Will the use of Google Analytics no longer be permitted?

20 Jan '22

Author(s): Nina Witt, Lars Boer

The Austrian Data Protection Authority (DSB) ruled on Thursday, January 13, 2022, that the use of Google Analytics (cookies) violates the General Data Protection Regulation (GDPR). This is mainly due to the transfer of personal data to the United States (US), which does not meet the requirements of the GDPR. Strikingly, the Dutch Data Protection Authority (Dutch DPA) has also posted a warning on its website that the use of Google Analytics may soon no longer be permitted. 

The DSB's decision followed one of 101 complaints filed by None of Your Business (NOYB) with various data protection authorities in Europe. NOYB filed these complaints following the European Court of Justice's Schrems II ruling, which made data transfers from Europe to the US (or other "third countries" outside the EEA) more complex. The DSB deemed the measures that Google had taken in that context insufficient to guarantee the level of protection required by the GDPR. This was partly because of the possibility for the US government to access processed personal data.

Possible impact

Many companies use Google Analytics to obtain statistical data on website visits. What the impact of the aforementioned development will be is not entirely clear yet. Given the warning issued by the Dutch DPA on its website, the fact that a task force has been established within Europe to discuss these NOYB complaints, and a recent similar message from the European privacy supervisor, it is reasonable to assume that the Dutch DPA will publish a similar view in the near future. This will probably also have an impact on the use of services provided by other parties established in the US.

NOYB's communication states that, according to NOYB, US service providers are currently largely failing to ensure the required level of protection. In NOYB's view, the use of these service providers should therefore be considered prohibited until the service providers (or the U.S. government) have implemented a significant change in data protection. European companies would thus probably be better off looking for European alternatives to these services (for now). However, we also identified a number of 'ifs and buts' whilst reading the decision, which may imply that the DSB's judgement might not be considered applicable in every situation. For instance, it is conceivable that on the basis of (properly regulated) consent and/or further limitation of the processing activities by Google, the use of Google Analytics and similar services could still take place. In this respect it is relevant to note that it has been indicated that there will be further examination of whether the Google services meet the requirements of the GDPR other than those for international transfer (the outcome of which may also be of importance in this regard).

What to do now?

The results of the Dutch DPA's investigation are expected "early 2022". Should the DPA indeed decide that Google Analytics may no longer be used, alternative solutions should be considered. It can do no harm to already map out which service providers your company uses that are based in the US (e.g. relating to the use of cookies). It may also be useful to consider whether there is a sufficient European alternative for these purposes. This way, if necessary, action can be taken quickly once the Dutch DPA comes to a decision. In addition, you could check whether you are actually using all the cookies placed on your website and whether your cookie banner and privacy and cookie statement are still up to date. For example, what do these documents say about the processing of personal data outside the EEA? Furthermore, it is wise to keep an eye on the publications of the Dutch DPA, because further developments will undoubtedly follow in the near future.

In any case, the Austrian decision emphasized that the controller (in most cases meaning: your company) is responsible for the export of personal data and therefore obliged to arrange this properly in accordance with the GDPR. This is nothing new, but because this can be complex, it is advisable - also more generally - to ask for legal advice about this.

Please do not hesitate to contact us to discuss what the most practical approach for your company may be, or if you have any other questions about cookies and/or international data transfers.

privacy@ploum.nl 

Contact

Attorney at law

Nina Witt

Expertises: IT-Law, Privacy law, Intellectual property rights, Cybersecurity, Food, Health Care & Life Sciences, E-health, E-commerce

Attorney at law

Lars Boer

Expertises: IT-Law, Privacy law, Procurement law, Cybersecurity, Technology, media and telecom, Commercial contracts
