
Major concern for US firms using Google Analytics on EU located customers or users.


Many US firms selling into the EU will be aware of the commercial difficulties caused by the EU’s privacy legislation known as GDPR.  Its effects have been widespread, and have affected how US corporations, both large and small, sell their products and services into the EU.  Facebook and Google have been badly hit, but so have smaller US companies.


The latest news will be a huge disappointment across the board for US businesses.  After having to put cookie dashboards on their websites, appoint Data Protection Officers and legally mandated EU Representatives, and set out specific privacy policies in order to satisfy EU privacy regulators, US businesses now face further pressure from the EU.


The French privacy regulator (the CNIL), which along with the Irish privacy regulator (the DPC) is one of the most powerful regulators in the EU, has now issued a ruling that prohibits the transfer of EU personal data from the EU to the US via the Google Analytics tool.

This follows on from a similar ruling from the Austrian regulator early last month.


The Irish privacy regulator, the DPC, which is the lead privacy regulator for more US companies doing business in the EU than any other regulator, has yet to issue a ruling.


The case before the French CNIL was brought by Max Schrems, an Austrian privacy campaigner, who has already scuppered the two previous international agreements between the US and the EU for the transfer of EU data.


What can US companies do to secure their EU business?

Firstly, they need to take the obvious step of ensuring that their front-facing documentation and processes look compliant.  This will involve the appointment of an EU Representative and in many cases a Data Protection Officer (DPO).  The good news is that only the EU Representative needs to be based in the EU.  The DPO can be based in the US.


Secondly, they need to review their data handling practices to see if they can organise them in a way which makes it less likely that they fall foul of EU privacy law, or attract the attention of EU privacy regulators.  In most cases, this is possible, and can be done in a commercially sensible way.


The alternative is to risk GDPR fines of up to 4% of the gross annual turnover of the business.