In the 18-plus months since the "Schrems II" decision from the Court of Justice of the European Union, many Schrems-II-related EU enforcement actions primarily involved violations by public organizations, particularly around sensitive data or process failures. For the broader, private-sector portion of the privacy community, these enforcement actions may have been less concerning when assessing their organization's risk profile.

In recent weeks, however, two enforcement actions — one from the Austrian Data Protection Authority, the other from France's Commission nationale de l'informatique et des libertés — have changed the calculus, and should, at the very least, garner the attention of privacy pros. 

Notably, both cases involve the use by companies of Google Analytics, perhaps one of the most common internet data analysis tools on the market. Also, notable is that both cases were filed by NOYB, the organization founded by Max Schrems. These two cases are but the tip of the iceberg, as NOYB filed a total of 101 cases across the EU shortly after the CJEU's decision in 2020. 

"I would argue that the two Google Analytics cases increase the risk profile for companies because they focused on the commercial," IAPP Chief Knowledge Officer Caitlin Fennessy, CIPP/US, said during a LinkedIn Live session on data transfer enforcement, risk and compliance. These recent cases, she said, "sit at the front of a cascade of 101 decisions that we expect to come down over the weeks and month ahead, all while we wait for a diplomatic solution on a new Privacy Shield." 

A cascade of cases on the horizon

Future of Privacy Forum's Gabriela Zanfir-Fortuna, who recently wrote an analysis of the Austrian decision, saw some connections between the Austrian case and a decision by the European Data Protection Supervisor, which looked into the use of Google Analytics by the European Parliament. Zanfir-Fortuna found several similarities between the EDPS case and Austria's, which, "for me, that was a trigger that we are going to look at very similar legal assessments in the rest of the 101 cases to come." She also pointed out that the EDPB have created a task force to deal with these 101 cases, which all made similar legal arguments. 

All 101 cases either target Google Analytics, or what NOYB calls "Facebook Connect," Zanfir-Fortuna said. Austria's DPA found that personal data is processed by Google Analytics, including the cookie ID and the IP address, as well as other metadata, like web browser used. "They made this analysis in such a way that it turns out it doesn't really matter if a website visitor is logged in or not," she said. In the next stage of its analysis, the Austrian DPA also found that Google Analytics constitutes a transfer of data to the U.S. Then they also looked at the legality of that transfer and whether sufficient protection was in place when the transfer took place. 

Broadly speaking, Bird & Bird's Ruth Boardman said both the Austrian and French decisions "have the potential to be very widely applied and hugely impactful." Google's official blog post pointed out that in its 15-year history of running Google Analytics, it has never received a request from a public authority to access this data. Tying that to the limited amount of data that is collected by Google Analytics to individuals, Boardman asked, "If this kind of data can't be transferred, what can be transferred?" 

More specifically, Boardman highlighted a discrepancy in a reference the Austrian DPA made to the European Data Protection Board's guidelines on how organizations should handle data transfers. There had been a draft set of guidelines and a final set, the latter of which differed on some key points. In the draft, she said, the guidelines said there should be "zero risk" of access by public authorities, but the final guidelines said one can look at the "likelihood of access." But in its enforcement decision, the Austrian DPA cites the draft guidelines, not the final EDPB ones.

As a result of the above, Boardman said she thinks the CNIL's decision "is more significant because it goes to the final guidelines." 

For American University College of Law Senior Project Director Alex Joel, CIPP/G, who formerly served as the chief of the U.S. Office of the Director of National Intelligence's Civil Liberties, Privacy and Transparency office, both the Austrian and French decisions were interesting because the DPAs did not do a deep dive on the relevant U.S. statutes (in this case, Section 702 of the Foreign Intelligence Surveillance Act), deferring instead to the CJEU's assessment that it doesn't meet the EU legal standard and leaving it at that.

Relatedly, German authorities recently made public an expert opinion on Section 702 by legal scholar Steven Vladeck. In the opinion, which was cited in the Schrems II case by the CJEU, Vladeck argued that 702 could be read as applying more broadly than is generally known and could include hospitality, financial and transportation organizations. 

In response, Joel noted that if the U.S. government is interested in obtaining information under 702, it must go to an electronic communications service provider, remote computing service provider, or a telecommunications carrier to serve them a directive. Joel points out that the common thread in the types of service providers is "communication," but if one "looks at some U.S. government releases, whether about a target or the communication with a target, whether Google Analytics or other services involves a communication is not a simple answer." 

Joel breaks down what is theoretically possible and what is done in practice. For the former, one could construct an argument that 702 could apply to a broad range of entities, but he argues the EDPB has offered guidance not on what is theoretically possible, but what is happening in practice. 

To bolster his point, he referenced a U.S. Department of Commerce White Paper from 2020 that noted U.S. intelligence agencies do not have much interest in most commercial trans-Atlantic transfers of data, including companies using "ordinary commercial information." Joel also found it interesting that neither DPA decision referred to the fact that Google Analytics never received a U.S. government access request in its 15-year history. 

That was unsurprising to Zanfir-Fortuna, however, who pointed out that the CNIL in its decision said the CJEU has already assessed the U.S. framework and they didn't feel the need to go beyond the framework. In the end, she said, though both the Austrian and French DPAs used different lines of reasoning in their assessment of Google Analytics, both came to the same conclusion: that supplementary measures — including technical measures such as encryption — plus transfer mechanisms should be in place to "eliminate the possibility of access" by the U.S. government. 

What does this all mean for compliance?

If it's reasonable to expect that other supervisory authorities in the EU will come to similar conclusions about Google Analytics, prompting some to liken the cascade to "a death by 1,000 cuts," what should privacy pros think about their risk profile and compliance options?

Boardman laid out three options. Companies can "wait and see if things change." Why wait? She noted that the decisions were "taken on the premise that Google as a whole is subject to these kinds of decisions," but she highlighted that no access request was ever asked of Google Analytics, according to Google President, Global Affairs & Chief Legal Officer Kent Walker, and for Boardman, the fact that the DPAs didn't consider that is worth noting. She added, "I would encourage other DPAs to look at Google's statement to see if that makes a difference."

Option two would leverage the most conservative approach: Stop using Google Analytics and take zero risk.

Or, the third alternative would involve looking at individual consent. Though not normally useful as a mechanism for a transfer, Boardman said, most publishers will be asking for consent for analytics cookies. This means they could also ask for consent to place cookies and a separate consent for data transfers.

"This seems to be a plausible option," she said. 

In the long term

"We really need transfers," Zanfir-Fortuna said. "I would persuade everyone listening, regardless of compliance options, to bring this to your executive board or CEO. Push for them to speak to the (U.S.) Congress ... let them know of its importance in the daily operations of companies. It's not just in the EU. Ultimately, I hope the solution doesn't involve compliance teams or involve a third CJEU hearing. We need to raise awareness to the highest levels that we are aware of that this needs to be solved. We need the cooperation of the U.S. longterm, and that might require legislation."