GOOGLE ANALYTICS: IS THERE REALLY UNIFORMITY IN THE CRITERIA OF EU DPAs?

Google Analytics (GA) has become the most widely used website analysis and tracking tool in the world
to analyse and collect statistical information on user interactions on websites by assigning each user a
unique identifier, all using so-called "cookies". This tool allows information to be collected on how the
visitor interacts with the website, the time of the visit, browser, operating system, etc.

This tool has been in the sights of the Data Protection Authorities of the European Economic Area (EEA)
since the pronouncement of the Court of Justice of the European Union in case C-311/18, better known
as the "Schrems II" judgment, which represented a new setback for data movements between the EEA
and the US insofar as it again implied the annulment of the adequacy mechanism, the "Privacy Shield",
suffering the same fate as its predecessor, the "Safe Harbor Agreement". The main stumbling blocks
observed by the CJEU to rule out compliance with the GDPR security standards are constituted by the
Foreign Intelligence Surveillance Act (FISA) and US Executive Order 12.333.

In this regard, since January 2022 there has been a constant trickle of pronouncements from different
Data Protection Agencies following the complaints filed by the NGO NOYB, analysing the case of GA
and warning of the risks involved.