In a recent ruling, the Austrian data protection regulator declared the use of Google Analytics unlawful under the EU General Data Protection Regulation (GDPR). While the ruling is very specifically argued and worded, its implications go well beyond this particular case.
At the heart of the Austrian regulator's ruling, which hinges on a 2020 judgment of the European Court of Justice, is the argument that transmitting personal data to the US violates the requirement that such data receive adequate protection, because US surveillance law gives US authorities access to it.
The Second Respondent [Google], as a provider [of] electronic communications services within the meaning of 50 US Code §1881, is, as such, subject to surveillance by US intelligence agencies pursuant to 50 US Code §1881a ("FISA 702").
Section 702 of the Foreign Intelligence Surveillance Act (FISA) establishes that any non-US person located abroad can be the target of surveillance, without any special requirement such as being a suspected terrorist, spy, or agent of a foreign power. FISA also regulates how US government agencies such as the NSA, FBI, or CIA can compel service providers, e.g. Apple or Google, to hand over transferred data directly.
This is not the whole story, though. The Austrian regulator also considers that the additional measures taken to protect the data, such as encryption at rest in Google's datacenters, are not effective, since they do not remove the ability of US intelligence services to monitor and access the data. From a security-engineering standpoint this follows directly: encryption at rest only protects against a party that cannot obtain the key, and when the provider itself holds the key and can be compelled to produce it, the measure does not change who is ultimately able to read the data.
This is a serious blow to the usual argument major US-based companies make that they reasonably protect the data they receive from their customers. In effect, the Austrian DPA is saying that EU personal data transferred to the US do not receive adequate protection, regardless of what the service provider may attempt to do.
While the Austrian DPA's ruling applies only within Austria, it rests on the aforementioned judgment of the European Court of Justice (ECJ), which essentially struck down the idea of an adequate "Privacy Shield" between the EU and the US. It is therefore reasonable to expect the Austrian ruling to be mirrored in other EU countries.
It is not clear at the moment how US-based cloud service providers could change the way they handle their EU-based customers' data so as to comply with the GDPR, and it is certainly appropriate to wait and see how they attempt to do so. Still, EU-based companies whose audience is mostly in the EU may want to start considering alternatives that offer higher privacy standards.
This may include services and tools hosted and/or developed in the EU by European companies. For web analytics, for example, alternatives to Google Analytics include Fathom, Plausible, and SplitBee, among others. The list of alternative services and tools developed in the EU is much longer, though, and spans a number of categories, including SaaS, monitoring, VPNs, CDNs, and more.
Although not yet final, the Austrian DPA ruling is only the latest step in a dispute that has been going on for at least 15 years and has already seen the invalidation first of the "Safe Harbor" framework and then of the "Privacy Shield".