Austria’s Data Protection Authority (DSB) recently declared that the use of Google Analytics violates the GDPR. It was the first European DPA to decide that Google Analytics’ transfers of GDPR-protected EU personal data to the United States are unlawful. The decision arose from the 101 model complaints filed by the Austrian privacy organisation noyb and refers back to the 2020 "Schrems II" judgment, in which the Court of Justice of the European Union (CJEU) held that US data protection law does not offer protection equivalent to the GDPR.
Not only does Google not guarantee that European data stays in the EU; US surveillance law also requires US providers such as Google or Facebook to hand over internet users’ personal data to US authorities on request.
Further decisions from the DPAs of other EU member states, such as the French CNIL, soon followed.
What are the risks to companies that continue using Google Analytics?
The DSB and CNIL concluded that transfers to the United States are currently not adequately safeguarded. Although Google has adopted supplementary measures for data transfers in the context of Google Analytics, these still do not meet the requirements set by the GDPR. If companies continue to use Google Analytics, and therefore continue to export personal data unlawfully, the authorities will treat those transfers as a breach of the GDPR.
A GDPR breach can incur the upfront cost of a fine of up to €20M or 4% of worldwide annual turnover, whichever is higher. There are also long-tail costs: investigation and escalation, notification and communication, post-breach remediation, lost business and lasting damage to the company’s reputation. Furthermore, a supervisory authority may order the deletion of unlawfully collected data or the suspension of any processing of such data.
What should businesses do to ensure they are on the right side of the GDPR?
Businesses that process data covered by the GDPR need to ensure they work with a provider that complies with the regulation. Unlike Google Analytics, Piano Analytics is compliant with the GDPR and in line with the ePrivacy Regulation proposals.
Here are the 5 Data Privacy Rules Every Business Needs to Understand to Maintain Compliance with the GDPR.
Why businesses are in safe hands with Piano Analytics
The GDPR is complex, with dozens of articles featuring rules and standards that businesses need to meet to remain privacy-compliant. Piano Analytics aims to simplify the understanding of some of the core components of the current privacy regulations so businesses can confidently assess what analytics solution is right for them.
Transparency on the processing of data
Article 5 of the GDPR states that "Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject", so companies need to provide complete clarity over how they collect, process and use data.
Piano Analytics is fully committed to respecting user privacy and promoting the fundamental values of data protection—with full disclosure over how we collect, process and use data, both on our websites and those of our customers using our digital analytics solution.
All Piano Analytics’ data is processed and stored in the EU. This is a contractual commitment we have obtained from our providers and one we make in turn to our customers.
Piano’s definition of personal data
The GDPR’s official definition of personal data (Article 4(1)) is "any information relating to an identified or identifiable natural person", where an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier. Together with the Article 5 requirement that personal data be processed lawfully, fairly and transparently, this means that all website and app publishers who gather personal data need to set out precisely how this information is collected and used.
Piano Analytics is explicit in the information we give to our customers for their end users and ensures that this information is easily accessible and expressed clearly. We provide our customers with a Data Processing Agreement (DPA) defining the roles and responsibilities of each party, as well as specific privacy-related technical functions that help them choose the right strategy for the processing of personal data.
Clear end-user rights
The GDPR contains numerous articles designed to protect data subjects’ rights, and they are enforceable against every company working under the regulation. These include the rights of access, rectification, erasure, restriction of processing and data portability, and the right to object (Articles 15 to 21). They are designed to give people genuine control over their personal data and the ability to retrieve and manage it at any time.
As a GDPR-compliant solution, Piano Analytics clearly sets out how it complies with the regulations in terms of the end rights of its users. Our DPA makes specific provisions for end-user rights in terms of all of the rights cited above.
Simple opt-out management
User consent for the processing of their data is one of the pillars of the GDPR, and the regulation requires it to be "opt-in". Consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and the data subject must be able to withdraw it at any time (Article 7). Silence, inactivity or pre-ticked boxes do not constitute consent (Recital 32).
Piano Analytics has clear 1st party opt-out methods available for platform owners to implement. If necessary, a third party link is also available. Through this we offer audiences an easy way to opt out from data tracking that is straightforward, user-friendly and compliant with the GDPR.
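To make the opt-in rules above concrete, here is a small consent gate written as an added example for this article; it is not Piano Analytics code and does not use the Piano API. It assumes a `storage` object with the `localStorage` shape and two placeholder callbacks, `hooks.load` and `hooks.unload`, standing in for whatever starts and stops a vendor’s tracker. The default state is "no consent", a call that is not tied to an explicit user action is rejected, and withdrawal takes effect immediately.

```javascript
// Added example, not code from Piano Analytics or from the original page.
// A minimal consent gate that follows the opt-in rules quoted above:
//  - the default state is "no consent": silence, scrolling and pre-ticked
//    boxes never count as a "yes";
//  - consent is granted only by an explicit user action and is recorded
//    with a timestamp so the site can demonstrate when it was given;
//  - consent can be withdrawn at any time, and withdrawal stops the tracker.
// Assumptions: `storage` is any object with the localStorage getItem/setItem/
// removeItem shape, and `hooks.load` / `hooks.unload` are callbacks that start
// and stop the vendor's tracker (placeholders here, not a real vendor API).

const CONSENT_KEY = "analytics_consent_v1";

function createConsentManager(storage, hooks, now = () => Date.now()) {
  // Read a previously stored decision. Anything that is not a well-formed,
  // explicit "granted" or "denied" record (missing, corrupt, tampered) is
  // treated as "unknown", which for tracking purposes behaves like "denied".
  function readRecord() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      if (rec && rec.status === "granted" && typeof rec.at === "number") return rec;
      if (rec && rec.status === "denied") return rec;
    } catch (_) {
      // corrupt record: fall through to "no consent"
    }
    return null;
  }

  let record = readRecord();
  let trackerLoaded = false;

  function loadTracker() {
    if (!trackerLoaded) { hooks.load(); trackerLoaded = true; }
  }
  function unloadTracker() {
    if (trackerLoaded) { hooks.unload(); trackerLoaded = false; }
  }

  // Only a stored, explicit "granted" decision starts the tracker on page load.
  if (record && record.status === "granted") loadTracker();

  return {
    status() { return record ? record.status : "unknown"; },
    isGranted() { return record !== null && record.status === "granted"; },

    // Wire this to the click handler of an "Accept" control. The `source`
    // argument is deliberately required so that a call from a page-load or
    // scroll handler (implied consent) is rejected rather than silently accepted.
    grant(source) {
      if (source !== "user_click") {
        throw new Error("consent requires an explicit affirmative action");
      }
      record = { status: "granted", at: now(), source };
      storage.setItem(CONSENT_KEY, JSON.stringify(record));
      loadTracker();
    },

    // Withdrawal must be as easy as giving consent: one call, no argument,
    // and it takes effect immediately.
    withdraw() {
      record = { status: "denied", at: now() };
      storage.setItem(CONSENT_KEY, JSON.stringify(record));
      unloadTracker();
    },
  };
}

// In-memory stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Walk through the lifecycle with a fake tracker that records what happened.
function demo() {
  const events = [];
  const hooks = { load: () => events.push("load"), unload: () => events.push("unload") };
  const storage = memoryStorage();

  const cm = createConsentManager(storage, hooks, () => 1700000000000);
  const before = cm.isGranted();        // false: nothing has been clicked yet
  let impliedRejected = false;
  try { cm.grant("page_load"); } catch (e) { impliedRejected = true; }
  cm.grant("user_click");               // explicit action: tracker loads
  const after = cm.isGranted();         // true
  cm.withdraw();                        // tracker unloads immediately

  // A second page view reads the stored "denied" decision and stays silent.
  const again = createConsentManager(storage, hooks);
  return { before, impliedRejected, after, final: again.isGranted(), events };
}
```

In a real page, `storage` would be `window.localStorage`, `hooks.load` would inject the tracker script and `hooks.unload` would remove it and clear its cookies. The point of the `source` check is that the only code path that can write a "granted" record is the one attached to the user’s click, which is what makes the consent demonstrably an affirmative action rather than an inferred one.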
Support to help you comply
As well as the transparency covered above, Article 28 of the GDPR requires a provider that acts as a processor to assist its customers. Acting as a processor, an analytics solution must make available to its customers, who are the controllers responsible for the processing, all the information they need to demonstrate their compliance.
It is therefore essential to work with a solution that is on your side, has clear and accessible documentation and contacts who are there to help you ensure the compliance of your solution.
Keep your business compliant with the GDPR with Piano Analytics
Piano Analytics has a long-standing commitment to respecting user privacy and promoting the fundamental values of data protection. We are fully compliant with the GDPR and crystal clear about how we collect, process, store and use data, both on our websites and on those of our customers using our digital analytics solution.
Piano Analytics is the first solution to have been accredited by the CNIL and is GDPR compliant. Interested in learning more about how Piano Analytics can keep your data compliant? Request a demo today!