The issue would be, that the website developers / their management contributes to the issue, by enabling partier to do that spying. If no data was send to another party, then spying on that data is much harder and probably unattractive for most use-cases. GA data becomes valuable through collecting from many many senders.
While the people doing the spying are already doing something ethically very questionable, the person deciding what data is collected on a webservice can still make the decision to contribute to the problem, or be vigilant about data protection.
So you are saying the US intelligence agencies have some unfettered access to all of GA data? Or that it is sent unencrypted and intercepted in transit?
It's not the DNS calls or phone companies that are more to worry about?
If US intelligence wants to have access, they will, via their law, as far as I understand. They will require Alphabet to give the data, Alphabet will get it from Google, and that is it. No need to listen or intercept anything.
Best thing you can do is not to make use of GA in the first place, so that no such data of visitors of your websites exists in Google infrastructure.
I think your understanding of US intelligence and forcing companies into compliance needs updating.
First, it is exaggerated, which is not surprising in today's media and outrage climate. Second, things have changed since Snowden and the congressional oversight had been rolled out. Third, GA is not that valuable compared to other sources.
Your chief complaining would be better spent about how Google uses the data rather than intelligence agencies.
Also note that Google fights against overly broad intelligence / police requests and publishes data on how many they get and comply with.
I agree, that one should be more worried about how Google uses the data.
I think I wrote about the US intelligence thingy, because it was closer to the topic. The question, why the court ruling went this way and what it rests on. If there was no possibility for the US to access the data, then Google could probably simply pinky finger swear, that they are not doing anything evil with the data and EU law might be fine with it.
Does it matter, whether the scenario is "exaggerated"? If it is possible, it needs to be considered by the law. Otherwise it might soon become less exaggerated and more reality than we would wish.
While the people doing the spying are already doing something ethically very questionable, the person deciding what data is collected on a webservice can still make the decision to contribute to the problem, or be vigilant about data protection.