Google Analytics has been deemed illegal by the EU DPA. Undicat is a British company, operated fully on European infrastructure.

May 18., 2022·4m 12s

EU GDPR Update

Website analytics are becoming an even greater issue as the Austrian DSB ruled against using Google Analytics. What are business owners’ options?
Levente Ludvig
Levente LudvigPRO
Share article

The European Union General Data Protection Regulation is the official regulation in EU law on privacy and security in the world. It went into effect on May 25, 2018, replacing the 1995 Data Protection Directive which was established at a time when the internet was in its infancy. They are in charge of protecting individuals’ data and have the power to order organizations to delete their personal data. Basically, data is everywhere and every aspect of our life revolves around data. From government, banks, and retailers, to social media companies. Different organizations have your name, address, credit card number, and more details about you. They collect, analyze, and store these details when you are registering for an application, trying to purchase things online, and so on. The GDPR is in place to give EU citizens more control over their personal data. It is in control of regulating the digital economy for both citizens and individuals.

What happened?

You may be wondering what led to the establishment of the EU GDPR. There was a case that happened on the 16th of July, 2020 where the CJEU (Court of Justice of the European Union) issued a verdict regarded as Schrems II. Here they examined the validity of the EU-US Privacy Shield in relation to the requirements of the GDPR.

The Shield being in place meant that data transfers across the Atlantic were considered to comply with European protection standards. It was later stated by the CJEU that the provisions of US laws did not meet the requirements that are essentially equal to those important under the EU law.

The transfers violate articles 45 to 49 of the GDPR. Articles 45 to 49 of the GDPR include several regulations to ensure that data transfers to third countries comply with EU data protection standards, such as adequacy decisions adopted by the EU.

This results into an argument as Google Analytics run on more than 85% of all websites would end up being illegal.

Due to that case, the Austrian Data Protection Authority (in German Datenschutzbehorde or DSB) disclosed the continuous use of Google Analytics to violate the GDPR in December 2021. This happened because noyb (none of your business), a European non-profit filed 101 complaints on 17th August 2020. These complaints were filed against Google Analytics and Facebook Connect integrations in web pages of EU controllers.

eu flag on a macbook


According to US law (FISA 702 and EO 12333), the US government is permitted to conduct targeted surveillance of foreign persons located outside the US, with the compelled assistance of electronic communication service providers, to acquire foreign intelligence information.

This law was passed in 2008 and it was essentially stated that all US-owned companies must act according to it. So, all the information including personal details, such as IP addresses is collected and stored. They may be used for surveillance and investigation, regardless of where the data is physically stored.

The consequences

Generally speaking, the EU is trying their best on making data and privacy protection much better for its citizens. The move to establish a safer website is still in progress, with Austria on the leading edge. However, more European countries are expected to join the train. Investigations have started in the Netherlands.

France’s Commission Nationale Informatique & Libertes is warning websites against using Google Analytics due to GDPR incompliances. Germany is also taking measures to ensure the transfer of data is safe, this is being currently done on a case-by-case basis called e-Tracker.

According to Simon McGarr, the director of data compliance for Europe, “The Austrian position is probably at one end of a spectrum of opinion and it would probably represent the most radical end”. He explained that Austria is unlikely to remain alone stating, ‘We expect similar decisions to now drop gradually in most EU member states. We have filed 101 complaints in almost all member states”.

A more thorough ban could easily change the landscape of the European web. Any company that stores or possesses data in the US could be severed by strict rulings.


The solution regarding website analytics is quite straightforward, avoiding any US-owned or based companies. Although as simple as this may sound, it is quite complicated. The problem is not about being non-US-owned, there are many other options available. The real challenge comes down to storing the data. The vast majority of these services use purely US-owned (or based) server providers.

This way, the collected data still ends up in the United States, where the cloud infrastructure is located and is subject to the Foreign Intelligence Surveillance Act mentioned above.

Choosing to anonymize data is not also a viable solution, as the IP address is still openly used for transfers due to HTTP messages. When you visit most websites these days, you first get the notification to accept cookies which in turn give them access to your data. Because of these cookies that have been widespread, the solution recommended above does not seem like a long-term fix. Explicit contents can only legally exclude occasional and necessary data transfers from GDPR laws.

The only way that solution stands is to establish the use of EU-based providers when it comes to European data and that is what we do here. So far, Austria has not introduced any kind of penalty for breaking these laws specifically, but one could easily be in the making. However, not strictly following GDPR rules has its own consequences. The fines can cost up to $20 million.

The Austrian DSB’s ruling does not affect Austrian websites, but any sites available in the country. So, nearly all companies will need to rethink their approach to website analytics.

What we provide

We are a small group determined to build a perfect solution to this problem by outstandingly managing the collected anonymized data. All this while staying 100% transparent. We guarantee that no European database records ever leave the EU. If you have questions, we recommend checking out this article about our data journey.

Share article

Simple, transparent and honest pricing

No contracts. No suprise fees.

Events / month200,000
Total sum:$2000/month
$2000/ month

Perfect for smaller businesses and for personal projects

Infinite data retention
Unlimited Seats
Unlimited Sites
$2500/ month

Perfect for larger businesses with a higher visitor count

Infinite data retention
Unlimited Seats
Unlimited Sites
$3000/ month

Tailored for agencies managing many sites

Infinite data retention
Unlimited Seats
Unlimited Sites

Can't find a suitable plan?

Contact us

We will find a suitable solution for you and your business

Fill the form

By signing up you agree to our privacy policy