Ever since the GDPR came into effect in 2018, Google has been under fire in the EU. The GDPR, or General Data Protection Regulation, regulates and protects EU citizen’s data and privacy which was recently confronted by Google in order to meet demands overseas.
What began with complaints from Austria headed by Max Schrems and his case against Facebook, instigated other EU countries to disclose their incongruencies with Google Analytics. For instance, both in Norway and France, their Data Protection Authorities stated, due to ongoing research and regulation of websites, that the use of Google Analytics may be illegal.
After 101 complaints from the NOYB came flooding in, France’s Commission Nationale de l'Informatique (CNIL), in cooperation with its EU counterparts, came to the conclusion that data transfers to the United States are currently not sufficiently regulated, and are in fact illegal. The CJEU (Court of Justice of the EU) also highlighted the great risk posed to Europeans as well in the Schrems II judgement that proved GA invalidated the EU-US Privacy Shield.
Under the CLOUD Act and US law, US companies are required to give US government agencies and courts access to any data they store from foreign citizens. As the EU's GDPR requires that no third party has access to the data of a user without their consent, this act is fundamentally incompatible with EU law.” – From our previous blog here.
The analysis tool in itself is not in violation of GDPR, however in the way it is used. Due to the way Google Analytics works, it is actually not possible to use the analysis tool and at the same time comply with the GDPR.
According to Article 44 of the EU’s GDPR, companies that use GA do violate the law because private data from European citizens are being sent to the US without 'standard contractual clauses.’ Countless studies and leaks before, including the infamous Snowden leaks, have shown that European citizens’ personal data has been transferred to American intelligence agencies via US cloud services.
Google must have felt the increasing pressure brewing overseas, as as of last Wednesday, they have decided to sunset Universal Analytics* and introduce a brand new model – Google Analytics 4 or GA4 to take over in 2023.
*Universal Analytics and Google Analytics are the same thing. In short, Universal Analytics is just the new version of the old Google Analytics (Classic Analytics). Read more in detail here.
Google Analytics 4 may be the answer the EU has been waiting for. It will finally stop logging and storing IP address information as a mechanism for tracking and analytics. This is a breakthrough announcement as one of the top complaints and mutual disapproval of EU countries is that of IP address information. Ultimately, it will relieve the pressure on Google Analytics in the EU.
So, what does this mean?
Google will switch from deterministic user conversions to a more modeled, data-driven attribution which is natively integrated into GA4. Before, in GA, it used last-click attribution which was their default metric.
When a user enters a page, Google will infer the approximate location data and register that country or market to the page being browsed. The result is that this localized IP address visibility prevents the data from leaving the country, and thus cannot be given to the NSA or any other secret US government surveillance operation. These new country-level controls allow data collection to be fine-tuned by the local market and/or jurisdiction of EU law.
With Google’s reputation as being an unreliably secure Big Tech company regarding data privacy, we will continue to keep our eyes and ears peeled for where this leads and/or if there will be a catch or two along the way.
Following the announcement of the new GA4, it is clear that Google is fully aware of the issues at hand, its severity, and are trying to work on it. It’s not only reassuring that EU countries are getting heard from Silicon Valley and are getting taken seriously, but vital because with further complaints, court cases, and national government involvement, the EU would have surely seen to it that GA be made illegal, and Google would be looking at a loss worth millions overseas, not to mention serious lawsuits.
On the other hand, despite Google having the EU on its tail, from a consumer perspective they must meet the increasing consumer privacy standards on demand. Nowadays, people may not be necessarily worried on a daily basis about their private data being shared, but are more aware of companies keeping their data and want to have full transparency. As consumers are for the first time in ages at the top of the hierarchy, their wishes will be companies’ command.