According to the Austrian privacy regulator, Google Analytics is in violation of European privacy legislation. The service sends users’ IP addresses and cookie data to the US, which the watchdog says is prohibited under the GDPR.
According to the Austrian privacy watchdog, IP addresses and cookie data fall under personal data and may therefore not be transferred to the United States according to the privacy law, writes privacy foundation noyb. In defense, Google said it has sufficiently encrypted user data, but according to the Austrian watchdog, the measures taken by the search giant are not effective for preventing espionage from the US. It is unclear whether sanctions will be taken, writes noyb, that is independent of this procedure.
It is the first ruling in one of 101 charges against data transfers to the US that the privacy foundation filed in 2020 with several European privacy regulators. Complaints have also been submitted in the Netherlands and Belgium; these include the websites of Marktplaats, PostNL, Thuisbezorgd, Neckermann, Bpost. It is not known whether these have been taken into consideration by the Dutch and Belgian regulators and what their status is.
According to Max Schrems, the chairman of noyb, this decision means that companies can no longer use US cloud services in Europe. “It has been more than a year and a half since the Court of Justice confirmed this for a second time, so it is good that it is now being enforced.”
According to noyb, this decision has consequences for all European websites. “The fact that regulators are now gradually declaring US services illegal means that EU companies and US providers will feel more pressure to start using safe and legal options, such as hosting outside the US.” Schrems says he expects more EU Member States will make such decisions. “Ultimately we will either get adequate protection in the US, or separate products in the US and EU.”