Google Analytics illegal in Austria. The Austrian Data Protection Authority (“Datenschutzbehörde” or “DSB” or “DPA”) has ruled that Austrian website providers using Google Analytics are in violation of the GDPR.
This ruling stems from a decision made in 2020 by the Court of Justice of the European Union (CJEU) that stated that cloud services hosted in the US are incapable of complying with the GDPR and EU privacy laws. The decision was made because of the US surveillance laws requiring US providers (like Google or Facebook) to provide personal data to US authorities.
The 2020 ruling, known as “Schrems II”, marked the ending of the Privacy Shield, a framework that allowed for EU data to be transferred to US companies that became certified.
The tech industry was sent into a frenzy following this decision, but many US and EU companies decided to ignore the case. The choice to ignore is what landed one Austrian business in the DPA’s line of fire, damaging the brand’s reputation and possibly resulting in a hefty fine of up to €20 million or 4% of the organisation’s global turnover.
About the Austrian DPA’s Model Case
In this specific case, noyb (the European Center for Digital Rights) found that IP addresses (which are classified as personal data by the GDPR) and other identifiers were sent to the US in cookie data as a result of the organisation using Google Analytics.
This model case led to the DPA’s decision to rule that Austrian website providers using Google Analytics are in violation of GDPR. It is believed that other EU Member States will soon follow in this decision as well.
“We expect similar decisions to now drop gradually in most EU member states. We have filed 101 complaints in almost all Member States and the authorities coordinated the response. A similar decision was also issued by the European Data Protection Supervisor last week.” Max Schrems, honorary chair of noyb.eu
What does this mean if you are using Google Analytics?
If there is one thing to learn from this case, it is that ignoring these court rulings and continuing to use Google Analytics is not a viable option.
If you are operating a website in Austria, or your website services Austrian citizens, you should remove Google Analytics from your website immediately.
For businesses in other EU Member States, it is also highly recommended that you take action before noyb and local data protection authorities start targeting more businesses.
“Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options.” Max Schrems