DPA Decision on D155.027, 2021-0.586.257.

Created by Thomas Hörantner, LL.M. | Business Law

The use of the Google Analytics data analysis tool by a website operator constitutes a violation of the General Data Protection Regulation (GDPR).

1. Background

As part of a complaint procedure, the Data Protection Authority (DPA) investigated the compatibility of Google Analytics and the General Data Protection Regulation (GDPR).

The background to this was that, when a website was accessed, personal data was transmitted to Google servers in the USA via the Google Analytics tool. Under U.S. law, intelligence agencies can inspect this data.

Following a decision by the European Court of Justice[1], 101 complaints were filed across Europe against the use of Google Analytics on European websites. Due to the high number of complaints, the European Data Protection Board set up a task force to enable uniform processing of complaints in Europe.

 

[1] ECJ 16.7.2020, C-311/18, Data Protection Commissioner / Facebook Ireland Limited and Maximilian Schrems

 

2. The decision of the data protection authority

  • The DPA stated in the decision that personal data (such as IP address or browser parameters) were transmitted by the website operator to Google's servers, which are located in the USA.
  • Since the ECJ's decision on Schrems II[1], a data transfer to the USA can no longer be made on the basis of the adequacy decision ("Privacy Shield").
  • Standard data protection clauses concluded between the website operator and Google would not provide adequate protection within the meaning of the GDPR, as Google is subject to constant control by the US intelligence services on the basis of US law.
  • Even contractual, organizational and technical measures taken beyond this would not have been effective enough to eliminate the possibilities of surveillance and access by the U.S. intelligence services.
  • As a result, in the opinion of the data protection authority, this data transfer to Google constituted a breach of the general principles of data transfer set out in Article 44 of the GDPR.

 


 

3. Consequences of the decision

It should be noted that the DPA's decision is not yet final. However, it can be assumed that the decision will be appealed.

The DPA has not yet decided on a possible penalty. The GDPR provides very high penalties of up to € 20 million or up to 4% of the total worldwide annual turnover of the preceding business year for violations of Art 44 GDPR.

Against this background, it would in any case seem reasonable for operators of websites that work with web analytics tools to look into alternative European providers of web analytics tools.

It is quite conceivable that - due to the aforementioned European cooperation in the processing of complaints - the data protection authorities of other member states will make similar decisions.