Divergence Among EU Data Protection Authorities as Spanish DPA Rules that the Use of Google Analytics Does Not Breach the GDPR

2 minute read
January.17.2023

In a recent decision, the AEPD (the Spanish data protection authority) became the first EU Data Protection Authority to reject one of the 101 complaints filed by privacy activist organisation, NOYB, against 101 European companies regarding their use of the Google Analytics tool. The AEPD’s decision deviates from the positions previously adopted by the Austrian, French, Italian and Danish authorities.

Background:

The AEPD’s decision relates to a complaint made against the Royal Spanish Academy’s (RAE) (a public, not-for-profit institution tasked with safeguarding the Spanish language) use of Google Analytics on its Web site. In response to the NOYB complaint, RAE raised the following arguments:

RAE’s sole and exclusive purpose for using the tool was to fulfil its mission to guarantee the development and preservation of the Spanish language, rather than for any commercial or business gain.
For RAE to fulfil its objective, it was essential to use tools (such as Google Analytics) to gather statistical data. RAE also argued that it only had access to aggregated, statistical data and did not have access to the users’ IP addresses.
RAE claimed that no personal data was processed and that the only information that could identify a user would be that related to a random ID that Google gives to its users and that based on that information, RAE could not achieve reidentification of a user.
RAE had ceased its use of the Google Analytics tool on 3 December 2020.

Decision:

In response to the arguments raised by RAE, the AEPD ruled that it had found no evidence that RAE had infringed the GDPR and rejected NOYB’s complaint.

What does this mean in practice?

The AEPD’s decision demonstrates that it is not always the case that mere use of the Google Analytics tool is automatically deemed to constitute a breach of the GDPR. Whilst the AEPD did not provide any detailed analysis as to the specific reasons why it rejected the complaint, the decision perhaps signals a shift in diverging perspectives among EU data protection authorities as to the level of risk associated with the use of the Google Analytics tool. Companies should perhaps not take too much comfort though; this is one decision made in very specific circumstances. The tide of opinion amongst the EU data protection authorities remains set against the use of Google Analytics.

Authors

Colette Deamer Managing Associate, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

London

See my bio

D:+44 20 7862 4630
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Technology & Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Colette Deamer Managing Associate

London

Colette has experience working on multi-jurisdictional matters and advising clients on the development and implementation of privacy compliance strategies and documentation. She helps clients navigate complex data protection issues and provides practical advice, tailored to the client’s needs. She has also advised on high profile European regulatory investigations.

Colette previously spent nine months on secondment in the EMEA privacy team at one of the largest social media platforms where she advised on complex privacy and data protection issues. She also spent time on secondment with an online fashion retail platform, where she provided strategic privacy advice in relation to the company’s expansion into EU and UK markets.