The Dutch Knowledge Safety Authority issued a proper reprimand towards Takeaway.com Group B.V. on August 20, 2024, for violating Article 44 of the Common Knowledge Safety Regulation by way of unauthorized transfers of private information to the US through Google Analytics. The enforcement motion addresses a three-year interval from August 18, 2020, to September 1, 2023, throughout which the meals supply platform operated with out legitimate authorized mechanisms for transatlantic information flows.

The case started when non-profit group noyb filed a criticism on August 18, 2020, on behalf of an Austrian citizen who found Takeaway’s web site transmitted 615 information packets to Google’s servers regardless of explicitly declining cookies and monitoring features. The criticism fashioned a part of coordinated enforcement actions filed with European information safety companies following the Court docket of Justice of the European Union’s July 16, 2020, invalidation of the Privateness Protect adequacy choice within the Schrems II judgment.

Subscribe PPC Land publication ✉️ for comparable tales like this one


Subscribe

Takeaway carried out Google Analytics model 3 throughout 9 European web sites together with Thuisbezorgd.nl within the Netherlands, Simply-Eat.fr in France, Lieferando.de in Germany, and Pyszne.pl in Poland. The Dutch authority established jurisdiction as the corporate’s lead supervisory authority as a result of Takeaway’s foremost institution operates from Amsterdam at Piet Heinkade 61.

The investigation decided that Takeaway transferred intensive classes of private information to Google LLC’s United States servers by way of the Analytics service. In response to the choice, transmitted info included browser specs, working system particulars, referrer information, language preferences, monitoring identifiers, display screen decision info, and extra technical parameters that the authority redacted from the revealed doc for confidentiality.

The Dutch regulator concluded that distinctive on-line identifiers equivalent to cookie identifiers qualify as private information beneath GDPR Article 4(1) even when precise consumer identities stay unknown. “Distinctive identifiers in cookies equivalent to these of Analytics [constitute] private information, even when the precise id of the consumer in query is unknown,” the authority said, citing alignment with choices from the European Knowledge Safety Supervisor and Austria’s information safety authority.

The choice examined whether or not transferred information might allow re-identification of people. The authority decided that distinctive identifiers serve to tell apart web site guests from one another by way of “singling out” strategies, enabling recognition of recent versus returning guests. This classification follows the European Knowledge Safety Board’s Suggestions 01/2020 on supplementary measures for worldwide information transfers.

Takeaway argued that Google LLC’s standing as an digital communications service supplier beneath 50 U.S. Code Part 1881(4)(b) remained insufficiently substantiated within the investigation report. The corporate contended that Analytics information doesn’t qualify as overseas intelligence info topic to Overseas Intelligence Surveillance Act requests. The Dutch authority rejected these arguments, noting that Google publicly discloses receipt of FISA requests by way of its transparency reporting web site. Between July and December 2022, Google reported receiving between zero and 499 FISA requests affecting 106,000 to 106,499 accounts.

Probably the most contentious technical facet concerned Takeaway’s implementation of supplementary safeguards past customary contractual clauses. The corporate deployed a proxy server configuration and extra technical measures that the authority evaluated towards EDPB pseudonymization requirements. These measures aimed to filter private information earlier than transmission to Google’s infrastructure.

In response to the choice, Takeaway carried out the proxy server to eradicate direct info circulate between web site guests and Google, permitting the corporate to find out which information reached Analytics. The authority concluded that regardless of these efforts, “re-identification has not been sufficiently dominated out” as a result of intensive dataset nonetheless transmitted and the potential for combining pseudonymized information with extra info held by U.S. intelligence companies.

The regulatory panorama shifted considerably in the course of the investigation interval. On March 25, 2022, the European Fee and United States introduced an settlement in precept on the Transatlantic Knowledge Privateness Framework. The Fee adopted the adequacy choice for the EU-U.S. Knowledge Privateness Framework on July 10, 2023. Google LLC said in correspondence dated August 21, 2023, that it meant to depend on the framework efficient September 1, 2023, for transfers from the European Union to the US.

The Dutch authority restricted its enforcement scope to the interval earlier than the Knowledge Privateness Framework grew to become operational for Google’s Analytics service. “What has been thought-about on this choice pertains to the interval from 18 August 2020 (the day on which the investigation began) to 1 September 2023 (the day on which the switch is once more based mostly on a legitimate adequacy choice),” the regulator said.

Takeaway maintained contractual relationships with Google LLC till September 27, 2021, beneath customary contractual clauses comparable to European Fee Choice 2010/87/EU. The corporate subsequently restructured its information processing preparations to switch information first to Google Eire Restricted, which then transferred information to Google LLC beneath provisions comparable to Fee Choice 2021/914/EU.

The authority rejected Takeaway’s argument that this restructuring terminated its duty for worldwide transfers after September 27, 2021. “The controller is answerable for the processing of private information, together with the worldwide switch of that information by Google Eire on behalf of Takeaway to the US in the course of the interval from 18 August 2020 to 1 September 2023,” the choice said, citing GDPR Articles 5(2), 24(1), and 28(2).

The enforcement motion addressed interpretative questions on whether or not GDPR’s switch provisions require risk-based evaluation. Takeaway argued that Article 24’s risk-based method applies horizontally throughout the regulation, together with Chapter V switch necessities. The corporate cited the supply’s textual content requiring controllers to implement “acceptable technical and organisational measures” whereas contemplating “the character, scope, context and functions of processing in addition to the dangers of various chance and severity.”

The Dutch authority rejected this interpretation by way of textual evaluation of Article 44. “The availability explicitly states that transfers could solely happen if the situations laid down in Chapter V of the GDPR are met, and that every one provisions of Chapter V have to be utilized in order that the extent of safety assured by the GDPR shouldn’t be undermined,” the regulator concluded. The choice famous that the place the European legislator meant risk-based approaches, particular provisions comprise express language requiring consideration of chance and severity, as demonstrated in Articles 25(1), 30(5), 32(1)(2), 34(1), 35(1)(2), and 37(1).

The authority additionally examined the legislative historical past of GDPR’s risk-based provisions. Whereas acknowledging that the European Council’s March 1, 2013, memorandum mentioned implementing risk-based approaches all through the regulation, the doc explicitly restricted these modifications to Chapter IV (“Controller and processor”) and restricted elements of Chapter III (“Rights of the information topic”). The memorandum didn’t reference Chapter V modifications.

The choice thought-about whether or not Schrems II requires absolute prohibition of transfers the place problematic surveillance legal guidelines exist, or whether or not sensible chance of entry ought to inform compliance choices. Takeaway interpreted the judgment’s recital 135 to advocate risk-based evaluation based mostly on “the state of regulation and practices within the third nation involved” to ensure safety “in follow.”

The Dutch authority concluded that Schrems II doesn’t help risk-based interpretation. “The mere use of the phrases ‘regulation and practices’ […] doesn’t present that the Court docket means by this {that a} statutory provision might be ignored that, in line with European regulation requirements, is opposite to the information safety regulation assured by the Constitution and the GDPR, solely as a result of it has not been established that the hazard of that statutory provision has materialised to this point,” the choice said.

The enforcement motion weighed aggravating and mitigating circumstances beneath GDPR Article 83(2) when figuring out acceptable corrective measures. The authority characterised unauthorized information transfers to 3rd nations with out legitimate switch devices as severe violations constituting an aggravating circumstance.

Purchase advertisements on PPC Land. PPC Land has customary and native advert codecs through main DSPs and advert platforms like Google Adverts. By way of an public sale CPM, you may attain business professionals.


Learn more

Nonetheless, the regulator acknowledged mitigating components particular to the case. “The Schrems II judgment has created a really particular scenario,” the choice famous. The authority thought-about the delay earlier than the European Knowledge Safety Board issued its Suggestions 01/2020 providing instruments for post-Schrems II compliance. The choice additionally acknowledged that Takeaway “has demonstrably made vital efforts to ensure the extent of safety of private information” by way of proxy server implementation and supplementary technical measures, regardless of their final insufficiency.

These issues led the Dutch authority to say no imposing an administrative high quality. “Given the circumstances of this particular case, the Dutch DPA sees purpose to chorus from imposing an administrative high quality on this case. The Dutch DPA will suffice by imposing a reprimand for the noticed violation,” the choice concluded.

The investigation centered solely on Google Analytics model 3, which Google discontinued and changed with Google Analytics 4. “The Dutch DPA has not performed any investigation into Google Analytics 4,” the authority said within the choice.

Parliamentary questions submitted to the Netherlands authorities in November 2025 sought clarification on the investigation’s standing and potential prohibition of Analytics. An official response dated November 13, 2025, confirmed that the Dutch authority investigated Analytics model 3 however issued solely a reprimand that continues to be unpublished beneath the company’s disclosure coverage.

The federal government response addressed hypothesis about complete Analytics prohibition. “A complete ban on Google Analytics imposed by the AP shouldn’t be presently on the playing cards,” the doc said. The response defined that analysis of Google’s companies falls beneath Irish information safety authority jurisdiction as a result of Google’s European headquarters function from Eire, whereas the Dutch authority can assess Analytics use by Dutch web sites.

Supervisory authority over cookie-related compliance presently rests with the Netherlands Authority for Shoppers and Markets beneath Part 11.7a of the Telecommunications Act. The Dutch Knowledge Safety Authority proposed transferring this supervision to allow “extra environment friendly” oversight of cookies and on-line monitoring with “extra concrete steerage on this topic.”

The federal government response indicated ongoing investigation into cookie exception standards. “The AP is investigating the extent to which it could say which cookies do and don’t fall beneath the exception to the cookie provision,” the doc said, noting that definitive solutions rely partly on the supervisory authority switch.

The adequacy choice underlying present transatlantic information flows faces ongoing scrutiny. The framework depends on govt ensures together with the Privateness and Civil Liberties Oversight Board and Knowledge Safety Overview Court docket, neither codified in U.S. regulation. The Trump administration initiated overview of Biden-era nationwide safety choices affecting framework foundations on January 20, 2025.

European privacy enforcement around Google services extends past Analytics. Austria’s Federal Administrative Court docket dominated on September 13, 2024, that web sites should acquire express consent earlier than implementing Google reCAPTCHA, figuring out that 615 information packets transmitted to Google servers earlier than consent violated GDPR rules.

The promoting expertise business continues growing standardized privacy compliance frameworks. IAB Tech Lab finalized its Knowledge Deletion Request Framework in June 2024, establishing constant transmission strategies for shopper deletion requests throughout digital promoting provide chains.

Platform suppliers have launched technical infrastructure for first-party data collection. Google launched its tag gateway for advertisers characteristic on Could 8, 2025, routing conversion information by way of advertiser-owned servers to enhance measurement accuracy by 11% in line with early testing information.

The advertising expertise ecosystem continues adapting to fragmented U.S. state privacy legislation. IAB Tech Lab expanded the World Privateness Platform on August 1, 2024, to incorporate Delaware, Iowa, Nebraska, New Hampshire, New Jersey, and Tennessee, addressing laws turning into efficient all through 2024 and 2025.

Subscribe PPC Land publication ✉️ for comparable tales like this one


Subscribe

Timeline

Subscribe PPC Land publication ✉️ for comparable tales like this one


Subscribe

Abstract

Who: The Dutch Knowledge Safety Authority took enforcement motion towards Takeaway.com Group B.V., guardian firm of meals supply platforms together with Thuisbezorgd.nl, Simply-Eat, Lieferando, and Pyszne, following a criticism filed by Austrian privateness group noyb on behalf of a person consumer.

What: The authority issued a proper reprimand for violating GDPR Article 44 by transferring private information together with distinctive identifiers, browser info, and technical specs to Google LLC in the US by way of Google Analytics model 3 with out legitimate authorized mechanisms throughout a three-year interval.

When: The violation interval prolonged from August 18, 2020, when the investigation started following Privateness Protect invalidation, by way of September 1, 2023, when Google LLC carried out the EU-U.S. Knowledge Privateness Framework for Analytics companies, with the formal choice issued August 20, 2024.

The place: The enforcement motion addressed information transfers from 9 European Union member states the place Takeaway operated web sites (Netherlands, France, Germany, Austria, Poland, Belgium, Bulgaria, Luxembourg, and Denmark) to Google LLC’s servers positioned in the US.

Why: The authority decided that customary contractual clauses alone proved inadequate to ensure sufficient information safety as a result of Google LLC qualifies as an digital communications service supplier topic to U.S. surveillance legal guidelines, and Takeaway’s supplementary technical measures by way of proxy servers couldn’t sufficiently forestall re-identification of people regardless of demonstrated compliance efforts.


Source link