In July 2020 the Court of Justice of the European Union (CJEU) declared the European Commission’s Privacy Shield Decision invalid. This was due to invasive US surveillance laws which meant that under GDPR, transfers of personal data were illegal. This decision became known as the Schrems II decision. Following on from this we have seen the wider impact of the decision taking hold throughout 2022.
Over the course of the year, we have seen European countries speak out against Google, specifically Google Analytics. These countries’ data protection agencies have investigated websites using Google Analytics and found it to be unlawful. The problem with the analytics program is that all data is eventually transferred and stored in the US. But once this data is transferred it is no longer protected in the same way that it is in the EU. The biggest concern for the CJEU is that US surveillance agencies have unrestricted access to any personal data held by a controller or processor.
See the below for the timeline of developments.
Timeline of Events
Court of Justice of the European Union finds Privacy Shield invalid. Known as Schrems II decision.
Austria’s data protection authority finds websites using Google Analytics to have violated GDPR.
France’s data protection authority announces use of Google Analytics is illegal.
The CNIL considers that these transfers are illegal and orders a French website manager to comply with the GDPR and, if necessary, to stop using this service under the current conditionshttps://www.cnil.fr/en/use-google-analytics-and-data-transfers-united-states-cnil-orders-website-manageroperator-comply
Liechtenstein’s authority releases guidance stating businesses need to find an alternative to Google Analytics.
DSS considered it difficult to justify the personal data transfer associated with Google Analytics to the USA… The DSS therefore calls on those responsible to use data protection-compliant web analysis toolshttps://www.datenschutzstelle.li/aktuelles/google-analytics-und-der-datenschutz
Italy’s Privacy Guarantor says use of Google Analytics must stop.
The website that uses the Google Analytics service, without the guarantees provided by the EU Regulation, violates data protection legislation because it transfers user data to the United States, a country without an adequate level of protection.https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9782874
Denmark concurs that use of Google Analytics cannot be considered lawful.
Our conclusion is that the tool cannot, without more, be used lawfully.Makar Juhl Holst, Senior Legal Advisor at the Danish Data Protection Agency, https://www.datatilsynet.dk/english/google-analytics/use-of-google-analytics-for-web-analytics
This article will be updated with any further developments. Last updated 10/11/2022.
Does your business interact or target EU residents?
Are you using Google Analytics?
Getting caught violating GDPR can be costly.
Contact us today to find out how we can help you make sure your analytics programs are compliant.