Many organisations are currently busily preparing extensive remediation programmes to implement data transfer requirements arising out of the Schrems II judgement. Often, those running such programmes are asked to quantify the risk and likelihood of enforcement action arising out of failure to adhere to these requirements. Two recent decisions provide some insight.
Austrian DSB Decision
On 12 January 2022, the Austrian Data Protection Authority (“Datenschutzbehörde” or the “DSB”) held that the continuous use of Google Analytics involving a transfer of personal data to the US by an Austrian data exporter (a website operator) was in violation of Chapter V of the EU GDPR.
This is a landmark decision as it is the first ruling by a Data Protection Authority following 101 complaints filed by the Austrian-based privacy group None of Your Business (“noyb”) (led by Max Schrems) to the European Data Protection Board (EDPB) concerning transfers of data from the EU/EEA to the United States.
Background
In August 2020, a complaint was filed by a data subject, represented by noyb, to the DSB, claiming that a website operator (acting as a data exporter) and Google LLC (acting as the data importer) were in violation of Article 44 EU GDPR (post-Schrems II).
The website operator was alleged to have breached the EU GDPR via the operation of its website as it enabled Google to collect analytical and usage data (including personal user identifiers and IP addresses), via Google Analytics cookies, and subsequently transferred the collected data to Google’s data servers in the U.S.
Google’s data servers are subject to surveillance by U.S. intelligence agencies as Google is defined as an “electronic communication service provider” under the U.S. Foreign Intelligence Surveillance Act (“FISA”). Organisations that are subject to surveillance by U.S. authorities can be ordered to disclose the collected personal data of European citizens.
Google argued that the implementation of technical and organisational measures, including the use of Standard Contractual Clauses (“SCCs”), ring-fencing measures within the data servers and encryption, amounted to adequate protection to ensure compliance with Chapter V EU GDPR.
Decision
The DSB disagreed. It found that the measures were not effective as they did not prevent or limit access to the personal data by U.S. intelligence agencies in practice.
The DSB upheld the complaint and found that the website operator transferred personal data to Google in direct breach of the EU GDPR. The DSB ruled that the SCCs in place between the parties, ring-fencing measures and encryption did not offer an adequate level of protection as they did not alter the fact that Google’s servers are subject to surveillance by U.S. intelligence agencies. Therefore, the personal data could not be sufficiently protected.
European Data Protection Supervisor Decision
In a decision based on similar reasoning, the European Data Protection Supervisor (EDPS) ruled that the European Parliament was in breach of Chapter V of the EU GDPR by allowing cookies from Google Analytics and the Stripe payment service to be placed on the devices of users of its Covid testing website.
Impact
noyb has submitted 101 EU GDPR complaints alleging Schrems II related breaches. As a result, the EDPB established a bespoke task force to deal with these complaints. We expect to see similar decisions arising from other EU Member States soon. These decisions will have ramifications throughout the EU and are likely to be considered carefully in the UK.
Organisations that are using or intend to use Google Analytics cookies will need to reassess their use. More broadly, this is a timely reminder that requirements arising out of the Schrems II judgement must be complied with. We expect this to be just the beginning of similar decisions and enforcement action.