The Austrian Data Protection Authority has decided that the use of Google Analytics violates the General Data Protection Regulation (GDPR). Other EU member states could follow suit, as regulators cooperate in a task force in the European Data Protection Board.
The decision is based on several complaints that the Austrian NGO noyb filed in the wake of the European Court of Justice’s ‘Schrems II’ decision. The CJEU ruled that the US-EU data transfer agreement ‘Privacy Shield’ is not in line with EU data protection law and struck down the agreement in 2020, which rendered most data transfers to the US illegal.
However, the ruling has been partly ignored by Google. During the proceedings, the tech-giant admitted that “all data collected through Google Analytics […] is hosted (i.e. stored and further processed) in the USA,” which includes European users.
As many EU companies use Google Analytics, many have forwarded their data to Google, allowing it to be processed in the US.
The Austrian Data Protection Authority has now ruled that this behaviour constitutes a breach of EU law.
“Instead of adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options,” Max Schrems, honorary chair of noyb said in a statement.
“It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced,” Schrems added.
The decision by the Austrian authorities is only the first of 101 complaints that noyb filed in almost all EU countries. The NGO expects “similar decisions to now drop gradually in most EU member states,” Schrems said.
On Tuesday, the European Data Protection Supervisor reached a similar decision that said the European Parliament’s use of Google Analytics violates the GDPR.
(Oliver Noyan | EURACTIV.de)