Austrian DPA: Google Analytics violates "Schrems II" decision by CJEU

The Austrian Data Protection Authority ("Datenschutzbehörde" or "DSB") has decided on a model case by noyb that the continuous use of Google Analytics violates the GDPR.

Background

In 2020, the Court of Justice (CJEU) decided that the use of US providers violates the GDPR, as US surveillance laws require US providers like Google or Facebook to provide personal details to US authorities. Austrian DSB decision is the first to be issued.

Data protection authorities may now gradually declare US services illegal, putting additional pressure on EU companies and US providers to move towards safe and legal options.

No penalty yet of Austrian DPA's decision

The GDPR foresees penalties of up to € 20 million or 4% of the global turnover in violation cases, but Austrian DPA's decision is not dealing with a potential penalty, as this is seen as a "public" enforcement procedure, where the complainant is not heard.

There is no information if a penalty was issued or if the DSB is planning to also issue a penalty.

How to keep compliant when using Google Analytics

UniConsent have a detailed article How to make your Google Analytics GDPR Compliant with UniConsent about the best practices of using Google Analytics on your website:

• Enable Google Consent Mode
• Collect Consent before collecting Google Analytics data
• Do not collect or use personal data if not required.
• Or use a privacy-frist analytics alternative solution like Pubperf Analytics

Reference

• Orignial Decision PDF
• DSB (Austria) - use of Google Analytics by an Austrian website in violation of Chapter V. of the GDPR

About UniConsent

UniConsent is a part of Transfon's privacy-first User Experience Platform serves tens of millions of users per day to provide a seamless privacy experience for both users and publishers in the age of post GDPR. Contact us to know more: hello@uniconsent.com