Austria: Website in breach of GDPR by transferring Google Analytics data to the US

Austria’s Data Protection Authority has decided that an Austrian website using the free version of Google Analytics is in breach of the GDPR data transfer rules and Schrems II, as personal data may become exposed to US intelligence agencies.

The authority says that any penalty would be set against the website and not Google, which is regarded as a “processor” in this case. The DPA’s view is that using Standard Contractual Clauses, even with supplementary measures, did not guarantee a safe transfer of data to the US. It concludes that the Google Analytics tool (at least in the version dated 14 August 14 2020) cannot be used in accordance with the requirements of Chapter V GDPR (transfers of data to third countries).

The Netherlands’ DPA also has its eye on Google Analytics, as it is currently investigating two complaints about the use of Google Analytics in the Netherlands.

The DPA decision from Austria, especially if followed by fellow EU DPAs, has huge significance as most EU-based websites use Google Analytics as their statistics program.

This is the first decision of the 101 model complaints filed by noyb in the wake of the Schrems II decision.

See the decision by Austria’s DPA