The Austrian Data Protection Authority ("Datenschutzbehörde" or "DSB") has decided, in a model case brought by noyb, that the continuous use of Google Analytics violates the GDPR.
Austrian DPA: Google Analytics without Consent violates Schrems II decision by CJEU
In 2020, the Court of Justice (CJEU) decided that the use of US providers violates the GDPR, as US surveillance laws require US providers like Google or Facebook to provide personal details to US authorities. The Austrian DSB's decision is the first to be issued.
Data protection authorities may now gradually declare US services illegal, putting additional pressure on EU companies and US providers to move towards safe and legal options.
The GDPR foresees penalties of up to €20 million or 4% of global turnover in cases of violation, but the Austrian DPA's decision does not deal with a potential penalty, as this is seen as a "public" enforcement procedure, where the complainant is not heard.
There is no information on whether a penalty was issued or whether the DSB is planning to issue one.
UniConsent has a detailed article, "How to make your Google Analytics GDPR Compliant with UniConsent", about the best practices for using Google Analytics on your website.
UniConsent is part of Transfon's privacy-first User Experience Platform, which serves tens of millions of users per day to provide a seamless privacy experience for both users and publishers in the post-GDPR age. Contact us to know more: firstname.lastname@example.org