Use Google Analytics and risk fines, after CJEU ruling on Privacy Shield
EU websites using Google Analytics and Facebook are being targeted by European privacy group noyb after the invalidation of the Privacy Shield. They filed a complaint against 101 websites for continuing to send data to the US.
“A quick analysis of the HTML source code of major EU webpages shows that many companies still use Google Analytics or Facebook Connect one month after a major judgment by the Court of Justice of the European Union (CJEU) - despite both companies clearly falling under US surveillance laws, such as FISA 702. Neither Facebook nor Google seem to have a legal basis for the data transfers.”
The Privacy Shield previously allowed for EU data to be transferred to the US. However, this was invalidated by the Court of Justice of the European Union (CJEU) on July 16, 2020. The CJEU deemed it illegal for any websites to transfer the personal data of European citizens to the US.
They also made it clear in a press release that “data subjects can claim compensation for inadmissible data exports (marginal no. 143 of the judgment). This should in particular include non-material damage (“compensation for pain and suffering”) and must be of a deterrent amount under European law.” This puts extra financial pressure on websites to take the new ruling seriously.
Immediate action is required after Google Privacy Shield invalidation
The Berlin Commissioner for Data Protection and Freedom of Information therefore calls on all those responsible under its supervision to observe the decision of the ECJ [CJEU]. Those responsible who transfer personal data to the USA - especially when using cloud services - are now required to immediately switch to service providers in the European Union or in a country with an adequate level of data protection.
As the ruling is effective immediately, there’s a pressing need for websites using Google Analytics to act, or face getting fined.
What does this mean for you?
If you are using Google Analytics, the safest bet is to stop using it immediately.
Neither Google Analytics nor Facebook Connect is necessary for the operation of these websites, and both could therefore have been replaced or at least deactivated in the meantime.
If you still need to use it, you will need to inform your visitors via a clear consent screen. This banner needs to make clear that their personal data will be sent to the US, and to educate them about any potential risk related to this. They will then need to explicitly agree to this.
Another downside of cookie consent screens is that you may also suffer a damaging loss of visitors. After implementing cookie consent best practices, the UK’s data regulator, the Information Commissioner’s Office, found a 90% drop in traffic, “implying a ninety percent drop in opt-in rates.”
With the acceptance rate for such consent screens lower than 10%, your analytics becomes guesswork rather than science.
Looking for a privacy-respecting alternative to Google Analytics?
Privacy-compliant GsAnalytics is one of the best Google Analytics alternatives available.
With Gsanalytic you are able to continue using analytics without facing the wrath of both the GDPR and the CJEU. Gsanalytic On-Premise lets you choose where your data is stored, so you can ensure no data is processed in the US.
Gsanalytic is privacy-friendly and can be tweaked to comply with all privacy laws, including the GDPR, HIPAA, CCPA and PECR. The benefits of this include not needing to use tracking or cookie consent screens (like with GA) and avoiding fines because no personal data is collected. You also get 100% accurate data and the ability to protect your users’ privacy.