Austrian Supervisory Authority Assesses Google Analytics as Non-Compliant with Chapter V of the GDPR
The Austrian supervisory authority Datenschutzbehörde (the “Austrian SA”) has recently held that companies using Google Analytics are in breach of the GDPR because the data transfer regime designed by Google does not meet the GDPR’s requirements. The decision follows the reasoning of the European Data Protection Board (the “EDPB”) and a similar conclusion reached by the European Data Protection Supervisor (the “EDPS”).
This is another decision in the Schrems II saga that challenges the data transfer mechanisms currently applied in the context of global services.
On 17 August 2020, a non-governmental organization co-founded by privacy activist Max Schrems, called “None of Your Business”, filed 101 identical complaints targeted at the services Google Analytics and Facebook Connect before 30 European supervisory authorities.
On 22 December 2021, the Austrian SA was the first to issue a formal decision on these complaints. In the decision, which was made publicly available on 13 January 2022, the Austrian SA assessed the compatibility of Google Analytics with the GDPR. According to the Austrian SA, the measures implemented by Google in addition to the standard data protection clauses were not effective; therefore, if website operators use Google Analytics, the resulting processing of personal data is not compliant with Chapter V of the GDPR.
In particular, the Austrian SA has come to the following conclusions:
Data Transfer to the US in connection with Google Analytics is not GDPR compliant
Google LLC qualifies as a provider of electronic communications services under the relevant US surveillance laws and therefore, it is subject to the obligation to provide personal data to the competent US government authorities if requested to do so.
The Austrian SA held that the new Standard Contractual Clauses did not by themselves provide an adequate level of protection, and that the additional safeguards Google had implemented could not prevent US intelligence services from accessing the data subjects’ personal data and therefore did not “close the legal protection gaps” in the US surveillance laws.
The standard contractual and organizational measures, such as the notification of data subjects, publishing of transparency reports or “careful consideration of any data access request”, were deemed ineffective and insufficient.
Furthermore, the implemented technical measures, including the protection of communications between Google services, protection of data in transit between data centers, “on-site security” and encryption, also failed to close the “legal protection gaps”, as neither the data exporter nor the data importer established that these measures could prevent or restrict access by US intelligence services to the processed data.
The Austrian SA also rejected Google’s argument that the data processed within Google Analytics is pseudonymized, so that even if US government authorities requested access to the data, they would not be able to identify the particular data subject. In the Austrian SA’s view, the IP address, together with other online identifiers collected by cookies (unique Google Analytics identification numbers, information about the browser and device), may allow US government authorities to identify a particular data subject.
As the Austrian SA held that the implemented measures must eliminate any possibility of access to European personal data by US intelligence services under the applicable surveillance laws, arguments based on a risk-based approach to the interpretation of Chapter V of the GDPR are also unlikely to succeed.
Google LLC is not liable for the breach of the GDPR transfer rules
According to the Austrian SA, the obligation to comply with the rules of Chapter V of the GDPR lies with the EU exporters, not with the US importers; therefore, Google LLC was not found liable for a violation of Article 44 of the GDPR. However, the Austrian SA stated that it would investigate Google LLC further in relation to potential violations of Articles 5, 28 and 29 GDPR, in particular to determine whether, based on the transparency reports, Google was allowed to provide personal data to US government authorities without explicit permission granted by the EU data exporter. The Austrian SA will issue a separate decision in this matter.
There is currently no information available on whether the Austrian SA intends to impose a fine on the website operator / data exporter in the case at hand.
Future of Google Analytics
Despite the implementation of the new Standard Contractual Clauses of June 2021, data transfers to Google LLC, and potentially to other service providers located in the US, are likely to be deemed non-compliant because of the lack of technical supplementary measures capable of closing the “legal protection gaps” identified in the US surveillance laws.
It should be noted that the same conclusion was reached by the European Data Protection Supervisor (who supervises the processing activities carried out by the European institutions) in relation to the use of Google Analytics on the COVID testing website operated by the European Parliament. Therefore, as of today, there are already at least two relevant post-Schrems II decisions holding that data transfers to Google LLC are non-compliant with Chapter V of the GDPR. The same reasoning could analogously be applied to transfers to other service providers located in the US.
In September 2021, the EDPB stated that it had established a taskforce for the purpose of coordinating the responses to the complaints filed by the NGO None of Your Business. While the taskforce should mainly focus on complaints submitted in the matter of cookie banners, it is likely that the relevant European supervisory authorities will also jointly discuss and cooperate on the Google Analytics / Facebook Connect complaints. We can expect other European supervisory authorities to follow the conclusions and reasoning of the Austrian SA.
Consent-based transfer pursuant to Art. 49 para 1 lit. a) GDPR may seem like a feasible solution; however, according to the EDPB’s interpretation, the use of the data subject’s consent as a transfer mechanism should be limited to occasional transfers, which is not the case for Google Analytics and other such cloud-based services.
Given the conclusions set out above, the data transfer paradigm is likely to shift in one of two ways. Either companies like Google will roll out a European version of their services that is compliant with the GDPR, i.e., most likely fully hosted in the EEA or in a country with an adequacy decision, or European website operators will have to find alternative solutions that provide the same service without being hosted in the US. Otherwise, they face the risk of harsh penalties under the GDPR.
If you would like to know more about data transfers and applicable legal requirements, please contact:
Teodora Drašković at email@example.com,
Lenka Suchánková at firstname.lastname@example.org, or
Dominik Vítek at email@example.com.