Two first decisions on Google Analytics’ data transfers to the US

Following the “Schrems 2” decision from the Court of Justice of the European Union (CJEU) on 16 July 2020 invalidating the privacy shield((The Court of Justice invalidates Decision...

Following the “Schrems 2” decision from the Court of Justice of the European Union (CJEU) on 16 July 2020 invalidating the privacy shield((The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield (europa.eu).)), the European Data Protection Authorities (DPAs) are now taking the first “real world” decisions.  

A few weeks ago, the Austrian DPA decided that the use of Google Analytics is not compliant with the rules of the GDPR on international data transfers.((Standarderledigung Bescheid (noyb.eu).)) The French DPA (CNIL) just adopted the same approach in a decision((Utilisation de Google Analytics et transferts de données vers les États-Unis : la CNIL met en demeure un gestionnaire de site web | CNIL.)) requiring a website manager to stop using Google Analytics until sufficient measures to guarantee lawfulness of the data transfer to the US have been implemented. 

These decisions from the DPAs are in line with the CJEU decision, which stated that a data transfer to the US that falls under the US surveillance laws does not comply with the GDPR provisions relating to international data transfer, even though Standard Contractual Clauses (SCCs) would have been signed.  

Despite this decision by the CJEU, a lot of companies including  the GAFAM have largely ignored the practical consequences of the “Schrems 2” decision and continued transferring data, relying on SCCs without implementing effective safeguards against possible exercise of US surveillance laws.  

In response to this, a privacy advocacy NGO My Privacy is None Of Your Business (NOYB)((EU-US Transfers Complaint Overview | noyb.eu.)) has decided to take a hard line and filed 101 complaints with various DPAs.  In these complaints, NOYB has targeted major EU e-commerce and media websites using GA. No doubt decisions by the DPAs will have far-reaching implications as Google Analytics is one of the most commonly used statistics tool. Several complaints also target Facebook Connect, a very popular tool which enables login to third party websites from one’s Facebook account.  

Contact us for more good, clear, precise, advice.

Filter By

Must Reads

Subscribe to receive our latest articles

Follow Us

Related Posts

Imitation is the greatest form of flattery, but we don’t think so in this case.

We are aware of the phishing email that has been circulated to many people. Although we are not the firm mentioned in the phishing email you may have received, we’ve received several calls because of the similarity to our firm name so, unless you’d like to have a chat about other technology law matters, please don’t call us as we won’t be able to help. 

We know the firm in the phishing email is a genuine law firm, based in Cape Town, and we’ve alerted them to what is likely an impersonation scam.

If you’d like to learn more about phishing, click on the following link (we promise this is a legitimate link ) to watch this entertaining video we did eight years ago.