\"nofollow noopener\" target=\"_blank\">ends up in the United States<\/a>. For data regulators in Europe, the shipping of personal data across the Atlantic remains problematic. 
And now a small Austrian medical website finds itself at the center of an almighty tussle between US laws and Europe\u2019s powerful privacy regulations.<\/p>\n<p class=\"paywall\">On December 22, the Austrian data regulator, Datenschutzbeh\u00f6rde, <a data-offer-url=\"https:\/\/noyb.eu\/sites\/default\/files\/2022-01\/E-DSB%20-%20Google%20Analytics_EN_bk.pdf\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/noyb.eu\/sites\/default\/files\/2022-01\/E-DSB%20-%20Google%20Analytics_EN_bk.pdf&quot;}\" href=\"https:\/\/noyb.eu\/sites\/default\/files\/2022-01\/E-DSB%20-%20Google%20Analytics_EN_bk.pdf\" rel=\"nofollow noopener\" target=\"_blank\">said<\/a> the use of Google Analytics on NetDoktor breached the European Union\u2019s <a href=\"https:\/\/www.wired.co.uk\/article\/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018\">General Data Protection Regulation (GDPR)<\/a>. The data being sent to the US wasn\u2019t being properly protected against potential access by US intelligence agencies, the regulator said in a decision that was published last week. 
Days earlier it was revealed that European Parliament\u2019s Covid-19 testing website had also breached GDPR by using cookies from Google Analytics and Stripe, according to a <a data-offer-url=\"https:\/\/noyb.eu\/en\/edps-sanctions-parliament-over-eu-us-data-transfers-google-and-stripe\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/noyb.eu\/en\/edps-sanctions-parliament-over-eu-us-data-transfers-google-and-stripe&quot;}\" href=\"https:\/\/noyb.eu\/en\/edps-sanctions-parliament-over-eu-us-data-transfers-google-and-stripe\" rel=\"nofollow noopener\" target=\"_blank\">decision<\/a> from the European Data Protection Supervisor (EDPS).<\/p>\n<p class=\"paywall\">The two cases are the first decisions following a July 2020 ruling that <a href=\"https:\/\/www.wired.com\/2016\/07\/privacy-shield-will-let-us-tech-giants-grab-europeans-data\/\">Privacy Shield<\/a>, the mechanism used by thousands of companies to move data from the EU to the US, <a href=\"https:\/\/www.wired.co.uk\/article\/privacy-shield-ruling\">was illegal<\/a>. These landmark cases will likely pile pressure on negotiators in the US and Europe who are trying to replace Privacy Shield with a new way for data to flow between the two. If an agreement takes too long, then similar cases across Europe could have a domino effect, with cloud services from Amazon, Facebook, Google, and Microsoft all potentially being ruled incompatible, one country at a time. \u201cThis is an issue that touches all aspects of the economy, all aspects of social life,\u201d says Gabriela Zanfir-Fortuna, vice president of global privacy at Future of Privacy Forum, a nonprofit think tank.<\/p>\n<p class=\"paywall\">NetDoktor isn\u2019t unique\u2014but it is the clearest hint yet that European regulators still don\u2019t like the way US tech companies send data across the Atlantic. 
Current US surveillance laws, including <a data-offer-url=\"https:\/\/www.dni.gov\/files\/icotr\/Section702-Basics-Infographic.pdf\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.dni.gov\/files\/icotr\/Section702-Basics-Infographic.pdf&quot;}\" href=\"https:\/\/www.dni.gov\/files\/icotr\/Section702-Basics-Infographic.pdf\" rel=\"nofollow noopener\" target=\"_blank\">Section 702 of the Foreign Intelligence Surveillance Act<\/a> and <a data-offer-url=\"https:\/\/www.archives.gov\/federal-register\/codification\/executive-order\/12333.html\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.archives.gov\/federal-register\/codification\/executive-order\/12333.html&quot;}\" href=\"https:\/\/www.archives.gov\/federal-register\/codification\/executive-order\/12333.html\" rel=\"nofollow noopener\" target=\"_blank\">Executive Order 12333<\/a>, don\u2019t protect data held on people living outside the US as well as they do those living inside it. In short: It\u2019s theoretically possible for US surveillance agencies to collect huge amounts of data that\u2019s moved to the country.<\/p>\n<p class=\"paywall\">\u201cWhat they do right now would be a violation of the Fourth Amendment if it&#x27;s for US citizens,\u201d claims Max Schrems, honorary chair of legal nonprofit organization noyb, who launched the legal cases that brought down Privacy Shield in 2020 and its predecessor <a href=\"https:\/\/www.wired.co.uk\/article\/safe-harbour-invalid-european-court-justice\">Safe Harbor in October 2015<\/a>. \u201cJust because people are foreigners it&#x27;s not a violation of the US Constitution.\u201d One outcome of the 2020 Privacy Shield ruling is that companies moving data from the EU to the US must make sure there are extra measures in place to protect that information. 
Now the Austrian Data Protection Authority has determined that the technical measures put in place by Google Analytics\u2014including limiting access to data centers and encrypting data as it moves around the world\u2014don\u2019t do enough to stop it potentially being scooped up by US intelligence agencies.<\/p>\n<p class=\"paywall\">Because Google could access data in plain text, the data wasn\u2019t protected from potential surveillance, the body\u2019s decision says. \u201cThis transfer was found to be unlawful because there was no adequate level of protection for the personal data transferred,\u201d says Matthias Schmidl, the deputy head of the Austrian data regulator. He adds that website operators cannot use Google Analytics and be in line with GDPR.<\/p>\n<p class=\"paywall\">At the moment, the decision applies only in Austria and isn\u2019t final. Websites across Europe aren\u2019t suddenly going to stop using Google Analytics. NetDoktor didn\u2019t respond to a request for comment. \u201cWhile this decision directly affects only one particular publisher and its specific circumstances, it may portend broader challenges,\u201d says Kent Walker, Google\u2019s senior vice president for global affairs and chief legal officer. 
In a blog post <a data-offer-url=\"https:\/\/blog.google\/around-the-globe\/google-europe\/its-time-for-a-new-eu-us-data-transfer-framework\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/blog.google\/around-the-globe\/google-europe\/its-time-for-a-new-eu-us-data-transfer-framework\/&quot;}\" href=\"https:\/\/blog.google\/around-the-globe\/google-europe\/its-time-for-a-new-eu-us-data-transfer-framework\/\" rel=\"nofollow noopener\" target=\"_blank\">published on January 19<\/a>, Walker says that the company believes the technical measures it has put in place protect people\u2019s data, and that this kind of decision could impact how data flows across the \u201centire European and American business ecosystem.\u201d<\/p>\n<p class=\"paywall\">And this is just the beginning. When noyb filed the complaint against NetDoktor in August 2020, it also filed 100 other cases with other data protection authorities across Europe. \u201cIt&#x27;s not specific to Google Analytics. It&#x27;s basically about outsourcing to US providers in general,\u201d Schrems says.<\/p>\n<p class=\"paywall\">Regulators in 30 European countries are currently investigating the other cases, which cover both the use of Google Analytics and Facebook Connect, the company\u2019s tool to link your account to other sites. Country-specific websites belonging to Airbnb, Sky, Ikea, and The Huffington Post are also subject to complaints. \u201cThe majority of these decisions will have the same or similar outcomes,\u201d says Zanfir-Fortuna. This is likely, she says, as noyb used the same legal arguments for all of its cases, and in response data protection regulators formed a task force to discuss the legal issues. 
\u201cWe expect that this is going to mobilize country by country, wherever it drops,\u201d Schrems says.<\/p>\n<p class=\"paywall\">The Dutch data protection authority, Autoriteit Persoonsgegevens, says it is finalizing its investigation and hasn\u2019t ruled out the possibility that the use of Google Analytics in its current form will be banned. In Germany, where data issues are regulated by region, Hamburg\u2019s data protection authority received two complaints from noyb and says in one case the website has removed Google Analytics, so it \u201cdoes not plan to issue any orders or a fine\u201d in this case. It is still investigating the other case.<\/p>\n<p class=\"paywall\">Despite coordination by data regulators, there may be some differences of opinion, says Simon McGarr, director of data compliance for Europe at McGarr Solicitors. \u201cThe Austrian position is probably at one end of a spectrum of opinion\u2014and it would probably represent the most radical end,\u201d he says, adding that other data bodies will either endorse, amend, or reject that line of reasoning. Disagreement across the EU\u2019s 27 GDPR enforcers is not uncommon: Last year an Irish Data Protection Authority fine against WhatsApp was increased by \u20ac175 million after other regulators disagreed with the decision. 
McGarr says it\u2019s possible other EU regulators looking at the noyb cases may come to different conclusions based on the facts of each case.<\/p>\n<p class=\"paywall\">A spokesperson for the EDPS says its view is that personal data moving to the US needs to be protected by \u201ceffective supplementary measures.\u201d The body is also currently investigating how official EU organizations use <a data-offer-url=\"https:\/\/edps.europa.eu\/press-publications\/press-news\/press-releases\/2021\/edps-opens-two-investigations-following-schrems_en\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/edps.europa.eu\/press-publications\/press-news\/press-releases\/2021\/edps-opens-two-investigations-following-schrems_en&quot;}\" href=\"https:\/\/edps.europa.eu\/press-publications\/press-news\/press-releases\/2021\/edps-opens-two-investigations-following-schrems_en\" rel=\"nofollow noopener\" target=\"_blank\">Amazon Web Services and Microsoft Office 365<\/a>.<\/p>\n<p class=\"paywall\">So what happens next? The Austrian decision\u2014and other similar cases currently being considered\u2014highlight the tensions between Europe\u2019s strong privacy laws and what happens to data once it leaves the bloc. Some are optimistic that it could reduce Europe\u2019s reliance on major US technology companies, while others say it highlights the importance of making sure negotiators from both sides strike a new deal that allows data sharing before data flows and economies are disrupted.<\/p>\n<p class=\"paywall\">Companies are likely to look at the decision by the Austrian authority and potentially consider alternatives while they wait for further rulings from other national data bodies, says Guillaume Champeau, director of public affairs at cloud architecture platform Clever Cloud. \u201cIt could really help change the business landscape to make competition fairer in Europe,\u201d he adds. 
Champeau argues there are plenty of European cloud-based analytics businesses that don\u2019t get as much attention as Google Analytics, which is estimated to be used by <a data-offer-url=\"https:\/\/trends.builtwith.com\/analytics\/Google-Analytics\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/trends.builtwith.com\/analytics\/Google-Analytics&quot;}\" href=\"https:\/\/trends.builtwith.com\/analytics\/Google-Analytics\" rel=\"nofollow noopener\" target=\"_blank\">28 million websites<\/a> worldwide.<\/p>\n<p class=\"paywall\">Schrems says that if similar decisions keep dropping in the next year, he expects that some large companies, such as banks, may start to question who should be responsible for their GDPR problems. \u201cIf people invest millions of euros into some cloud solution that then turns out to be illegal, there&#x27;s going to be huge questions about who pays the bills in the end,\u201d he says. The Austrian regulator did not say if it had fined NetDoktor, but the case is yet to be fully finalized.<\/p>\n<p class=\"paywall\">Wider than this, Schrems says he does not expect Silicon Valley companies to change their technology or attitudes yet. \u201cThere is simply no willingness by Silicon Valley to adapt to these rules,\u201d he claims. 
Internal Facebook documents <a data-offer-url=\"https:\/\/www.politico.eu\/article\/despite-eu-court-ruling-facebook-says-us-is-safe-to-receive-europeans-data\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.politico.eu\/article\/despite-eu-court-ruling-facebook-says-us-is-safe-to-receive-europeans-data\/&quot;}\" href=\"https:\/\/www.politico.eu\/article\/despite-eu-court-ruling-facebook-says-us-is-safe-to-receive-europeans-data\/\" rel=\"nofollow noopener\" target=\"_blank\">seen by Politico<\/a> show that the company thinks there aren\u2019t any problems with shipping EU data to the US, and that the company\u2019s lawyers think US laws protect data from the EU as well as if it were staying in the bloc. A Google spokesperson says the company has \u201cno plans to share,\u201d when asked if it intends to change where European data is processed.<\/p>\n<p class=\"paywall\">It\u2019s more likely that EU and US negotiators will broker a new data sharing deal before major technology firms radically change their approach. The EU and US have been discussing what should replace Privacy Shield since it was struck down in July 2020. But these discussions are yet to result in many concrete proposals. Officials have floated greater <a data-offer-url=\"https:\/\/www.politico.eu\/article\/negotiations-for-new-transatlantic-data-deal-nudge-forward\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.politico.eu\/article\/negotiations-for-new-transatlantic-data-deal-nudge-forward\/&quot;}\" href=\"https:\/\/www.politico.eu\/article\/negotiations-for-new-transatlantic-data-deal-nudge-forward\/\" rel=\"nofollow noopener\" target=\"_blank\">oversight of US security agencies<\/a>, including judges who decide whether the collection of EU data is legal. 
\u201cThe easiest way would be to say there needs to be some judicial approval of surveillance, and so on, as it is for American citizens,\u201d Schrems says.<\/p>\n<p class=\"paywall\">Negotiations have intensified in recent months and are a priority for both sides, says a European Commission spokesperson. There are red lines though: It is unlikely the commission would want a Privacy Shield successor to be defeated in court again. \u201cOnly an arrangement that is fully compliant with the requirements set by the EU court can deliver the stability and legal certainty stakeholders expect on both sides of the Atlantic,\u201d the commission spokesperson says. US representatives had not replied to a request for comment at the time of publication.<\/p>\n<p class=\"paywall\">Zanfir-Fortuna says the Austrian decision is likely to put more pressure on negotiators but adds it is unlikely there will be any legislative changes in the US. A <a href=\"https:\/\/www.wired.com\/story\/weak-us-privacy-law-hurts-americas-global-standing\/\">federal US privacy law<\/a> appears to be some way off and there may not be much appetite for entirely reforming surveillance laws. Instead, Zanfir-Fortuna says, changes that allow for Privacy Shield to be replaced may come from executive orders that can be passed with less political debate.<\/p>\n<p class=\"paywall\">That position is something Google largely agrees with. 
Minutes of meetings between Google and the European Commission, <a data-offer-url=\"https:\/\/twitter.com\/FantaAlexx\/status\/1483047782445465605\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/FantaAlexx\/status\/1483047782445465605&quot;}\" href=\"https:\/\/twitter.com\/FantaAlexx\/status\/1483047782445465605\" rel=\"nofollow noopener\" target=\"_blank\">released under freedom of information laws<\/a>, show the company hoped any Privacy Shield successor \u201cwould not require Congressional action.\u201d In his blog post, Walker urged EU and US negotiators to \u201cquickly finalize\u201d a successor to Privacy Shield. \u201cThe stakes are too high\u2014and international trade between Europe and the US too important to the livelihoods of millions of people\u2014to fail at finding a prompt solution to this imminent problem,\u201d he claims.<\/p>\n<p class=\"paywall\">Ultimately the ongoing legal wranglings and political negotiations may open up Privacy Shield\u2019s replacement to more legal scrutiny\u2014the cycle of agreements being struck down could continue if European organizations don\u2019t consider data moving to the US to be properly protected from surveillance. \u201cIt&#x27;s very possible that we will see a replacement of the Privacy Shield in the next couple of months,\u201d Zanfir-Fortuna says. 
\u201cThe question then is for how long will a new Privacy Shield ensure certainty for transfers in the absence of reforms in the US?\u201d<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/google-analytics-europe-austria-privacy-shield\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/61e8456b50297725e779e796\/master\/pass\/security-google-analytics.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Burgess| Date: Wed, 19 Jan 2022 17:11:58 +0000<\/strong><\/p>\n<p>Austria\u2019s data regulator has found that the use of Google Analytics is a breach of GDPR. In the absence of a new EU-US data deal, other countries may follow.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21382],"class_list":["post-18073","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-privacy"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18073","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18073"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18073\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18073"}],"wp:
term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18073"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18073"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}