In January 2022, the Austrian Data Protection Authority ruled that the use of Google Analytics violates EU privacy law. The complaint was brought by a non-profit organization called Noyb. The organization issued 101 complaints in almost all EU countries. Data Protection Authorities will deliver a judgment in the next 12 months. This happened in a context in which there is still no data transfer agreement between US and EU.
KJ-1 It is highly likely that other EU countries will declare the use of Google Analytics unlawful in the next 12 months.
- Google Analytics is a web analytics service that provides analytical tools for search engine optimization and marketing purposes. Companies use it mainly to track website performance and collect visitor insights. [source]
- In 2020, the non-profit organization Noyb brought a complaint before the Austrian Data Protection Authority. It argued that the use of Google Analytics is in violation of European Union’s General Data Protection Regulation (GDPR).
- In January 2022, the Austrian Authority ruled that the use of Google Analytics does not comply with GDPR rules. Its use is therefore unlawful. The reason for this decision is that US surveillance law requires providers to dispense personal data to US authorities. This goes against EU privacy safeguards (as declared by the Court of Justice of the EU). [source]
- The Austrian authority’s decision is only the first of 101 complaints that Noyb filed in almost all EU countries. It is highly likely that in the next 12 months similar decisions will follow in other Member States. [source]
- Google Analytics is the most used statistics programme in the EU. If EU data protection authorities will gradually declare the use of the service illegal, this will result in a complete ban of the service in the EU. Therefore, EU companies and US providers will have to move towards safer and legal alternatives. There seems to be two options. First, US providers will have to host foreign data outside of the EU. Second, EU businesses will have to use European cloud-based analytics services. [source]
KJ-2 It is highly unlikely that Google Analytics will be able to comply with GDPR rules in the next 12 months.
- The key compliance issue with Google Analytics with the GDPR is the collection of personal user data. More importantly, US surveillance law obliges providers such as Google, to allow US authorities to access personal data stored in US-based cloud serves.
- If the US and EU cannot agree on transfer of personal data, many companies including Google will use standard contractual clauses (SCCs), to safeguard data sent to the US. However, as Google Analytics cannot prevent US authorities from accessing personal data of EU residents, it would still violate the GDPR. [source].
- Therefore, it is highly unlikely that in the next 12 months Google Analytics will be able to comply with EU privacy law.
KJ-3 It is highly unlikely that the US and EU will conclude an agreement on data transfer in the next 12 months.
- In 2016, the EU Commission adopted the Adequacy Decision on the EU-US Privacy Shield. This decision allowed for free transfer of data to companies certified in the US under Privacy Shield. [source]
- In 2020, the Court of Justice of the EU invalidated the adequacy decision. Therefore, the US-EU agreement was declared to be no longer a valid mechanism to transfer personal data. The reason of the invalidation was that US law does not afford an adequate level of protection compared to the GDPR. This is because companies cannot guarantee that personal data would be protected from US intelligence. [source]
- In 2020 the EU Commission and the US Government started negotiations for a new agreement on data transfer. However, US officials have been reluctant so far to change the US law that obliges providers to provide personal data to US authorities.