In a recent decision, the AEPD (the Spanish data protection authority) became the first EU Data Protection Authority to reject one of the 101 complaints filed by privacy activist organisation, NOYB, against 101 European companies regarding their use of the Google Analytics tool. The AEPD’s decision deviates from the positions previously adopted by the Austrian, French, Italian and Danish authorities.
Background:
The AEPD’s decision relates to a complaint made against the Royal Spanish Academy’s (RAE) (a public, not-for-profit institution tasked with safeguarding the Spanish language) use of Google Analytics on its Web site. In response to the NOYB complaint, RAE raised the following arguments:
- RAE’s sole and exclusive purpose for using the tool was to fulfil its mission to guarantee the development and preservation of the Spanish language, rather than for any commercial or business gain.
- For RAE to fulfil its objective, it was essential to use tools (such as Google Analytics) to gather statistical data. RAE also argued that it only had access to aggregated, statistical data and did not have access to the users’ IP addresses.
- RAE claimed that no personal data was processed and that the only information that could identify a user would be that related to a random ID that Google gives to its users and that based on that information, RAE could not achieve reidentification of a user.
- RAE had ceased its use of the Google Analytics tool on 3 December 2020.
Decision:
In response to the arguments raised by RAE, the AEPD ruled that it had found no evidence that RAE had infringed the GDPR and rejected NOYB’s complaint.
What does this mean in practice?
The AEPD’s decision demonstrates that it is not always the case that mere use of the Google Analytics tool is automatically deemed to constitute a breach of the GDPR. Whilst the AEPD did not provide any detailed analysis as to the specific reasons why it rejected the complaint, the decision perhaps signals a shift in diverging perspectives among EU data protection authorities as to the level of risk associated with the use of the Google Analytics tool. Companies should perhaps not take too much comfort though; this is one decision made in very specific circumstances. The tide of opinion amongst the EU data protection authorities remains set against the use of Google Analytics.