European analytics: why the replacement conversation is accelerating

The enforcement period that changed the calculation

The shift in the European web analytics market began in December 2021, when the Austrian data protection authority issued the first formal finding that the use of Google Analytics on European websites constituted an illegal transfer of personal data to the United States under GDPR. The finding was based on the Schrems II ruling — the Court of Justice's 2020 judgment invalidating the Privacy Shield framework and establishing that data transfer mechanisms to the US require a case-by-case assessment of whether US surveillance law creates real risk for EU data subjects. The Austrian authority concluded that Standard Contractual Clauses were insufficient to address that risk given the breadth of US intelligence gathering authorities, and that the transfer should stop.

What followed over the next eighteen months was a series of equivalent findings from the French CNIL, the Italian Garante, and the Danish Datatilsynet, each reaching the same conclusion about Google Analytics through their own procedural processes. The coordination was not accidental — the findings were the output of a taskforce established by the European Data Protection Board specifically to address coordinated enforcement across EU member states.

By mid-2023, the legal position for European businesses using Google Analytics without a documented and defensible transfer mechanism was clear. The tool had been found, by multiple supervisory authorities with enforcement powers, to constitute an illegal data transfer in its standard configuration. The EU-US Data Privacy Framework, which entered into force in July 2023, addressed some of the underlying legal basis by providing a new transfer mechanism. What it did not address is the risk of invalidation — the Framework is a third attempt at a legal structure that has been struck down twice, and the legal challenge filed by NOYB in August 2023 is working through the courts with a ruling expected within the next eighteen months.

What EU-native analytics provides that legal mechanisms cannot

The legal mechanism debate — whether SCCs or the Data Privacy Framework provide sufficient basis for transfer — matters for companies whose core operations depend on US-based infrastructure. For a European company managing a marketing or product analytics stack, the more practical question is whether the entire transfer mechanism management exercise is necessary at all.

EU-native analytics platforms process analytics data on EU infrastructure by design. Plausible Analytics, incorporated in Estonia, and Simple Analytics, based in Amsterdam, are fully cookieless — they produce accurate traffic data without personal data collection, which removes both the GDPR transfer question and the consent management overhead that cookie-based analytics requires. Piwik PRO, based in Wrocław, serves the enterprise segment with session tracking, conversion attribution, and custom event recording on EU infrastructure, with ISO 27001 and SOC 2 certification for procurement requirements. Pirsch, a small German team, provides a developer-oriented cookieless tool for operators who want accurate data without compliance overhead. Mouseflow, founded in Copenhagen in 2010 and profitable, adds session recording and heatmaps to the EU-native stack for teams who need behavioural data alongside traffic data.

The shift from managing a legal risk to removing it structurally is a meaningful difference in a procurement context. Every quarter spent monitoring DPF litigation, maintaining transfer mechanism documentation, and managing the possibility of another Privacy Shield-style invalidation is a quarter that organisations using EU-native tools do not spend.

The AI dimension that was absent from the original enforcement period

The EU AI Act's Article 50 transparency obligations, enforceable from 2 August 2026, add a layer to the analytics choice that did not exist in 2022. Analytics platforms incorporating AI features — automated anomaly detection, AI-generated traffic summaries, predictive audience segmentation — become AI systems in the Act's meaning when those features are in active use. The data those features process and the outputs they produce fall within the Act's scope.

A European operator using a US-based analytics platform with AI features enabled faces both the GDPR transfer question and the emerging AI Act requirements simultaneously. EU-native platforms whose processing remains within EU jurisdiction remove the GDPR transfer layer entirely, leaving only the AI Act compliance question — which is more tractable when the data and the system operate under European jurisdiction with a clear audit trail.

The practical state of the market

The analytics market has absorbed the enforcement period without the disruption that was predicted in 2022. The EU-native alternatives are mature products, not compliance workarounds. The cookieless tools — Plausible, Simple Analytics, Pirsch — produce data that is, in practice, more accurate than consent-subjected GA4 data, because cookieless measurement does not suffer from the systematic undercount that results when users decline tracking. The enterprise tools — Piwik PRO, Mouseflow — carry the feature depth and certification posture that enterprise procurement teams require.

The tools exist. The legal risk of not using them is actively enforced. The replacement conversation is no longer about ideology or preference. For a substantial portion of the European market, it is about when the risk becomes manageable only by addressing it at the source.