What’s happening with GDPR right now?

The big question of the last few years has been whether you can send personal data to the US or use American tools for collecting personal data. If you’ve missed all the back and forths and legal rulings, we have a quick summary below. You can also learn what GDPR is and how it affects collecting website data in general.

Nothing is currently happening regarding GDPR, though there are many uncertainties. The primary one is the future of the EU-US Data Privacy Framework, which is the sole reason American companies are allowed to handle personal data about EU citizens. The framework is questioned because it may not be sufficient to protect personal data, and many concerns were raised after the framework was reviewed in 2024.

Besides the framework, there are also proposed changes to GDPR that, if approved, would affect how data can be collected and handled.

This article will be updated as there is more news.

GDPR and the US – a quick history

2016

To replace the Data Protection Directive from 1995, the EU adopted the General Data Protection Regulation (GDPR) in April. In July, the EU-US Privacy Shield came into effect. The framework allowed for transfers of personal data to the US.

2018

After two years of implementation time, GDPR came into full effect as law in all EU countries.

2020

The EU Court of Justice ruled that the Privacy Shield couldn’t sufficiently protect personal data, making the framework invalid. The case is more popularly known as Schrems II, after the activist and co-founder of None Of Your Business (noyb) Max Schrems.

2022

Austria was the first country to ban the use of Google Analytics as a result of Schrems II, since the use now violated GDPR. France, Italy, and Denmark soon banned Google Analytics too.

At the same time, the EU and US agreed upon a new framework: the EU-US Data Privacy Framework (DPF). Later that year, US President Biden signed an executive order to implement the framework.

2023

In July, the Swedish Data Protection Authority decided that in four specific cases, the use of Google Analytics violated GDPR. That meant the use of Google Analytics was indirectly banned.

However, only a week later, the DPF was declared adequate. Personal data could once again be sent to the US or to US-controlled servers in the EU.

With that, all bans of Google Analytics became invalid.

The future for DPF?

The simple answer is: unknown. Soon after it was declared adequate, noyb announced they’d challenge the framework. This opens the door to a Schrems III.

At the same time, the framework rests on the executive order signed by Biden, which isn’t legislation and can therefore easily be overturned by the current president. Trump has already overturned many of Biden’s executive orders.

To further complicate things, the European Data Protection Board reviewed the framework in 2024. In its report published in November 2024, the conclusions include several concerns:

  • Lack of monitoring activities.

  • Insufficient guidance for DPF-certified companies, and some of the certified companies may not be aware of the requirements for lawful transfers of personal data.

  • More guidance regarding how to process HR data is also needed.

  • Safeguard recommendations presented by the PCLOB were not incorporated in the Reform Intelligence and Securing America Act passed in 2024, which was not viewed favorably by the board.

What is GDPR and why does it exist?

To protect the individual’s rights and control over their own personal data, the EU adopted GDPR, which came into effect in 2018. Prior to GDPR, companies were allowed to collect as much data as they could without asking for consent. That may sound harmless, and in many cases it was, but when you start combining data from many sources, you can suddenly learn an awful lot about an individual.

A common use case was advertising, which could then be very specific. For the company placing the ad, a very specific audience means a higher likelihood of them purchasing your products. For the ad company, being able to target a very specific audience meant you could charge more for the ads. Win-win, until you ask the audience whether they liked it too. A more harmful example is Cambridge Analytica, a consulting firm hired to use the extensive data collected from Facebook for political campaigns.

GDPR restricts how personal data is collected, handled, and stored. Personal data is any data that could be used to identify an individual, such as address, age, name, etc. In general, companies are no longer allowed to collect unnecessary personal data without consent, and the same applies to sharing that data with other parties. This only applies to EU citizens, but it means that every non-EU company collecting data about EU citizens has to comply with GDPR too.

Violating GDPR can be very costly, as the highest fine is either €20 million or 4% of global revenue, whichever is higher. On top of the fine, the data subjects have the right to seek compensation for damages. Meta Platforms Ireland Limited was fined €1.2 billion in 2023 for an insufficient legal basis for data processing, which is the highest fine to date.

How does GDPR affect website analysis?

To understand how your visitors use and experience your website, you need data from a representative population. However, you also need consent to collect analytics and survey data. Those two can be difficult to combine, as you can’t know whether the group of visitors who accept cookies is a good representation of all your visitors or whether there are differences between the two groups.

You can still track visitors without cookies, which means the data is fully anonymous and can be collected without consent. However, in order to fully anonymize the data, you also lose the connection between the data points, meaning you can’t dig deeper and segment your data. In other words, you have to choose between tracking every visitor with low data quality or tracking only some visitors with high data quality.

It’s also difficult to get an exact number for how many visitors reject cookies, but somewhere between 25-50% is a good estimate. That’s a lot of visitors, but in almost any other context, a sample of 50-75% would be considered a good sample size. The data you collect will still be good enough for your data analysis and help you improve your website. For surveys, an even smaller sample can be representative of all your visitors.