The fallout from the recent decision of the Austrian data protection authority in the Google Analytics case highlights the increased risk for companies transferring data across the Atlantic, and the urgent need for an effective, practical, long-term solution for data transfer.

As we noted in a recent blog we posted about this case, the Austrian data protection authority (DPA) concluded that personal data collected through Google Analytics cookies and transferred to Google in the U.S. violated Article 44 of the GDPR. The DPA found that the use of Google Analytics cookies by an Austrian website involved the collection and transfer of personal data to Google in the U.S. – a transfer subject to surveillance by U.S. intelligence agencies. It found that the Standard Contractual Clauses (“SCCs”) entered into between the website operator and Google did not provide protections that would effectively close the legal gaps identified in the Schrems II judgment.  

NYOB, the complainant in Schrems II has brought 101 cases like this one across many jurisdictions, and the decision of the Austrian DPA could be the first of many similar decisions to come.

The European Data Protection Board has convened a task force to explore cooperation between DPAs as they consider these cases. Additionally, data protection authorities have issued statements that they are currently considering the Austrian decision. There is growing concern that the decisions in the remainder of these cases could find similarly. Already this week the French DPA has handed down a similar decision, finding that a local website’s use of Google Analytics does not comply with the Article 44 of the GDPR.  

All of this is occurring as the DPAs increase their enforcement efforts and signal their willingness to consider cases and issue decisions that could require companies to significantly change their business practices.  

Significant risk is faced by companies in this environment. This risk will persist until they find a solution at the country and regional level. To reduce their exposure, companies should only transfer data from the EU to the U.S. after conducting a transfer impact assessment. Further, companies should document the findings of that assessment, and the measures suggested by the EDPB that the company implements to mitigate risks.

Act now and partner with us to implement a robust, practical, and enduring solution for seamless data compliance that safeguards your organization in the ever-evolving landscape of data protection regulations.