Add to My interests
20 Jan '22
Nina Witt, Lars Boer,
The Austrian Data Protection Authority (DSB) ruled on Thursday, January 13, 2022, that the use of Google Analytics (cookies) violates the General Data Protection Regulation (GDPR). This is mainly due to the transfer of personal data to the United States (US), which does not meet the requirements of the GDPR. Strikingly, the Dutch Data Protection Authority (Dutch DPA) has also posted a warning on its website that the use of Google Analytics may soon no longer be permitted.
The DSB's decision followed one of 101 complaints filed by None of Your Business (NOYB) with various data protection authorities in Europe. NOYB filed these complaints following the European Court of Justice's Schrems II ruling, which made data transfers from Europe to the US (or other "third countries" outside the EEA) more complex. The measures that Google had taken in that context, were deemed insufficient by the DSB to guarantee the level of protection required by the GDPR. This was partly because of the possibility for the US government to access processed personal data.
Many companies use Google Analytics to obtain statistical data on website visits. What the impact of the aforementioned development will be is not entirely clear yet. Given the warning issued by the Dutch DPA on its website, as well as the fact that a task force has been established within Europe to discuss these complaints of NOYB, and a recent similar message from the European privacy supervisor, it is reasonable to assume that the Dutch DPA will publish a similar vision in the near future. This will probably also have an impact on the use of services provided by other parties vested in the US.
NOYB's communication states that, according to NOYB, US service providers are currently largely failing to ensure the required level of protection. Therefore, according to NOYB, the use of these service providers should be considered prohibited until the service providers (or the U.S. government) have implemented a significant change in data protection. Therefore, European companies would probably be better off looking for European alternatives to the services (for now). However, we also identified a number of ‘ifs and buts’ whilst reading the decision, which may imply that the judgement of (now) the DSB might not be considered applicable in every situation. For instance, it is conceivable that on the basis of (properly regulated) consent and/or further limitation of the processing activities by Google, the use of Google Analytics and similar services could still take place. In this respect it is relevant to note that it has been indicated that there will be further examination on whether the Google services meet the requirements of the GDPR, other than those for international transfer (which outcome may also be of importance in this regard).
In any case, the Austrian decision emphasized that the controller (in most cases meaning: your company) is responsible for the export of personal data and therefore obliged to arrange this properly in accordance with the GDPR. This is nothing new, but because this can be complex, it is advisable - also more generally - to ask for legal advice about this.
Please do not hesitate to contact us, in order to discuss what the most practical approach for your company may be, or in case you would have any other questions about cookies and/or international data transfers.
Attorney at law
IT-Law,Privacy law,Intellectual property rights,Cybersecurity ,
Food,Health Care & Life Sciences,
IT-Law,Privacy law,Procurement law,Cybersecurity ,
Technology, media and telecom,
07 Sep 22
22 Aug 22
28 Jun 22
23 Jun 22
22 Jun 22
07 Jun 22
17 May 22
16 May 22
03 May 22
15 Apr 22
12 Apr 22
Stay up to date with the latest legal developments in your sector. Fill in your personal details below to receive invitations to events and legal updates that matches your interest.
For more information on how we use your personal information, please see our Privacy statement. You can change your preferences at any time via the 'Change your details' link or unsubscribe via the 'Unsubscribe' link. You will find these links at the bottom of every message you receive from Ploum.
Get all your tailored information with a My Ploum account. Arranged within a minute.
*This field is required
Follow what you find interesting
Receive recommendations based on your interests
Quick registration for knowledge events and Ploum Academy
Post comments on articles
We ask for your first name and last name so we can use this information when you register for a Ploum event or a Ploum academy.
A password will automatically be created for you. As soon as your account has been created you will receive this password in a welcome e-mail. You can use it to log in immediately. If you wish, you can also change this password yourself via the password forgotten function.