Because Google could access data in plain text, the data wasn’t protected from potential surveillance, the body’s decision says. “This transfer was found to be unlawful because there was no adequate level of protection for the personal data transferred,” says Matthias Schmidl, the deputy head of the Austrian data regulator. He adds that website operators cannot use Google Analytics and be in line with GDPR.
At the moment, the decision applies only in Austria and isn’t final. Websites across Europe aren’t suddenly going to stop using Google Analytics. NetDoktor didn’t respond to a request for comment. “While this decision directly affects only one particular publisher and its specific circumstances, it may portend broader challenges,” says Kent Walker, Google’s senior vice president for global affairs and chief legal officer. In a blog post published on January 19, Walker says that the company believes the technical measures it has put in place protect people’s data, and that this kind of decision could impact how data flows across the “entire European and American business ecosystem.”
And this is just the beginning. When noyb filed the complaint against NetDoktor in August 2020, it also filed 100 other cases with other data protection authorities across Europe. “It’s not specific to Google Analytics. It’s basically about outsourcing to US providers in general,” Schrems says.
Regulators in 30 European countries are currently investigating the other cases, which cover both the use of Google Analytics and Facebook Connect, the company’s tool to link your account to other sites. Country-specific websites belonging to Airbnb, Sky, Ikea, and The Huffington Post are also subject to complaints. “The majority of these decisions will have the same or similar outcomes,” says Zanfir-Fortuna. This is likely, she says, as noyb used the same legal arguments for all of its cases, and in response data protection regulators formed a task force to discuss the legal issues. “We expect that this is going to mobilize country by country, wherever it drops,” Schrems says.
The Dutch data protection authority, Autoriteit Persoonsgegevens, says it is finalizing its investigation and hasn’t ruled out the possibility that the use of Google Analytics in its current form will be banned. In Germany, where data issues are regulated by region, Hamburg’s data protection authority received two complaints from noyb and says in one case the website has removed Google Analytics, so it “does not plan to issue any orders or a fine” in this case. It is still investigating the other case.
Despite coordination by data regulators, there may be some differences of opinion, says Simon McGarr, director of data compliance for Europe at McGarr Solicitors. “The Austrian position is probably at one end of a spectrum of opinion—and it would probably represent the most radical end,” he says, adding that other data bodies will either endorse, amend, or reject that line of reasoning. Disagreement across the EU’s 27 GDPR enforcers is not uncommon: Last year an Irish Data Protection Authority fine against WhatsApp was increased by €175 million after other regulators disagreed with the decision. McGarr says it’s possible other EU regulators looking at the noyb cases may come to different conclusions based on the facts of each case.