Austria: DSB finds use of Google Analytics unlawful in light of Schrems II ruling
None of your business ('NOYB') published, on 13 January 2022, the Austrian data protection authority's ('DSB') decision, issued on 22 December 2021, in which the DSB found an unnamed EU website operator in violation of Article 44 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') for exporting personal data to an importer in the U.S., Google LLC, through ongoing use of Google Analytics without ensuring an adequate level of protection, as required under Chapter V of the GDPR. The decision follows a complaint filed with the DSB in August 2020 by a complainant represented by NOYB, one of the 101 complaints filed by NOYB against EU companies for continued use of Google Analytics and Facebook Connect, allegedly subjecting EU personal data to U.S. surveillance laws in violation of the requirements of the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case').
Background to the case
Following the filing of NOYB's complaint in August 2020, Google submitted, on 9 April 2021, a response to the DSB confirming in its submission that, in relation to transfers of website visitor data from EU website operators to Google through use of the Google Analytics tool, it relies on Standard Contractual Clauses ('SCCs') pursuant to Article 46(2) of the GDPR, and claimed that, as required by the Schrems II ruling and in alignment with the European Data Protection Board's Recommendations 01/2020, it had implemented supplementary measures, including legal, technical, and operational measures, to ensure an adequate level of data protection.
Subsequently, NOYB made an additional submission, on 5 May 2021, to the DSB in response to Google's submission, following a request from the DSB for the same, dismissing the idea that the measures described by Google were adequate to effectively protect data transferred from the EU, and calling for the DSB to consider a fine of up to €6 billion against Google for the consequently alleged violation of Chapter V of the GDPR.
Findings of the DSB
Firstly, the DSB addressed the issue of whether the data transferred from the website operator to Google through use of Google Analytics constituted personal data under Article 4(1) of the GDPR, highlighting that the application of the GDPR, and thus the success of the complaint, presupposes an affirmative conclusion to this question. In particular, the DSB highlighted that at least the following were transferred from the website operator to Google through use of Google Analytics: unique online identifiers that identify both the complainant's browser or device and the first respondent (through the first respondent's Google Analytics account ID as website operator), the address and HTML title of the website and the subpages visited by the complainant, information on the browser, operating system, screen resolution, language selection, date and time of the website visit, and the IP address of the device used by the complainant. The DSB concluded that such data was sufficient to identify the data subject, and therefore to be considered as personal data under the GDPR.
Having determined that the website operator's use of Google Analytics constituted a transfer of personal data, both in view of the above and the conditions for the existence of a data transfer as set out by the European Data Protection Board's ('EDPB') recently adopted Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR ('the Data Transfer Guidelines'), the DSB assessed whether the transfer was subject to an appropriate mechanism to ensure an adequate level of protection as required by Article 44 of the GDPR. Noting Google's reliance on SCCs under Article 46 of the GDPR supplemented by additional measures as required under the Schrems II ruling, the DSB highlighted that such measures may only be considered effective to the extent that they address the specific deficiencies identified in the third country assessment. It found that the supplementary measures implemented by Google did not effectively address the identified data protection deficiencies, i.e. the access and surveillance possibilities of U.S. intelligence services, noting, among other things, that the technical measure of encryption-at-rest cannot be invoked insofar as Google has a direct obligation to provide access to or surrender imported data in its possession or custody or under its control.
Accordingly, the DSB held that an adequate level of protection could not be ensured by Article 46 of the GDPR, and, further dismissing the existence of an exemption under Article 49 of the GDPR, found that the data transfer was in violation of Article 44 of the GDPR.
Again citing the Data Transfer Guidelines, the DSB found that the violation was attributable to the website operator but that, given that Google, as the data importer, does not disclose the complainant's personal data, the requirements of Chapter V do not apply to Google in this specific case.
In view of the above, the DSB outlined that Google Analytics could not be used in accordance with Chapter V of the GDPR. Furthermore, the DSB found the website operator in violation of the GDPR, but dismissed the claim against Google on the grounds that Chapter V of the GDPR does not apply to Google in the case at hand. However, the DSB outlined that it will issue a separate decision on a potential violation by Google of Articles 5, 28(3)(a), and 29 of the GDPR.
Notably, the DSB did not impose any penalties or corrective measures, noting that the website operator merged with a company domiciled in Munich and, as such, the possibility of a ban on transfers to Google would need to be addressed by the relevant German authority.
You can read NOYB's press release and access the decision here.