← Blog
Privacy & GDPR

Schrems III: Will Google Analytics Become Illegal in the EU (Again)?

The EU-US Data Privacy Framework is under appeal at the CJEU. Here is what actually happened, what history says comes next, and how to prepare your analytics stack.

7 min readDatalenk

Last updated: June 2026. This article tracks a live court case and is updated as the litigation develops.

If you run analytics on a website with European visitors, you have probably seen the headlines: "Schrems III is coming", "the end of EU-US data transfers", "Google Analytics about to be illegal again". Some of those articles are useful. Many are fear marketing dressed up as legal analysis.

Here is the situation as it actually stands, based on court records rather than vendor blogs, and what the last ten years of European privacy litigation suggest happens next.

Where things stand today (the verified version)

Three facts define where things stand legally:

1. The EU-US Data Privacy Framework (DPF) is valid today. The European Commission adopted its adequacy decision for the DPF in July 2023. Companies certified under it, including Google, can lawfully transfer EU personal data to the United States. Using Google Analytics in the EU is not illegal as of this writing.

2. The DPF survived its first court challenge, but the appeal is live. French member of parliament Philippe Latombe challenged the adequacy decision directly. In September 2025, the EU General Court upheld the DPF and dismissed his case (Latombe v. Commission). Latombe appealed to the Court of Justice of the EU on October 31, 2025. The appeal is registered as Case C-703/25 P. As of May 2026, no hearing date has been announced.

3. The activist who killed the last two frameworks is circling. noyb, the privacy organization founded by Max Schrems, stated after the General Court judgment that it is considering its own, broader challenge to the DPF. Schrems' two previous challenges are the reason this article has a "III" in the title.

So no, there has been no "Schrems III ruling". What exists is a pending appeal, a probable second challenge, and a legal framework with two dead predecessors.

The pattern: this movie has played twice before

The reason serious companies prepare anyway is the historical base rate. Both previous EU-US transfer frameworks were invalidated by the same court that now holds the DPF appeal.

Schrems I (October 2015). The CJEU invalidated Safe Harbor, the original EU-US transfer agreement, after Max Schrems challenged Facebook's transfers in the wake of the Snowden revelations. Thousands of companies lost their legal basis for transatlantic data flows overnight.

Schrems II (July 2020). Its replacement, Privacy Shield, lasted four years. The CJEU struck it down on the same core ground: US surveillance law gives EU citizens no effective remedy, so the US does not offer "essentially equivalent" protection.

The aftershock that hit analytics directly (2022). Schrems II is what made Google Analytics a named target. noyb filed 101 complaints across EU member states, and data protection authorities started ruling one by one: the Austrian DSB in January 2022, the French CNIL in February 2022, the Italian Garante in June 2022, each concluding that Google Analytics transfers violated the GDPR. Sites were ordered to stop using it. Searches for Google Analytics alternatives exploded, and an entire category of EU-hosted, privacy-first analytics tools rode that wave.

The pattern in one sentence: framework adopted, framework challenged, framework invalidated, regulators turn the abstract ruling into concrete enforcement against specific tools, and Google Analytics has been the highest-profile casualty both times.

The DPF's defenders argue this time is different: the US created a Data Protection Review Court and new redress mechanisms specifically to fix the Schrems II defects, and the General Court found them sufficient. The appeal will test exactly that question. There is also a wildcard the previous rounds did not have: the redress mechanism depends on US executive orders that can be amended by any administration, which keeps the "essential equivalence" question permanently unstable.

What happens to Google Analytics if the DPF falls

If the CJEU invalidates the adequacy decision, the mechanics are well rehearsed by now:

  1. Transfers lose their primary legal basis immediately. Court invalidations of adequacy decisions take effect without transition periods, as Schrems II demonstrated.
  2. Companies fall back on Standard Contractual Clauses (SCCs). But Schrems II also held that SCCs cannot fix US surveillance law by contract, which is why the 2022 DPA rulings found Google Analytics unlawful even with SCCs in place.
  3. DPAs reactivate the 2022 playbook. The complaints, templates and legal reasoning already exist. Enforcement against US analytics tools historically followed within months, not years.
  4. The practical question for site owners becomes the same one from 2022: can you configure a US-owned analytics tool into compliance (IP anonymization, proxying, consent), or is the only durable answer a tool that never sends data to a US-controlled company at all? French and Austrian regulators took a hard line last time: configuration tweaks were not enough.

None of this requires Google Analytics to be "banned". It requires only that its data transfers lack a valid legal basis, at which point every EU site using it inherits a compliance problem.

The realistic timeline

Appeals before the CJEU typically take one and a half to two and a half years from filing. With the appeal filed in late October 2025, a decision plausibly lands between 2027 and 2028. A separate noyb challenge, if filed, would run on its own clock. Anyone selling you urgency with a specific date is guessing.

What that timeline means strategically: you have time to prepare calmly, and almost no time to waste if the ruling goes against the DPF, because the 2022 precedent shows enforcement moves fast once the legal ground shifts.

How to be ready (whatever the court decides)

The preparation that makes sense is the kind that pays off even if the DPF survives, because it also reduces consent friction, cookie banner requirements and ad blocker data loss today.

Step 1: inventory your US data transfers. List every tool on your site that sends visitor data to a US-owned company: analytics, tag managers, heatmaps, session replay, A/B testing, fonts, CDNs. For each one, note what personal data leaves and under which legal basis.

Step 2: classify by replaceability. Analytics is usually the easiest high-impact swap: mature EU-hosted alternatives exist at every price point , and unlike your payment processor, switching analytics does not touch revenue-critical infrastructure.

Step 3: prefer tools that make the question disappear. An analytics tool that collects no personal data, sets no cookies, and stores everything on EU-owned infrastructure does not care how Case C-703/25 P ends. That is the difference between betting on a court outcome and being indifferent to it.

Step 4: keep historical data portable. Whatever you use today, export your historical data now. The 2022 rulings stranded years of Google Analytics history for companies that had to leave quickly (and Universal Analytics deletions later proved the same point from a different direction).

Step 5: bookmark the litigation, not the headlines. We maintain a tracker of every active challenge to EU-US transfers, updated as filings happen , precisely so you can check the actual procedural state in thirty seconds.

FAQ

Is Google Analytics illegal in the EU right now? No. The Data Privacy Framework is in force, and Google is certified under it. The framework is under appeal at the CJEU, but a pending appeal changes nothing about today's legality.

What is Schrems III? A nickname for the anticipated next CJEU ruling on EU-US data transfers. It is currently used loosely to refer to the Latombe appeal (Case C-703/25 P) and to a potential separate challenge by noyb. No such ruling has been issued.

What happened in Latombe v. Commission? French MP Philippe Latombe asked the EU General Court to annul the DPF adequacy decision. In September 2025 the court rejected his challenge and upheld the framework. He appealed to the CJEU on October 31, 2025.

When will the CJEU decide? No hearing date is set as of mid-2026. Based on typical CJEU appeal timelines, a decision in 2027 or 2028 is the realistic window.

Did regulators really declare Google Analytics illegal in 2022? Yes. Following Schrems II, the Austrian DSB (January 2022), French CNIL (February 2022) and Italian Garante (June 2022) each found that Google Analytics data transfers violated the GDPR, and ordered sites to stop or fix them. Those rulings were superseded in practice by the DPF in 2023, which is exactly why the DPF's fate matters.

What should I do today? Inventory your US-bound data flows, export your historical analytics data, and evaluate EU-hosted alternatives while there is no deadline pressure. If your analytics collects no personal data on EU-owned infrastructure, the outcome of the appeal becomes irrelevant to you.

Measure the money,
not the pageviews

Cookieless, EU-hosted analytics that ties every visit to real Stripe revenue. Free in beta.