European Union: EDPS ruling on the legality of data transfers through Google Analytics

On 5 January 2022, the European Data Protection Supervisor (EDPS) issued its decision regarding the legality of the use of Google Analytics by the European Parliament on its COVID testing webpage. The EDPS opened an investigation into the matter after it received a formal complaint on 29 October 2020 signed by several members of the European Parliament. The EDPS concluded that the use of Google Analytics for data processing violates the General Data Protection Regulation because in this process the personal data of individuals is transferred to the United States (US). In particular, the EDPS noted that Parliament cannot rely on the Standard Contractual Clauses because it failed to demonstrate that the personal data transferred to the US has the equivalent level of protection. Consequently, the EDPS found the Parliament in violation of the GDPR and issued a reprimand. The EDPS order states that the Parliament has one month to update its data protection notices and to list the necessary information regarding personal data processing.