
Austrian DPA Ruling against Google Analytics Paves the Way to EU-based Cloud Services


In a recent ruling, the Austrian data regulator declared the use of Google Analytics unlawful based on EU GDPR regulation. While the ruling is very specifically argued and worded, its implications go well beyond this particular case.

At the heart of the Austrian data regulator's ruling, which hinges on a 2020 ruling by the European Court of Justice, is the argument that transmitting personal data to the US violates the requirement that such data be adequately protected, because of US surveillance laws.

The Second Respondent [Google], as providers [of] electronic Communications services within the meaning of 50 US Code §1881 and, as such, is subject to surveillance by US intelligence agencies pursuant to 50 US Code §1881a (“FISA 702”).

Section 702 of the Foreign Intelligence Surveillance Act (FISA) establishes that any non-US person located abroad can be the target of surveillance activities, without special requirements such as being a suspected terrorist, spy, or agent of a foreign power. FISA also regulates how US government agencies such as the NSA, FBI, or CIA can require and obtain access to transferred data directly from service providers, e.g. Apple or Google.

This is not the whole story, though. In fact, the Austrian regulator also considers that additional measures taken to protect the data, such as data encryption at rest in Google's datacenters, are not effective since they do not eliminate the monitoring and access possibilities by US intelligence services.

This is a severe blow to the usual approach that major US-based companies take to support the claim that they reasonably protect the data they receive from their customers. In effect, the Austrian DPA is saying that EU data travelling to the US does not receive adequate protection regardless of what service providers may attempt to do.

While the Austrian DPA ruling applies exclusively within Austrian borders, it is grounded in the aforementioned ruling from the European Court of Justice (ECJ), which substantially knocks down the idea of an adequate "Privacy Shield" existing between the EU and the US. This suggests that the Austrian ruling could easily be mirrored in other EU countries.

It is not clear at the moment how US-based Cloud service providers could change the way they handle their EU-based customers' data in a way that is compliant with the GDPR, and it is surely appropriate to wait for their attempt to comply with the GDPR. Yet, it may be reasonable for EU-based companies that have a mostly EU-based audience to start thinking of alternatives offering higher privacy standards.

This may include services and tools hosted and/or developed in the EU by European companies. On the front of analytics services, for example, some alternatives to Google Analytics are Fathom, Plausible, SplitBee, and others. The list of alternative services and tools developed in the EU is much longer, though, and encompasses a number of categories, including SaaS, monitoring, VPNs, CDNs, and more.

Although not yet final, the Austrian DPA ruling can be seen as only the most recent step in a confrontation that has been going on for at least 15 years, and that first saw the dismissal of the "Safe Harbor" doctrine, then of the "Privacy Shield".

Community comments

  • Getting complicated for average website maintainer.

    by Alex Ivanovs,

    I think it's good that "privacy-friendly" is trending, but I can't help but think these regulations are making things harder for the average webmaster.

  • Finally!

    by Bas Groot,

    When the GDPR legislation was still in the making I already found that Google Analytics is a major privacy gobbler and I always wondered why no one bothered to address Google while mostly well-intended European-domestic sites were punished hard.

  • Re: Getting complicated for average website maintainer.

    by Sergio De Simone,

    Sure it is getting harder. A recent ruling by Belgium DPA also found IAB Europe in breach of GDPR and fined them 250k+€. On the other hand, we have had a few years to take this seriously. Maybe the time has come for the Ad industry to understand that people do not want to be tracked. If they just apply that knowledge in the first place (instead of trying to circumvent rules as IAB seems to have done, appeal pending), things will get easy, I think.

  • Re: Finally!

    by Sergio De Simone,

    I completely second your thought. Actually, it seems that Google's and Facebook's (and others') practices have been under scrutiny for quite some time now. Indeed, the "safe harbour" policy was introduced in an attempt to allow those companies to retune their practices under a specific legal umbrella. I can hardly imagine the money spent for lawyers to argue in court for a favorable interpretation of the law.

    What is new is that, after further review, it is the very sheer practice of transferring data across the Atlantic that is considered now a breach of the GDPR. This sounds quite radical, although, as it happens with all legal matters, it is also hard to foresee how things can evolve.
