How European rulings imperil flagship Google product

Lax laws and sweetheart deals are becoming a thing of the past for big tech firms, particularly in Europe where a series of rulings is posing a major threat to one of Google's flagship products.

More than half of the world's websites use Google Analytics to help their owners understand the behaviour of users.

The software, which deploys cookies to track user behaviour, costs nothing in cash terms -- though the vast trove of data helps to fuel Google's massive profits.

However, in 2020 the framework overseeing how personal data is transferred from the EU to US was struck down by EU judges over concerns about snooping by US spy agencies.

Activists have since filed dozens of cases with regulators in Europe arguing that the tool breaches the fundamental rights of EU nationals.

Regulators in several countries have ruled in favour of the activists and declared Google Analytics incompatible with European data privacy regulation (GDPR). The rulings leave many European firms in a bind.

They can ditch Google and move to a privacy-compliant option that costs money, or wait it out and hope for a solution from Google, the regulators or the politicians.

On Friday, the US and EU announced they had agreed in principle a new framework to allow data transfers, but did not provide further details.

Austrian lawyer Max Schrems, who spearheaded the campaign to invalidate the previous agreements, wrote on Twitter that it seemed like another  "patchwork" approach with no substantial reform to US snooping rules.

"Let's wait for a text, but my first bet is it will fail again," he wrote.

Last week, Google said it would release a new version of its software that would not store IP addresses, the unique code that can identify individual computers. The US firm has also built data centres in Europe.

However, the impact of these potential fixes is unclear. Regulators have not yet commented.

"Data protection authorities do not have the solution," says Florence Raynal of French regulator CNIL, which has ruled against Google.

"That solution must be provided by governments at a political level."

US companies are subject to a law known as the Cloud Act that allows US security agencies to access the data of foreign citizens regardless of where it is stored.

Although Google has argued that the risk posed by the Cloud Act is theoretical, it nevertheless makes it difficult for US firms to comply with the GDPR.

Marie-Laure Denis, head of CNIL, which is seen as a leader whose rulings are followed by other regulators, summed up the dilemma at a conference of the International Association of Privacy Professionals (IAPP) in Paris last week.

She said of American companies that  "their business model should evolve, or the American legal framework should evolve".