Case Study

EDPS Reprimands European Parliament for Google Analytics Data Transfers

by Berner Setterwall
January 5, 2022
The European Data Protection Supervisor (EDPS) has reprimanded the European Parliament for transferring personal data to the United States through Google Analytics on its COVID-19 testing website, marking the first major institutional application of the Schrems II ruling.

Background

On January 5, 2022, the European Data Protection Supervisor (EDPS) issued a landmark decision reprimanding the European Parliament for its use of Google Analytics on an internal COVID-19 testing website. This ruling represented the first major application of the Schrems II judgment to an EU institution and set the stage for subsequent decisions across European data protection authorities.

The case originated from a complaint filed in January 2021 by noyb, Max Schrems' privacy advocacy organization, on behalf of six Members of the European Parliament. The complaint alleged that the Parliament's COVID-19 testing website violated data protection law through deceptive cookie banners and illegal transfer of personal data to the United States.

The Decision and Key Findings

The EDPS investigation into the European Parliament's website revealed several critical violations:

  1. Unauthorized Data Transfers: The COVID-19 testing website deployed cookies associated with Google Analytics and Stripe (both US-based companies), resulting in transfers of EU citizens' personal data to the United States without adequate legal protection.

  2. Personal Data Classification: The EDPS explicitly determined that the data collected through Google Analytics cookies, including online identifiers, constituted personal data under GDPR definitions, capable of singling out individual users.

  3. Insufficient Safeguards: Despite using Standard Contractual Clauses (SCCs), the Parliament failed to implement the necessary supplementary measures required by the Schrems II judgment to protect personal data from access by US intelligence agencies.

  4. Lack of Transfer Impact Assessment: The Parliament could not demonstrate that it had conducted a data transfer impact assessment or implemented appropriate technical and organizational measures to ensure adequate protection.

  5. Transparency Violations: The EDPS also found that the Parliament violated transparency obligations under the GDPR and failed to adequately respond to data subject access requests from the complainants.

Symbolic Significance

This case carries particular significance for several reasons:

  1. Institutional Accountability: The ruling demonstrated that even the European Union's own legislative body is subject to strict enforcement of data protection laws.

  2. Schrems II Application: This was one of the first formal decisions implementing the Schrems II judgment, with the EDPS making it clear that "even the placement of a cookie by a US provider is violating EU privacy laws" without proper safeguards.

  3. Political Sensitivity: The EDPS emphasized that European politicians are known targets for surveillance, making the data transfer violations particularly concerning.

  4. Coordinated Approach: The decision was part of an emerging coordinated response from data protection authorities across Europe, addressing the legality of using US-based analytics services.

Server-Side Tracking Solutions for Institutional Compliance

The EDPS decision highlights the need for robust, compliant alternatives to standard analytics implementations, particularly for institutions handling sensitive data. Server-side tracking with specific safeguards offers a viable path forward:

  1. EU-Exclusive Data Infrastructure:

    • Deploy server-side tracking solutions entirely within the European Union
    • Implement technical barriers preventing any data from leaving EU jurisdiction
    • Create complete data sovereignty within EU territorial boundaries
  2. Enhanced Anonymization Protocol:

    • Implement comprehensive anonymization measures at the collection point
    • Remove or cryptographically hash any identifiers before processing
    • Apply data minimization principles to collect only necessary statistical information
    • Implement aggregation techniques to prevent individual identification
  3. Legal and Technical Documentation Framework:

    • Create and maintain comprehensive records of all data processing activities
    • Document all technical and organizational measures implemented
    • Establish regular auditing procedures for compliance verification
    • Implement immutable logs of data access and processing
  4. Political Risk Assessment:

    • Conduct specialized risk assessments for politically sensitive contexts
    • Implement enhanced security measures for data related to political activities or opinions
    • Create separation between sensitive institutional data and analytics processing

Implementation Guidelines for Institutional Settings

Organizations and institutions seeking to implement EDPS-compliant analytics should consider these specific approaches:

  1. Complete EU Analytics Stack:

    • Self-host analytics platforms on EU-controlled infrastructure
    • Implement server-side containers to process data before forwarding to analytics platforms
    • Create network-isolated systems with strict egress controls that prevent any data transmission outside approved jurisdictions
  2. Comprehensive Data Governance:

    • Implement governance frameworks that include legal, technical, and organizational measures
    • Create clear policies on data collection and processing
    • Establish oversight mechanisms for data protection
    • Conduct regular impact assessments and compliance reviews
  3. True Statistical Analytics Alternative:

    • Focus on aggregate statistical data rather than individual-level tracking
    • Implement anonymization at the edge before any data collection
    • Create purpose-limited analytics that collect only what is necessary
    • Use differential privacy techniques to add protective noise to datasets
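The anonymization and aggregation steps listed under "Enhanced Anonymization Protocol" and "True Statistical Analytics Alternative" above can be sketched in code. The following Python is an added illustration, not code from this article or from any analytics product: it coarsens the client address at the collection point, replaces it with a keyed, daily-rotating token, discards the raw identifier, keeps only per-day aggregate counts with a per-visitor contribution cap, and releases those counts with Laplace noise plus small-count suppression. The hit field names, the pepper value, the epsilon of 1.0 and the cap of 10 views per visitor are all assumptions chosen for the example.

```python
import hashlib
import hmac
import ipaddress
import random
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample hits in the shape a server-side collector might receive
# (field names are hypothetical; real collectors differ).
SAMPLE_HITS = [
    {"ip": "203.0.113.42", "ua": "Mozilla/5.0", "path": "/test-booking", "ts": "2022-01-05T09:12:00Z"},
    {"ip": "203.0.113.42", "ua": "Mozilla/5.0", "path": "/test-booking", "ts": "2022-01-05T09:15:00Z"},
    {"ip": "198.51.100.7", "ua": "Mozilla/5.0", "path": "/test-booking", "ts": "2022-01-05T10:00:00Z"},
    {"ip": "2001:db8::1", "ua": "curl/7.0", "path": "/results", "ts": "2022-01-05T11:00:00Z"},
    {"ip": "203.0.113.42", "ua": "Mozilla/5.0", "path": "/results", "ts": "2022-01-06T08:00:00Z"},
]

# Constructed secret; assumed to live in an EU-hosted key store and be rotated daily.
PEPPER = b"constructed-secret-pepper-do-not-export"
MAX_VIEWS_PER_VISITOR = 10  # assumed contribution cap; bounds the sensitivity of the view count
SENSITIVITY = {"views": MAX_VIEWS_PER_VISITOR, "uniques": 1}


def truncate_ip(ip: str) -> str:
    """Coarsen the address before anything else sees it (/24 for IPv4, /48 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def visitor_token(ip: str, ua: str, day: str) -> str:
    """Keyed hash of coarsened IP, user agent and day: not linkable across days,
    not reversible without the server-side pepper."""
    msg = f"{truncate_ip(ip)}|{ua}|{day}".encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).hexdigest()[:16]


def anonymize(hit: dict) -> dict:
    """Collection-point anonymization: keep day, path and a daily token; drop IP and UA."""
    ts = datetime.fromisoformat(hit["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    day = ts.date().isoformat()
    return {"day": day, "path": hit["path"], "token": visitor_token(hit["ip"], hit["ua"], day)}


def aggregate(hits, cap: int = MAX_VIEWS_PER_VISITOR) -> dict:
    """Per-day, per-path pageviews and unique tokens. Each visitor's views are
    capped so that one person can shift the view count by at most `cap`."""
    per_visitor = defaultdict(lambda: defaultdict(int))
    for hit in hits:
        rec = anonymize(hit)
        per_visitor[(rec["day"], rec["path"])][rec["token"]] += 1
    return {
        key: {"views": sum(min(n, cap) for n in tokens.values()), "uniques": len(tokens)}
        for key, tokens in per_visitor.items()
    }


def laplace(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) sample as the difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def release(stats: dict, epsilon: float = 1.0, min_uniques: int = 5, rng=None) -> dict:
    """Differentially private release: Laplace noise scaled to each count's
    sensitivity, and suppression of cells with too few visitors to publish."""
    rng = rng or random.SystemRandom()
    out = {}
    for key, counts in stats.items():
        if counts["uniques"] < min_uniques:
            out[key] = None  # suppressed cell
            continue
        out[key] = {
            name: max(0, round(value + laplace(SENSITIVITY[name] / epsilon, rng)))
            for name, value in counts.items()
        }
    return out


if __name__ == "__main__":
    exact = aggregate(SAMPLE_HITS)
    for key, counts in sorted(exact.items()):
        print(key, counts)
    print(release(exact, min_uniques=1, rng=random.Random(1)))
```

The raw hit never leaves `anonymize`; only the token, day and path reach the aggregation step, and only noisy aggregates reach the report. One caveat worth knowing: the suppression threshold here is applied to the exact unique count, which is not itself differentially private; a production design would either noise the count before thresholding or treat suppression as a separate release with its own privacy budget. Keeping all of this on EU-hosted infrastructure, with network egress restricted to EU destinations, is what turns the code-level measures into the "technical barriers" the article calls for.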

Conclusion

The EDPS decision against the European Parliament represents a watershed moment in the application of the Schrems II judgment, establishing that even EU institutions must comply with the strict requirements for international data transfers. By reprimanding the Parliament, the EDPS sent a clear message that everyone, regardless of status, must adhere to data protection laws.

This case laid the groundwork for subsequent decisions by national data protection authorities in Austria, France, Italy, and beyond. It established a consistent interpretation that the use of Google Analytics without substantial supplementary measures violates GDPR requirements for data transfers to the United States.

The lesson for organizations and institutions is clear: implementing server-side tracking with proper EU data residency controls and comprehensive anonymization techniques is not just best practice—it's a legal requirement. By adopting such measures, organizations can maintain necessary analytics capabilities while respecting data protection law and the fundamental rights of individuals as upheld by European courts and regulators.