In January, Austria’s data protection authority ruled that a local web publisher’s implementation of Google Analytics did not provide an adequate level of protection, on the grounds that U.S. national security agencies have a theoretical ability to access users’ personal data. While this decision covers only one particular publisher and its specific circumstances, we recognize it poses challenges to other Google Analytics customers who are concerned that the DPA’s logic could be applied to any U.S.-based analytics provider, and indeed any EU-U.S. user data transfers.
People increasingly rely on data flows for everything from online shopping, travel, and shipping, to office collaboration, customer management, and security operations. For these to continue, the European Union and the U.S. government must soon agree on a new data framework.
While we remain convinced that the extensive supplementary measures we offer to our customers ensure the practical and effective protection of data to any reasonable standard, we are committed to providing our customers with controls that allow them to determine what data is collected and how it is used, allowing them to meet their unique business and compliance needs. That’s why we are working to add additional controls that will allow customers to further customize the analytics data they collect, thereby enabling them to continue to use Google Analytics in a manner consistent with their compliance objectives. We plan to share further details in the coming weeks.
Update: May 19, 2022
Analytics now includes controls to manage the collection of granular location and device data and Google-signals data on a per-region basis.