Decision of the Austrian Data Protection Authority Raises GDPR Concerns for Users of Cloud-Based Services

Written by Achieved Compliance

The Austrian data protection authority (the “Austrian DPA”) recently published a decision that could have significant implications in other EU Member States and result in a ban of Google Analytics across the EU. Achieved Compliance believes this ruling could expose any company that uses cloud-based website and application monitoring services and collects information to regulatory scrutiny. Therefore, users of Google Analytics and similar services should be aware of this important development regarding GDPR concerns for users of cloud-based services.

None of Your Business (“noyb”), the non-governmental organization co-founded by privacy activist Max Schrems, brought the case against an Austrian website provider and Google. It centers on the question of whether transfers of EU personal data to Google and Facebook in the U.S. resulting from the use of cookies are still permitted after the Schrems II judgment. The Austrian DPA ruled that the use of Google Analytics cookies by the website operator violates Chapter V of the General Data Protection Regulation (“GDPR”), which establishes the rules governing international transfers of personal data, as interpreted in the Schrems II decision of the Court of Justice of the European Union.

In its decision, the Austrian DPA concluded that the use of Google Analytics cookies by the Austrian website named in the complaint involved the collection and subsequent transfer of personal data to Google in the U.S., including unique user identification numbers, IP addresses and browser parameters. The Austrian DPA found that the Standard Contractual Clauses (“SCCs”) entered into between the website operator and Google did not provide an adequate level of protection, raising GDPR concerns.

The DPA cited two bases for its decision:

First, it noted that Google qualifies as an electronic communications service provider and is therefore subject to surveillance by U.S. intelligence agencies under U.S. surveillance law. Second, the DPA highlighted that the additional technical and organizational safeguards Google implemented were not effective in closing the legal protection gaps identified in the Schrems II judgment. Further, the Austrian DPA found that the technical measures, in addition to the SCCs, do not eliminate the possibility of surveillance by U.S. intelligence agencies, or their access to personal data. The Austrian DPA noted that the organizational and contractual measures implemented by Google did not provide an adequate level of protection for personal data transferred to the U.S. These measures include (i) notifying data subjects about government access requests, (ii) publishing transparency reports, (iii) maintaining a policy on the handling of government authority requests, and (iv) assessing each government authority request.

It is important to note that the Austrian DPA found that, in keeping with guidelines recently released by the European Data Protection Board on what constitutes an international transfer for purposes of the GDPR, the GDPR applies only to exporters of data, not to U.S. importers. The Austrian DPA therefore found the website operator, not Google, to be in violation of the GDPR.

This complex and evolving issue could have a significant impact on all cloud-based transfers from the European Economic Area (“EEA”) to the United States. It will likely prompt EEA data exporters to conduct far more extensive due diligence on their vendors.

Contact Achieved Compliance to discuss the details of the Austrian DPA’s decision and its possible effect on your business.