13. January 2022

Use of Analytics illegal

Google Analytics was found to be non-compliant in Austria

On January 13, 2022, the Austrian data protection authority published its decision on the compliance of the client-side standard implementation of Google Analytics. IP addresses and other personal data were transmitted to Google servers based on Google’s standard SCCs.

Even with the alleged “IP anonymization,” these measures were not sufficient to protect personal data from possible access by U.S. intelligence agencies.

According to the notice, “a violation of the general principles of data transfer pursuant to Art. 44 DSGVO” was upheld. This regulates the transfer of personal data to a third country, or to an international organization. In the specific case, at least “a unique user ID number, IP address and browser parameters” had been transferred to Google. This means that a unique user profile of the user can be created.

The “standard protection clauses” concluded with Google would not provide an “adequate level of protection,” for example, to eliminate “surveillance and access possibilities by U.S. intelligence services,” the authority writes in its justification. Google had previously argued that it had implemented various technical and organizational measures to protect data of European citizens from access by U.S. authorities.

More information


Is Google Analytics now taboo for us Europeans?

Which options you really have, if you want to continue using Google Analytics. An analysis by Thomas Tauchner.

Past Events

Google Analytics illegal?

The standard implementation of Google Analytics has been found NOT to be legally compliant. What to do now - the next steps


CNIL against client side Analytics

French data protection authority confirms non-conformity of client side GA