Google Analytics Determined to Breach GDPR Rules Covering Data Transfers to Third Countries

The Austrian and French Data Protection Authorities (Datenschutzbehörde and Commission nationale de l’informatique et des libertés, or CNIL) have both ruled this year that the use of Google Analytics is not compliant with the General Data Protection Regulation (GDPR).

The Austrian DPA ruled in January 2022 that the use of Google Analytics by an Austrian website was illegal, as personal data was sent by the Google Analytics platform to the United States and could be provided by Google to US authorities. The issue is due to the Schrems II ruling in 2020 that signaled the end of the EU-US Privacy Shield, under which EU data could be transferred to US companies that were certified.

The Austrian DPA said in its decision over the case that the Austrian website used Google Analytics for tracking website visitors and provided personal data to Google. The website operator maintained that personal data was not transferred to the United States, but had failed to properly anonymize the IP addresses of website visitors or ask visitors to consent to data transfers to Google. The decision does not make the use of Google Analytics in Austria illegal as such, only establishes that it can be illegal in certain cases.

In February, CNIL similarly ruled that the use of Google Analytics by an unnamed website was illegal as it violated Article 44 of the GDPR, which prohibits transfers of personal data outside the EU unless the recipient country has appropriate data protection laws. As was the case in Austria, the transfer of data to the US was not permitted as personal data could be provided to US authorities under data surveillance laws.

It is unclear at this stage if a financial penalty will be issued, but the website owner has been instructed to stop using Google Analytics under the current conditions and has been given one month to comply. CNIL determined that the supplementary measures announced by Google to ensure the privacy of EU citizens’ data while it is transferred to the US were inadequate and that the data could still be provided to US authorities, which posed a risk to French website users.

As was the case with the Austrian DPA decision, CNIL does not prohibit the use of Google Analytics on French websites, but if the platform is used, only anonymous statistical data can be transferred. Alternatively, other data analytics tools could be used that do not transfer personal data outside of the EU.

CNIL has also announced that it is currently evaluating website audience measurement services to determine which would be exempt from the need to obtain user consent and is likely to issue guidance on the platforms that are considered to be GDPR-compliant in the future.

While these cases involve Google Analytics, there are implications for users of other website tools that transfer non-anonymized data outside of the EU. That means that all tools that transfer data to US companies pose a regulatory risk, and the use of those tools could put companies at risk of a fine for non-compliance. CNIL is currently investigating the use of Facebook Connect, which has been the subject of multiple complaints.

“It’s interesting to see that the different European Data Protection Authorities all come to the same conclusion: the use of Google Analytics is illegal. There is a European task force and we assume that this action is coordinated and other authorities will decide similarly,” said Max Schrems, founder and honorary chair of noyb.