In the years since the implementation of the General Data Protection Regulation (GDPR) in 2018, the data protection NGO NOYB filed numerous complaints with EU data protection authorities against a number of European websites. NOYB believes the websites transfer personal data out of the European Economic Area in violation of the GDPR by using the US analytics tool Google Analytics.
One of the offending websites, telenor.com, is Norwegian and used to use Google Analytics. The Norwegian Data Protection Authority, Datatilsynet, investigated this case. The preliminary conclusion: The use of Google Analytics violated the transfer provisions of the GDPR.
Due to the high number of complaints about the use of Google Analytics at the European level, the European Data Protection Board (EDPB) has established a working group to coordinate the handling of complaints. The reason for this is that data protection authorities are required to interpret the General Data Protection Regulation in the same way throughout the EEA.
Data protection authorities in Austria, France and Italy, as well as the Data Protection Authority for the EU institutions (EDPS), have already ruled that the use of Google Analytics violates data protection rules. In addition, the Danish data protection authority comes to the same conclusion in a guide on the subject, and the Liechtenstein data protection authority has also been critical of the tool.
What happens now with Google Analytics?
If the Norwegian data protection authority also decides that the use of Google Analytics by the website in question violates the GDPR, this could also have consequences for other Norwegian websites. Therefore, the Norwegian authority reiterates its recommendation to consider alternatives to Google Analytics. More detailed information on what to expect from Norwegian websites will be available at the end of April at the earliest.
Universal Google Analytics or GA4?
At the time of the complaint, the website in question was using Universal Google Analytics. While the data protection authority has not commented on whether the same violations exist with Google Analytics 4 in this specific case. But as far as can be seen, Google Analytics 4 will not necessarily fix the problems identified by the data protection authority. In this context, it may be useful to refer to the guidelines of the Danish data protection authority, which state exactly this.
Quelle: datatilsynet.dk | NOYB
Update: In July 2023, the EU Commission approved the new EU-US Data Privacy Framework (DPF), removing many of the restrictions of Schrems II and making it much easier for organisations to transfer EU personal data to the US. However, the new framework will be challenged legally by NGOs (possible “Schrems III”). Therefore some legal uncertainty will remain until the Court of Justice of the EU (CJEU) rules on the matter. JENTIS Data Capture Platform enables future-proof GDPR-compliant tracking, regardless of the data privacy framework and potential challenges.
Any questions on how JENTIS can help your business? We look forward to your message!