We originally wrote this blog in 2020. Since then, Google Analytics has fallen under further scrutiny in Europe. As such, we've refreshed this piece with up-to-date information to help guide your choice when adopting a new marketing automation or analytics system.
The BBC reported that a major agreement governing the transfer of EU citizens' data to the United States has been struck down by the European Court of Justice (ECJ). As such, we're advocating that companies should immediately begin avoiding US-based marketing automation systems.
Indeed, the EU-US Privacy Shield let companies sign up to higher privacy standards before transferring data to the US. Following this, a privacy advocate challenged this agreement, arguing that US national security laws did not protect EU citizens from the government's Big Brother behaviour.
Max Schrems, the Austrian behind the case, called it a "win for privacy".
This means companies will have to sign non-negotiable contractual clauses written by Europe for use in countries not limited to the US. In fact, this is a big slapdown for US-based platforms, including automated marketing systems.
Avoiding US-based marketing automation systems - Which ones?
Until now, this EU-US Privacy Shield let US organisations like HubSpot and Salesforce operate with little to no impact on their businesses even in the face of tightened EU privacy regulations. As such, the validity of this has been questioned by the EU Commission.
The SGPO (Swedish Government Procurement Office) said the use of such services from US entities is in direct breach of GDPR. Consequently, the Privacy Shield is designed for those US entities to transfer data lawfully from European citizens over to the States in such a way that is compliant with EU privacy laws.
So, this impacts most major US players in marketing automation including HubSpot, Salesforce and Marketo.
European companies who use any of the above for marketing automation or CRM services should be aware that your data entrusted to them is being both stored and replicated by and across your vendor's US-based data centres.
US-based email marketing services don't seem to be getting the same treatment yet. However, any sensible marketing agency based in Europe should move over to EU-based services now.
Two years on - 2022
The French data protection watchdog, the Commission Nationale de l'Informatique et des Libertés (CNIL), stated last week (February 2022) that Google does not guarantee GDPR-compliant data protection. It looked at the circumstances under which data is sent to the US through Google Analytics, a programme that tracks how many times a person visits a website.
After receiving no fewer than 101 complaints from NOYB in the 27 EU Member States and three additional European Economic Area (EEA) states against 101 data controllers allegedly transferring personal data to the US, CNIL and its European counterparts launched an investigation.
The European Court of Justice issued a significant ruling in 2020, raising the bar for the region's privacy watchdogs after the ECJ raised misgivings about American surveillance laws and the safeguards in place to protect people's data from unwanted access. The transfer of Internet users' data to the United States, according to CNIL, is in violation of Article 44 et seq. of the GDPR, which governs transfers of personal data to foreign countries or international organisations that do not provide similar privacy safeguards.
Despite Google's new procedures to govern data flow, the existing process is inadequate to prevent US intelligence agencies from obtaining the data, according to the report.
The CNIL ordered the website management under investigation to comply with the GDPR by either discontinuing usage of Google Analytics or switching to a method that does not entail data transfer outside the EU.
Last month, Austria’s data protection regulator similarly declared EU-US data transfers by Google Analytics to be unlawful. In early January, the European Data Protection Supervisor issued a decision finding that the European Parliament's use of Google Analytics on its COVID testing website was in violation of EU data protection law. As a result of these changes, Google Analytics services in the European Union may be phased out.
The solution? GDPR marketing automation systems
Matomo is an alternative to Google Analytics that safeguards your data and the privacy of your customers. It's a robust web analytics software that gives you complete control over your data. It's great because you have complete control over how and where your sensitive data is stored. Your customers will be grateful to you for protecting their sensitive personal information, and you get peace of mind knowing that your website is GDPR and CCPA compliant. You get more information, endless websites, API access, and other benefits with Matomo.
Mautic marketing automation
At its core, Mautic is an (open source) emailing tool with wider marketing automation capabilities. The programme includes all of the necessary capabilities, such as lead management, campaign management, contact and email management, and responsive email production. Mautic is currently the only self-hosted platform for marketing automation. This easily replaces the need for systems like HubSpot, Salesforce and Marketo.
And because Mautic is open source, its code is made public for the developer community to review and secure. The system remains solely in your control. Third parties do not have access to data-mine without clear and explicit consent given by your contacts.
We use it ourselves and we're proud to support trusted open-source systems whilst avoiding US-based marketing automation systems.