Austrian watchdog rules German company's use of Google Analytics breached GDPR by sending data to US

Schrems II ruling continues to trouble transatlantic data sharing

The Austrian data protection authority has ruled that use of Google Analytics by a German company is in breach of European law in light of the Schrems II EU-US data sharing ruling.

Datenschutzbehörde, or DSB, has found that a German publisher, not named in the case, was in breach of Article 44 of the General Data Protection Regulation (GDPR) in the use and operation of Google Analytics – commonly used throughout web publishing and ecommerce – because of its movement of personal data to the United States.

In 2020, the EU Court of Justice struck down the so-called Privacy Shield data protection arrangements between the bloc and the US in what is now known as the Schrems II ruling, which has ramifications for US cloud providers, social media sites, and providers of online tools.

It had been thought that standard contractual clauses (SCCs) may offer a way to continue to share data legally, although that was also in doubt.

The latest Austrian ruling confirms that SCCs are not sufficient to comply with EU law and that so-called technical and organisational measures (TOMs), such as data centre security and baseline encryption, are also insufficient.

The complainant in the case, legal campaign group noyb, had visited the publisher's website while logged into a Google account, which was linked to the complainant's email address. The site contained embedded HTML code for Google services, including Google Analytics. The website processed personal data such as IP address and cookie data. The data had been transferred to Google, putting them under the purview of GDPR.

DSB found the publisher had been responsible for the sharing of data in its use of Google Analytics and that standard data protection clauses did not provide adequate levels of protection under GDPR because Google can be subject to surveillance by US intelligence agencies under so-called FISA 702 rules.

Other measures taken by the German company did not eliminate the possibilities of surveillance and access by US intelligence services, the authority ruled. It had "therefore not ensured an adequate level of protection pursuant to Article 44 of GDPR," the authority said.

However, the Austrian authority found no violation by Google at this stage. The Chocolate Factory "does not disclose the complainant's personal data, but (only) receives them," the ruling said. It added that a possible violation of other GDPR articles by Google would be addressed in a later decision.

The findings were made on the basis of a submission by the publisher that it failed to implement an IP anonymisation function within Google Analytics due to a code error. During the case, the publisher instructed Google to immediately delete all data collected via the Google Analytics properties.

The configuration error in connection with the IP anonymisation function was also corrected and Google confirmed the personal data had been deleted. However, the authority said in its decision that the IP address is "in any case only one of many 'puzzle pieces' of the complainant's digital footprint."

As of yet, the authority has issued no fines over the ruling. As the publisher in question was originally registered in Austria, but is now registered in Germany via a merger, DSB will refer the case to its German counterpart.

Max Schrems, honorary chair of noyb and the lawyer/campaigner behind the Schrems I and Schrems II cases, said similar decisions are expected in other EU member states as regulators have cooperated on these cases via a European Data Protection Board taskforce.

"This is a very detailed and sound decision. The bottom line is: companies can't use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.

"We expect similar decisions to now drop gradually in most EU member states. We have filed 101 complaints in almost all Member States and the authorities coordinated the response.

"In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in Europe," said Schrems.

In a statement, a Google spokesperson said: "People want the websites they visit to be well designed, easy to use, and respectful of their privacy. Google Analytics helps retailers, governments, NGOs and many other organizations understand how well their sites and apps are working for their visitors – but not by identifying individuals or tracking them across the web. These organisations, not Google, control what data is collected with these tools, and how it is used. Google helps by providing a range of safeguards, controls and resources for compliance." ®
