GA and EU DPA rulings
Following the Schrems II ruling, several EU data protection authorities (DPAs) assessed complaints about Google Analytics and found specific deployments unlawful because personal data was transferred to the US without adequate safeguards. This page summarises the pattern of those decisions, educationally, and the transfer lessons they hold for analytics.
What the DPAs found
Coordinated by complaints from the advocacy group noyb, authorities including the Austrian DSB, the French CNIL, and the Italian Garante examined whether the use of Google Analytics complied with the GDPR's rules on international transfers. Several concluded that the transfers of personal data to the US, as configured, lacked adequate safeguards under Chapter V of the GDPR after Schrems II, and that supplementary measures in place were insufficient.
- Triggered by post-Schrems II complaints
- Austrian, French, Italian and other DPAs issued decisions
- Core issue: inadequate US transfer safeguards
Lessons for analytics transfers
The decisions show that consent banners and contractual clauses alone did not cure a transfer problem when the data could still be accessed in a third country without effective protection. They pushed organisations toward stronger supplementary measures, EU-region processing, anonymisation before transfer, or first-party tools that keep data in-region. The later EU-US Data Privacy Framework changed the adequacy picture, so always check the current transfer basis.
How it appears in analytics and logs
If your analytics sends EU personal data to a US-based processor without valid transfer safeguards, the DPA decisions indicate that arrangement can be challenged.
Diagnostic use case
Understand why EU regulators scrutinised Google Analytics transfers so you can assess transfer risk in your own analytics stack.
What WebmasterID can help detect
WebmasterID's first-party model and data-handling posture are designed to minimise cross-border transfer exposure of the kind these decisions examined.
Common mistakes
- Assuming a consent banner resolves a transfer-adequacy problem.
- Treating one DPA's decision as binding everywhere in the EU.
- Ignoring later developments like the EU-US Data Privacy Framework.
Privacy and accuracy notes
This page is educational and not legal advice. The decisions turned on specific facts and the legal landscape (including the EU-US Data Privacy Framework) continues to evolve; consult the regulator's own text.
Related pages
- Schrems II and analytics transfers
Schrems II is the 2020 Court of Justice of the EU judgment that invalidated the EU-US Privacy Shield and held that Standard Contractual Clauses remain valid only with a case-by-case assessment of the destination country's surveillance laws. Its reasoning later drove regulator decisions against certain US-hosted analytics. This page explains the ruling and its analytics impact.
- noyb Google Analytics complaints
noyb (the European Center for Digital Rights) filed many coordinated complaints across EU member states arguing that typical Google Analytics deployments unlawfully transferred personal data to the US after the Schrems II ruling. The complaints prompted a wave of DPA decisions. This page explains, educationally, what they argued and their significance.
- Cross-border data transfers in analytics
The GDPR restricts transfers of personal data outside the EU/EEA unless a valid mechanism applies — an adequacy decision, Standard Contractual Clauses, or another safeguard. Analytics that ships data to servers abroad therefore raises a transfer question, made sharper by case law on access by foreign authorities. Keeping data in-region or minimising it reduces the issue. This is educational, not legal advice.
- Compare: Google Analytics
How a first-party model differs on transfers.
Sources and verification notes
- EDPB — News on Google Analytics decisionsEuropean Data Protection Board coverage of coordinated decisions.
- CNIL — Google Analytics and data transfers to the USFrench DPA formal notice on Google Analytics transfers.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.