Schrems II related enforcement actions continue to rise: Google’s “risk-based approach” for data transfers violates GDPR

By Pavan Trivedi and Charlotte Halford

Published 31 May 2022

Overview

On 22 April 2022, the Austrian Data Protection Authority (the “DSB”) issued its second decision regarding the legality of Google Analytics following a complaint from noyb, a non-profit organisation which pursues strategic and effective enforcement of data and privacy laws throughout the EU. In this decision, the DSB held that a website operator’s use of Google Analytics on its website violated the GDPR and, specifically, that the risk-based approach that the operator and Google applied when assessing the international data transfer was inadequate. This second decision is important because it affects the legality of transfers of personal data to inadequate (or third) countries following the landmark decision in Schrems II.

BACKGROUND

The decision of the Court of Justice of the European Union in Schrems II invalidated the EU-US Privacy Shield as a transfer mechanism and, whilst not invalidating them as a transfer mechanism, also brought into question the Standard Contractual Clauses (“SCCs”) as a method of transferring personal data outside of the EU. Following the decision, the European Data Protection Board (“EDPB”) adopted its recommendations on measures that supplement transfer tools (its “Supplementary Measures” guidance) in order to adequately transfer personal data from the EU to third countries in specific circumstances where the SCCs do not go far enough.

Under the Supplementary Measures guidance, the EDPB requires organisations to conduct Transfer Impact Assessments (“TIA”) in order to determine the level of risk associated with the transfer. If the outcome of the TIA is that the SCCs alone do not offer adequate protection for the personal data under the transfer, then additional (supplementary) measures must be taken by the data exporter to mitigate the risks identified, or else the exporter risks being in breach of the GDPR.

COMPLAINT FROM NOYB

The original complaint in this case arose from one of noyb’s 101 complaints submitted to the EDPB around non-compliance of transfers following the decision in Schrems II in July 2020. As a result of noyb’s complaints, the EDPB established a bespoke task force to deal with these complaints. The decisions stemming from noyb’s complaints will have ramifications throughout the EU and are likely to be considered carefully in the UK when the Data Reform Bill is published later this summer.

Within noyb’s complaint to the DSB, it was argued that the website operator in question implemented Google Analytics cookies on its website and that, when a visitor arrived at the site, the visitor’s IP address and any unique identifier data obtained from Google Analytics cookies were subsequently transferred to Google’s servers in the US without adequate protection being in place. If proven true, this would be in direct violation of Article 44 GDPR. Google argued that a user’s IP address combined with any Google Analytics cookie data attached to that user would not amount to personal data and that the transfer therefore did not fall within the scope of Article 44. Google’s argument was dismissed by the DSB as this issue had already been decided in the DSB’s earlier decision on Google Analytics from January 2022.

Additionally, Google attempted to argue that it was pursuing a “risk-based approach” when assessing the legality of the transfer in question and that this type of approach would be adequate for any personal data transfer from the EU to the US via Google Analytics. This argument was rejected for the reasons set out below.

THE RISK-BASED APPROACH

Article 32(2) of the GDPR: “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

Google, as well as other large tech organisations, often relies on applying a risk-based approach in respect of international transfers, which broadens the scope of the data transfers they undertake. In this case, Google argued that the data was transferred with an adequate level of protection on a risk-based approach because SCCs were in place in respect of the transfers of data from the website operator to Google’s servers in the US.

The DSB disagreed and held that although Article 32 does adopt a “risk-based approach” in specific but rare circumstances, it is not available as a general principle in respect of international transfers of personal data pursuant to Article 44 GDPR. Furthermore, the DSB considered that the SCCs that the website operator and Google implemented did not on their own provide an adequate level of protection because Google qualifies as an “electronic communications provider” and Google’s servers in the US are subject to surveillance by US intelligence organisations such as the FBI, CIA and NSA.

The DSB also held that Google was in violation of the GDPR by failing to anonymise website visitors’ IP addresses before they were transferred to the US, which meant that Google was transferring personal data. Additionally, the DSB held that IP addresses, when combined with other unique identifiers such as Google Analytics cookies, can enable the identification of individual website visitors and, taken together, amount to personal data.

The identifiable personal data transferred from the EU to Google’s servers in the US created the possibility that US surveillance authorities could have access to EU citizens’ data, and this was enough to establish that an inadequate level of protection was applied to the data transfer. The DSB held that, due to the inadequate level of protection for the data transfer in question, the use of Google Analytics cookies by the website operator was in violation of Chapter V of the GDPR.

The DSB did not enforce this decision as the website operator had ceased the use of Google Analytics cookies before the complaint procedure reached its conclusion in April 2022.

COMMENTARY

The DSB has now provided two consistent rulings in the last five months which establish that the continued use of Google Analytics in the EU, or at least in Austria, violates the GDPR. Organisations that are using or intend to use Google Analytics cookies or other similar technologies with US-based servers will need to reassess their use.

More broadly, this is a timely reminder that the requirements arising out of the Schrems II judgment must be complied with, and we expect this to be just the beginning of similar decisions and enforcement actions throughout the EU.

An important update for organisations who export data from the EU to the US: on 25 March 2022, the US and EU agreed in principle on a new Privacy Framework to create a new cross-border data transfer framework. For the time being, the proposed EU/US Privacy Framework does not change the position for EU organisations transferring personal data to the US, and until the status of the new framework becomes clearer later this year, organisations should continue to implement the measures referred to above to ensure their data transfers are compliant.