Divergence Among EU Data Protection Authorities as Spanish DPA Rules that the Use of Google Analytics Does Not Breach the GDPR

2 minute read
January.17.2023

In a recent decision, the AEPD (the Spanish data protection authority) became the first EU Data Protection Authority to reject one of the 101 complaints filed by privacy activist organisation, NOYB, against 101 European companies regarding their use of the Google Analytics tool. The AEPD’s decision deviates from the positions previously adopted by the Austrian, French, Italian and Danish authorities.

Background:

The AEPD’s decision relates to a complaint made against the Royal Spanish Academy’s (RAE) (a public, not-for-profit institution tasked with safeguarding the Spanish language) use of Google Analytics on its Web site. In response to the NOYB complaint, RAE raised the following arguments:

RAE’s sole and exclusive purpose for using the tool was to fulfil its mission to guarantee the development and preservation of the Spanish language, rather than for any commercial or business gain.
For RAE to fulfil its objective, it was essential to use tools (such as Google Analytics) to gather statistical data. RAE also argued that it only had access to aggregated, statistical data and did not have access to the users’ IP addresses.
RAE claimed that no personal data was processed and that the only information that could identify a user would be that related to a random ID that Google gives to its users and that based on that information, RAE could not achieve reidentification of a user.
RAE had ceased its use of the Google Analytics tool on 3 December 2020.

Decision:

In response to the arguments raised by RAE, the AEPD ruled that it had found no evidence that RAE had infringed the GDPR and rejected NOYB’s complaint.

What does this mean in practice?

The AEPD’s decision demonstrates that it is not always the case that mere use of the Google Analytics tool is automatically deemed to constitute a breach of the GDPR. Whilst the AEPD did not provide any detailed analysis as to the specific reasons why it rejected the complaint, the decision perhaps signals a shift in diverging perspectives among EU data protection authorities as to the level of risk associated with the use of the Google Analytics tool. Companies should perhaps not take too much comfort though; this is one decision made in very specific circumstances. The tide of opinion amongst the EU data protection authorities remains set against the use of Google Analytics.

Authors

Kelly Hagedorn Partner, Cyber, Privacy & Data Innovation, Conformité & Règlementation

Londres

See my bio

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Conformité & Règlementation
Fintech
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kelly Hagedorn Partner

Londres

Kelly provides comprehensive regulatory advisory services to clients, including counseling on the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. She has designed and implemented data protection compliance programmes for clients in a range of sectors, including technology, gaming, manufacturing, and private equity.

Kelly has worked with companies to respond to data incidents that range from small-scale issues that do not attract regulatory attention to large, multi-jurisdictional breaches requiring coordination across numerous different regulatory regimes. She has also advised extensively on litigation matters involving allegations of fraud and financial crime, and in connection with securities laws.

During her career, Kelly has undertaken secondments to the Serious Fraud Office and a major telecommunications company. At the Serious Fraud Office, she worked on a number of cases dealing with restraint and confiscation matters. During her time with the telecommunications company, she helped develop and implement the company’s group-wide anti-bribery compliance programme security associated with data retention, processing, and transfer.

Colette Deamer Managing Associate, Cyber, Privacy & Data Innovation, Conformité & Règlementation

Londres

See my bio

D:+44 20 7862 4630
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Conformité & Règlementation
Technology & Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Colette Deamer Managing Associate

Londres

Colette has experience working on multi-jurisdictional matters and advising clients on the development and implementation of privacy compliance strategies and documentation. She helps clients navigate complex data protection issues and provides practical advice, tailored to the client’s needs. She has also advised on high profile European regulatory investigations.

Colette previously spent nine months on secondment in the EMEA privacy team at one of the largest social media platforms where she advised on complex privacy and data protection issues. She also spent time on secondment with an online fashion retail platform, where she provided strategic privacy advice in relation to the company’s expansion into EU and UK markets.