Series
Blogs
Series
Blogs
In a recent decision, the Spanish Data Protection Agency (“AEPD”) has rejected a complaint filed by Max Schrems’ NGO, None of Your Business (“NOYB”) against both the Royal Academy of Spanish Language (Real Academia Española) (“RAE”), Spain's official royal institution governing the Spanish language, and Google LLC (“Google”), in relation to the use of Google Analytics (E/10529/2021).
Following his victory in the Schrems II ruling of the Court of Justice of the European Union, Max Schrems’ NOYB filed complaints against 101 companies in all 30 EU and EEA member states in relation to the transfer of personal data via Google Analytics to Google in the US.
NOYB also filed a complaint with the AEPD against RAE and Google in August 2020. NOYB argued that the use of Google Analytics on RAE’s website involved an unlawful transfer of personal data (i.e. cookie data and IP address) to the US.
In its reply, RAE argued, among others, that:
The AEPD concluded that there is no evidence of a breach of the GDPR and decided not to pursue further investigation or sanction RAE and Google. In its decision, the AEPD argued that RAE stopped using Google Analytics shortly after becoming aware of the Schrems II ruling.
The AEPD also stated that RAE did not process data with the purpose of identifying website users.
The ruling of the AEPD comes in the midst of a wave of enforcement decisions issued by other European data protection authorities, including the EDPS, the Austrian DSB, French CNIL, and Italian Garante, in relation to the use of Google Analytics.
In such cases, the EU supervisory authorities have generally ruled in favour of NOYB, including ordering controllers to comply with the GDPR, by requiring controllers to cease to use Google Analytics (in its current state) or to use a tool that does not involve a transfer outside the EU.
The AEPD seems to have stepped away from the approach taken by other European authorities regarding the transfer of personal data when using Google Analytics. In this regard, AEPD appears to give special attention to the arguably limited use of Google Analytics by RAE.
This topic is particularly relevant given that it affects a vast number of websites. Until the new Transatlantic Data Privacy Framework between the EU and the US comes into force, the transfer of data to the US remains an area of risk.
23 December 2022
Up next