How European rulings imperil flagship Google product

Lax laws and sweetheart deals are becoming a thing of the past for big tech firms, particularly in Europe where a series of rulings is posing a major threat to one of Google's flagship products.

More than half of the world's websites use Google Analytics to help their owners understand the behaviour of users.

The software, which deploys cookies to track user behaviour, costs nothing in cash terms—though the vast trove of data helps to fuel Google's massive profits.

However, in 2020 the framework overseeing how personal data is transferred from the EU to US was struck down by EU judges over concerns about snooping by US spy agencies.

Activists have since filed dozens of cases with regulators in Europe arguing that the tool breaches the fundamental rights of EU nationals.

Regulators in several countries have ruled in favour of the activists and declared Google Analytics incompatible with European data privacy regulation (GDPR).

The rulings leave many European firms in a bind.

They can ditch Google and move to a privacy-compliant option that costs money, or wait it out and hope for a solution from Google, the regulators or the politicians.

On Friday, the US and EU announced they had agreed in principle a new framework to allow data transfers, but did not provide further details.

Austrian lawyer Max Schrems, who spearheaded the campaign to invalidate the previous agreements, wrote on Twitter that it seemed like another "patchwork" approach with no substantial reform to US snooping rules.

"Let's wait for a text, but my first bet is it will fail again," he wrote.

Potential fixes

Last week, Google said it would release a new version of its software that would not store IP addresses, the unique code that can identify individual computers.

The US firm has also built data centres in Europe.

However, the impact of these potential fixes is unclear. Regulators have not yet commented.

"Data protection authorities do not have the solution," says Florence Raynal of French regulator CNIL, which has ruled against Google.

"That solution must be provided by governments at a political level."

US companies are subject to a law known as the Cloud Act that allows US security agencies to access the data of foreign citizens regardless of where it is stored.

Although Google has argued that the risk posed by the Cloud Act is theoretical, it nevertheless makes it difficult for US firms to comply with the GDPR.

'At a crossroads'

Marie-Laure Denis, head of CNIL, which is seen as a leader whose rulings are followed by other regulators, summed up the dilemma at a conference of the International Association of Privacy Professionals (IAPP) in Paris last week.

She said of American companies that "their business model should evolve, or the American legal framework should evolve".

But she accepted that the situation for European firms using Google Analytics was "complicated".

Pascal Thisse, who runs an agency advising companies on how to comply with GDPR, says firms find themselves "at a crossroads" with no clear idea of the path to take.

"If you tell a client who uses Google Ads to remove Google Analytics, everything collapses because it is the foundation of the system," he says.

But to comply with European rulings, companies would need to prove that US intelligence is not interested in the data collected—an undertaking well beyond the means of small firms.

Lawyer Schrems also accepts there is no easy fix.

"It's hard for us because usually we try to litigate stuff where there is a solution and in this case we have a political problem," he told a virtual event last week before the US-EU announcement.

He said US law allowed mass surveillance on non-American citizens, which clashed with the EU's charter on fundamental rights.

"Either the US changes its laws or the European Union changes its fundamental founding principles," he said.