Alternatives to Google Analytics could have a lot to gain if Google’s market-dominant tool becomes unusable in the EU for failing to comply with privacy standards. block privacy.
Whether it’s a simple moment of weakness or the inevitable death of Google Analytics in Europe, alternatives to Google’s analytics tool welcome past and future decisions from data protection authorities. EU data.
The CNIL was the latest to judge that the use of Google Analytics, particularly because of data transfers operated by Google to the United States, was contrary to the General Data Protection Regulations (GDPR).
In the absence of a specific agreement with the EU, the additional measures taken by Google to regulate these transfers ” are not sufficient to exclude the possibility of access by the American intelligence services to this data “, estimated the authority, almost a month after its Austrian counterpart, the Datenschutzbehördecame to the same conclusions.
” So far, the various decisions issued in the EU have been great news for us says Marko Saric, co-founder of Plausible Analytics, an open source web audience analysis tool that works without cookies and whose data is stored in Germany.
Good news for the competition since, in fact, Google Analytics occupies 86.5% of the market in February 2022, according to data from W3Techs.
Contacted by EURACTIV, several audience analysis services pointed out this trend, like Matomo, whose service is exempted by the CNIL from collecting user consent. ” Many French companies are looking to migrate their web analytics to Matomo “, indicated its founder, Matthieu Aubry.
The decision of the CNIL, made public since the announcement, was taken within the framework of the ” cooperation procedure provided for in Article 60 of the GDPR, or in consultation with European counterparts.
” This project [de décision] did not give rise to relevant and reasoned objections “, notes the independent authority, which suggests that similar analyzes should be conducted throughout the EU.
” Concerns about how Google handles customer data are nothing new, and this is just the latest evidence says Trevor Kaufman, CEO of another web analytics tool, Piano, to EURACTIV. According to him, the decisions taken in recent weeks are “ completely justified “, even if he would have preferred that we attack first to really reform the big technological companies themselves before penalizing the companies having recourse to their services.
Google Analytics has not said its last word
Is this the death of Google Analytics in Europe? ” As things currently stand, perhaps yes, as there is today a transfer of data from the EU to the US, based on ineffective technical data protection measures “, deciphers the lawyer Alexandre Fievée of the cabinet Derrienic for EURACTIV.
“ It remains to be seen what will happen. I’d be surprised if it had that much effect, because either Google will “work around” things by creating a European offer, by fighting in court or thanks to a new “Privacy Shield”, according to Martin Tournoij of Goatcounter, an open source analysis platform.
Beyond the mere transfer across the Atlantic, it is the question of the interference of the American authorities in the data processed by their companies, regardless of where they operate, which had motivated the Court of Justice of the EU to invalidate the previous adequacy regime between the two continents, the “Privacy Shield”.
It allowed, until July 2020, American companies to free themselves from these additional guarantees.
In the absence of breakthroughs in the discussions around the future adequacy regime, ” new technical measures could be envisaged which would make this transfer legal observes Mr. Fievée.
This could be, according to him, to encrypt the data processed on American soil without Google having access to the decryption keys or to ensure that this data is anonymized.
For now, the encryption techniques in its data centers and the pseudonymization put forward by Google have not convinced the CNIL. In its deliberation, it noted that the company always had the possibility of providing the decryption keys with the encrypted data if an American authority asked it to do so and that pseudonymization, on its own, is not enough.
To comply with the GDPR, it would be necessary to be able to guarantee that no American public authority can access unencrypted data “Summarizes Me Fievée.
The last possible technical option is to obtain specific consent from the user for the transfer of their data to the United States.
” We thought the first to fall would be a service provider in the advertising industry, but we are happy to see that the regulator has first targeted one of the services which probably routes the most data from European citizens to the States -United “, observes Maciej Zawadziński, the boss of Piwik Pro, a solution also retained by the CNIL as not requiring the collection of consent.
Google has, for the time being, been very discreet on the subject. Contacted at the time of the CNIL’s decision by EURACTIV, the company had not wished to communicate, but had contented itself with redirecting to two posts on its blog, the first reaffirming their commitments in terms of respect for privacy and the second emphasizing the need for a new adequacy decision.