Austrian DSB: EU-US data transfers to Google Analytics illegal

In a groundbreaking decision, the Austrian Data Protection Authority ("Datenschutzbehörde" or "DSB") has decided on a model case by noyb that the continuous use of Google Analytics violates the GDPR.

By NOYB (guest author) · January 19, 2022

This is the first decision on the 101 model complaints filed by EDRi member noyb in the wake of the so-called “Schrems II” decision. In 2020, the Court of Justice (CJEU) decided that the use of US providers violates the GDPR, as US surveillance laws require US providers like Google or Facebook to provide personal details to US authorities. Similar decisions are expected in other EU member states, as regulators have cooperated on these cases in an EDPB “task force”. It seems the Austrian DSB decision is the first to be issued.

2020 CJEU ruling hits the real world. In July 2020, the CJEU has issued its groundbreaking “Schrems II” ruling, holding that a transfer to US providers that fall under FISA 702 and EO 12.333 violate the rules on international data transfers in the GDPR. The CJEU consequently annulled the transfer deal “Privacy Shield”, after annulling the previous deal “Safe Harbor” in 2015. While this sent shock waves through the tech industry, US providers and EU data exporters have largely ignored the case. Just like Microsoft, Facebook or Amazon, Google has relied on so-called “Standard Contract Clauses” to continue data transfers and calm its European business partners.

Max Schrems, honorary chair of noyb.eu: “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options.”

SCCs and “TOMs” not enough. While Google has made submissions claiming that has implemented “Technical and Organizational Measures” (“TOMs”), which included ideas like having fences around data centers, reviewing requests or having baseline encryption, the DSB has rejected these measures as absolutely useless when it comes to US surveillance (page 38 and 39 of the decision):

“With regard to the contractual and organizational measures outlined, it is not apparent, to what extent [the measure] are effective in the sense of the above considerations.”

“Insofar as the technical measures are concerned, it is also not recognizable (…) to what extent [the measure] would actually prevent or limit access by U.S. intelligence agencies considering U.S. law.”

Max Schrems: “This is a very detailed and sound decision. The bottom line is: Companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”

Decision relevant for almost all EU websites. Google Analytics is the most common statistics program. While there are many alternatives that are hosted in Europe or can be self-hosted, many websites rely on Google and thereby forward their user data to the US multinational. The fact that data protection authorities may now gradually declare US services illegal, puts additional pressure on EU companies and US providers to move towards safe and legal options, like hosting outside of the US. A similar decision on EU-US transfers was reached by the European Data Protection Supervisor (EDPS) a week earlier.

Max Schrems: “We expect similar decisions to now drop gradually in most EU member states. We have filed 101 complaints in almost all Member States and the authorities coordinated the response. A similar decision was also issued by the European Data Protection Supervisor last week.”

Long Term Solution. In the long run, there seem to be two options: Either the US adapts baseline protections for foreigners to support their tech industry, or US providers will have to host foreign data outside of the United States.

Max Schrems: “In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in Europe.”

Google LLC does not fall under Transfer Rules? The DSB has rejected claims against Google LLC as a data recipient, holding that the rules on data transfers only apply to EU entities and not the US recipients. However, the DSB said that it will investigate Google LLC further in relation to potential violations of Article 5, 28 and 29 GDPR, as it seems questionable if Google was allowed to provide personal data to the US government without an explicit order by the EU data exporter. The DSB will issue a separate decision on this matter.

Max Schrems: “For us, it is crucial that the US providers cannot just shift the problem to EU customers. We have therefore filed the case against the US recipient too. The DSB has partly rejected this approach. We will review if we appeal this element of the decision.”

No penalty (yet). The decision is not dealing with a potential penalty, as this is seen as a “public” enforcement procedure, where the complainant is not heard. There is no information if a penalty was issued or if the DSB is planning to also issue a penalty. The GDPR foresees penalties of up to € 20 million or 4% of the global turnover in such cases.

Max Schrems: “We would assume that there is also a penalty for the EU data exporter, but we only recived a partial decision so far that does not deal with this question.”

Further Enforcement by German DPAs. Because the Austrian data exporter has merged with a German company the Austrian DSB only had jurisdiction for the violations in the past. The DSB said it will raise a ban on future data transfers with the relevant authority at the new headquarters of the data exporter in Germany.

Background & Legal Analysis. noyb has also published a deeper legal analysis on GDPRhub.eu.

This article was first published by noyb here.

Image credits: noyb (CC BY-NC 3.0)

(Contribution by: EDRi member noyb)