Austria started it, now France follows – the use of Google Analytics has now also been classified as non-GDPR-compliant by the French data protection authority CNIL. So – which country is next to take a stand against the popular web analysis tool? And above all – which service will be the next to be targeted by data protection officers?
Further decisions are to be expected in any case, after all, the data protection NGO NOYB under Max Schrems has filed a whopping 101 complaints in 30 EU countries on the subject of Google Analytics and Facebook Connect.
Waiting for Privacy Shield Reloaded…
After the failure of Privacy Shield and its predecessor Safe Harbor, the legal situation regarding the transfer of personal data to the USA is – let's say – difficult.
Whether the IP addresses of German users and their surfing behavior are important to the US secret services is a point to argue about – but the discussion has probably already gone beyond that.
Anyone who wants to continue to use Google Analytics should hope for a successor to the Privacy Shield, which will hopefully not be pulverized again after a few years. Well, it lasted 4 years, so you could definitely lean back a little then…
The successor is not really foreseeable at the moment, so maybe you should look into alternatives.
What about other services?
If you follow the logic applied by the data protection officers when it comes to Google Analytics, then all external services with an operator in the USA are problematic. The popular Google Tag Manager probably wouldn’t be rated any differently either, especially given that the two services are closely intertwined.
As a result, all tracking tags that come from providers based in the US are also critical – conversion and retargeting tags can be found on many sites, as well as tags for advertising. Let’s be honest – how many tags on your website can you assign to a provider and a company headquarters without a doubt? This is especially hard because, when it comes to advertising and retargeting, third-party providers that are not even recognizable in the original tag are often loaded.
We continue with fonts and JavaScript – if fonts are not stored locally on the web space, but integrated via the server of a third party, you should pay attention to where this third party is based. The same applies to JavaScript libraries, which are often integrated via CDNs – where is the operator based?
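To answer the question of which tags, fonts and scripts on a page come from which provider, the following added example (not part of the original article) lists every third-party host that a page's HTML makes the visitor's browser contact. The host names and the sample page are constructed placeholders, and because only static HTML is parsed, providers that a tag loads at runtime do not show up here.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute whose URL the visitor's browser requests on page load.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
# <link> only causes a connection for these rel values (canonical etc. do not).
FETCHING_RELS = {"stylesheet", "preload", "prefetch", "preconnect", "dns-prefetch", "icon"}

# Constructed sample page; all host names are placeholders.
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="https://other.example/page">
<link rel="stylesheet" href="https://fonts.example/css?family=Foo">
<link rel="stylesheet" href="/css/site.css">
<script src="//cdn.example/lib.min.js"></script>
<script src="https://static.shop.example/app.js"></script>
</head><body>
<img src="https://pixel.tracker.example/c.gif?id=1">
<iframe src="https://video.example/embed/1"></iframe>
</body></html>"""

class ThirdPartyAudit(HTMLParser):
    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party = [h.lower() for h in first_party_hosts]
        self.found = {}  # third-party host -> set of tag names that load from it

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        if tag == "link" and not FETCHING_RELS & set((attrs.get("rel") or "").lower().split()):
            return
        # hostname is None for relative and data: URLs, i.e. no third party involved
        host = urlparse(attrs.get(attr) or "").hostname
        if host is None or any(host == fp or host.endswith("." + fp) for fp in self.first_party):
            return
        self.found.setdefault(host, set()).add(tag)

def audit(html, first_party_hosts):
    """Return {third_party_host: [tags...]} for resources referenced in the HTML."""
    parser = ThirdPartyAudit(first_party_hosts)
    parser.feed(html)
    return {host: sorted(tags) for host, tags in sorted(parser.found.items())}

if __name__ == "__main__":
    for host, tags in audit(SAMPLE_HTML, ["shop.example"]).items():
        print(f"{host}: loaded via <{', '.join(tags)}>")
```

Each host in the result is one operator whose location and data processing terms need to be checked, or one resource to move onto your own server.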
Hosting and cloud services
If it is not in order under data protection law to integrate a third party based in the USA on your website, what does this mean for the hosting of your own website? When you call up a website, the same data accumulates as when you call up a third-party provider. So, if you follow that logic, you need to give serious thought to using a US-based provider to host your website. Many of the big players with the simple modular systems are right there – do tens of thousands of small websites have to move to become data protection compliant?
But large sites are also affected – many rely on cloud solutions to make their website scalable and quickly accessible worldwide. After the European cloud didn’t quite work out (or is someone already hosting on Gaia-X?), many companies rely on US providers.
Who is in charge now?
Data protection is important – no question. The problem for many website operators is that there are very few clear guidelines. The GDPR feels like a construct that is constantly changing, always producing new resolutions and requiring constant adjustments – it reminds you a bit of the coronavirus with its mutations.
Depending on who you ask about a data protection topic, the answer can be completely different – simply because the GDPR leaves a lot of room for interpretation. A decision like the current one on Google Analytics then causes activism again, but does not solve the general problem.
Legal uncertainty combined with fines that tend to be high – that probably sums up the situation best. Of course there are checklists that you can work through – preferably every few months. But these checklists only reflect the level of knowledge and the assessment of the creator – legal certainty looks different.
Either you create clear and binding rules, or you at least get rid of the issue of fines and the risk of warnings.
Conclusion
It will probably take a while until things get moving – as the operator of a website, I now try to avoid everything that takes place outside of my server. There are alternatives, for example with Matomo for web analysis and recently also for tag management. Fonts and scripts can be integrated locally, tracking can be set up using server2server interfaces.