The history of major GDPR updates, breaches and rulings from the adoption of the Safe Harbor Framework to present.
Denmark ruled Google Analytics not compliant under the GDPR
The Danish Data Protection Agency concluded that Google Analytics cannot be used lawfully under the GDPR. This decision has been made to protect the privacy of European citizens by stopping personal data transfers to countries that do not have an adequate level of data protection.
Swedish DPA imposes landmark fines over €1 Million for Google Analytics usage, issues warning to companies
The Swedish Data Protection Authority (IMY) has issued significant fines for the first time against companies utilising Google Analytics on their websites.
Following noyb’s series of complaints on unlawful EU-US data transfers, IMY imposed a €1 million fine on telecommunication provider Tele2 and 300,000 SEK on online retailer CDON. Despite prior rulings by various European authorities, this landmark penalty highlights the urgency of complying with GDPR and the importance of protecting user privacy.
Austrian DSB declares Facebook's tracking pixel illegal under the GDPR and the Schrems II decision
The Austrian Data Protection Authority (DSB) has declared that Facebook’s tracking pixel is illegal under the GDPR and the Schrems II decision. The tracking pixel violates user privacy rights by transferring personal data to countries with inadequate data protection standards. The decision follows a complaint from a privacy rights group and underscores the importance of protecting user privacy and complying with GDPR regulations.
Denmark banned Chromebooks and Google Workspace in schools
Denmark’s Data Protection Agency (Datatilsynet) ruled that Chromebooks and Google’s Cloud-based services (e.g., Google Drive, Gmail, Google Calendar, Google Docs and more) are not compliant under the GDPR. This ruling was handed down due to data transfers to the US, which does not offer adequate protection for personal data.
This ruling currently applies to Helsingør schools. Those that do not comply could face jail time.
Italy banned Google Analytics under the GDPR
The Italian Data Protection Authority (Garante) ruled that a website’s use of Google Analytics is not compliant with the GDPR. This ruling was a result of Google Analytics sending personal data to the United States, which does not provide an adequate level of data protection.
The French Data Protection Authority (CNIL) ruled that the use of Google Analytics is illegal under the GDPR due to data transfers to the US.
The Austrian Data Protection Authority ruled Google Analytics illegal on the basis that websites using Google Analytics are sending data to the US.
German website fined for leaking visitor's IP address via Google Fonts
A German court fined a website for using a Google-hosted web font from Google’s Font Library (a font embedding service), which disclosed the unidentified plaintiff’s IP address. This was ruled as a GDPR breach due to the plaintiff’s personal data being shared without authorisation and without a legitimate reason for doing so.
The Court of Justice of the European Union (CJEU) ruled that any Cloud services hosted in the US no longer comply with the GDPR (known as the “Schrems II” case).
EU websites using tools such as Google Analytics and Facebook became targeted by European privacy group noyb after the invalidation of the Privacy Shield. They filed a complaint against 101 websites for continuing to send data to the US.
GDPR officially became enforceable
The GDPR was officially enacted as of 25 May 2018. Businesses that are not compliant can be fined up to 4% of their yearly turnover or 20 million Euros, whichever is higher.
The purpose of this regulation is to strengthen and unify data protection for all individuals within the European Union. This also includes entities outside Europe that do business with European citizens.
EU-US Privacy Shield replaced the Safe Harbor regulation
The European Commission adopted the EU-US Privacy Shield, a data protection pact negotiated to replace Safe Harbor and safeguard EU citizens’ rights in relation to transatlantic data transfers.
The EU adopted the General Data Protection Regulation (GDPR)
The GDPR (General Data Protection Regulation) was officially adopted on 14 April 2016 and replaced the 1995 Data Protection Directive.
EU Member States were given two years to ensure that the GDPR was fully implementable in their countries.
The European Court of Justice (CJEU) declared the International Safe Harbor Framework invalid (Schrems I)
The CJEU ruled that the Safe Harbor agreement was no longer valid. The Safe Harbor agreement previously allowed the transfer of European citizens’ data to the US.
The European Commission and the US government created the Safe Harbor Framework
The Safe Harbor Privacy Principles were developed to prevent EU and US private organisations from accidentally disclosing or losing personal data.