European data protection authorities raise eyebrows at Meta and Google. Should we care?

In January, Austria banned Google Analytics (GA) for violating the EU's General Data Protection and Privacy Regulation (GDPR) laws. Two weeks later, France did the same.

So?

So, nothing. Except, of course, the rest of the European Union will soon be raising eyebrows (internally, if not publicly yet) at the tech giant's website tracking and monitoring software. Google Analytics is undoubtedly (and rather unfortunately) the market leader of following and tracing your website visitors—where they come from, where they go next, and what colour shoes they're most likely to buy.

The true power of Google Analytics

Zoho doesn't use Google Analytics. Anymore. But we did a long time ago, and as someone who's taken a couple of Google Analytics courses, I think I know enough to say that it's definitely one of the most powerful and comprehensive website trackers available to businesses today. It's also free (although, is anything ever free?).

Google is the biggest database of the global population. And if you think about that statement, you'll know it's not an exaggeration. Google knows so much that it's scary. Most of their intel is garnered from our behaviour when we log into Google and/or open a website that has GA tracking codes. If the next website we visit also has GA tracking codes, we've become the connection between the two sites. For instance, if you read an article on news.com.au and then click a link in that article leading you to The Australian, you've just told Google how you've spent your afternoon. Now news.com.au and The Australian (they both use GA—we checked) may not know what else you did after you left their websites, but Google will.

The Austrian and French data protection authorities know that. So do the Australian and New Zealand authorities. So should you and I. The world is generally okay with Google behaving this way (Zoho isn't, but that's a separate blog post).

What ticked off the Austrians though, is that a local company used Google Analytics with their website. That's all they did. But because their website data is now in Google's hands, they also inadvertently sent their visitors' personally identifiable information (PII) to the United States without ensuring necessary protection. That's a big no-no according to GDPR.

Quite ironically, only a few weeks earlier, the European Data Protection Supervisor reprimanded the EU Parliament's Covid-19 website for violating GDPR. The website used Google Analytics and Stripe. Both of these are American companies that transferred EU data back to the US.

In essence, GDPR states that EU citizens' data should be stored and processed within the European Union. If you absolutely have to transfer data outside the EU, the recipient country should have solid data protection systems to convince European courts. Google Analytics didn't and is therefore banned.

But it wasn't always banned.

A quick rundown of history (and some epic German candour)

Google has been using the standard contract clauses (SCC) of the Privacy Shield to justify its EU-US data transfers. The Privacy Shield Framework was formed in 2016 by the US Department of Commerce, the European Commission, and the Swiss Commission to help businesses comply with the laws of EU-US and Swiss-US data transfers. This shiny framework was promising—mainly because it was several times better than its predecessor, Safe Harbour.

Max Schrems, a privacy advocate and the honorary chairman of none of your business (noyb), has been advocating for stronger data protection requirements for years. It was thanks to him that Safe Harbour was scrapped in October 2015. But that was just Schrems I.

In July 2020, as a result of more advocating, the Court of Justice of the European Union (CJEU) ruled that the Privacy Shield was invalid. That was Schrems II. The ruling noted that if EU data lives in the US, it'll be accessible to American surveillance systems. However, the ruling also stated that the SCC (which are part of the Privacy Shield) will still be valid. Huh? That makes no sense. The Germans agree:

"...The relabeling of the predecessor instrument Safe Harbor, which was declared invalid in 2015, with only marginal improvements, has not led to a rethink in the US government. Nothing was changed in the practice of mass surveillance without cause, nor was a substantial strengthening of the rights of those affected achieved. [...] Against this background, the ECJ's decision to retain the Standard Contractual Clauses (SCC) as an appropriate instrument is not consistent. If the invalidity of the Privacy Shield is primarily justified by the escalating secret service activities in the USA, the same must also apply to the standard contractual clauses."

Translated from the Hamburg Data Protection Authority website

Why Schrems II might not be enough

Google isn't the only tech giant to use SCC. Facebook and its meta list of subsidiaries also use SCC. So does the other giant cloud looming inside our homes and over our bookshelves: Amazon.

Though the court's ruling still recognised the standard contract clauses, it also tightened the requirements under SCC. This means that when companies transfer EU data to the US, they have to ensure that they're either not subject to American surveillance laws or that they provide "additional safeguards," as noted in this excellent and well-written summary from the European Parliament website. There's a reason for the quotation marks around "additional safeguards," which is that no one really knows what those should look like. When there are serious data violation concerns, EU's Data Protection Authorities (DPAs) investigate complaints on a case-by-case basis.
 
That's exactly what happened to Google Analytics in Austria and France.

That's also why it took me an additional 500 words to make sure I'm not misleading you. The fine print on these regulations is clearly ambiguous.

In a way, it's inevitable that companies will send data back to their home country. Unfortunately, that's how things work when your primary data centre is outside of the country you operate in. Coming back to Google, to comply with GDPR, the company now has to stop transferring data to the United States, and instead set up back-end systems inside the European Union.

At this point, no one knows how Google is going to handle this. You'd think, for a company as wealthy as Google, it shouldn't be too difficult or take too long. But Google is also highly influential, and they could use their negotiation skills to work out an alternative arrangement with European governments. Will they? Would they? Our guess is as good as yours.

What all of this means for Aussies and Kiwis

None of this has any direct implications on our websites and shoe-buying preferences, you might say. And you'll be right. We don't see how the EU's GDPR laws and rulings will affect us down under. For now.

But it will raise concerns. Which will raise questions. Which may result in countries in our region coming up with new regulations and amendments to our existing privacy laws—because what happens in Europe has personal consequences for many of us in Australia and New Zealand. Facebook, YouTube, Instagram, and WhatsApp were the top four apps Australians used on a daily basis, according to an Australian Media and Communications Authority (AMCA) survey in 2020—and that was when we were pandemic infants! Our usage hasn't gone down during the various lockdowns and masked-up, no-dancing gatherings-of-five. Mine certainly hasn't. COVID-19 has changed lives like nothing since the bubonic plague of the 14th century. I wouldn't be surprised if it created the next Shakespeare (except on Instagram, probably). We don't just use these apps for entertainment— we use them for connection. With the pandemic ongoing, many of us haven't been able to visit friends and family in France, Serbia, Germany, or any part of Europe. If there comes a time when we can't even chat with them because our go-to apps like Facebook Messenger, WhatsApp, and Gmail are banned in Europe, there's not much incentive for us to continue using them. Of course, Instagram may not disappear from our lives entirely, and many in our SME community will still use Google products, but these apps will gradually become far less alluring amid constant legal challenges.

Let's not forget—it's not as if Google and Facebook have a great relationship with Australian privacy regulators either. Even though most of us use Meta and Google, we still remember Google's threat to remove Search in Australia, and Facebook taking down the Bureau of Meteorology (among other essential service pages) just to prove a point. That's when many of us started to see these tech companies for what they are, and some of us even imagined an alternative reality—a metaverse, if you will—where Facebook doesn't exist. You don't take down our Bureau of Meteorology without facing severe consequences!

Despite all of that though, we still rely on Google and Meta for our daily interactions. Whether we're looking to borrow a lawn mower (all that rain!) or get rid of some tap dancing shoes we impulse bought on a drunken dare, Buy Nothing, Marketplace, local community groups, and Instagram-based small businesses are the lifeline of our existence. I've relocated to two Aussie states and set up homes from scratch with only the stuff I got from local Facebook groups.

The phrase "Google it!" is no longer a young person's catchphrase. My 70-year old neighbour is as Google-savvy as my 40-year-old friend in IT. That's how ingrained these companies have become in our lives.

To give up all of that would be terrible. Honestly.

But after all the drama around these big tech giants, I think more people are okay with the idea of going off Facebook. Although, this is slightly less true for Google.

We're not suggesting you quit drinking and impulse buying. That'd be preposterous. Instead, we're suggesting that it's probably time to read those Privacy Policies and Terms and Conditions before you sign up for a product. In its report (p. 42), Australia's Department of Industry, Science, Energy and Resources noted that two-thirds of Australians don’t read online privacy policies. Almost half of us don’t adjust our privacy settings on social media channels. We should be more conscious of what's happening to our information and who legally (and illegally) has access to it. It's astounding that Google can use my personal commute data to assess and tell a random person at the bus stop that their bus is delayed by one minute. Every time I look up a bus schedule on Google Maps and board a bus, that's invaluable data for Google. And it likely will never go away from their systems.

At what point does super helpful become slightly creepy?