EU Data Protection Agencies Find that Google Analytics’ Data Transfers to the US Violate the GDPR

Two separate enforcement proceedings, by the European Data Protection Supervisor (EDPS) and the Austrian Data Protection Authority (DPA), have found that the use of Google Analytics for the processing of data of EU data subjects violates the GDPR because it leads to the unlawful transfer of data to the United States.

The EDPS’s investigation into Google Analytics was prompted by a complaint filed by European parliament members and the Austrian privacy association NOYB (founded by Max Schrems), against the European parliament whose website uses the services of Google Analytics. The EDPS concluded that personal data processed by Google Analytics was indeed transferred to the US, and held that online identifiers provided by users’ devices, such as IP addresses, can lead to the identification of data subjects, particularly when combined with other information. The EDPS clarified that transfer of personal data to the US must be carried out as per the Schrems II decision of the Court of Justice of the European Union, which requires data controllers to implement effective supplementary measures to ensure an essentially equivalent level of protection for the personal data transferred. Such supplementary measures were not presented by the European parliament, and it was therefore found to have violated the GDPR.

The Austrian DPA also investigated a separate complaint filed by NOYB, alleging that Google Analytics’ supplementary measures for data transfers to the US are insufficient. The Austrian DPA found that so long as the personal data is transferred to the US in a readable “clear text” form, the supplementary measures implemented by Google are not satisfactory because US intelligence and enforcement agencies could still access and use the data.