Skip to content
All Blogs

Your data called - it wants to come home: Google Analytics violates GDPR

Author: Tiffany Staples

Has Google Analytics breached GDPR in Austria? The Austrian Privacy Regulator thinks so – Google Analytics has been accused of violating European privacy legislation.

To date, 101 charges have been filed regarding US data transfers, spurred by privacy foundation, noyb and filed in 2020 with several European privacy regulators. According to the Austrian watchdog, the measures taken by the search giant are not effective for preventing espionage from the United States.

GDPR legislation clearly states IP addresses and cookie data must not be sent to the US from Europe. Yet, Regulators believe Google has been doing just that, citing "sufficient encryption" as their justification for the overstep. There's a definite legal disconnect – the Austrian Privacy Regulator's definition of "sufficient encryption" doesn't align with Google's view.


The Austrian Privacy Regulator isn't the only one to call "foul" on these questionable practices – complaints have also been submitted in the Netherlands and Belgium. In January 2022, the Dutch Data Protection Authority floated a possible total ban on Google Analytics, warning that the use of Google Analytics 'may soon no longer be allowed'.

According to Max Schrems, Chairman of noyb, this decision extends further, banning companies from using US cloud services in Europe. "It has been more than a year and a half since the Court of Justice confirmed this for a second time, so it is good that it is now also enforced."

According to noyb, this decision has consequences for all European websites. "The fact that regulators are now gradually declaring US services illegal means that EU companies and US providers will feel more pressure to start using safe and legal options, such as hosting outside the US."


On the surface, it seems as if the Austrian Privacy Regulator is taking on Google Analytics solely, but is it really?! It's not as cut and dry as it seems; this isn't the first time 3rd party sources have been scrutinized – and it won't be the last. The accusations expose the larger issue: 3rd party data collection and the overall data journey. Where does data go once it's collected? Is it being shipped to the US or abroad without knowledge or consent? How's it being handled or managed?

Privacy and compliance aren't the overall focus of 3rd party solutions; inherently, these solutions look to the organization implementing their technology to choose how to use it and what data to capture. An organization has to know what data they are capturing and what technologies they are sending the data to. The speed at which digital transformation is occurring continues to accelerate and it's too easy for organizations to lose track of all the tech across their digital presence.


Data control is at stake, opening your organization and trusted clients to mismanagement, overexposure, privacy violation and potential scams and fraud. Keeping data practices in-house provides enhanced opportunities for compliance and security.

True 1st party solutions like Celebrus, are necessary for the overall management of data including data capture, dissemination and analysis. Full ownership of data allows organizations to build safeguards to ensure 100% GDPR compliance that adheres to an individual's preferences across channel and device. Customizable solutions allow data management variances such as data partitions based on country, division, and more.

Find out more

Subscribe to our blog for regular updates!