The rulings found that even with IP anonymization turned on, personal data was being transmitted to the US.
The rulings also found that the supplementary measures enacted by the controller using Google Analytics must precisely address specific deficiencies in the protection of personal data in the recipient country. The rulings found that the supplementary measures need to completely resolve the deficiencies.
These findings run contrary to a core GDPR concept, which is having a risk-based approach. It will be interesting to see if other DPAs follow these two, or take a more pragmatic approach.
Image from Wix