Austria: DSB reaffirms unlawfulness of Google Analytics, rejects risk-based approach to data transfers
None of your business ('NOYB') published, on 2 May 2022, a decision issued by the Austrian data protection authority ('DSB'), on 22 April 2022, in which the DSB found an unnamed EU website operator in violation of Article 44 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and further rejected the possibility of a risk-based approach to Article 44 of the GDPR.
Background to the case
On 17 August 2020, NOYB filed 101 complaints against EU website operators that continue to send website visitor data to Google LLC and Facebook Inc. (now Meta Platforms, Inc.), allegedly in continued violation of the GDPR, despite the ruling in the Schrems II Case. On 13 January 2022, NOYB published the first decision to be issued following the filing of its complaints: a decision issued by the DSB finding an unnamed website operator's use of Google Analytics to be in violation of the GDPR. Subsequently, the French data protection authority ('CNIL') issued three further decisions also finding EU website operators' use of Google Analytics to be in violation of the GDPR.
The present case responds to one of NOYB's 101 complaints, this time again in relation to an unnamed website operator's use of Google Analytics.
Findings of the DSB
In particular, the DSB outlined that, through its use of the Google Analytics tool, the website operator transferred unique user identification numbers, IP addresses, and browser parameters to Google LLC. Having established that this information constitutes personal data under the GDPR, the DSB highlighted that the requirements of Chapter V of the GDPR are thus applicable. While acknowledging that the website operator had concluded Standard Contractual Clauses ('SCCs') with Google LLC, the DSB found that the SCCs did not provide an adequate level of protection pursuant to Article 44 of the GDPR, for two reasons. First, Google qualifies as an electronic communications service provider within the meaning of 50 U.S. Code § 1881(b)(4) and, as such, is subject to US intelligence surveillance pursuant to Section 702 of the Foreign Intelligence Surveillance Act ('FISA') Amendments of 2008 (50 U.S. Code § 1881a). Second, the supplementary measures implemented in addition to the SCCs were not effective, as they did not eliminate the possibilities of surveillance and access by US intelligence services.
Notably, Google had argued in its defence that a risk-based approach should be taken when assessing the appropriateness of data transfers to the US, as allegedly advocated by the European Commission's new SCCs, further arguing that the risk of US surveillance access in the present case was low.
However, the DSB outright rejected the possibility of a risk-based approach to Article 44 of the GDPR. It found that it is clear from the wording of Article 44 of the GDPR, as well as from those provisions of the GDPR where a risk-based approach is expressly established, that the legislator did not intend a risk-based approach to apply to Article 44 of the GDPR and that it must, as such, be precluded. Consequently, the DSB ruled that the mere possibility of US surveillance access to the data in question, combined with the ineffectiveness of the supplementary measures adopted by Google to prevent such access, was sufficient to conclude that no adequate level of protection was ensured by an instrument of Chapter V of the GDPR and, therefore, to establish a violation of Article 44 of the GDPR.
In accordance with the above, the DSB found that the Google Analytics tool could not be used in accordance with Chapter V of the GDPR. However, the DSB outlined that it was not necessary to exercise its enforcement powers in the present case given that the website operator had stopped using the tool before the conclusion of the complaint procedure.