Organisations using Google Analytics beware: The Austrian data protection authority has issued a decision that the transfer of Google Analytics data from the EU to the US violates the GDPR, due to not providing adequate supplementary measures during the transfer.
The complaint was filed by the infamous privacy advocate organisation NOYB following the Schrems II judgement by the CJEU. It is one of the 101 complaints filed Europe-wide by the organisation following this judgement, targeting companies that use Google Analytics and Facebook Connect on their website. The EDPB created a special task force for the national supervisory authorities to cooperate in a more structured way.
This Austrian case is the first of the 101 complaints (also known as the "101 dalmatians") to receive a decision, and it has thereby become a landmark ruling.
The complaint centered around two questions:
- Did the implementation of Google Analytics on the website lead to personal data being transferred to the US-based Google Inc?
- Did the data transfer include an appropriate level of data protection following Art. 44 GDPR?
In relation to the first question, the authority established that:
- unique identifiers
- technical information about the browser
- operating system
- screen resolution
- time of the web visit
- IP address of the device
were processed by the Google Analytics code snippets. This data (and combinations of it) falls under the definition of personal data. The main purpose of the cookies in question is to distinguish between the different website visitors, which means that individuals may be identified.
Following existing case law, the authority recalled that the ability to identify an individual does not vanish if the means to identify that individual through the (combination of) data lies with a third party. In other words, it is not necessary that the parties involved in the processing in question are themselves able to identify an individual; it is sufficient that any other party could identify an individual with legally available means applying reasonable efforts. Based on Google's transparency reports it is evident that US intelligence services frequently request access to certain online identifiers to surveil individuals.
Next, the authority analysed the relationship between the parties and whether a data transfer within the meaning of the GDPR and the EDPB guidelines had occurred by implementing Google Analytics on the website. It established that the Austrian website provider was the controller and data exporter, while US-based Google Inc. acted as the data processor and data importer. This entails that Chapter V GDPR on data transfers applies and that a transfer tool needs to be applied. Google relies on the Standard Contractual Clauses, which since Schrems II do not by themselves guarantee the legality of a data transfer. The CJEU concluded that the clauses are a contract and are not sufficient to protect the transferred personal data from access by authorities in third countries based on their national law.
The Schrems II decision already analysed the legal situation and data protection practices of the US in relation to the Privacy Shield. They held that the extensive surveillance laws of the country lead to supplementary measures being needed to raise the standard of data protection to essentially be on par with the EU.
Why Google’s efforts aren’t enough
Supplementary measures can be of a contractual, technical or organisational nature. These measures are aimed at closing legal gaps that allow authorities of a third country to access data beyond what is necessary and reasonable in a democratic society and therefore go beyond the measures that are required by the GDPR for processing carried out in the EEA (and countries that enjoy an adequacy decision).
The Austrian authority concluded that it is not recognisable how the contractual and organisational measures implemented by Google effectively reach this high standard. The measures in question were the notification of individuals affected by a data access request (if legally permitted), the publication of a transparency report and the ‘careful evaluation of each data access request’.
The authority reached the same conclusion for the implemented technical measures. It was not recognisable how IT security measures such as encryption applied to the data at rest and in transit would protect against access by the US authorities, since Google still holds the encryption keys and therefore retains the ability to access the data in clear text.
The argument that the data at stake is only pseudonymised was thrown out by the Austrian authority based on the views of the German Data Protection Conference (the committee of independent German federal and state data protection supervisory authorities) that determined that pseudonymisation is not to be seen as a measure supporting data protection if identifiers are used to distinguish between individuals and render them identifiable, in contrast to ‘regular’ personal data being pseudonymised to render an individual less identifiable or indistinguishable.
Ruling & implications for EU businesses
Based on the investigation described above, the Austrian data protection authority held that the use of Google Analytics in the form in which it was implemented in August 2020 was in violation of Chapter V of the GDPR. It also held that it is the data exporter (the website provider), and not the data importer (Google Inc), that needs to comply with the obligations in Chapter V of the GDPR. This means that the website provider, and not Google Inc, was in violation of Chapter V of the GDPR.
- Google Inc is no longer the provider for Google Analytics in the EU. This was handed over to Google’s subsidiary in Ireland in April 2021. What impact does this change have?
- Would the ruling have been the same if the website provider had activated the ‘IP anonymisation’ functionality in Google Analytics?
- Was Google in violation of Arts. 5ff in connection with Arts. 28(3)(a) and 29 GDPR? The Austrian authority will investigate this issue and issue a separate ruling.