EU GDPR law

The legal basis of the statistics service Google Analytics is proving shaky across the EU. The Austrian data protection censor has determined that the use of Google Analytics' on websites in the European Union is not compatible with the General Data Protection Regulation (GDPR). Now the Dutch Authority for Personal Data (AP) has warned: Please note: The use Google Analytics' may soon be banned.

Google Analytics is a free service providing websites with detailed information about usage such as key information about how many users a site has and which pages they are reading. The websites allow Google to place cookies on their behalf that allow Google to track websites visits. It is that tracking that may transgress GDPR rules and note that it also one of the reasons for those silly cookie consent pop-ups that merely serve to train web users to mindlessly click on any pop-up that impedes their viewing.

The Dutch data protection censor has updated its Google Analytics privacy-friendly setup guide and has announced that it is investigating two complaints about the use of Google Analytics in the Netherlands. The AP would like to conclude this investigation in the near future, namely early 2022. Then itwill be able to say whether Google Analytics is allowed or not.

Meanwhile Germany and Austrian data protection censors are also wrestling with a related case. A complaint about data usage by an Austrian website spilled over to Germany when the website withced to Germany. The censors are now debating both the data complaint and the jurisdiction issues.

The GDPR is a reprehensible and bureaucratic law that is impossible to fully comply with, and dictates an onerous process of risk assessments that are enforced by inspection and audits. It is not the sort of thing that you would wish on your grandmother. So the law makers built in an important exclusion such that the law does not apply to the processing of personal data by a natural person in the exercise of a purely personal or household activity.

But now a Dutch court has weighed in and decided that this important exclusion does not applying to posting family pictures on the likes of Twitter.

The court got involved in a family dispute between a grandmother who wanted to post pictures of her grand children on social against the wishes of the mother.

The court decided that the posting of pictures for public consumption on social media went beyond 'purely personal or household activity'. The details weren't fully worked out, but the court judgement suggested that they may have taken a different view had the pictures been posted to a more restricted audience, say to Facebook friends only. But saying that such nuance doesn't apply to Twitter where posts are by default public.

The outcome of the case was that the grandmother was therefore in the wrong and has been ordered to remove the pictures from her social media accounts.

But the horrible outcome of this court judgement is that anyone posting pictures of private individuals to Twitter must now register as a data controller, so requiring submission to the full bureaucratic nightmare that is the GDPR.