On 22 December 2021, the Austrian data protection authority ruled:
“In the opinion of the data protection authority, the Google Analytics tool (at least in the version of 14 August 2020) can thus not be used in accordance with the requirements of Chapter V of the GDPR.”
According to this decision, the use of Google Analytics is not compatible with EU law. The background is that the US authorities potentially have access to all collected data and can identify the data subjects.
The use of Google Analytics is illegal even if standard contractual clauses are concluded with Google and users declare their consent via consent banners.
The German supervisory authorities came to the same conclusion in the new guidelines for telemedia providers (i.e. websites or apps) of 20 December 2021, just two days before the Austrian decision:
It should be noted that the mere conclusion of standard data protection clauses such as the standard contractual clauses adopted by the EU Commission is not sufficient. It must also be examined on a case-by-case basis whether the law or practice of the third country affects the protection guaranteed by the standard contractual clauses and whether, if necessary, supplementary measures must be taken to comply with this level of protection. Detailed instructions on how to proceed with the required assessment have been published by the European Data Protection Board. Especially in connection with the integration of third-party content and the use of tracking services, however, it will often not be possible to take sufficient supplementary measures. In this case, the services concerned may not be used, i.e. they may not be integrated into the website. Personal data processed in connection with the regular tracking of user behaviour on websites or in apps cannot, in principle, be transferred to a third country on the basis of consent pursuant to Art. 49 (1) (a) GDPR. The scope and regularity of such transfers regularly contradict the character of Article 49 GDPR as an exceptional provision and the requirements of Article 44 sentence 2 GDPR.”
The Dutch supervisory authority Autoriteit Persoonsgegevens (AP) reacted to this on 13.01.2022 with this warning:
“Attention: The use of Google Analytics could soon be banned.
In January 2022, the Austrian data protection supervisory authority closed an investigation into the use of Google Analytics on an Austrian website. According to the Austrian data protection authority, Google Analytics does not meet the requirements of the General Data Protection Regulation (GDPR) in this case. The AP is currently investigating two complaints about the use of Google Analytics in the Netherlands. After completion of this investigation in early 2022, the AP will be able to say whether Google Analytics is now allowed or not.”
(Translated by the author)
It is to be expected that other European supervisory authorities will follow the decisions of the highest German and Austrian data protection authorities, because the legal basis is the same throughout the EU.
Website operators in the EU who are currently still using Google Analytics are best advised to switch over as soon as possible. You can find tips on how to easily switch to etracker Analytics in our documentation and in this blog post.
Disclaimer
These comments do not constitute legal advice and cannot replace individual legal advice. They are a professional discussion and summary of the subject. If wanted, we will be happy to put you in touch with a specialist lawyer.