The recent decision by the Austrian Data Protection Authority that the use of Google Analytics violates the EU General Data Protection Regulation could have “far-reaching implications.”
The decision, published Jan. 13, is the first to result from 101 complaints filed across EU countries by advocacy group NOYB alleging companies using Google Analytics were not complying with the July 2020 Court of Justice of the European Union’s “Schrems II” decision on data transfers. The “Schrems II” decision invalidated the EU-U.S. Privacy Shield agreement.
Goodwin Procter Partner and IAPP Senior Fellow Omer Tene said the Austrian DPA ruled that in providing the Google Analytics service, the company collects and transfers personal data to the U.S. while failing to protect it from U.S. government surveillance. The DPA determined configuration abilities for customers, including truncating IP addresses, are insufficient to prevent re-identification, potentially by Google or the U.S. government. The decision also determined that supplementary measures implemented by Google, including government access transparency reports and encryption of data, were insufficient, he said.
“The decision casts a dark cloud over any conceivable method of legally transferring data between the continents,” Tene said, adding it will have “far-reaching implications.” “In the absence of a breakthrough in Privacy Shield negotiations, data transfers – and consequently international trade – between the EU and U.S. face a bleak future.”
Just days before the Austrian DPA's decision, the European Data Protection Supervisor reprimanded the European Parliament for breaching GDPR related to its COVID-19 test booking website launched in September 2020. The website was found to be using cookies associated with Google Analytics and Stripe, while the EDPS said Parliament failed to demonstrate measures to safeguard associated data transfers to the U.S.
NOYB’s Max Schrems believes “more decisions on the use of U.S. providers” are expected in the coming months, “as other cases are also due for a decision.”
The Dutch Data Protection Authority, Autoriteit Persoonsgegevens, said it is investigating two complaints in the Netherlands on the use of Google Analytics. Noting an anticipated decision in early 2022, the DPA said, “the use of Google Analytics may soon not be allowed.”
Baumgartner Baumann Partner and IAPP DACH Regional Leader Ulrich Baumgartner, CIPP/E, said the implications of the Austria decision “could be huge” if other EU regulators take the same view, “particularly as the same issues would then arise also with many other services of U.S. providers.”
“While the Austrian case is certainly a ‘harbinger,’ I personally doubt that services like Google Analytics will be prohibited across the board in Europe,” he said. “What we do see, though, is increasing enforcement in the public sector, as the EDPS action against the EU Parliament shows. We see similar developments on a national level too. At the end of the day, the question will be to what extent and how quickly Google and other providers can adapt their services to the changing legal requirements.”
Fieldfisher Partner Phil Lee, CIPP/E, CIPM, FIP, said Austria’s decision cannot be written off as pertaining solely to Google Analytics, but instead, “affects all EU data exporters in the context of services provided by entities outside of the EU, especially those in the U.S.”
“If taken literally, this turns 'Schrems II' from a data export law into a data localization law, effectively permitting processing by organizations only within the EU – in stark contradiction to the GDPR’s recognition that ‘flows of personal data to and from countries outside the Union and international organizations are necessary for the expansion of international trade and international cooperation,’” he said.
Alston & Bird Senior Counsel and Research Director of Georgia Tech’s Cross-Border Data Forum Peter Swire, CIPP/US, said authorities and future decision makers “should consider how disruptive these judgements can be to many functions on today’s internet,” noting market measurement differs from targeted marketing.
“The purpose of market measurement is not to target an individual. The purpose of market measurement is to provide aggregate statistics about visitors to a site,” he said. “So, the privacy risk in market measurement seems lower than individualized and targeted marketing.”
In a blog post published Wednesday, Google’s President of Global Affairs and Chief Legal Officer Kent Walker urged EU and U.S. governments to finalize a successor to the Privacy Shield agreement. Walker said Google has offered analytics-related services to businesses around the world for more than 15 years “and in all that time has never once received the type of demand the DPA speculated about.”
“We strongly support an accord, and have for many years supported reasonable rules governing government access to user data. We have long advocated for government transparency, lawful processes and surveillance reform,” he said. “We urge quick action to restore a practical framework that both protects privacy and promotes prosperity.”
Moving forward from the Austrian decision, Baumgartner said organizations should take a close look at non-EU providers and vendors, and find alternatives where possible.
“'Schrems II' is here to stay, and regulators will have to enforce it,” he said. “Where there is no viable alternative, organizations will have to 'be as good as they can' in terms of security measures, data limitation, encryption, contracts, etc. And they should invest into thorough and robust transfer impact assessments. These transfer impact assessments, which should also include a reasoning why a certain data transfer is without alternative, will at least reduce the risk, even if not able to eliminate it in most cases.”