The Austrian data protection authority deemed the transfer of personal data to the United States performed through Google Analytics to breach the GDPR.
In a groundbreaking decision, the Austrian data protection authority took a clear stance against the compliance of the data transfer to the United States performed through Google Analytics. The decision follows a complaint filed by an individual represented by NOYB, the association behind the “famous” Max Schrems, against both the website provider (in its role as data exporter) and Google LLC (in its role as data importer), arguing that both respondents violated Articles 44 et seqq. GDPR in light of the Schrems II ruling by transferring the complainant's personal data to Google LLC.
The main point of the argument is that Google LLC qualifies as an “electronic communication service provider” under 50 U.S. Code § 1881(b)(4), which makes it subject to surveillance by U.S. intelligence services and can be ordered to disclose data of European citizens to them.
Here are the main takeaways of the decision from my Austrian DLA Piper colleague, Stefan Panic:
- The Austrian data protection authority held that there is processing of personal data through Google Analytics because of the possibility of singling out the specific user/data subject, since US authorities would be able to identify the relevant user. The use of Anonymize IP is potentially irrelevant, as the IP address is just “one piece of the puzzle” in determining the user;
- The old Standard Contractual Clauses have been deemed as insufficient guarantees, specifically for data transfers to the United States, while the new SCCs have not been addressed in this case since the decision relates to events before their adoption;
- The supplementary measures adopted by Google to make the data transfer compliant with the GDPR have been determined to be insufficient, as
  - any supplementary measures may only be deemed effective if they address the specific deficiencies identified in the assessment of the situation in the third country, i.e., the access and surveillance possibilities of US intelligence services;
  - encryption is not an adequate measure if the recipient has the key and may be obliged to disclose it together with the data;
  - contractual measures alone are generally not capable of binding the authorities of the third country but must be supplemented with other measures. Google implemented various measures (contractual, organizational and technical), but the Austrian DPA deemed the full spectrum of them insufficient.
- The “quality of the data”, in the sense of assessing a specific risk based on the specific data transferred, was not addressed by the Austrian data protection authority. This aspect may possibly be addressed in determining the fine (if any), which is a separate procedure under Austrian law.
Given the widespread usage of Google Analytics, the decision has a substantial impact. A representative of the Italian data protection authority, the Garante, has already declared that this decision should be considered. This means that a domino effect might occur in the other EU Member States.
There are already websites publishing lists of European alternatives to Google Analytics. But shifting from Analytics to other European technologies is not the main point. More than a year and a half after the Schrems II ruling, several businesses still have not mapped their data transfers to non-EEA countries and performed a transfer impact assessment.
Implementing the new Standard Contractual Clauses is not per se sufficient to secure the data transfer. As such, with my DLA Piper colleagues, we developed “Transfer”, a legal tech tool and methodology that automates the performance of transfer impact assessments. Over 100 DLA Piper clients already use Transfer, and you can read about it in this article.