UPDATE: Further EU DPA orders stop of Google Analytics

Data Transfers
 /  05 July 2022
101 complaints update

UPDATE: Further EU DPA orders stop of Google Analytics

The Italian DPA (GPDP) has joined the consensus shared by the EDPS, as well as the French and Austrian DPA and has banned the use of Google Analytics (GA). Following our 101 complaints on data transfers, the GPDP concluded that websites using GA collected user interactions and transferred user data to the US; a country without an adequate level of data protection, making said transfer unlawful.

Garante is fourth DPA to side with noyb on data transfers. The Italian DPA rendered the use of Google Analytics as illegal, as website operators using GA collected user data via cookies and transferred these to the USA. In determining that the processing was unlawful, the Italian DPA reiterated that an IP address is personal data and would not be anonymised even if it were shortened – given Google’s capabilities to enrich such data through additional information it holds.

EDPS sanctions Parliament on transfers. Early this year, the European Data Protection Supervisor (EDPS) issued a decision after a complaint was filed by noyb, confirming that the European Parliament violated data protection law on its COVID testing website. The EDPS highlighted that the use of Google Analytics violated the Court of Justice's (CJEU) "Schrems II" ruling on EU-US data transfers. The ruling marked one of the first decisions implementing Schrems II and paved the way for similar rulings.

Austrian DPA decision followed. After the Austrian DPA published their decision that rendered the use of GA as illegal for the first time, the DSB issued a second decision, declaring the use of Google’s IP anonymisation a useless protection measure for data transfers between the EU and the United States. The DSB also rejected the notion of a “risk based approach”, which Google had argued for and would allow the transfer of supposedly “low-risk cases”, e.g. when online-identifiers or IP-addresses are transferred.

French CNIL orders compliance. Only weeks after the Austrian decision, the French CNIL ordered three websites to comply with the GDPR and omit the use of Google Analytics. After receiving complaints from noyb.eu, the CNIL aimed at collectively drawing the consequence of the Schrems II judgment by the CJEU and highlighted the risk that American intelligence services would access personal data transferred to the United States if the transfers were not properly regulated.

National approaches despite European task force. The DPAs were planning to take a coordinated approach regarding noyb’s 101 complaints, but the installed taskforce didn’t seem to deliver: while the Italian, the Austrian and the French DPA thoroughly investigated the tools used to transfer personal data, the Spanish DPA dismissed a complaint because the website provider has removed Google Analytics from the website after the complaint. Similarly, the DPA of Luxembourg dismissed three complaints regarding data transfers to Facebook servers in the U.S, because the websites had removed the tools. So far, no DPA has rejected the material arguments of noyb or declared transfers legal.