Stepping Into 2023 With Significant GDPR Rulings From The Finnish DPA And The ECJ

• Published date: 06 July 2023
• Subject Matter: Privacy, Data Protection
• Law Firm: Waselius & Wist
• Author: Ms Charlotta Sittnikow

Case 1 (Finland): First decision from the Finnish DPA regarding the use of Google Analytics

During 2022 the data protection authorities in several EU countries have published decisions banning the use of Google Analytics (GA). The Austrian data protection authority was the first one to rule against the use of GA in early 2022. The Austrian decision was then followed by similar decisions of the French, Italian and Danish data protection authorities. According to the data protection authorities of the said countries, the use of GA is unlawful since the GA tool transfers personal data to the United States. After the Schrems II decision in July 2020 the transfer of personal data to the United States is in practice not lawful since the laws of the United States do not offer an adequate level of data protection (i.e. a level equivalent to that in the EU). Also, there are limited safeguards that can be put in place in order to ensure that personal data is adequately protected in the United States. For example, as regards Google, the US Foreign Intelligence Surveillance Act (FISA) applies which in practice means that personal data processed by Google can be accessed by US authorities in a manner that is not allowed under the GDPR.

In January 2023 the Finnish Deputy Data Protection Ombudsman (DDPO) gave its first decision in a case involving three libraries in the capital region of Helsinki and their use of GA. Under the DDPO's decision, the city of Helsinki, Espoo and Kauniainen were given reprimands since, amongst other things, the libraries' webpage user data had through GA been transferred to the United States without the libraries having implemented appropriate safeguards to protect the transferred data. According to the DDPO's decision the GA service stores and reads data collected through cookies placed on the user's browser and the collected data is then transferred to Google servers located in the United States.

It should be noted, however, that the above view has not been shared by all EU data protection authorities. In December 2022 the Spanish data protection authority took a different approach when ruling that the use of GA did not constitute a breach of the GDPR. The respondent (Royal Academy of Spanish Language (Real Academia Espa'ola (RAE)) claimed that no such data was obtained through the use of GA that could be regarded to constitute personal data since the only information that could identify website users was a randomised ID that GA assigns to...