February 3 2022

Does Google Analytics violate the GDPR? Illegal Google Analytics in Europe?

Austrian DSB: The use of Google Analytics violates the “Schrems II” decision of the CJEU.

Google Analytics is one of the most widespread and popular services on the web: it is used by almost all websites, and even the social network Facebook (one billion users) relies on it. But how can it guarantee compliance with the new European data protection regulations?

Last year Google updated its Privacy Policy to comply with the GDPR: in particular, it implemented a new tool to let people know what data is collected and how it is used. The information is now more detailed and explicit.

Google Analytics, however, would not comply with the European rules on data transfer, considering the technical, organizational and contractual measures adopted by Google to be insufficient: the question is contextualized in the activities subsequent to the Schrems II judgment which declared the Privacy Shield agreement between Brussels and Washington illegitimate.

For the same reason, the EDPS recalls that Google Analytics must be considered a "processor" pursuant to Article 28 of the GDPR, but also stresses that this does not mean that it is subject to all the provisions of that regulation. Indeed, if a company wishes to process personal data on behalf of another entity (in this case Google), then it must ensure that there are appropriate safeguards for adequate protection of such data (Articles 32-36).

In the wake of this decision, the Austrian authorities have asked Google to comply with the provisions of the General Data Protection Regulation (GDPR) adopted in 2018, so that users can obtain access, rectification or deletion and data portability.

To this end, Google had to provide a copy of all data processed on behalf of each user.

The DSB authority has already published a first inspection report on the subject. The conclusions are devastating for Google, which would not respect European rules on data transfer. Indeed, the EDPS recalls that the Schrems II judgment declared the agreement invalid "Privacy Shield"Between the EU and the United States regarding transfers of personal data. The EDPS therefore invites Google to make further efforts to comply with European standards.

What is the Privacy Shield and when was it abolished?

The GDPR Privacy Shield is an agreement that allows us to send your data to the United States.

The GDPR Privacy Shield is a new framework for transatlantic data flows between the US and the EU. It is a "privacy shield" because it protects personal data when it is sent from the EU to US companies. The agreement replaces an old framework, called a "safe harbor", which has been used by thousands of US companies since 2000. safe harbor was abolished because it was not strong enough to protect information.

The GDPR privacy shield works differently than safe harbor. Use stronger enforcement powers and stricter policies for US companies handling EU citizen data. This will ensure that your personal information is handled well and used only for legal reasons.

The GDPR Privacy Shield went into effect on July 12, 2016, but has been controversial ever since. In September 2017, EU privacy regulators decided the deal isn't strong enough to protect people's information. They said they would take action to suspend the deal if no more changes were made by September 2018.

What are the risks and penalties for those who do not comply with the GDPR?

First of all, we need to think from the point of view that if there are violations, it is likely that there may be repercussions and sanctions.
For example, here is a recent list of events:
June 9, 2021: Italian Privacy Guarantor blocks the PagoPA Spa IO app also for exporting data outside the EU (also using Google Cloud regardless of the server location in Europe or in the USA).
December 15, 2021: non-EU data export block to Germany for US technology use in the service chain for managing consent to cookies.
December 22, 2021: in Austria the Guarantor blocks Google Analytics considering it goes against the GDPR for the same reason.
After 1.5 years from July 16, 2020, the date on which the European Court of Justice invalidated the US Privacy Shield, European companies still largely did not understand the trend.

The GDPR is a big deal. In fact, the fines can be huge - up to 4% of a company's global annual revenue or € 20 million, whichever is greater. You don't want to risk violating the GDPR, which means you need to know what it says and how it applies to your business.

The General Data Protection Regulation (GDPR) is a regulation by which the member states of the European Union establish common data protection standards for European citizens regarding the collection of personal data. It also regulates the export of personal data outside the EU.



Do you have doubts? Don't know where to start? Contact us!

We have all the answers to your questions to help you make the right choice.

Chat with us

Chat directly with our presales support.


Contact us by phone during office hours 9:30 - 19:30

Contact us online

Open a request directly in the contact area.


Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.

Red Hat, Inc. owns the rights to Red Hat®, RHEL®, RedHat Linux®, and CentOS®; AlmaLinux™ is a trademark of AlmaLinux OS Foundation; Rocky Linux® is a registered trademark of the Rocky Linux Foundation; SUSE® is a registered trademark of SUSE LLC; Canonical Ltd. owns the rights to Ubuntu®; Software in the Public Interest, Inc. holds the rights to Debian®; Linus Torvalds holds the rights to Linux®; FreeBSD® is a registered trademark of The FreeBSD Foundation; NetBSD® is a registered trademark of The NetBSD Foundation; OpenBSD® is a registered trademark of Theo de Raadt. Oracle Corporation owns the rights to Oracle®, MySQL®, and MyRocks®; Percona® is a registered trademark of Percona LLC; MariaDB® is a registered trademark of MariaDB Corporation Ab; REDIS® is a registered trademark of Redis Labs Ltd. F5 Networks, Inc. owns the rights to NGINX® and NGINX Plus®; Varnish® is a registered trademark of Varnish Software AB. Adobe Inc. holds the rights to Magento®; PrestaShop® is a registered trademark of PrestaShop SA; OpenCart® is a registered trademark of OpenCart Limited. Automattic Inc. owns the rights to WordPress®, WooCommerce®, and JetPack®; Open Source Matters, Inc. owns the rights to Joomla®; Dries Buytaert holds the rights to Drupal®. Amazon Web Services, Inc. holds the rights to AWS®; Google LLC holds the rights to Google Cloud™ and Chrome™; Microsoft Corporation holds the rights to Microsoft®, Azure®, and Internet Explorer®; Mozilla Foundation owns the rights to Firefox®. Apache® is a registered trademark of The Apache Software Foundation; PHP® is a registered trademark of the PHP Group. CloudFlare® is a registered trademark of Cloudflare, Inc.; NETSCOUT® is a registered trademark of NETSCOUT Systems Inc.; ElasticSearch®, LogStash®, and Kibana® are registered trademarks of Elastic NV Hetzner Online GmbH owns the rights to Hetzner®; OVHcloud is a registered trademark of OVH Groupe SAS; cPanel®, LLC owns the rights to cPanel®; Plesk® is a registered trademark of Plesk International GmbH; Facebook, Inc. owns the rights to Facebook®. This site is not affiliated, sponsored or otherwise associated with any of the entities mentioned above and does not represent any of these entities in any way. All rights to the brands and product names mentioned are the property of their respective copyright holders. Any other trademarks mentioned belong to their registrants. MANAGED SERVER® is a trademark registered at European level by MANAGED SERVER SRL, Via Enzo Ferrari, 9, 62012 Civitanova Marche (MC), Italy.

Back to top