As is well known in the market, after the game-changing decision of the Court of Justice of the European Union (i.e. Schrems II), the non-governmental organisation NOYB filed 101 complaints over continuous EU-U.S. data transfers by websites in the European Economic Area (“EEA”). In particular, NOYB stated that an analysis of the HTML source code of major EU webpages had shown that even after the decision, many companies continued to use services from the likes of Google or Facebook even though both fall under U.S. surveillance laws.
After more than two years, the Spanish Data Protection Agency (“AEPD”) has finally issued a decision on one of these claims, taking a different stand from other EU Data Protection Authorities.
On December 15th, 2022, after a long silence, the AEPD published its decision (the “Decision”, see here) analysing the use of Google Analytics by the Royal Spanish Academy (“RAE”), a public administration, and presenting criteria that differ from those of other, harsher European authorities (including the French, Austrian, Danish and Dutch data protection authorities).
In particular, the AEPD concluded that the use of the Google Analytics tool by the RAE does not involve any breach of data protection rules. It indicated that RAE did not use the information to identify web users. The decision is based on the following facts (including several references to Google Ads data processing terms and reviews of information accessed by the RAE) provided by RAE and reviewed by the AEPD:
RAE used the free version of the tool.
RAE has not used any of the advanced information options available in Google Analytics (nor Google Signals/Comparatives) which require affirmative activation. Only the basic functionalities of Google Analytics were used, minimizing the impact on the privacy of users so that no information related to identified or identifiable persons was processed, but only aggregated information.
The use of Google Analytics has been limited solely and exclusively to the access to statistical and aggregated information that does not allow the identification of users.
No data was obtained that could be considered personal data (RAE states that it had not carried out any processing activity related to the IP address), because no information was processed that directly or indirectly identifies or allows the identification of those users.
The only information that could individually identify users would be the one related to the random ID that Google grants to its users. RAE cannot, based on this information, carry out any action to achieve their re-identification.
The legal relationship between RAE and Google is that of data controller and processor, respectively.
The fact that RAE stopped using the tool after the Schrems II decision is also taken into consideration by the AEPD.
While the decision lacks a detailed analysis of the measures applied by the RAE when using the tool, let alone the reasoning of the AEPD, it sets a milestone: the mere use of tools from U.S. companies cannot be deemed prohibited, nor condemned, merely because they are provided by U.S. entities. It constitutes an important precedent, opening the door to the use of Google Analytics (or analogous tools) by Spanish entities.
Authored by Joanna Rozanska and Santiago de Ampuero.