The Austrian Data Protection Authority (Datenschutzbehörde) has decided that the use of Google Analytics constitutes a violation of the GDPR. The Austrian privacy regulator ruled that when using Google Analytics, personal data (including user identifiers, IP addresses and browser parameters) are shared with Google in the US. Following the Schrems II ruling of the European Court of Justice, personal data may only be transferred to third countries if sufficient additional safeguards have been created. The user of Google Analytics in this case did not comply with this obligation.
Pursuant to the GDPR, personal data may only be transferred to countries outside the European Economic Area (EEA) if there is an adequate level of protection. That adequate level of protection can be ensured in various ways. In many cases, transfer to the US took place on the basis of the Privacy Shield. In the Schrems II judgment it was ruled that the transfer to the U.S. on the basis of the Privacy Shield is void because the U.S. does not offer a level of protection that is equivalent to the level within the European Union. Since June 2020, transfers to the US can only take place on the basis of approved binding corporate rules or the European Union's standard contractual clauses (SCC) provided that the transferring organization provides additional safeguards to ensure an adequate level of protection.
The Austrian regulator states that, although SCC have been concluded between the user of Google Analytics and Google and additional safeguards are in place, these are not sufficient given US surveillance legislation. The Austrian regulator writes on its website: "The measures implemented in addition to the standard data protection provisions were not effective from the point of view of the DPA, since they did not exclude the possibilities of surveillance and access by U.S. intelligence agencies identified by the ECJ." The use of Google Analytics therefore violates the GDPR. This ruling could have far-reaching consequences if this position is adopted by more regulators.
The Dutch counterpart of the Datenschutzbehörde, the Autoriteit Persoonsgegevens (AP), already published a manual for the privacy-friendly setup of Google Analytics a few years ago. That manual has now been updated with a notice that, in response to two complaints, the AP is investigating the use of Google Analytics in the Netherlands. The AP writes that in early 2022 it will indicate whether the use of Google Analytics is permitted or not. To be continued!
If you have any questions regarding this message, please do not hesitate to contact Caro Mennen or one of the other members of the privacy team.