First Fine for Using Google Analytics in the EU

First Fine for Using Google Analytics in the EU

September 25, 2023

In some of our previous texts (available here and here) we wrote about Google Analytics – a popular service of Google company, which works on basis of cookie placement.

As a reminder, these cookies are of analytical nature, i.e., they are used for monitoring users’ behaviour on websites where Google Analytics is activated, which data are subsequently used to prepare reports that help the website owners to adjust content to users’ preferences, often to promote, i.e., sell goods and services.

Problematics of using Google Analytics

The Decision of the European Court of Justice of July 16, 2020 (so-called Schrems II ruling) invalidated the Privacy Shield – the legal mechanism used since 2016 as a basis for transferring data from the EU to the US. The latter arrangement was abolished due to the conflicted powers between the authorities established by the US regulations and the rights guaranteed in the EU. In other words, it failed to provide the subjects of data with protection before authorities, i.e., guarantees equivalent to those required by the EU regulations, such as independence in work and legal force of the decisions that would be binding upon the US intelligence services.

Upon the adoption of the stated decision of the European Court of Justice, the organisation of activists for privacy protection NOYB filed as many as 101 complaints (in nearly all EU member states) for unlawful transfer of personal data from the EU to the US, among other through Google Analytics.

This is for the reason that personal data collected through Google Analytics are stored on servers of Google company in the US, while their transfer represents processing of personal data to a place which lacked adequate level of data protection at that time.

A Swedish case

Upon NOYB complaint, the Swedish personal data protection authority has recently passed decisions against four companies and pronounced to one of them (telecommunication provider Tele2) one-million euro fine for using Google Analytics on its website.

This is the first decision whereby a personal data protection authority in the EU has not only established that personal data processing through the said Google service is unlawful and prohibited it, but also imposed a fine for its use.

The fine was pronounced because the acting authority found that so-called additional measures undertaken by Google in order to eliminate the stated shortcomings of the US regulations, to which it refers its business users from the EU, are nevertheless not enough to consider such data transfer lawful.

New legal framework for the transfer of personal data between the EU and the US

This decision was passed before the new legal framework, i.e., mechanism for personal data transfer between the EU and the US entered into force (we also wrote about this in one of our previous texts, available here).

Namely, on July 10, 2023, the European Commission adopted the Decision no. C (2023) 4745, which entered into force and started to apply on the day of its adoption and under which the US provide adequate, i.e., appropriate level of protection, comparable to the on in the EU, with regard to the transfer of personal data from the EU to the US companies, without the obligation to undertake additional protection measures.

In accordance with the new mechanism, the US companies, as data recipients, are subject to certification, by which they undertake to respect a series of rules, i.e., obligations, such as mandatory erasure of data once they become obsolete, providing continuous data protection in case of their sharing with third parties. The list of recipients certified so far is available here, and one of them is company Google LLC.

However, according to NOYB, whose founder Max Schrems achieved the invalidation of previous personal data transfer mechanisms between the EU and the US (rulings of the European Court of Justice known as Schrems I and Schrems II), this latest attempt to regulate the transfer of personal data between the EU and the US does not imply substantive, but only cosmetic changes, thus a challenging thereof before the European Court of Justice has been announced for the end of this or the beginning of the next year.

This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.