Dutch authority reprimands Takeaway for Google Analytics data transfers

Netherlands data protection regulator issues formal reprimand against food delivery company for transferring customer data to US through Analytics from 2020 to 2023.

Takeaway GDPR fine: data sent to Google Analytics without consent.
The Dutch Data Protection Authority issued a formal reprimand against Takeaway.com Group B.V. on August 20, 2024, for violating Article 44 of the General Data Protection Regulation through unauthorized transfers of personal data to the United States via Google Analytics. The enforcement action addresses a three-year period from August 18, 2020, to September 1, 2023, during which the food delivery platform operated without valid legal mechanisms for transatlantic data flows.

The case began when non-profit organization noyb filed a complaint on August 18, 2020, on behalf of an Austrian citizen who discovered that Takeaway's website transmitted 615 data packets to Google's servers even though the user had explicitly declined cookies and tracking functions. The complaint formed part of coordinated enforcement actions filed with European data protection agencies following the Court of Justice of the European Union's July 16, 2020, invalidation of the Privacy Shield adequacy decision in the Schrems II judgment.

Takeaway implemented Google Analytics version 3 across nine European websites including Thuisbezorgd.nl in the Netherlands, Just-Eat.fr in France, Lieferando.de in Germany, and Pyszne.pl in Poland. The Dutch authority established jurisdiction as the company's lead supervisory authority because Takeaway's main establishment operates from Amsterdam at Piet Heinkade 61.

The investigation determined that Takeaway transferred extensive categories of personal data to Google LLC's United States servers through the Analytics service. According to the decision, transmitted information included browser specifications, operating system details, referrer data, language preferences, tracking identifiers, screen resolution information, and additional technical parameters that the authority redacted from the published document for confidentiality.

The Dutch regulator concluded that unique online identifiers such as cookie identifiers qualify as personal data under GDPR Article 4(1) even when actual user identities remain unknown. "Unique identifiers in cookies such as those of Analytics [constitute] personal data, even if the actual identity of the user in question is unknown," the authority stated, citing alignment with decisions from the European Data Protection Supervisor and Austria's data protection authority.

The decision examined whether transferred data could enable re-identification of individuals. The authority determined that unique identifiers serve to distinguish website visitors from each other through "singling out" techniques, enabling recognition of new versus returning visitors. This classification follows the European Data Protection Board's Recommendations 01/2020 on supplementary measures for international data transfers.

Takeaway argued that Google LLC's status as an electronic communications service provider under 50 U.S. Code Section 1881(4)(b) remained insufficiently substantiated in the investigation report. The company contended that Analytics data does not qualify as foreign intelligence information subject to Foreign Intelligence Surveillance Act requests. The Dutch authority rejected these arguments, noting that Google publicly discloses receipt of FISA requests through its transparency reporting website. Between July and December 2022, Google reported receiving between zero and 499 FISA requests affecting 106,000 to 106,499 accounts.

The most contentious technical aspect involved Takeaway's implementation of supplementary safeguards beyond standard contractual clauses. The company deployed a proxy server configuration and additional technical measures that the authority evaluated against EDPB pseudonymization standards. These measures aimed to filter personal data before transmission to Google's infrastructure.

According to the decision, Takeaway implemented the proxy server to eliminate direct information flow between website visitors and Google, allowing the company to determine which data reached Analytics. The authority concluded that despite these efforts, "re-identification has not been sufficiently ruled out" due to the extensive dataset still transmitted and the potential for combining pseudonymized data with additional information held by U.S. intelligence services.
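
What a filtering step of this kind can and cannot achieve, as an added Python example; it is not Takeaway's configuration (which the decision redacts) and not code from the article. The allowlist, the keyed-hash pseudonymisation, the proxy key and the sample hits are assumptions; the parameter names are those of the Universal Analytics Measurement Protocol.

```python
import hashlib
import hmac
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumed allowlist of Measurement Protocol parameters; the real one is redacted.
ALLOWED = {"v", "tid", "t", "dl", "dr", "ul", "sr", "ua", "cid"}
QUASI_IDS = ("ua", "ul", "sr")  # browser/OS, language, screen resolution

def scrub_hit(query, key):
    """Return the parameters a filtering proxy would forward for one hit."""
    hit = {k: v for k, v in parse_qsl(query) if k in ALLOWED}  # drops uip etc.
    if "cid" in hit:  # pseudonymise the client ID with a keyed hash
        mac = hmac.new(key, hit["cid"].encode(), hashlib.sha256)
        hit["cid"] = mac.hexdigest()[:16]
    for field in ("dl", "dr"):  # keep only scheme and host of page/referrer URLs
        if field in hit:
            u = urlsplit(hit[field])
            hit[field] = f"{u.scheme}://{u.netloc}/"
    return hit

def returning_visitors(hits):
    """Pseudonymous IDs seen on more than one hit remain linkable across hits."""
    seen = Counter(h["cid"] for h in hits)
    return sum(1 for n in seen.values() if n > 1)

def singled_out(hits):
    """Visitors whose forwarded quasi-identifier tuple is unique in the batch."""
    fp = {h["cid"]: tuple(h.get(f) for f in QUASI_IDS) for h in hits}
    counts = Counter(fp.values())
    return sum(1 for t in fp.values() if counts[t] == 1)

# Constructed sample hits (not real traffic); uip is the IP override parameter.
_BASE = ("v=1&tid=UA-000000-1&t=pageview&uip=203.0.113.7"
         "&dl=https%3A%2F%2Fshop.example%2Fcart%3Fuser%3D42")
SAMPLE = [
    _BASE + "&cid=111.222&ul=de-at&sr=1920x1080&ua=Firefox%2F115+Linux",
    _BASE + "&cid=111.222&ul=de-at&sr=1920x1080&ua=Firefox%2F115+Linux",
    _BASE + "&cid=333.444&ul=nl-nl&sr=390x844&ua=Safari%2F16+iOS",
    _BASE + "&cid=555.666&ul=nl-nl&sr=390x844&ua=Safari%2F16+iOS",
]

if __name__ == "__main__":
    hits = [scrub_hit(q, b"constructed-proxy-key") for q in SAMPLE]
    print(hits[0])
    print("linkable returning visitors:", returning_visitors(hits))
    print("visitors singled out by ua/ul/sr:", singled_out(hits))
```

With the IP address dropped and the client ID hashed, the forwarded fields still tell a returning visitor from a new one and still isolate one visitor by browser, language and screen size, which is the "singling out" concern the decision describes.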

The regulatory landscape shifted significantly during the investigation period. On March 25, 2022, the European Commission and United States announced an agreement in principle on the Transatlantic Data Privacy Framework. The Commission adopted the adequacy decision for the EU-U.S. Data Privacy Framework on July 10, 2023. Google LLC stated in correspondence dated August 21, 2023, that it intended to rely on the framework effective September 1, 2023, for transfers from the European Union to the United States.

The Dutch authority limited its enforcement scope to the period before the Data Privacy Framework became operational for Google's Analytics service. "What has been considered in this decision relates to the period from 18 August 2020 (the day on which the investigation started) to 1 September 2023 (the day on which the transfer is again based on a valid adequacy decision)," the regulator stated.

Takeaway maintained contractual relationships with Google LLC until September 27, 2021, under standard contractual clauses corresponding to European Commission Decision 2010/87/EU. The company subsequently restructured its data processing arrangements to transfer data first to Google Ireland Limited, which then transferred data to Google LLC under provisions corresponding to Commission Decision 2021/914/EU.

The authority rejected Takeaway's argument that this restructuring terminated its responsibility for international transfers after September 27, 2021. "The controller is responsible for the processing of personal data, including the international transfer of that data by Google Ireland on behalf of Takeaway to the United States during the period from 18 August 2020 to 1 September 2023," the decision stated, citing GDPR Articles 5(2), 24(1), and 28(2).

The enforcement action addressed interpretative questions about whether GDPR's transfer provisions require risk-based assessment. Takeaway argued that Article 24's risk-based approach applies horizontally across the regulation, including Chapter V transfer requirements. The company cited the provision's text requiring controllers to implement "appropriate technical and organisational measures" while considering "the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity."

The Dutch authority rejected this interpretation through textual analysis of Article 44. "The provision explicitly states that transfers may only take place if the conditions laid down in Chapter V of the GDPR are met, and that all provisions of Chapter V must be applied so that the level of protection guaranteed by the GDPR is not undermined," the regulator concluded. The decision noted that where the European legislator intended risk-based approaches, specific provisions contain explicit language requiring consideration of likelihood and severity, as demonstrated in Articles 25(1), 30(5), 32(1)(2), 34(1), 35(1)(2), and 37(1).

The authority also examined the legislative history of GDPR's risk-based provisions. While acknowledging that the European Council's March 1, 2013, memorandum discussed implementing risk-based approaches throughout the regulation, the document explicitly limited these modifications to Chapter IV ("Controller and processor") and limited aspects of Chapter III ("Rights of the data subject"). The memorandum did not reference Chapter V modifications.

The decision considered whether Schrems II requires absolute prohibition of transfers where problematic surveillance laws exist, or whether practical likelihood of access should inform compliance decisions. Takeaway interpreted the judgment's recital 135 to advocate risk-based assessment based on "the state of law and practices in the third country concerned" to guarantee protection "in practice."

The Dutch authority concluded that Schrems II does not support risk-based interpretation. "The mere use of the words 'law and practices' [...] does not show that the Court means by this that a statutory provision can be ignored that, according to European law standards, is contrary to the data protection law guaranteed by the Charter and the GDPR, solely because it has not been established that the danger of that statutory provision has materialised to date," the decision stated.

The enforcement action weighed aggravating and mitigating circumstances under GDPR Article 83(2) when determining appropriate corrective measures. The authority characterized unauthorized data transfers to third countries without valid transfer instruments as serious violations constituting an aggravating circumstance.

However, the regulator acknowledged mitigating factors specific to the case. "The Schrems II judgment has created a very specific situation," the decision noted. The authority considered the delay before the European Data Protection Board issued its Recommendations 01/2020 offering tools for post-Schrems II compliance. The decision also recognized that Takeaway "has demonstrably made significant efforts to guarantee the level of protection of personal data" through proxy server implementation and supplementary technical measures, despite their ultimate insufficiency.

These considerations led the Dutch authority to decline imposing an administrative fine. "Given the circumstances of this specific case, the Dutch DPA sees reason to refrain from imposing an administrative fine in this case. The Dutch DPA will suffice by imposing a reprimand for the observed violation," the decision concluded.

The investigation focused exclusively on Google Analytics version 3, which Google discontinued and replaced with Google Analytics 4. "The Dutch DPA has not conducted any investigation into Google Analytics 4," the authority stated in the decision.

Parliamentary questions submitted to the Netherlands government in November 2025 sought clarification on the investigation's status and potential prohibition of Analytics. An official response dated November 13, 2025, confirmed that the Dutch authority investigated Analytics version 3 but issued only a reprimand that remains unpublished under the agency's disclosure policy.

The government response addressed speculation about comprehensive Analytics prohibition. "A total ban on Google Analytics imposed by the AP is not currently on the cards," the document stated. The response explained that evaluation of Google's services falls under Irish data protection authority jurisdiction because Google's European headquarters operate from Ireland, while the Dutch authority can assess Analytics use by Dutch websites.

Supervisory authority over cookie-related compliance currently rests with the Netherlands Authority for Consumers and Markets under Section 11.7a of the Telecommunications Act. The Dutch Data Protection Authority proposed transferring this supervision to enable "more efficient" oversight of cookies and online tracking with "more concrete guidance on this subject."

The government response indicated ongoing investigation into cookie exception criteria. "The AP is investigating the extent to which it can say which cookies do and do not fall under the exception to the cookie provision," the document stated, noting that definitive answers depend partly on the supervisory authority transfer.

The adequacy decision underlying current transatlantic data flows faces ongoing scrutiny. The framework relies on executive guarantees including the Privacy and Civil Liberties Oversight Board and Data Protection Review Court, neither codified in U.S. law. The Trump administration initiated review of Biden-era national security decisions affecting framework foundations on January 20, 2025.

European privacy enforcement around Google services extends beyond Analytics. Austria's Federal Administrative Court ruled on September 13, 2024, that websites must obtain explicit consent before implementing Google reCAPTCHA, determining that 615 data packets transmitted to Google servers before consent violated GDPR principles.

The advertising technology industry continues developing standardized privacy compliance frameworks. IAB Tech Lab finalized its Data Deletion Request Framework in June 2024, establishing consistent transmission methods for consumer deletion requests across digital advertising supply chains.

Platform providers have introduced technical infrastructure for first-party data collection. Google launched its tag gateway for advertisers feature on May 8, 2025, routing conversion data through advertiser-owned servers to improve measurement accuracy by 11% according to early testing data.

The marketing technology ecosystem continues adapting to fragmented U.S. state privacy legislation. IAB Tech Lab expanded the Global Privacy Platform on August 1, 2024, to include Delaware, Iowa, Nebraska, New Hampshire, New Jersey, and Tennessee, addressing regulations becoming effective throughout 2024 and 2025.

Summary

Who: The Dutch Data Protection Authority took enforcement action against Takeaway.com Group B.V., parent company of food delivery platforms including Thuisbezorgd.nl, Just-Eat, Lieferando, and Pyszne, following a complaint filed by Austrian privacy organization noyb on behalf of an individual user.

What: The authority issued a formal reprimand for violating GDPR Article 44 by transferring personal data including unique identifiers, browser information, and technical specifications to Google LLC in the United States through Google Analytics version 3 without valid legal mechanisms during a three-year period.

When: The violation period extended from August 18, 2020, when the investigation began following Privacy Shield invalidation, through September 1, 2023, when Google LLC implemented the EU-U.S. Data Privacy Framework for Analytics services, with the formal decision issued August 20, 2024.

Where: The enforcement action addressed data transfers from nine European Union member states where Takeaway operated websites (Netherlands, France, Germany, Austria, Poland, Belgium, Bulgaria, Luxembourg, and Denmark) to Google LLC's servers located in the United States.

Why: The authority determined that standard contractual clauses alone proved insufficient to guarantee adequate data protection because Google LLC qualifies as an electronic communications service provider subject to U.S. surveillance laws, and Takeaway's supplementary technical measures through proxy servers could not sufficiently prevent re-identification of individuals despite demonstrated compliance efforts.