Alternatives to Google Analytics could stand to benefit if the rest of the EU decides – like the Austrian and French data protection authorities already have – that the tool can no longer be used because it does not comply with EU privacy standards. EURACTIV France reports.
Whether or not the decisions of the French and Austrian data protection authorities finding Google Analytics illegal mark the start of its inevitable departure in Europe, the competing services are pleased with past and future decisions by EU data protection authorities.
France’s data protection watchdog, known as CNIL, was the latest to find the use of Google Analytics illegal, particularly because Google’s data transfers to the United States was contrary to the EU’s General Data Protection Regulation (GDPR).
In the absence of a specific agreement with the EU, the additional measures taken by Google to regulate these transfers “are not sufficient to exclude the possibility of access to these data by the American intelligence services”, the French authority said on 10 February, almost a month after its Austrian counterpart reached the same conclusions.
“So far, the various rulings in the EU have been great news for us,” said Marko Saric, co-founder of Plausible Analytics, an open-source web analytics tool that operates without cookies and stores data in Germany.
This is good news for the competition since Google Analytics had 86.5% of the market share in February 2022, according to data from W3Techs. But other companies are reportedly already seeing a shift.
Contacted by EURACTIV, several web services that analyse audience engagement are pointing to the same trend. “Many French companies are looking to migrate their web analytics to Matomo,” said Matthieu Aubry, founder of Matomo, a service that is exempted by the CNIL from collecting the consent of users.
The CNIL’s decision, made public since the announcement, was taken under the “cooperation procedure” provided for in Article 60 of the GDPR, meaning it consulted with its counterparts across the bloc.
“This draft [decision] did not give rise to any relevant and reasoned objections,” the CNIL said, suggesting its peers across the EU have been drawing similar conclusions.
Trevor Kaufman, CEO of another web analytics tool, Piano, told EURACTIV that “concerns about Google’s handling of customer data are not new, and this is just the latest evidence”.
In his view, the decisions taken in recent weeks are “entirely justified”, although he would have preferred to see big tech companies being reformed before penalising companies that use their services.
Working around things
Is this, then, the death of Google Analytics in Europe?
“As things stand, perhaps yes, insofar as there is now a transfer of data from the EU to the US, based on ineffective technical measures for data protection,” Alexandre Fievée, a lawyer at law firm Derriennic, told EURACTIV.
Martin Tournoij of Goatcounter, an open-source analytics platform, was more cautious:
“It remains to be seen what will happen. I would be surprised if it has that much effect because either Google will ‘work around’ things” by creating a European offering, fighting in court or through a new Privacy Shield, he said.
The EU Court of Justice invalidated in July 2020 the system in place between the EU and the US known as the “Privacy Shield”, finding that the interference by US authorities in the data processed by their companies – wherever they operate – did not meet EU standards. Under Privacy Shield, US companies were exempt from these additional guarantees.
However, in the absence of breakthroughs in discussions about a future compliance system, “one could envisage new technical measures that would make this transfer legal,” legal expert Fiévée added.
According to the lawyer, this could involve encrypting data processed on US soil without Google having access to the decryption keys or ensuring the data is anonymised.
For the time being, however, Google’s proposed encryption techniques in its data centres and so-called “pseudonymisation” have not convinced the French data watchdog. According to the CNIL, the US giant can always provide decryption keys if requested by a US authority, making pseudonymisation alone not enough.
To be in line with the GDPR, it would be necessary to be able to “guarantee that no American public authority can access unencrypted data,” Fievée added.
The last possible technical option is to obtain specific consent from the user for the transfer of their data to the US.
“We thought that the first to fall would be a provider in the advertising sector, but we are pleased to see that the regulator has first targeted one of the services that probably routes the most data of European citizens to the United States,” said Maciej Zawadziński, the head of Piwik Pro, a solution CNIL also said did not require consent.
Until now, Google has been very discreet on the topic.
Contacted by EURACTIV when the CNIL’s decision was issued, the company did not wish to comment. Instead, it simply shared two posts published on its blog, the first reaffirming their commitment to privacy and the second stressing the need for a new data transfer framework decision.
[Edited by Luca Bertuzzi/Zoran Radosavljevic]