GDPR Timeline

The history of major GDPR updates, breaches and rulings from the adoption of the Safe Harbor Framework to present.

French flag

The French Data Protection Authority (CNIL) followed suit with Austria by banning the use of Google Analytics under the GDPR.

Danish Flag

September 2022

Denmark ruled Google Analytics not compliant under the GDPR

The Danish Data Protection Agency concluded that Google Analytics can not be used lawfully under the GDPR. This decision has been made to protect the privacy of European citizens by stopping personal data transfers to countries that do not have an adequate level of data protection.


July 2023

Swedish DPA imposes landmark fines over €1 Million for Google Analytics usage, issues warning to companies

The Swedish Data Protection Authority (IMY) has issued significant fines for the first time against companies utilising Google Analytics on their websites.

Following noyb’s series of complaints on unlawful EU-US data transfers, IMY imposed a €1 million fine on telecommunication provider Tele2 and 300,000 SEK on online retailer CDON. Despite prior rulings by various European authorities, this landmark penalty highlights the urgency of complying with GDPR and the importance of protecting user privacy.

Austrian flag

March 2023

Austrian DSB declares Facebook's tracking pixel illegal under GDPR and Schrems II decision

The Austrian Data Protection Authority (DSB) has declared that Facebook’s tracking pixel is illegal under the GDPR and Schrems II decision. The tracking pixel violates user privacy rights by transferring personal data to countries with inadequate data protection standards. The decision follows a complaint from a privacy rights group and underscores the importance of protecting user privacy and complying with GDPR regulations.

Denmark Flag

July 2022

Denmark banned Chromebooks and Google Workspace in schools

Denmark’s Data Protection Agency (Datatilsynet) ruled that Chromebooks and Google’s Cloud-based services (e.g., Google Drive, Gmail, Google Calendar, Google Docs and more) are not compliant under the GDPR. This ruling was handed down due to data transfers to the US, which does not offer adequate protection for personal data.

This ruling currently applies to Helsingør schools. Those that do not comply could face jail time.


June 2022

Italy banned Google Analytics under the GDPR

Italian Data Protection Authority (Garante) ruled that a websites use of Google Analytics is not compliant with the GDPR. This ruling was a result of Google Analytics sending personal data to the United States, which does not provide an adequate level of data protection.

French flag

February 2022

The French Data Protection Authority (CNIL) ruled that the use of Google Analytics is illegal under the GDPR due to data transfers to the US.

Austrian flag

January 2022

The Austrian Data Protection Authority ruled Google Analytics illegal based on the ruling that websites using Google Analytics are sending data to the US. 

German flag

January 2022

German website fined for leaking visitor's IP address via Google Fonts

A German court fined a website for using a Google-hosted web font from Google’s Font Library (a font embedding service), which disclosed the unidentified plaintiff’s IP address. This was ruled as a GDPR breach due to the plaintiff’s personal data being shared without authorisation and without a legitimate reason for doing so.

EU flag

July 2020

The Court of Justice of the European Union (CJEU) ruled that any Cloud services hosted in the US no longer comply with the GDPR (called “Schrems II case”).

EU websites using tools such as Google Analytics and Facebook became targeted by European privacy group noyb after the invalidation of the Privacy Shield. They filed a complaint against 101 websites for continuing to send data to the US.  

EU flag

May 2018

GDPR officially became enforceable

The GDPR officially enacted as of 25 May 2018. Businesses that are not compliant can be fined up to 4% of the yearly turnover or20 million Euros, whichever is higher.

The purpose of this regulation is to strengthen and unify data protection for all individuals within the European Union. This also includes entities outside Europe that do business with European citizens.

EU flag

July 2016

EU-US Privacy Shield replaced the Safe Harbor regulation

The European Commission adopted the EU-US Privacy Shield, a data protection pact negotiated to replace Safe Harbor and safeguard EU citizens’ rights in relation to transatlantic data transfers.

EU flag

April 2016

The EU adopted the General Data Protection Regulation (GDPR)

The GDPR (General Data Protection Regulation) was officially adopted on 14 April 2016 and replaced the 1995 Data Protection Directive.

EU Member States were given two years to ensure that the GDPR was fully implementable in their countries.

EU flag

October 2015

The European Court of Justice (CJEU) declared the International Safe Harbor Framework invalid (Schrems I)

The CJEU ruled that the Safe Harbor agreement as no longer valid. The Safe Harbor agreement previously allowed the transfer of European citiszens’ data to the US.

EU flag

July 2000

The European Commission and the US government created the Safe Harbor Framework

The Safe Harbor Privacy Principles were developed to prevent EU and US private organisations from accidentally disclosing or losing personal data.