Is Google Analytics illegal in Hungary?

Date

European Center for Digital Rights has filed complaints against dozens of companies across the EU for using Google Analytics because it doesn't comply with the GDPR. Three of these companies are located in Hungary.

These complaints are still in progress, however the Swedish court has already ruled a fine of 1,000,000 EUR against Tele2 and 30,000 EUR against CDON for using Google Analytics on their websites. Other EU countries (such as Austria and France) have made similar decisions to declare that Google Analytics violates the GDPR. This means that companies using Google Analytics can be fined.

  1. Why are EU countries making Google Analytics illegal?
  2. Does the GDPR affect Hungary?
  3. GDPR: What's all the fuss about?
  4. Conclusions

Why are EU countries making Google Analytics illegal?

Google Analytics has been declared illegal in many EEA countries, such as France, Finland, Denmark, Italy, Austria, the Netherlands, and Norway. Courts in EU countries are adopting a similar approach to the GDPR, so it is possible that other countries will follow.

Courts declare Google Analytics illegal because of the CLOUD Act which allows U.S. federal law enforcement agencies to compel U.S.-based companies to provide requested data, regardless of whether the data is stored in the U.S. or on foreign soil, such as in the EU.

The other issue with Google Analytics is the transfer of personal data outside the European Union. The GDPR allows the transfer of personal data outside of the EU as long as the countries in question offer an adequate level of data protection, however the United States is not included in that list.

Does the GDPR affect Hungary?

The EEA GDPR applies to all 27 member countries of the EU, including Hungary, as well as to any company operating or targeting the Hungarian market. If you use Google Analytics and your websites target audience are Hungarian people - you may be in breach of the GDPR!

However, privacy-friendly Google Analytics alternatives exist. Swetrix allows you to collect important metrics without gathering any personal data. This way, you'll remain GDPR compliant, as GDPR doesn't apply to the data you process.

GDPR: What's all the fuss about?

The General Data Protection Regulation (GDPR) came into force on 25 May 2018, and now affects almost every business in the EU. The GDPR builds on the existing Data Protection Act of 1996, and places more importance on the handling of personal data. Now, all businesses and organisations must ensure that all personal data is stored securely and protected.

The recent wave of rulings regarding the legality of the use of Google Analytics in the EU is part of a broader issue regarding data transfers between the European Economic Area and the United States. According to the GDPR, the personal data of European residents can only be transferred to countries with an adequate level of data protection. The problem is that the US legal system allows the collection of personal data and surveillance (such as the CLOUD Act or FISA) on foreign citizens.

The EU and the US previously had two data transfer frameworks, Safe Harbor and Privacy Shield, which facilitated GDPR-compliant data transfers. However, in 2015 and 2020, the Court of Justice of the European Union (CJEU) declared EU-US data transfers illegal. This retroactive stance means that virtually all data transfers between the European Union and the United States from 2000 to 2023 were unauthorised.

The newly proposed "Trans-Atlantic Data Privacy Framework" appears to be a rehash of previous failed agreements. Despite claims of progress, little has changed in US law or the EU's approach, especially concerning FISA 702 surveillance and the protection of non-US individuals' rights. The negotiations between the EU and the US resulted in a one-page agreement in principle. However, this agreement fails to address key privacy concerns. Although the agreement includes cosmetic changes and renaming oversight bodies, it fundamentally lacks meaningful reform. As a result, data transfers and privacy rights remain in a precarious state. Legal challenges to this framework are expected, and its future remains uncertain as it heads back to the Court of Justice.

Following the CJEU judgement, the majority of EU companies continued their regular operations with US-based service providers. Nyob filed complaints in all 30 EU and EEA member states against 101 European companies which continued using Google Analytics or Facebook Connect services. Some complaints led to a decision not to use Google Analytics in several EU countries, such as France and Italy. Therefore, it is likely that other countries' Personal Data Protection Agencies will also rule against Google Analytics in a similar way.

Conclusions

In light of these developments, it's important to consider alternatives to Google Analytics that prioritise user privacy and compliance with GDPR regulations. Fortunately, such alternatives do exist and Swetrix is one of them.

We are a cookie-less service that allows you to get all the analytics insights you need without collecting personal information or tracking individual users. Here's a live demo page so you can see for yourself.

Unlike the tech giants, we charge an affordable price for our services, rather than offering them for free and then absurdly monetising the data. We provide a 14-day free trial without requiring payment details, and our pricing begins at only $5 per month. Feel free to give us a try.