Have you ever felt like someone’s watching you? That eerie feeling when you feel someone is behind you or following you, but you realise it's all in your head. It's not. Because we are constantly being tracked and watched by the cyber world. How long you spend reading this article, if you skip to a different article, if you search up something on Google, what are your most searched questions, what your gender is, your age and even where you live is all trackable by the device you are on right now. As scary, invasive and illegal as that may seem the legal system has barely updated their laws on data privacy. Through exponential globalisation you never know where or to whom your data is going to, and this international data privacy area is unchartered territory. I ask what’s the difference between a person being followed compared to a person’s personal data being shared?
Google Analytics is essentially a software (web analytics service) that 29 million (52.9% of websites) website owners use to collect data on the website’s users. This data offers statistics to the website owners, collecting user insights including their user audience’s demographics so that the website owners can observe trends and tailor their website to their audience. The privacy issue comes from the fact that in order to collect this data the software places a cookie (if accepted) on the user’s device that creates a unique code so that the user can be tracked over multiple websites. Then the data which specifically includes the user’s language, browser type, city, country, type of device, age, gender is sent to Google’s data collection servers in the US. Google’s tracking capacity intensified in October 2020 when a new version of Google Analytics was launched (GA4) which uses artificial intelligence (a very scary concept if you have seen Ex Machina (film) directed by Alex Garland) and additional codeless tracking features (making it easier to track users). There are many other similar softwares such as Adobe Analytics, Mixpanel, Matomo, Stripe and StatCounter, just to name a few. Whilst the first version of Google Analytics was launched way back in 2005, international and domestic privacy laws have not caught up with their tracking ways.
Most recently, a case involving a discrepancy between EU and US data privacy laws has crawled into this lawless territory. An Austrian privacy advocacy group, Noyb, has filed 101 complaints against websites that use Google Analytics or similar services to track its users to the Austrian Data Protection Authority. Whilst many of these cases have not been brought to the court yet, an Austrian medical news website, NetDoktor, has been found to have breached the EU General Data Protection Regulation for using Google Analytics. Originally, the EU considered Google to be liable for the breach, however Google argued that in Chapter 5 of the General Data Protection Regulation it states that a breach is only achieved by the data exporter (NetDoktor) not the data importer (Google). Therefore the Data Protection Authority found NetDoktor liable for the breach.
This breach was based on the fear that the EU data could be accessed by US intelligence agencies when the data was exported to the US, affirming that the data did not have “an adequate level of protection”, from Chapter 5 of the General Data Protection Regulation. Whilst the EU is quite progressive with their data laws, the US is surprisingly slow in their changes, which is quite ironic considering it is the country home to Silicon Valley, the capital of technological innovations in the world. The US could be utilising the lack of data protection laws to cover up their own unjust behaviour with data. Currently, under US law, section 702 of the Foreign Intelligence Surveillance Act or the Executive Order 12333, the data of non-US citizens is unprotected, allowing for the possibility for US surveillance agencies to collect, share and use this data. The EU claims that the General Data Protection Regulation travels with EU data no matter what country the data is exported to. The Dutch Data Protection Authority has already threatened to ban the use of Google Analytics in the Netherlands. Google’s Senior Vice President for Global Affairs predicts that this decision threatens the “entire European and American business ecosystem”. This prediction questions the stability of major services like Amazon, Meta, Google and Microsoft as they all use US web analytics services to handle EU data.
The Deputy head of the Austrian Data Protection Authority, Matthias Schmidl, says that the transfer of data to Google “was found to be unlawful”, making it impossible for website owners to use Google Analytics and abide by the General Data Protection Regulation. Whilst the EU is taking a very strong stance against the exportation of EU data, ironically the European Parliament’s COVID-19 testing website uses Google Analytics and Stripe cookies. This irony proves that these website analytic softwares are being used everywhere making it imperative for clear law to be created internationally.
Whilst Noyb’s filings of alleged breaches are yet to be met with a decision, this case alone questions the future and foundations of EU and US relationships. The positive outcome of this case is that by US website analytic softwares being too controversial and unstable for EU websites to use, it allows for a gap in the market for European website analytic softwares to rise up and become the new norm in Europe as they will keep EU data in the EU, abiding by EU laws. Google perhaps will implement heavier encryption to “ensure an adequate level of protection”, abiding by EU laws, or make the data that is collected anonymised so that it is no longer considered “personal data”. But overall I think the solution must come from US surveillance law, to be changed to protect the data of non-US citizens ensuring the stability of the economic and digital international landscape. Whilst there are US laws for non-US citizens to have the right to “protection against arbitrary or unlawful interference with privacy”, it questions why this law does not apply to their data, which is simply a representation of themselves.
This data privacy issue may have freaked you out, but there are some preventative measures you can take to ensure the protection of your personal data:
Download the Google Analytics Opt-Out Extension
Block website cookies when asked (or only allow a few that seem reasonable to you)
Install the “Block Yourself from Analytics” Chrome extension
Install an Ad Blocker
Use search browsers like Firefox, Brave, DuckDuckGo and Safari as they interfere with Google Analytics tracking you
Ultimately, while the legal world is still exploring this unchartered territory, we must all be responsible internet users, to protect ourselves, until a law will protect us.
By Sophia Marosszeky