European businesses face uncertainty over the use of a popular analytics tool from Google after a regulator found it breached privacy laws, the latest salvo by the European Union against big U.S. tech companies.
The ruling from Austria’s data-protection regulator, published last week, could upend business practices for companies across Europe as regulators in the 27 EU countries are also preparing legislation on social-media content. Lawmakers are set to vote this week on a draft of the bill, which includes provisions clamping down on targeted online advertising.
The Austrian regulator ruled that an Austrian website, which it didn’t name, violated the EU’s General Data Protection Regulation by using Alphabet Inc.’s Google Analytics, a tool that tracks how people use websites, and transferring personal data to the U.S. from the EU.
The decision is part of a long-running conflict between strict EU privacy laws and U.S. surveillance measures. The Austrian website used cookies to collect data such as IP addresses and other information that could identify users, and the information could potentially be accessed by U.S. intelligence authorities upon request, the regulator said.
The decision has implications beyond Austria. “I’m sure the practices of Google Analytics are pretty much the same across the EU, so they’d be infringing the GDPR across the EU,” said David Martin Ruiz, senior legal officer at the European Consumer Organisation, a Brussels-based advocacy group.
EU businesses could take several steps to comply with the decision. They could stop using Google Analytics and switch to European alternatives, or they could encourage Google and other U.S. technology providers to set up data centers in the EU in partnership with local businesses, ensuring that consumer data stay within the bloc.
“It’s a slippery slope towards European digital isolation. If Europe wants to become a global data hub you need to be connected with the outside world,” said Alexandre Roure, senior manager for public policy at the Brussels office of the Computer and Communications Industry Association, a trade group whose members include Google. “There are immediate effects for European and U.S. businesses,” Mr. Roure said.
The Austrian regulator rejected Google’s safeguards, including promises to challenge government requests for data. The Austrian website using Google Analytics hadn’t properly configured the tool to anonymize IP addresses, the regulator said. Despite that technicality, the regulator said an IP address is personal data because it can be combined with other information to identify a website user.
Google said in a blog post published Wednesday that it has “offered Analytics-related services to global businesses for more than 15 years and in all that time has never once received” the kind of demand for user data from U.S. national security agencies that the Austrian regulator considers a risk.
A Google spokesman referred to the blog post when asked to comment on the regulator’s decision. The blog post called for the EU and the U.S. to agree on a new data framework to keep information between them flowing. It didn’t say whether Google would appeal the ruling.
Jeroen Terstegge, a partner at Netherlands-based consulting firm Privacy Management Partners Coöperatie UA, said it can be tricky for companies to figure out which privacy protections apply to U.S. data transfers. “You never know exactly when the safeguards are sufficient,” he said.
The Austrian regulator’s decision is the latest rebuff of companies that transfer personal data to the U.S. In 2020, the EU’s top court ruled that Privacy Shield, a widely used arrangement for moving data across the Atlantic, was illegal. Since then, regulators have said companies must use alternative legal options and implement safeguards to ensure Europeans’ data is kept away from American government surveillance.
EU regulators have issued several rebukes to big U.S. tech companies in recent months. This month, France’s privacy watchdog fined Google $169 million and Meta Platforms Inc.’s Facebook $67 million for making it too difficult for website users to reject cookies, which are used to track their browsing behavior.
The Austrian regulator’s decision was published by NOYB, a Vienna-based privacy nonprofit—whose name stands for “None of Your Business”—that brought the complaint against the Austrian website. NOYB has said it filed 100 other similar complaints with EU regulators last year.
On Jan. 13, the same day that NOYB released the Austrian decision, the Dutch privacy authority said it was investigating two complaints into Google Analytics. “The use of Google Analytics may soon not be allowed,” the Dutch regulator wrote in an update to an online guide to using Google Analytics and respecting privacy.
Write to Catherine Stupp at Catherine.Stupp@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8