Lax laws and sweetheart deals are becoming a thing of the past for big tech firms, particularly in Europe where a series of rulings is posing a major threat to one of Google’s flagship products.
More than half of the world’s websites use Google Analytics to help their owners understand the behaviour of users.
The software, which deploys cookies to track user behaviour, costs nothing in cash terms — though the vast trove of data helps to fuel Google’s massive profits.
But activists have filed dozens of cases with regulators in Europe arguing that the tool breaches privacy laws by transferring data to the United States.
Regulators in several countries agree with activists and have ruled Google Analytics incompatible with European data privacy regulation (GDPR).
The rulings leave many European firms in a bind.
They can ditch Google and move to a privacy-compliant option that costs money, or wait it out and hope for a solution from Google, the regulators or the politicians.
– Potential fixes –
Last week, Google said it would release a new version of its software that would not store IP addresses, the unique codes that can identify individual computers.
The US firm has also built data centres in Europe.
However, the impact of these potential fixes is unclear. Regulators have not yet commented.
“Data protection authorities do not have the solution,” says Florence Raynal of French regulator CNIL, which has ruled against Google.
“That solution must be provided by governments at a political level.”
US companies are subject to a law known as the Cloud Act that allows US security agencies to access the data of foreign citizens regardless of where it is stored.
Although Google has argued that the risk posed by the Cloud Act is theoretical, it nevertheless makes it difficult for US firms to comply with the GDPR.
– ‘At a crossroads’ –
Marie-Laure Denis, head of CNIL, which is seen as a leader whose rulings are followed by other regulators, summed up the dilemma at a conference of the International Association of Privacy Professionals (IAPP) in Paris last week.
She said of American companies that “their business model should evolve, or the American legal framework should evolve”.
But she accepted that the situation for European firms using Google Analytics was “complicated”.
Pascal Thisse, who runs an agency advising companies on how to comply with GDPR, says firms find themselves “at a crossroads” with no clear idea of the path to take.
“If you tell a client who uses Google Ads to remove Google Analytics, everything collapses because it is the foundation of the system,” he says.
But to comply with European rulings, companies would need to prove that US intelligence is not interested in the data collected — an undertaking well beyond the means of small firms.
Max Schrems, the Austrian lawyer whose NGO filed the cases with the data protection regulators, also accepts there is no easy fix.
“It’s hard for us because usually we try to litigate stuff where there is a solution and in this case we have a political problem,” he told a virtual event last week.
He said US law allowed mass surveillance on non-American citizens, which clashed with the EU’s charter on fundamental rights.
“Either the US changes its laws or the European Union changes its fundamental founding principles,” he said.
Although he regarded neither option as overly realistic right now, he added: “I see more potential in the US for change because there should be a huge business interest in the US to have data from foreigners treated fairly.”