Austrian DSB: Use of Google Analytics violates “Schrems II” decision by CJEU
In a ground-breaking decision, the Austrian Data Protection Authority (“Datenschutzbehörde” or “DSB”) has ruled, in a model case brought by NOYB, that the continued use of Google Analytics violates the European data protection regulation, the GDPR.
This is the first decision on the 101 model complaints filed by NOYB, the European Center for Digital Rights, in the wake of the so-called “Schrems II” decision. In 2020, the Court of Justice of the European Union (CJEU) held that transfers of personal data to US providers violate the GDPR, because US surveillance laws require US providers such as Google or Facebook to hand over personal data to US authorities.
Similar decisions are expected in other EU member states, as regulators have cooperated on these cases in an EDPB “task force”. It seems the Austrian DSB decision is the first to be issued.
Max Schrems, honorary chair of NOYB.eu said: “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options.”
SCCs and “TOMs” not enough
While Google made submissions claiming that it had implemented “Technical and Organizational Measures” (“TOMs”) in addition to the Standard Contractual Clauses (SCCs), measures such as fencing around data centres, reviewing government requests for data, or baseline encryption, the DSB rejected these measures as ineffective against US surveillance (see pages 38 and 39 of the decision).
“With regard to the contractual and organizational measures outlined, it is not apparent, to what extent [the measures] are effective in the sense of the above considerations. Insofar as the technical measures are concerned, it is also not recognizable (…) to what extent [the measure] would actually prevent or limit access by U.S. intelligence agencies considering U.S. law.”
Max Schrems said: “This is a very detailed and sound decision. The bottom line is: companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”
Decision relevant for almost all EU websites
Google Analytics is the most widely used web analytics tool. While there are many alternatives that are hosted in Europe or can be self-hosted, many websites rely on Google and thereby forward their users’ data to the US multinational. The fact that data protection authorities may now gradually declare US services illegal puts additional pressure on EU companies and US providers to move towards safe and legal options, such as hosting outside of the US. A similar decision on EU-US transfers was reached by the European Data Protection Supervisor (EDPS) a week earlier.
In the long run, there seem to be two options: either the US adopts baseline protections for non-US persons to support its tech industry, or US providers will have to host foreign data outside of the United States.
Max Schrems added: “In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in Europe.”
Google LLC does not fall under Transfer Rules?
The DSB has rejected the claims against Google LLC as a data recipient, holding that the rules on data transfers apply only to the EU data exporter and not to the US recipient. However, the DSB said that it will investigate Google LLC further in relation to potential violations of Articles 5, 28 and 29 GDPR, as it seems questionable whether Google, as a processor, was allowed to provide personal data to the US government without an explicit instruction from the EU data exporter. The DSB will issue a separate decision on this matter.
Max Schrems said: “For us, it is crucial that the US providers cannot just shift the problem to EU customers. We have therefore filed the case against the US recipient too. The DSB has partly rejected this approach. We will review if we appeal this element of the decision.”
The decision does not deal with a potential penalty, as this is treated as a “public” enforcement procedure in which the complainant is not heard. There is no information on whether a penalty has been issued or whether the DSB plans to issue one. The GDPR provides for fines of up to € 20 million or 4% of global annual turnover, whichever is higher, in such cases.
Max Schrems added: “We would assume that there is also a penalty for the EU data exporter, but we only received a partial decision so far that does not deal with this question.”
NOYB has published a deeper legal analysis on www.GDPRhub.eu.
UniFida does not use Google Analytics and instead uses Matomo to collect data from clients’ first-party websites. The Matomo data processing is undertaken entirely in Europe, so the transfer of personal data to the US that is at the centre of the DSB decision does not take place. (Hosting in Europe resolves the transfer question; the other GDPR obligations for web analytics, such as a lawful basis for processing and consent where cookies are used, continue to apply.) See https://matomo.org/privacy-policy/