Austria just decided that Google Analytics is illegal.

The EU waited long enough: now GDPR is putting its shoes on.

This day was always going to come of course, and now a precedent has been set.

In a landmark ruling by the Austrian Data Protection Authority (ADPA), the transfer of information from European data subjects to be stored and processed in the US by Google Analytics, constitutes a breach of several statutes in the EU’s privacy law, which was implemented 4 years ago in 2018.

Specifically, Google Analytics is understood to breach almost all of Chapter V of the GDPR legislation.

That’s kind of a big deal.

Why is Google Analytics *illegal*, though?

Why, when someone clicks and agrees for Google to to process their data? Isn’t it a user problem?

Nope.

The problem arises in just how personal that data is.

And it also arises in how murkily that data agreement is made.

Finally, the problem also arises in how easy it is to track someone directly through Google Analytics.

It doesn’t matter whether that ‘I agree’ box has been ticked.

The exploitation of a user’s need for expediency (“I just need to click to receive the unprotected services I require!”) is now perceived as exactly that: user exploitation.

If you haven’t been made fully aware of where and when and how your data is used — nor how your data won’t be stored and processed only in the EU — then that’s a breach.

This could see other European data legal eagles follow suit for their nations.

As if waking from a coma, lawmakers in the EU are finally cottoning on to the fact that IP addresses, cookies, device information and geolocation are highly sensitive items of personal data. Even if they are fragmented pieces of personal data.

But does that mean Google Analytics is illegal?

In the case reviewed by…