2 minute read
In a recent decision, the AEPD (the Spanish data protection authority) became the first EU Data Protection Authority to reject one of the 101 complaints filed by privacy activist organisation, NOYB, against 101 European companies regarding their use of the Google Analytics tool. The AEPD’s decision deviates from the positions previously adopted by the Austrian, French, Italian and Danish authorities.
The AEPD’s decision relates to a complaint made against the Royal Spanish Academy’s (RAE) (a public, not-for-profit institution tasked with safeguarding the Spanish language) use of Google Analytics on its Web site. In response to the NOYB complaint, RAE raised the following arguments:
In response to the arguments raised by RAE, the AEPD ruled that it had found no evidence that RAE had infringed the GDPR and rejected NOYB’s complaint.
What does this mean in practice?
The AEPD’s decision demonstrates that it is not always the case that mere use of the Google Analytics tool is automatically deemed to constitute a breach of the GDPR. Whilst the AEPD did not provide any detailed analysis as to the specific reasons why it rejected the complaint, the decision perhaps signals a shift in diverging perspectives among EU data protection authorities as to the level of risk associated with the use of the Google Analytics tool. Companies should perhaps not take too much comfort though; this is one decision made in very specific circumstances. The tide of opinion amongst the EU data protection authorities remains set against the use of Google Analytics.