How European Rulings Imperil Flagship Google Product

Lax laws and sweetheart deals are becoming a thing of the past for big tech firms, particularly in Europe where a series of rulings is posing a major threat to one of Google’s flagship products.

More than half of the world’s websites use Google Analytics to help their owners understand the behavior of users.

The software, which deploys cookies to track user behavior, costs nothing in cash terms — though the vast trove of data helps to fuel Google’s massive profits.

However, in 2020 the framework overseeing how personal data is transferred from the EU to the US was struck down by EU judges over concerns about snooping by US spy agencies.

Activists have since filed dozens of cases with regulators in Europe arguing that the tool breaches the fundamental rights of EU nationals.

Regulators in several countries have ruled in favor of the activists and declared Google Analytics incompatible with European data privacy regulation (GDPR).

The rulings leave many European firms in a bind.

They can ditch Google and move to a privacy-compliant option that costs money, or wait it out and hope for a solution from Google, the regulators or the politicians.

On Friday, the US and EU announced they had agreed in principle a new framework to allow data transfers, but did not provide further details.

Austrian lawyer Max Schrems, who spearheaded the campaign to invalidate the previous agreements, wrote on Twitter that it seemed like another “patchwork” approach with no substantial reform to US snooping rules.

“Let’s wait for a text, but my first bet is it will fail again,” he wrote.

Potential fixes

Last week, Google said it would release a new version of its software that would not store IP addresses, the unique codes that can identify individual computers.

The US firm has also built data centres in Europe.

However, the impact of these potential fixes is unclear. Regulators have not yet commented.

“Data protection authorities do not have the solution,” says Florence Raynal of French regulator CNIL, which has ruled against Google.

“That solution must be provided by governments at a political level.”

US companies are subject to a law known as the Cloud Act that allows US security agencies to access the data of foreign citizens regardless of where it is stored.

Although Google has argued that the risk posed by the Cloud Act is theoretical, it nevertheless makes it difficult for US firms to comply with the GDPR.

‘At a crossroads’

Marie-Laure Denis, head of CNIL, which is seen as a leader whose rulings are followed by other regulators, summed up the dilemma at a conference of the International Association of Privacy Professionals (IAPP) in Paris last week.

She said of American companies that “their business model should evolve, or the American legal framework should evolve”.

But she accepted that the situation for European firms using Google Analytics was “complicated”.

Pascal Thisse, who runs an agency advising companies on how to comply with GDPR, says firms find themselves “at a crossroads” with no clear idea of the path to take.

“If you tell a client who uses Google Ads to remove Google Analytics, everything collapses because it is the foundation of the system,” he says.

But to comply with European rulings, companies would need to prove that US intelligence is not interested in the data collected — an undertaking well beyond the means of small firms.

Lawyer Schrems also accepts there is no easy fix.

“It’s hard for us because usually we try to litigate stuff where there is a solution and in this case we have a political problem,” he told a virtual event last week before the US-EU announcement.

He said US law allowed mass surveillance on non-American citizens, which clashed with the EU’s charter on fundamental rights.

“Either the US changes its laws or the European Union changes its fundamental founding principles,” he said.

Written By

AFP 2023
