Google Analytics violates the GDPR (in Austria)
We would like to inform you about current media reports (e.g. Heise) on the possibility of using Google Analytics:
According to the Data Protection Authority of the Republic of Austria, the use of Google Analytics violates the GDPR.
Although the Austrian authority considers the use of Google Analytics to be illegal, no German authority has adopted this view yet.
Even if this view should also become firmly established in Germany, Google Analytics would still be possible with legally compliant user consent.
Our evaluation of the news:
According to the currently published decision of the Data Protection Authority of the Republic of Austria, the use of Google Analytics on websites violates Article 44 of the GDPR.
One of the reasons given for this decision is that the personal data processed by Google Analytics (e.g. unique user identification numbers, IP address and browser parameters) are processed in the USA and are therefore subject to monitoring by US intelligence services.
In its further justification for its decision, the Austrian authority argues that monitoring by U.S. intelligence agencies cannot be ruled out by contractual arrangements between a website operator and Google Therefore, the level of protection required by Article 44 of the GDPR cannot be maintained in the case of processing outside the EU, meaning that the processing of personal data by Google Analytics violates the GDPR.
In addition to the data protection authority of the Republic of Austria, a decision concerning the permissibility of using Google Analytics for personal data on websites or apps is also expected from the Dutch authority.
In Germany, the Bavarian State Commissioner for Data Protection is currently dealing with an identical examination of the compatibility of the use of Google Analytics. A decision on this is not yet available.
Without statement by a German authority or court, the Austrian decision has no legal effect for data processing in Germany.
Following the previous statements of the German supervisory authorities on the processing of personal data outside the EU and in particular in the USA, it must be expected that the German supervisory authorities will also speak out against the permissibility of using Google Analytics without the consent of the users.
Outlook: : should such a decision be made in Germany in the future, the use of Google Analytics will still permissible with the consent of the website visitors. . You would then only have to expand the Google Analytics notice in the privacy policy to include a passage on the possible processing of this data in the USA by secret services. There are no binding requirements or guidance on this from the German supervisory authorities. If you already want to take precautionary measures, you can of course contact us at any time for text and implementation suggestions.
We keep a close eye on developments and will inform you immediately in the event of new German statements or rulings.