Austrian watchdog rules German company's use of Google Analytics breached GDPR by sending data to US
Schrems II ruling continues to trouble transatlantic data sharing
The Austrian data protection authority has ruled that use of Google Analytics by a German company is in breach of European law in light of the Schrems II EU-US data sharing ruling.
Datenschutzbehörde, or DSB, has found that a German publisher, not named in the case, was in breach of Article 44 of the General Data Protection Regulation (GDPR) in the use and operation of Google Analytics – commonly used throughout web publishing and ecommerce – because of its movement of personal data to the United States.
In 2020, the EU Court of Justice struck down the so-called Privacy Shield data protection arrangements between the bloc and the US in what is now known as the Schrems II ruling, which has ramifications for US cloud providers, social media sites, and providers of online tools.
It had been thought that standard contractual clauses (SCCs) might offer a way to continue to share data legally, although that was also in doubt.
The latest Austrian ruling confirms that SCCs are not sufficient to comply with EU law and that so-called technical and organisational measures (TOMs), such as data centre security and baseline encryption, are also insufficient.
The complainant in the case, legal campaign group noyb, had visited the publisher's website while logged into a Google account, which was linked to the complainant's email address. The site contained embedded HTML code for Google services, including Google Analytics. The website processed personal data such as IP address and cookie data. The data had been transferred to Google, putting them under the purview of GDPR.
DSB found the publisher had been responsible for the sharing of data in its use of Google Analytics and that standard data protection clauses did not provide adequate levels of protection under GDPR because Google can be subject to surveillance by US intelligence agencies under so-called FISA 702 rules.
Other measures taken by the German company did not eliminate the possibilities of surveillance and access by US intelligence services, the authority ruled. It had "therefore not ensured an adequate level of protection pursuant to Article 44 of GDPR," the authority said.
However, the Austrian authority found no violation by Google at this stage. The Chocolate Factory "does not disclose the complainant's personal data, but (only) receives them," the ruling said. It added that a possible violation of other GDPR articles by Google would be addressed in a later decision.
The findings were made on the basis of a submission by the publisher that it failed to implement an IP anonymisation function within Google Analytics due to a code error. During the case, the publisher instructed Google to immediately delete all data collected via the Google Analytics properties.
The configuration error in connection with the IP anonymisation function was also corrected and Google confirmed the personal data had been deleted. However, the authority said in its decision that the IP address is "in any case only one of many 'puzzle pieces' of the complainant's digital footprint."
As of yet, the authority has issued no fines over the ruling. As the publisher in question was originally registered in Austria, but is now registered in Germany via a merger, DSB will refer the case to its German counterpart.
Max Schrems, honorary chair of noyb and the lawyer/campaigner behind the Schrems I and Schrems II cases, said similar decisions are expected in other EU member states as regulators have cooperated on these cases via a European Data Protection Board taskforce.
"This is a very detailed and sound decision. The bottom line is: companies can't use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.
"We expect similar decisions to now drop gradually in most EU member states. We have filed 101 complaints in almost all Member States and the authorities coordinated the response.
"In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in Europe," said Schrems.
In a statement, a Google spokesperson said: "People want the websites they visit to be well designed, easy to use, and respectful of their privacy. Google Analytics helps retailers, governments, NGOs and many other organizations understand how well their sites and apps are working for their visitors – but not by identifying individuals or tracking them across the web. These organisations, not Google, control what data is collected with these tools, and how it is used. Google helps by providing a range of safeguards, controls and resources for compliance." ®