Not surprisingly, Google Analytics (GA) has met the "Schrems wall". Read Digi's article, in which the Norwegian Data Protection Authority speaks out and discusses this issue, here. Note that the Norwegian Data Protection Authority merely recommends that companies use alternatives to GA; it does not explicitly threaten supervision or audits of companies that do use it. This de-dramatizes the situation somewhat. See also this article from Digi that mentions alternatives to GA.
The case in question is the result of one of many complaints to NOYB (Schrems' organization) about businesses that use GA; on this occasion, the complaint was against the EU Parliament itself. Earlier, NOYB expressed concern about businesses using Facebook plug-ins on websites. On 5 January this year, the EDPS (which oversees EU institutions' own privacy) decided to order the EU Parliament to stop using Google Analytics, without issuing a fine. Digi quotes Schrems as saying "EDPS made it clear that simply placing a cookie by a US supplier on the website is in violation of EU privacy laws. No proper protection against U.S. surveillance was in place, despite the fact that European politicians are a known target of surveillance." See the Digi article here.
There are 101 other similar cases filed with the data protection authorities. Complaints have also been filed against a few Norwegian companies. It is now reasonable to believe that the result of these cases will be similar to the result in the EU Parliament matter mentioned above. Businesses may avoid fines for now, but regardless, it is probably time for businesses to implement alternatives to Google Analytics.
Google and Facebook have also been warned of heavy fines for lack of cookie compliance by the French Data Protection Authority. The criticism is based on the fact that the companies had an easily accessible button to accept cookies, but not an easily reachable button to reject cookies (i.e. it took many more clicks to reject cookies). As a result, Google faces a fine of €150,000,000 and Facebook €60,000,000. They have been given three months to change their practice, after which they will incur daily penalties of €100,000 until the required change is made. The decisions will of course be challenged, but in light of them it is nonetheless worth reviewing your cookie processes. Read more about the case here.
The history of transfer problems to third countries also continues at a state level. Interestingly, Australia signed a CLOUD Act agreement with the US in December; read about this here. As is generally known, no country in the EEA/EU has done this to date (the UK had, but it is no longer part of the EEA/EU).
The EDPB has engaged external advisers to make their own assessment as to the legal status of China, Russia, and India. The paper which they have produced sets out that in China, the state has few barriers to accessing information, despite the fact that the country now has a privacy law. The same applies to Russia, with it being noted in the paper that the country has a "striking record" of violating human rights. As regards India, it is suggested that although the Indian Supreme Court has recently handed down decisions which address privacy concerns, this is a new trend and the country has been violating fundamental privacy principles for a long time. Perhaps the most important comment in the paper is that even if India is now establishing a privacy law, the legislation seems to afford the government a legal basis upon which it has far-reaching powers to require access to information. Indian authorities can seemingly not be held responsible for violations of the regulations. The summary of the report states: "the features of the proposed Personal Data Protection (PDP) Bill are discussed. The report concludes that, while the right to privacy was recently recognised by the Supreme Court of India, the government still benefits from wide exemptions to the data protection regime for government access to personal data. The concept of 'national security' is recurring, vague and broad, and it is often used as a ground to access any personal information stored in the Indian territory, including personal data of persons in the EU." The assessment of India has great practical consequences for ICT services. The assessments may be used in third country assessments, and in contact with suppliers. See the report itself here.