Schrems II and Web Analytics: Why Transfers Still Matter
The ruling that reshaped EU analytics: what Schrems II said, how DPAs applied it to Google Analytics, and the architecture answer.
In July 2020, the EU Court of Justice decided Schrems II and knocked the legal floor out from under transatlantic data flows: Privacy Shield — the framework legitimizing EU-to-US transfers for thousands of companies — was invalid, because US surveillance law offered EU data no essentially equivalent protection. Web analytics, an industry built on shipping European behavioral data to American servers, became the test case.
The chain reaction that followed
NOYB (Max Schrems' organization) filed 101 complaints targeting sites using Google Analytics and Facebook tools. The dominoes: Austria's DSB (January 2022), France's CNIL (February 2022), Italy's Garante (June 2022) and others found GA transfers unlawful in the complained-of configurations — IP addresses and identifiers reaching US infrastructure subject to FISA 702 access, with supplementary measures (encryption Google itself could unlock) judged insufficient. 'Google Analytics is illegal in Europe' headlines oversimplified rulings about specific setups — but the rulings were real, and the migration wave they triggered (documented here) reshaped the analytics market.
Where it stands in 2026
The EU-US Data Privacy Framework (2023's adequacy decision) re-legitimized transfers to certified US companies — built on the same legal foundations its two invalidated predecessors shared, with Schrems III litigation universally expected and political variables on both sides of the Atlantic. Transfer-dependent analytics is lawful today the way a house on a floodplain is dry today. Compliance teams that lived through 2020–2022 draw the obvious conclusion: architecture beats adequacy.
The architecture answer
- Keep the data in the EU: processing that never crosses the Atlantic has no transfer to defend — no SCCs, no impact assessments, no framework-collapse contingency (residency logic).
- Minimize what exists: no persistent identifiers, no profiles — cookieless measurement shrinks the stakes of every legal analysis simultaneously (the minimization principle).
- Read the DPA's sub-processor annex: EU storage with US-jurisdiction sub-processors reopens the question through the back door.
Schrems II's enduring lesson for analytics buyers is not about one ruling — it is that legal frameworks are weather while architecture is climate. Build measurement that does not need the weather to hold (the GDPR-by-design pattern), and the next invalidation is someone else's migration project.