About Us
Global Law Experts Logo
Global Law Experts Logo

Find a Global Law Expert

Practice Area


Since 2010, the Global Law Experts annual awards have been celebrating excellence, innovation and performance across the legal communities from around the world.

Use of Google Analytics Declared Illegal: Update on the Emerging Saga

posted 2 years ago

After receiving multiple complaints from various privacy activists, including Max Schrems’ organisation, ‘NOYB’, data protection authorities across Europe, also following in the steps of the European Data Protection Supervisor, launched investigations to assess and determine the legality behind the continued use of Google Analytics, one of the most commonly used US-based services by European controllers for analysing website traffic through statistical reviews. Dr Naomi Schembri, an associate at City Legal, provides a brief overview of the decisions issued so far and of future expectations in connection to this emerging saga.

As many of our readers may know – particularly anyone owning a website – Google Analytics is a service that may be integrated by operators into their websites for business development and marketing purposes, with its most popular functions being, amongst others, the generation of statistical data and website traffic analysis. For the website owner to reap the benefit of this service, Google Analytics must collect data from every website user through the placement of tags (which can also be used to set cookies), into the code of each web page. This will enable the collection and transfer of data from the web browser of each website user to Google’s servers – most of which are located in the US – where such data is stored and further processed. Google Analytics will then use this data to generate reports for the website owner indicating information such as session durations, number of users, clicks per user, page views and user interaction with the website.

Over the past months, Google Analytics and its mother company, Google LLC, have been placed under close scrutiny within Europe for their questionable data protection practices. Privacy activists, such as Austria-based ‘NOYB’ and ‘Panoptykon Foundation’ in Poland, filed multiple complaints with data protection authorities all over Europe against the tech giant and the European controllers making use of Google Analytics service, lobbying for an investigation to be launched into the legality of transfer of personal data from the EU to the US in light of the GDPR and the CJEU’s ‘Schrems II’ ruling in July 2020 invalidating the US ‘Privacy Shield’.

Three major decisions have so far been rolled out as a consequence of such complaints:

1. On 5 January 2022, the European Data Protection Supervisor (‘EDPS’), the competent authority responsible for overseeing compliance with data protection laws by European bodies, reprimanded the European Parliament for its use of Google Analytics on its COVID-testing website. The EDPS confirmed that, particularly in its failure to implement effective technical and organisational measures, the European Parliament neglected to ensure an adequate level of protection prior to transferring personal data to Google in the US through the use of cookies on its website. The problem with such transfers is that no proper protections against US surveillance laws are yet in place, which means that US surveillance agencies may request US service providers, such as Google, to provide and grant access to data which they hold that may be considered ‘foreign intelligence information’: a practice which runs counter to the GDPR.

2. The decision of the EDPS was closely followed by another landmark ruling pronounced by the Austrian Data Protection Authority (‘DSB’). On 13 January 2022, the DSB declared that the use of Google Analytics and the consequent transfer of data from the EU to the US is illegal as it violates the GDPR. Whilst Google has largely been relying on the use of ‘Standard Contractual Clauses’ to continue its business within the EU, and further claimed that it had actually implemented more robust technical and organisational measures following the ‘Schrems II’ decision, the DSB proceeded to rule such measures to be completely worthless against US surveillance laws.

3. A few weeks after the DSB’s ruling, the French Data Protection Authority (‘CNIL’) issued a decision whereby it similarly considered the use of Google Analytics and data transfers to the US to be illegal and proceeded to order a French website operator to do what it takes to bring its processing operations in line with the GDPR. The CNIL also went as far as to suggest that the operator is to stop using the Google Analytics functionality under its current terms and conditions or to find an alternative service provider which does not require the transfer of data outside of the EU. In a press release issued by the CNIL on 10 February 2022, the authority observed how “although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services”. The operator, which remained unnamed, has one month to comply with the CNIL’s decision.

Now that the effects of the ‘Schrems II’ decision are being felt by controllers within the private sector, with European data protection authorities declaring US services as illegal due to their non-compliance with European data protection laws, it is expected that US service providers and European controllers forwarding user data to international processors will be further incentivised to consider and implement concrete and safer solutions ensuring an equivalent level of data protection offered in the EU. Possible alternatives may be considered such as, for example, hosting EU data outside of the US and opting instead for territories which are GDPR-compliant.

We shall be on the lookout for similar decisions from other data protection authorities in Europe which are expected to follow suit as the multiple complaints filed by privacy activists continue to be considered by the specialised taskforce established by the European Data Protection Board for this purpose back in 2020. Undoubtedly – while such decisions will impact US service providers and their EU customer base – the extent to which this is to happen remains to be seen, depending on the regulatory action which is taken (or otherwise) by the US legislator and appropriate security measures implemented to safeguard transferred data.

For more information on how we may assist with your data protection matters, please contact:

Dr Emma Grech, Partner – [email protected]

Dr Naomi Schembri, Associate – [email protected]

DISCLAIMER: The information contained in this document does not constitute legal advice or advice of any nature whatsoever. Although we have carried out research to ensure, as far as is possible, the accuracy and completeness of the information contained in this article, we assume no responsibility for errors or other inconsistencies herein.

Find the right Legal Expert for your business

The premier guide to leading legal professionals throughout the world

Practice Area
0 m+


who are already getting the benefits

Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.

Naturally you can unsubscribe at any time.

Newsletter Sign Up

About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Contact Us

Stay Informed

Join Mailing List