The Austrian body in charge of data protection, the equivalent of the CNIL in France, judges illegal use of Google Analytics and contrary to the General Data Protection Regulation (GDPR). According to Austria, European companies that use Google Analytics allow Google to transfer their users’ data to the United States, despite the illegal nature of this transfer.
Google Analytics in the sights of European authorities
Following the Schrems II judgment of July 16, 2020, taken by the Court of Justice of the European Union (CJEU), the Austrian NGO Noyb (None of Your Business), founded by activist Maximilien Schrems, filed 101 complaints in several Member States of the Union. At the time, the Austrian NGO accused 101 European entities, 6 of which are French, of unlawfully transfer data to the United States. Today, the Austrian Data Protection Authority (DPA) joins the dance and considers that this behavior indeed constitutes a violation of European law.
Political crisis in Kazakhstan weighs on cryptocurrency miners
In the sights of the Austrian authority: Google Analytics. According to the regulator, the American giant would have partially ignored the cancellation of the “Privacy Shield” agreement by the Court of Justice of the Union in 2020. Like all data from Analytics are hosted in the United States, European users are also affected by this data collection. Hundreds of European companies use Google Analytics, and therefore always transmit their data collected to Google.
A first sanction in Austria
The Austrian authority points the finger at a German publisher, whose head office was initially in Austria, which was precisely the subject of Noyb’s complaint. During the case, the German publisher asked Google to immediately delete all collected data with Google Analytics. The configuration error related to the IP anonymization function has also been corrected and Google has confirmed that the personal data has been deleted. For the time being, the Austrian authority has not imposed any fines following this decision.
According to Maximilien Schrems, similar decisions are expected in other Member States of the European Union. The European Data Protection Supervisor (EDPS) could even follow Austria’s lead. The founder of Noyb specifies that “The main thing is that European companies can no longer use American cloud services. It is now a year and a half since the Court of Justice confirmed this for the second time, so it is high time for the law to be applied”.
For its part, Google estimates that “Internet users want the websites they visit to be well designed, easy to use and respectful of their privacy. Google Analytics helps merchants, governments, NGOs, and many other organizations understand how their sites and apps perform. It is these organizations, not Google, that control the data collected..