Schrems II Ruling Update: What It Means for Website Analytics
Schrems II Ruling Update: What It Means for Website Analytics
TL;DR — Quick Answer
1 min readMultiple EU data protection authorities have confirmed Google Analytics is non-compliant following Schrems II. Compliant alternatives include EU-owned infrastructure analytics, self-hosting, or providers in GDPR adequacy countries.
The Schrems II judgment invalidated the EU-US Privacy Shield in July 2020, finding that US surveillance laws provide insufficient protection for EU citizens' data.
For website analytics this means: Google Analytics is non-compliant (confirmed by Austrian, French, and Italian DPAs). Any analytics on US-owned infrastructure is at risk. IP addresses are personal data under GDPR.
Compliant approaches include: Analytics providers processing EU data exclusively on EU-owned infrastructure, self-hosted analytics on EU servers, providers in GDPR adequacy countries (Canada, Japan), or proper server-side anonymization before data reaches any analytics system.
The EU-US Data Privacy Framework negotiations continue, but the underlying US surveillance laws remain unchanged. Build compliant infrastructure now rather than waiting for regulatory clarity.
Was this article helpful?
Let us know what you think!
Before you go...
Related Articles
European Data Protection Authorities and Their Rulings on Google Analytics
A timeline of European DPA rulings that found Google Analytics violates GDPR, the legal issues behind them, and what website owners should do in response.
The Schrems II Ruling Explained: Privacy Shield Invalidation and Its Impact
The CJEU invalidated the EU-US Privacy Shield due to US surveillance laws. Here's what the Schrems II ruling means for businesses transferring data across borders.
France's CNIL Rules Google Analytics Violates GDPR
France's data protection authority CNIL ruled that Google Analytics violates GDPR, giving websites one month to comply. Here's what you need to know.