noyb Google Analytics complaints
noyb (the European Center for Digital Rights) filed many coordinated complaints across EU member states arguing that typical Google Analytics deployments unlawfully transferred personal data to the US after the Schrems II ruling. The complaints prompted a wave of DPA decisions. This page explains, for educational purposes, what the complaints argued and why they were significant.
What noyb argued
After the Court of Justice invalidated Privacy Shield in Schrems II, noyb filed coordinated complaints contending that sites using Google Analytics were transferring identifiers and online data to the US without adequate protection against government access, and that the safeguards in place (such as standard contractual clauses and stated supplementary measures) were insufficient under Chapter V of the GDPR.
- Filed across many EU member states at once
- Centred on unlawful US data transfers post-Schrems II
- Argued safeguards in place were inadequate
Why it mattered
The complaints translated the abstract Schrems II ruling into concrete pressure on a widely used analytics tool, producing decisions from several DPAs and pushing organisations toward EU-region processing, stronger supplementary measures, anonymisation before transfer, or first-party alternatives. The later EU-US Data Privacy Framework changed the adequacy basis, so the current legal position should always be checked against up-to-date sources.
How it appears in analytics and logs
If your analytics transfers EU personal data to a US processor, the noyb-driven complaints show why that arrangement attracted regulatory challenge.
Diagnostic use case
Understand the argument that drove EU scrutiny of Google Analytics so you can evaluate transfer risk in your own analytics deployment.
What WebmasterID can help detect
WebmasterID's first-party, in-region-friendly model is designed to reduce the cross-border transfer exposure these complaints targeted.
Common mistakes
- Treating the complaints as a final ruling rather than a trigger.
- Assuming the EU-US Data Privacy Framework retroactively cures past issues.
- Generalising one country's outcome to the whole EU.
Privacy and accuracy notes
This page is educational and not legal advice. It summarises advocacy complaints and resulting decisions; outcomes are fact-specific and the transfer landscape has since evolved.
Related pages
- GA and EU DPA rulings
Following the Schrems II ruling, several EU data protection authorities (DPAs) assessed complaints about Google Analytics and found specific deployments unlawful because personal data was transferred to the US without adequate safeguards. This page summarises, for educational purposes, the pattern of those decisions and the transfer lessons they hold for analytics.
- Schrems II and analytics transfers
Schrems II is the 2020 Court of Justice of the EU judgment that invalidated the EU-US Privacy Shield and held that Standard Contractual Clauses remain valid only with a case-by-case assessment of the destination country's surveillance laws. Its reasoning later drove regulator decisions against certain US-hosted analytics. This page explains the ruling and its analytics impact.
- EU-US Data Privacy Framework
The EU-US Data Privacy Framework (DPF) is the mechanism, underpinned by a 2023 European Commission adequacy decision, that allows personal data to flow from the EU to US companies that self-certify to its principles. It replaced the invalidated Privacy Shield. This page explains how the DPF enables transfers relevant to analytics and why it stays under scrutiny.
- Compare: Google Analytics
Transfer posture of a first-party alternative.
Sources and verification notes
- noyb — EU-US transfers / Google Analytics complaints. Advocacy group's overview of its coordinated complaints.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.