And this is just the beginning. When noyb filed the complaint against NetDoktor in August 2020, it also filed 100 other cases with other data protection authorities across Europe. “It’s not specific to Google Analytics. It’s basically about outsourcing to US providers in general,” Schrems says.
Regulators in 30 European countries are currently investigating the other cases, which cover both the use of Google Analytics and Facebook Connect, the company’s tool to link your account to other sites. Country-specific websites belonging to Airbnb, Sky, Ikea, and The Huffington Post are also subject to complaints. “The majority of these decisions will have the same or similar outcomes,” says Zanfir-Fortuna. This is likely, she says, as noyb used the same legal arguments for all of its cases, and in response data protection regulators formed a task force to discuss the legal issues. “We expect that this is going to mobilize country by country, wherever it drops,” Schrems says.
The Dutch data protection authority, Autoriteit Persoonsgegevens, says it is finalizing its investigation and hasn’t ruled out the possibility that the use of Google Analytics in its current form will be banned. In Germany, where data issues are regulated by region, Hamburg’s data protection authority received two complaints from noyb and says in one case the website has removed Google Analytics, so it “does not plan to issue any orders or a fine” in this case. It is still investigating the other case.
Despite coordination by data regulators, there may be some differences of opinion, says Simon McGarr, director of data compliance for Europe at McGarr Solicitors. “The Austrian position is probably at one end of a spectrum of opinion—and it would probably represent the most radical end,” he says, adding that other data bodies will either endorse, amend, or reject that line of reasoning. Disagreement across the EU’s 27 GDPR enforcers is not uncommon: Last year an Irish Data Protection Authority fine against WhatsApp was increased by €175 million after other regulators disagreed with the decision. McGarr says it’s possible other EU regulators looking at the noyb cases may come to different conclusions based on the facts of each case.
A spokesperson for the EDPS says its view is that personal data moving to the US needs to be protected by “effective supplementary measures.” The body is also currently investigating how official EU organizations use Amazon Web Services and Microsoft Office 365.