20 Jan '22
The Austrian Data Protection Authority (DSB) ruled on Thursday, January 13, 2022, that the use of Google Analytics (cookies) violates the General Data Protection Regulation (GDPR). This is mainly due to the transfer of personal data to the United States (US), which does not meet the requirements of the GDPR. Strikingly, the Dutch Data Protection Authority (Dutch DPA) has also posted a warning on its website that the use of Google Analytics may soon no longer be permitted.
The DSB's decision followed one of 101 complaints filed by None of Your Business (NOYB) with various data protection authorities in Europe. NOYB filed these complaints following the European Court of Justice's Schrems II ruling, which made data transfers from Europe to the US (or other "third countries" outside the EEA) more complex. The DSB deemed the measures that Google had taken in that context insufficient to guarantee the level of protection required by the GDPR. This was partly because of the possibility for the US government to access processed personal data.
Many companies use Google Analytics to obtain statistical data on website visits. The impact of this development is not yet entirely clear. Given the warning issued by the Dutch DPA on its website, the fact that a task force has been established within Europe to discuss these NOYB complaints, and a recent similar message from the European privacy supervisor, it is reasonable to assume that the Dutch DPA will publish a similar view in the near future. This will probably also have an impact on the use of services provided by other parties established in the US.
NOYB's communication states that, according to NOYB, US service providers are currently largely failing to ensure the required level of protection. According to NOYB, the use of these service providers should therefore be considered prohibited until the service providers (or the U.S. government) have implemented a significant change in data protection. European companies would therefore probably be better off looking for European alternatives to the services (for now). However, we also identified a number of 'ifs and buts' whilst reading the decision, which may imply that the judgement of (now) the DSB might not be considered applicable in every situation. For instance, it is conceivable that on the basis of (properly regulated) consent and/or further limitation of the processing activities by Google, the use of Google Analytics and similar services could still take place. In this respect it is relevant to note that it has been indicated that there will be further examination of whether the Google services meet the requirements of the GDPR other than those for international transfer (the outcome of which may also be of importance in this regard).
The results of the Dutch DPA's investigation are expected "early 2022". If the Dutch DPA does indeed decide that Google Analytics may no longer be used, alternative solutions should be considered. It can do no harm to already map out which service providers your company uses that are based in the US (e.g. relating to the use of cookies). It may also be useful to consider whether there is a sufficient European alternative for these purposes. This way, if necessary, action can be taken quickly once the Dutch DPA comes to a decision. In addition, you could check whether you are actually using all the cookies placed on your website and whether your cookie banner and privacy and cookie statement are still up to date. For example, what do these documents say about the processing of personal data outside the EEA? Furthermore, it is wise to keep an eye on the publications of the Dutch DPA, because this matter will undoubtedly be continued in the near future.
In any case, the Austrian decision emphasized that the controller (in most cases meaning: your company) is responsible for the export of personal data and is therefore obliged to arrange this properly in accordance with the GDPR. This is nothing new, but because this can be complex, it is advisable, also more generally, to ask for legal advice about this.
Please do not hesitate to contact us to discuss what the most practical approach for your company may be, or if you have any other questions about cookies and/or international data transfers.