Using Google Analytics would be a GDPR violation, according to Austria

The Austrian data protection authority has reached its decision: the use of Google Analytics goes against the GDPR.


The use of Google Analytics questioned following several complaints

The Austrian authority considers the use of Google Analytics to be a violation of the GDPR (General Data Protection Regulation). This decision comes after several complaints filed by the Austrian NGO NOYB (None Of Your Business), which highlighted non-compliance with the “Schrems II” judgment of the CJEU (Court of Justice of the European Union) dating from 2020. As a reminder, this judgment invalidated the data transfer regime between the EU and the United States, that is, it rejected the Privacy Shield agreement.

“It is a very detailed and wise decision. The bottom line is that companies can no longer use US cloud services in Europe. It has been a year and a half since the Court of Justice confirmed it a second time, so it is high time that the law was also applied,” underlines the president of the NGO NOYB.

Indeed, many companies in the EU use Google Analytics and have transmitted their data to Google, which allows the data to be processed in the United States. Today, the Austrian data protection authority considers that this behavior constitutes a violation of EU law.

Another development on the same issue has just been made public: on Tuesday, the European Data Protection Supervisor (EDPS) concluded that the European Parliament had not complied with the legislation by authorizing cookies from Google Analytics and Stripe. According to the EDPS, it did not take the necessary steps to ensure that data transfers to the United States comply with the Schrems II judgment referred to above.

The CJEU decision partly ignored by American companies

During the proceedings, Google admitted that “All data collected via Google Analytics […] are hosted (i.e. stored and further processed) in the United States”, which means that this also applies to European users.

“Instead of tailoring services to be GDPR compliant, US companies have simply tried adding text to their privacy policies and ignoring the court of law. Many EU companies have followed suit instead of moving to legal options,” said Max Schrems, Honorary Chairman of NOYB, in a statement.

Similar actions could be taken in other EU countries

Since 2020, NOYB has lodged a total of 101 complaints in almost all EU countries. The NGO expects similar decisions to be taken in other states.

As Max Schrems points out, EU data protection authorities have coordinated their response to issues regarding data transfers. Actions from other EU countries are therefore likely, and they will directly impact the use of US cloud services in the coming months. One to watch closely!
