Google Analytics
Data protection authority finds inadequate data protection
Philipp Scheuba and Stefan Humer have analyzed the recent decision of the Austrian Data Protection Authority (Datenschutzbehörde DSB) on Google Analytics with regard to the transfer of data. The article was written for a data and cyber bulletin by DAC Beachcroft, in which experts from various partner law firms comment on current issues.
Introduction
The Austrian Data Protection Authority (DSB) has recently rendered a ruling that is remarkable not only because of its likely practical implications, but also because corresponding decisions are expected to be issued soon by the data protection authorities of other EU Member States. The decision concerns the use of Google Analytics, the well-known tool provided by Google LLC to measure and track website use.
Background
Transfers of personal data from the EU to the United States were traditionally based on legal frameworks put in place by the EU and the US to regulate the transatlantic exchange of personal data, the most recent one being the so-called Privacy Shield. In July 2020, it was struck down by the Court of Justice of the European Union (CJEU) following a complaint by the Austrian data protection activist Max Schrems. The CJEU ruled that transfers of personal data to US companies based on the Privacy Shield violated the GDPR, because the Privacy Shield did not provide adequate protection to EU citizens against the US government once the data was in the US (most notably against surveillance by US intelligence agencies).
After this, EU companies resorted to transferring personal data to the US on the basis of Standard Contractual Clauses (SCCs), a mechanism recognized by the GDPR (Art. 46 lit. c) for lawfully transferring personal data to a non-EU Member State.
This practice is now being challenged by noyb, an NGO which DAC Beachcroft have previously written about in this article. It filed 101 complaints relating to transfers of personal data by EU-based data controllers to Google LLC and Facebook Inc. The Austrian decision appears to be the first one responding to one of these complaints.
The Case
The complainant (data subject) visited a website operated by an Austrian company. Because of this visit, the Austrian company processed the complainant’s personal data (most importantly the IP address, which qualifies as personal data as it allows singling out the data subject). The website used Google Analytics. Therefore, personal data of the complainant was transferred to Google in the United States.
Before the DSB, the complainant, represented by noyb, argued that this transfer occurred without a legal basis: the Privacy Shield no longer qualified as such (see above), and the SCCs employed by Google did not provide adequate protection against US surveillance and therefore could not serve as a legal basis either. Therefore, the transfer of his data to the US should be deemed unlawful. The complainant directed his complaint against both the Austrian company and Google LLC.
The DSB qualified the Austrian company as data controller (Verantwortlicher) and Google as data processor (Auftragsverarbeiter).
With regard to Google, the DSB dismissed the complaint. It ruled that the relevant provisions of the GDPR regulating data transfers to third countries only imposed legal duties on the data exporter (here: the Austrian company), but not on the data recipient (here: Google).
With regard to the Austrian company, the DSB ruled in favour of the complainant. A transfer of personal data to a non-EU Member State is only lawful if the transfer mechanisms laid down by the GDPR are followed. Otherwise, the transferred personal data is not adequately protected, and without such adequate protection the transfer is unlawful. In the present case, the DSB found exactly that: Google, as an "electronic communication service provider", is subject to surveillance by US intelligence services, and Google's SCCs were insufficient because they could not prevent US intelligence services from accessing the personal data.
In the DSB's view, the other safeguards implemented by Google against surveillance, such as supplementary measures and technical and organizational measures, also did not result in sufficient protection: the data was neither sufficiently pseudonymized, as it remained identifiable, nor sufficiently encrypted, as Google itself also had access to the encryption.
To sum up, the transfer of the complainant's personal data to the US through Google Analytics violated the GDPR.
Outlook
It is necessary to point out that i) the decision is not yet final and that ii) the SCCs examined by the DSB have in the meantime been updated by Google. While there is therefore not yet a decision concerning Google's current SCCs, the DSB's ruling is still highly relevant, most importantly because it also dealt with Google's supplementary, technical and organizational measures. Since the DSB also found shortcomings in these, it seems unlikely that a new version of the SCCs drawn up by Google (or, for that matter, by a different US provider offering a similar service) to mitigate the implications of the decision would solve the underlying problem, namely the insufficient protection of European data subjects against US authorities when their personal data is transferred overseas. While US providers will likely attempt to offer revised SCCs and safeguards to their European business partners, it has to be acknowledged that their room for action will be limited by US law. Therefore, one has to hope that a renewed agreement between the EU and the US will bring a longer-lasting resolution.