by Gerald Trieb and Antonia Kühberger

The year 2022 is still young and yet we are already able to report on a groundbreaking decision by the Austrian Data Protection Authority (DPA; in German “Datenschutzbehörde”). The NGO NOYB published a decision of the DPA of December 22, 2021 in which it applied the findings of the Schrems II ruling of the CJEU. In the decision, the DPA states that the use of Google Analytics violates the GDPR, since its strict requirements for the transfer of personal data outside the EEA cannot be met.
In response to the Schrems II ruling and the lack of implementation by European website operators, NOYB filed a total of 101 model complaints against several companies based in 30 EU/EEA member states. In these complaints, NOYB alleged that said companies were still using Google Analytics, which is the most widely used statistical programme to analyse the usage behaviour of website visitors.
Currently, there are two versions of Google Analytics available. The free version was provided by Google LLC until the end of April 2021. Since then, both Google Analytics versions have been provided by Google Ireland Limited. The proceedings concern an Austrian company (respondent) which uses the free version of Google Analytics on its website. In the specific case, data of the complainant, namely at least unique user identification numbers, IP address and browser parameters, were transferred to Google LLC in the US. In summary, the complainant, represented by NOYB, argued that this transfer of his personal data by the respondent to Google LLC did not comply with the requirements of Article 44 of the GDPR, a core provision on transfers of personal data to a third country. From the complainant’s perspective, the respondent was not able to ensure an adequate level of protection of the complainant’s personal data through the Standard Contractual Clauses¹ used.
As the complainant stated and the DPA confirmed in its decision, the Standard Contractual Clauses used do not provide an appropriate level of protection, as Google LLC, a US company, is subject to monitoring by the US intelligence services. The additional TOMs (technical and organisational measures) implemented by Google LLC were qualified by the DPA as not reliably eliminating the access possibilities of the US intelligence services. In particular, the DPA considers the encryption technologies put forward by Google LLC insufficient, since companies subject to control by US intelligence services are obliged to grant access to imported data. This obligation also extends to cryptographic keys, without which the data cannot be read.
Quote (translated by the author): “Insofar as the second respondent subsequently refers to encryption technologies – such as the encryption of “data at rest” in the data centres – the EDPB’s Recommendations 01/2020 must once again be held against him. Indeed, it states that a data importer (such as the second respondent) subject to 50 USC § 1881a (“FISA 702”) has a direct obligation to provide access to or surrender imported data in its possession or custody or under its control. This obligation may expressly extend to the cryptographic keys without which the data cannot be read (ibid. para. 76). As long as the second respondent himself has the possibility to access data in plain text, the technical measures invoked cannot be considered effective in the sense of the above considerations.”
As a further technical measure, Google LLC states that data processed using Google Analytics are to be considered pseudonymised. The DPA does not follow this position either. In contrast to anonymisation, separating identity data from information data is sufficient for the pseudonymisation of personal data. If users are made identifiable via IDs or identifiers, however, this is not a pseudonymisation measure within the meaning of the GDPR, as the DPA states in its decision: “unlike cases where data is pseudonymised in order to disguise or delete the identifying data so that the data subjects can no longer be addressed, IDs or identifiers are used to make the individuals distinguishable and addressable” (translated by the author). Moreover, notifying data subjects of data requests and diligently examining a data access issue are not effective measures, as even lawful requests by US intelligence services are not compatible with the fundamental right to data protection under Article 8 of the Charter of Fundamental Rights.
In its decision, the DPA thus comes to the conclusion that the Google Analytics tool – at least in the version of August 2020 – cannot be used in accordance with the requirements of the GDPR, as no adequate level of protection was ensured by an instrument of Chapter V of the GDPR and thus a violation of Article 44 GDPR has occurred.
However, a violation of the general principles of data transfer could not be established in the case of Google LLC as the data importer, since Google LLC does not disclose the data received, but merely receives it.
In any case, the present decision of the DPA is to be considered trend-setting. It remains to be seen whether the respondent and/or Google LLC will receive a fine, as the published decision was issued in an administrative, not an infringement, procedure and hence only concerns questions of violations of GDPR obligations, not the companies’ respective responsibility. Nevertheless, it is certain that the effects of this decision will not be limited to the Austrian company concerned, not least because of the cooperation of several national supervisory authorities within the framework of an EDPB task force in these 101 proceedings brought by NOYB and because of the very widespread use of Google Analytics in Europe. Although this is the first decision relating to the 101 model complaints, similar decisions by other supervisory authorities, as recently seen from the CNIL, can be expected in the near future. Website operators should therefore check whether their cookie tool, if it is offered by a third-country provider, meets the requirements of the GDPR and, if necessary, switch to another provider, ideally one within the EEA.
¹ This relates to the – now outdated – Standard Contractual Clauses that were developed under the previous European Union Directive 95/46/EC. The new Standard Data Protection Clauses implemented by Decision (EU) 2021/914 are not relevant to the facts of the case due to their lack of temporal validity.