The Austrian data protection authority (the “Austrian DPA”) recently published a decision that could have significant implications in other EU Member States and result in a ban of Google Analytics across the EU. Achieved Compliance believes this ruling could expose any company that uses cloud-based website and application monitoring services and collects information to regulatory scrutiny. Users of Google Analytics and similar services should be aware of this important development.
In its decision, the Austrian DPA concluded that the use of Google Analytics cookies by an Austrian website named in the compliant involved the collection and subsequent transfer of personal data to Google in the U.S., including unique user identification numbers, IP addresses and browser parameters.
The Austrian DPA found that the Standard Contractual Clauses (“SCCs”) entered into between the website operator and Google did not provide an adequate level of protection under the GDPR. The DPA cited two bases for its decision.
First, it noted that Google qualifies as an electronic communications service provider and is therefore subject to surveillance by U.S. intelligence agencies under U.S. surveillance law.
Second, the DPA highlighted that the additional technical and organizational safeguards Google implemented were not effective in closing the legal protection gaps identified in the Schrems II judgment. The Austrian DPA found that the technical measures, in addition to SCCs, do not eliminate the possibility of surveillance by U.S. intelligence agencies, and their access to personal data. The Austrian DPA noted that the organizational and contractual measures implemented by Google did not provide an adequate level of protection for personal data transferred to the U.S. These measures include (i) notifying data subjects about government access requests, (ii) publishing transparency reports, (iii) maintaining a policy on the handling of government authority requests, and (iv) assessing each government authority request.
It is important to note that The Austrian DPA found that, in keeping with guidelines recently released by the European Data Protection Board on what constitutes an international transfer for purposes of the GDPR, GDPR applies only exporters of data, not to U.S. importers. The Austrian DPA found the website operator in violation of the GDPR violation, not Google.
This complex and evolving issue could have a significant impact on all cloud-based transfers from the European Economic Area to the United States. It will likely prompt EEA data exporters to conduct far more extensive due diligence on their vendors. Achieved Compliance is available to discuss with you the details of the Austrian DPA’s decision and the possible affect it may have on your business.
The European Commission’s announced in December that it has begun its process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework). Companies seeking to transfer data from countries in the European Union to the United States will need to take steps to be in alignment with this new change.