Divergence Among EU Data Protection Authorities as Spanish DPA Rules that the Use of Google Analytics Does Not Breach the GDPR

Orrick, Herrington & Sutcliffe LLP
Contact

Orrick, Herrington & Sutcliffe LLP

In a recent decision, the AEPD (the Spanish data protection authority) became the first EU Data Protection Authority to reject one of the 101 complaints filed by privacy activist organisation, NOYB, against 101 European companies regarding their use of the Google Analytics tool. The AEPD’s decision deviates from the positions previously adopted by the Austrian, French, Italian and Danish authorities.

Background:

The AEPD’s decision relates to a complaint made against the Royal Spanish Academy’s (RAE) (a public, not-for-profit institution tasked with safeguarding the Spanish language) use of Google Analytics on its Web site. In response to the NOYB complaint, RAE raised the following arguments:

  • RAE’s sole and exclusive purpose for using the tool was to fulfil its mission to guarantee the development and preservation of the Spanish language, rather than for any commercial or business gain.
  • For RAE to fulfil its objective, it was essential to use tools (such as Google Analytics) to gather statistical data. RAE also argued that it only had access to aggregated, statistical data and did not have access to the users’ IP addresses.
  • RAE claimed that no personal data was processed and that the only information that could identify a user would be that related to a random ID that Google gives to its users and that based on that information, RAE could not achieve reidentification of a user.
  • RAE had ceased its use of the Google Analytics tool on 3 December 2020.

Decision:

In response to the arguments raised by RAE, the AEPD ruled that it had found no evidence that RAE had infringed the GDPR and rejected NOYB’s complaint.

What does this mean in practice?

The AEPD’s decision demonstrates that it is not always the case that mere use of the Google Analytics tool is automatically deemed to constitute a breach of the GDPR. Whilst the AEPD did not provide any detailed analysis as to the specific reasons why it rejected the complaint, the decision perhaps signals a shift in diverging perspectives among EU data protection authorities as to the level of risk associated with the use of the Google Analytics tool. Companies should perhaps not take too much comfort though; this is one decision made in very specific circumstances. The tide of opinion amongst the EU data protection authorities remains set against the use of Google Analytics.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Orrick, Herrington & Sutcliffe LLP

Written by:

Orrick, Herrington & Sutcliffe LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Orrick, Herrington & Sutcliffe LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide