On 25 May 2018, the General Data Protection Regulation entered into force in the EU. Since then, it has attracted attention mainly through violations by large Internet companies. Now the Austrian data protection authority has uncovered the next GDPR violation in Google Analytics.
In the third quarter alone, penalties of almost one billion euros were imposed in the EU for violations of the GDPR. The frontrunner is Amazon’s European headquarters in Luxembourg with 746 million euros.
But the GDPR fines are also impressive in Germany. Since its introduction in 2018, around 69 million euros have been paid here for violations.
And Google also apparently does not adhere to the rules of the GDPR. This emerges from a judgment of the Austrian Data Protection Authority. Accordingly, Google Analytics violates the EU directives.
The GDPR violation of Google Analytics
Anyone who integrates the statistics tool Google Analytics on their own website violates the GDPR. The reason is the so-called Schrems II judgment of the European Court of Justice from 2020.
This states that personal data may not be transferred by US companies from the EU to a non-EU country. According to the data protection authority, the data transfer on Google’s analysis tool Analytics “does not have an adequate level of protection in accordance with Article 44 GDPR”.
By using Google Analytics, personal data reaches the USA. According to the Austrian Data Protection Authority, these include “unique user identification numbers, IP address and browser parameters”.
It is also particularly problematic that the standard safeguard clauses do not sufficiently protect against “surveillance and access possibilities by US intelligence services”.
The complaint of the data protection association Noyb
In August 2020, the data protection association Noyb had submitted a model complaint to the Austrian Data Protection Authority. The complaint related to an Austrian publisher and its implementation of Google Analytics.
Behind Noyb is the privacy activist Max Schrems. He founded the NGO in 2017. Since then, the association has caused inconvenience, especially to the large Internet companies.
On the very day the new General Data Protection Regulation was introduced, the Austrian lawyer and privacy activist filed lawsuits worth billions against Google, Facebook, Instagram and WhatsApp.
A complaint by the NGO was also the basis for a fine of 50 million euros imposed on Google by the French data protection authority CNIL.
What’s next for Google Analytics in the EU?
Whether Google now has to reckon with another million-dollar fine in the Analytics case is not yet clear, according to the data protection association Noyb.
Max Schrems, on the other hand, assumes that there will be a penalty. However, that is not apparent from the partial decision, since it ‘does not deal with that question’.
In the long term, we either need adequate data protection in the US, or we will end up with separate products for the US and the EU. Personally, I would prefer better protection in the U.S., but that’s up to U.S. lawmakers.
For Google, however, it could indeed be expensive. According to the Noyb communication, the GDPR provides for “penalties of up to 20 million euros or 4% of global sales”.