Daily Dashboard | Op-ed: Latest Google Analytics decision has no bearing on data transfers Related reading: Notes from the IAPP, May 20, 2022

Information Accountability Foundation Senior Foundation Strategist Lynn Goldstein, CIPP/US, wrote an op-ed explaining how a second decision by the Austrian Data Protection Authority regarding data transfers carried out through Google Analytics "should not hinder today’s data transfers." Following an initial ruling on illegal transfers using Google Analytics web tools, the DPA recently ruled against a risk-based approach to transfers. Goldstein noted the latest decision "is poorly reasoned" and based on "two outdated 'facts'" related to interpretation of the EU General Data Protection Regulation and procedures around standard contractual clauses.
Full Story

3 Comments

  • comment Michael Schreuder • May 9, 2022
    I don't fully agree with this op-ed.
    
    IP Addresses - There is an implication that since the full IP is not stored, it is fine. However, the definition of a transfer is much broader than this, and it has been identified that the IP is transferred to the GA servers to be resolved, then redacted, then stored. This would be deemed a transfer that is at risk.
    
    TOMs - In order to protect the data to an adequate level, you would not be able to use GA. If you use additional encryption etc. you would be able to transfer the data to the US; however, the tool set built on top of it that makes this transfer necessary would not work, making this a waste of time.
    
    Risk - you would absolutely need to do a risk-based assessment, but IMO the wording is confusing the issue. The Schrems II judgement set the risk level much lower than most people would expect. The judgements have set the GA data (IP, pseudonymized ID, device) as personal data, hence the transfer falls within the scope of GDPR. The GDPR expects protection of this personal data to a level equivalent to that offered in the EU. Since there is no possibility of the data subject being able to hold the US government to account, there is no way to transfer the data. It doesn't matter that it was never requested by the US (which is impossible to tell due to the possibility of gagging orders) since it is impossible to ever ensure the same level of legal protection.
    
    While it is not being spoken about, the implications of these judgements are very broad, and can be applied to all transfers. An example is Workday (HR system), who declare their main processor as Amazon (US). That would place them squarely under FISA 702, and would require a deep dive into the TOMs implemented to ensure that there is absolutely no way the US government can get to the data. Since the new SCCs require much more management of the sub-processors, and anyone can request them, including the data subjects, there could be massive implications for all companies.
  • comment Lynn Goldstein • May 13, 2022
    Mr. Schreuder does not agree with the third point of the IAF's blog that Google did not have complete IP addresses to hand over to U.S. intelligence services, because the process to anonymize IP addresses is a transfer. According to the Austrian DPA Second Google Analytics Decision (Decision), Google Analytics was provided by Google Ireland Ltd., and Google said that the IP anonymization took place within the EEA. Therefore, a transfer of a complete IP address to an inadequate country was not at issue in the Decision.
    
    What was at issue in the Decision was the storage of "anonymized or masked" IP addresses, which for the sake of argument will be assumed to have been stored by Google in the U.S. Mr. Schreuder does not agree with the third point of the IAF blog because a risk-based assessment would conclude "there is no way to transfer the data." The IAF respectfully disagrees with this conclusion.
    
    Footnote 12 of the 2021 SCCs and the third step of the EDPB's Final Recommendations set forth how a transfer impact assessment (TIA) should be conducted. For the purposes of this post, it is assumed that the TIA is assessing the applicability of Section 702 to the data momentarily stored by Google in Ireland (the complete IP address) and to the data stored by Google in the U.S. (the anonymized or incomplete IP address).
    
    Step Three of the EDPB's Final Recommendations provides in pertinent part:
    
    > Where . . . your transferred data and/or importer fall within the scope of problematic legislation (i.e. impinging on the transfer tool's contractual guarantee of an essentially equivalent level of protection and not meeting EU standards on fundamental rights, necessity and proportionality)[,] . . . you may decide to proceed with the transfer without implementing supplementary measures if you consider and are able to demonstrate that you have no reason to believe that relevant and problematic legislation will be interpreted and/or applied in practice so as to cover your transferred data and importer. . . . You should conduct this assessment with due diligence and document it thoroughly.
    
    Footnote 12 to the 2021 SCCs provides: "As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities or the absence of such requests, covering a sufficiently representative time-frame."
    
    The Decision states that according to Google, the U.S. intelligence agencies had never issued a FISA 702 order with respect to the type of Google Analytics data at issue. Obviously, in a case where problematic legislation and the 2021 SCCs are at issue, it will be necessary for Google to conduct a TIA and to document that TIA appropriately. Thus, it is premature to say that "there is no way [for Google] to transfer the data," and it certainly is premature to say that the implication of this Decision "can be applied to all transfers," e.g., Workday, which uses Amazon in the U.S. as its processor.
    
    The important things to know about point 3 of the IAF's blog are that the Decision omitted relevant facts and did not involve the 2021 SCCs and the EDPB's Final Recommendations. As was stated in the IAF's blog, there are many reasons to worry about data transfers, but the Decision is not one of them.
  • comment Michael Schreuder • May 17, 2022
    Considering the Berlin SA has basically shut down cloud providers based on the Schrems II decision, I would say that the basis of the GA judgements extends further than just a few small websites:
    https://www.datenschutz-berlin.de/infothek-und-service/themen-a-bis-z/datenexporte