In a recent decision, the Spanish Data Protection Agency (“AEPD”) has rejected a complaint filed by Max Schrems’ NGO, None of Your Business (“NOYB”) against both the Royal Academy of Spanish Language (Real Academia Española) (“RAE”), Spain's official royal institution governing the Spanish language, and Google LLC (“Google”), in relation to the use of Google Analytics (E/10529/2021).

Background

Following his victory in the Schrems II ruling of the Court of Justice of the European Union, Max Schrems’ NOYB filed complaints against 101 companies in all 30 EU and EEA member states in relation to the transfer of personal data via Google Analytics to Google in the US.

NOYB also filed a complaint with the AEPD against RAE and Google in August 2020. NOYB argued that the use of Google Analytics on RAE’s website involved an unlawful transfer of personal data (i.e. cookie data and IP address) to the US.

RAE’s defence

In its reply, RAE argued, among others, that:

• it is a public-law and non-profit body, and its website did not use Google Analytics for any commercial or business gain;
• it used Google Analytics from September 2019 to December 2020;
• its website only used the free version of Google Analytics and did not use any advanced feature;
• it used Google Analytics only to analyse statistical information on the use of its website (e.g. location of website users and frequency of visits). Such information was necessary to promote the development and proper use of the Spanish language, which is the purpose of RAE;
• access was limited to statistical and aggregated information that does not allow the identification of users;
• it did not process user personal data. In particular, user’s IP address was not processed; and
• the only information that could identify website users was the randomised ID that Google Analytics assigns to each user. RAE had no possibility of identifying users based on this information.

AEPD ruling

The AEPD concluded that there is no evidence of a breach of the GDPR and decided not to pursue further investigation or sanction RAE and Google. In its decision, the AEPD argued that RAE stopped using Google Analytics shortly after becoming aware of the Schrems II ruling.

The AEPD also stated that RAE did not process data with the purpose of identifying website users.

Enforcement in other EU countries

The ruling of the AEPD comes in the midst of a wave of enforcement decisions issued by other European data protection authorities, including the EDPS, the Austrian DSB, French CNIL, and Italian Garante, in relation to the use of Google Analytics.

In such cases, the EU supervisory authorities have generally ruled in favour of NOYB, including ordering controllers to comply with the GDPR, by requiring controllers to cease to use Google Analytics (in its current state) or to use a tool that does not involve a transfer outside the EU.

Conclusion

The AEPD seems to have stepped away from the approach taken by other European authorities regarding the transfer of personal data when using Google Analytics. In this regard, AEPD appears to give special attention to the arguably limited use of Google Analytics by RAE.

This topic is particularly relevant given that it affects a vast number of websites. Until the new Transatlantic Data Privacy Framework between the EU and the US comes into force, the transfer of data to the US remains an area of risk.