The fallout from the recent decision of the Austrian data protection authority in the Google Analytics case highlights the increased risk for companies transferring data across the Atlantic, and the urgent need for an effective, practical, long-term solution for data transfers.
As we noted in a recent blog we posted about this case, the Austrian data protection authority (DPA) concluded that personal data collected through Google Analytics cookies and transferred to Google in the U.S. violated Article 44 of the GDPR. The DPA found that the use of Google Analytics cookies by an Austrian website involved the collection and transfer of personal data to Google in the U.S. – a transfer subject to surveillance by U.S. intelligence agencies. It found that the Standard Contractual Clauses (“SCCs”) entered into between the website operator and Google did not provide protections that would effectively close the legal gaps identified in the Schrems II judgment.
NYOB, the complainant in Schrems II has brought 101 cases like this one across many jurisdictions, and the decision of the Austrian DPA could be the first of many similar decisions to come. The European Data Protection Board has convened a task force to explore cooperation between DPAs as they consider these cases, and data protection authorities have issued statements that they are currently considering the Austrian decision. There is growing concern that the decisions in the remainder of these cases could find similarly. Already this week the French DPA has handed down a similar decision, finding that a local website’s use of Google Analytics does not comply with the Article 44 of the GDPR.
All of this is occurring as the DPAs increase their enforcement efforts and signal their willingness to consider cases and issue decisions that could require companies to significantly change their business practices.
In this environment, companies face significant risk that will continue until a solution is found at the country and regional level. To reduce their exposure, companies should only transfer data from the EU to the U.S. after conducting a transfer impact assessment. The findings of that assessment, and the measures suggested by the EDPB that the company implements to mitigate risks should be documented.
The European Commission’s announced in December that it has begun its process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework). Companies seeking to transfer data from countries in the European Union to the United States will need to take steps to be in alignment with this new change.