Australian brands, ecom sites, publishers on notice as EU regulators enforce GDPR breaches, outlaw Google Analytics, name and shame companies using the platform
Updated: Five years after the EU’s GDPR privacy regime went live, regulators are finally stepping up enforcement of privacy breaches – companies and publishers in France, Italy, Austria and the Nordics are among the first scrambling for alternatives to Google Analytics (GA) for their corporate, consumer, ecommerce and publishing websites. Last month Meta was fined a record EUR1.2bn for transferring user data from the EU to the US, a similar trigger for GA being banned in EU markets.
What you need to know:
- Google Analytics is being squeezed in EU markets – Austria, France, Italy and Denmark are the first to issue directives to companies which use GA that they are in breach of GDPR and to stop using the tool because user data is transferred outside EU countries - in these instances to the US.
- Data transfer breaches by Google Analytics, from Europe to the US, were the catalyst for the regulatory push, which is now spreading to issues of consent and the purpose of user data collection around GA.
- There are major implications for Australian companies as current proposals for privacy reform by the Federal Attorney General go further than GDPR. For Australian companies operating across Europe, the compliance risk is urgent.
- “If you want to comply with the new Privacy Act that is coming in Australia and comply with any privacy laws around the world, you need to look at the global picture,” per the Paris-based Global Chief Privacy Officer at subscription and analytics platform, Piano, Louis-Marie Guerif.
- Google says Google Analytics has "not been outlawed in EU markets" - technically correct although in a highly nuanced and complex regulatory context, companies risk fines and culpability if they use GA in their current practices and without changing how it is used. A number of EU countries have made clear rulings on GA's GDPR breaches and ordered companies to stop using GA under their current use cases.
The current situation in Europe is ... accelerating because of those complaints regarding data transfer. But new complaints have just been launched at the beginning of this year regarding other topics about Google Analytics. It’s been an earthquake.
Analytics storm
Australian company websites, ecommerce players and publishers are in a three-week countdown to sunset their use of Google Analytics Universal (GAU) and switch to the massive Google Analytics 4 (GA4) overhaul, which underpins the user analytics, ecommerce reporting and campaign performance of thousands of websites.
But there’s a bigger storm looming as Australian industry wrestles with the proposed Australian privacy reforms currently swirling around Canberra and corporate corridors.
The Federal Attorney General’s new privacy proposals are broadly considered to move beyond Europe’s GDPR regime, enacted in 2018, and that elevates a new risk for those using Google’s ubiquitous web analytics platform – among a host of compliance issues, GA violates rules transferring user data to servers in the US and is being pinged by a growing number of EU jurisdictions.
If Australia’s privacy proposals which match or expand on the EU’s GDPR rules are enacted, users of GA4 will face the same cliffhanger – Google’s servers are in Taiwan and Singapore and ultimately Australian user data could pass through the US.
“The Australian privacy proposals are extremely comprehensive – they cover a lot of ground and are regarded as being almost 100 per cent based on GDPR,” said Tim Rowell, the APAC boss of subscriber and analytics platform Piano. “I don't think this is imminent, it's not going to happen the next couple of months but as GDPR has developed over the last five years this debate will happen and is likely to have an impact within Australia.”
GDPR precedents
In Europe Piano Analytics has been one of the firms benefiting from the regulatory restrictions on Google Analytics because it has been granted an exemption for collecting user data for a single purpose – whereas Google Analytics user data is bundled into other Google products and services – and complies with GDPR data transfer laws. Other analytics platforms looking to nip at GA's giant base include Matomo and Fathom Analytics. “I'm not downplaying the challenge,” Rowell said. “For Australian businesses who are operating with customers in Europe this is a real issue now. I can't reveal names but there's one industrial group which signed a contract with us in Europe recently and now the Australian arm has gone ‘okay, we need to be in on this as well’.”
Piano’s Global Senior VP, Analytics, Marie Fenner said while the catalyst for Europe’s GA clampdown was an Austrian publisher using GA in which its audience data was illegally transferred to Google servers in the US – as was the case with Meta’s mega fine last month – the impact was hitting companies in all sectors. “It's not just a publishing problem, it's happening everywhere across many different industry verticals,” she said. “Companies are just getting rid of Google Analytics tags so that they are not being fined. Publishers, retail, oil and gas companies – Shell, Tata, you name it – are moving on this.”
One of the challenges for these firms is finding alternatives to Google Analytics that can cover both audience and ecommerce capabilities. Fenner said a workaround being proposed by Google under GDPR is machine learning-based Market Mix Modelling, but uncertainty remains on what that option looks like and how it could be applied.
Fenner said slow but now intensifying regulatory enforcement of GDPR breaches is a “positive thing” for European citizens. “We have a right to know where our data is being held and we have the right to erasure – if I don't want a company to hold my data, I have every right to request access and erasure and that this isn't being blatantly ignored or just not done by companies and media companies who are using certain wording.”
Google counters
Google's position is unsurprisingly different. "Google Analytics has not been outlawed in EU markets," an Australian spokesperson said. "We support customers in their compliance with the strong legal, organisational and technical measures that we offer for Google Analytics. Google Analytics helps publishers and website owners understand how well their sites and apps are working for their visitors -- but not by identifying individuals or tracking them across the web. These organisations, not Google, control what data is collected with these tools, and how it is used. We’ve supported ongoing efforts by both the U.S. and EU governments to find workable solutions to protecting privacy and ensuring transatlantic data flows.”
Google said the key issue wasn't about Google Analytics but rather EU-US data transfer laws and argues it is "firmly a privacy-safe tool". Google said "notably" that GA4 "does not store IP addresses".
The tech giant rejected claims user data collected in GA is applied for other purposes such as tracking. "Google Analytics is a processor product - [Google] customers own and control the data collected on their properties and Google does not use this data other than to protect and provide the service," the Australian spokesperson said. "Even when customers explicitly enable data sharing with Google, that data is not used for our own marketing or ad targeting purposes." The data controller and processor terms, although technical, have significant implications. If a company, not Google, is deemed as the data controller on data transfer outside the EU or on the collection of personal information without consent, or beyond the purpose that consent from a user is granted, the company is in breach of GDPR and liable for fines, not Google.
The Australian spokesman said in the EU, GA allows companies - or data controllers - to adjust their GA settings so that their website or ecommerce user data, for example, does not leave EU borders. Piano’s Paris-based global Chief Privacy Officer, Louis-Marie Guerif, said Google Analytics had introduced new data control features and that there were "some positive signs".
Data transfer contagion
But from here it gets fuzzy. Guerif said his early takeout on Australia’s proposed overhaul of the Privacy Act meant companies here would likely face the same “earthquake” as European firms are now. He said the early ruling on GA’s data transfer breaches was widening to GA's user tracking, personal identifiable information and user consent practices.
“We see two major issues currently in Europe – data transfer and also tracking without consent [for analytics specifically]. That is not permitted under certain conditions in Europe," he said.
“If you want to comply with the new Privacy Act that is coming in Australia and comply with any privacy laws around the world, you need to look at the global picture, not only about one topic,” he said. “So yes, the current situation in Europe is I would say accelerating because of those complaints regarding data transfer. But new complaints have just been launched at the beginning of this year regarding other topics about Google Analytics."
Although the Google Australia spokesperson said Google did not use GA data "for our own marketing or ad targeting purposes", Guerif said "fines have been lodged against platforms using Google Analytics because of tracking usage, without consent. So there is a [data] transfer issue. But more important than the transfer issue, maybe there is a purpose limitation issue. Google Analytics shared and reused the analytics data to cross that with Gmail data, with [Google] search data and with other products of Google."
He said after looking at the proposed Australian privacy overhaul, it was clear that what North America and Commonwealth countries called personal identifiable information [PII] was shifting closer to the GDPR definition of personal data. "As soon as you have one ID in the end user's terminal, the cookie ID, the mobile ID, this is considered as personal data under GDPR. And these become considered as personal data in new privacy laws all around the world. So we need to shift from directly identifiable information - email, first name, last name - everything that we used to use in our digital industry that was okay before because it wasn't directly identifiable, I can't use that without consent. So we have a huge, huge issue with that on Google Analytics. It’s been an earthquake."