According to the Austrian Data Protection Authority (DSB), the use of Google Analytics on websites in the EU is incompatible with the General Data Protection Regulation (GDPR). The DSB finds above all a violation of the general principles of data transmission in accordance with Article 44 of the GDPR, as the personal information of the users is transmitted to the Google headquarters in the United States with the statistics program.
With the just-released partial notification, the DSB responds to a model complaint that the Noyb data protection association, founded by lawyer and activist Max Schrems, filed in August 2020. The complaint initially concerned an Austrian publisher that had integrated Google Analytics. The DSB dismissed a new complaint against Google itself.
No “adequate level of protection”
The site operator used the statistics tool to transmit the personal data of the complainant to Google, the DSB explains in its decision. This included unique user identification numbers, IP address, and browser settings. Google’s standard contractual clauses do not provide an “adequate level of protection” to eliminate “options for surveillance and access by US intelligence services” under the Foreign Intelligence Surveillance Act (FISA).
Google had previously objected that it had taken “technical and organizational measures” (“TOM”) under the standard data protection clauses, such as encryption techniques, fencing around data centers and verification of data requests from the authorities. The DSB assessed these measures as largely unnecessary in the face of allegations from secret services such as the NSA or the FBI.
The context of the decision is the “Schrems II” judgment of the European Court of Justice (ECJ) of summer 2020, with which it declared the transatlantic “Privacy Shield”, and with it one of the most important bases for the transfer of customer data to the United States, invalid. The Luxembourg judges found that US laws such as FISA or the Cloud Act allow mass surveillance by security authorities and that data protection standards in the US do not match those in the EU.
Standard contractual clauses
As a result, the European Commission has made efforts to adapt the standard contractual clauses as an alternative instrument for data transfers to the case law of the ECJ and published the new version in early June. Google implemented these revised requirements for its own cloud services in September 2021. The company also announced that it would like to rely more on encryption.
Schrems considers that such precautions are not sufficient. He criticizes: “Instead of technically adapting their services to be GDPR-compliant, US companies have tried to simply add a few texts to their data protection guidelines and ignore the ECJ. Many companies in the EU have followed this example instead of continuing to switch legal departments.” For the founder of Noyb, the epitome of the DSB decision is: “Companies in the EU can no longer use American cloud services.”
EU vs US-Cloud
Schrems sees operators of many EU websites affected, as Google Analytics is still the most widely used statistics program. While there are plenty of alternatives that can be hosted in Europe or run on their own servers, too many admins still rely on the US group. In total, Noyb filed 101 similar complaints in almost all EU countries. Schrems therefore assumes that similar decisions will now also be taken there step by step.
As recently as last week, EU data protection officer Wojciech Wiewiórowski made it clear that the European Parliament’s use of Google Analytics and payment provider Stripe was incompatible with the “Schrems II” judgment. Previously, the Wiesbaden Administrative Court had, on the basis of the ECJ’s landmark decision, banned a university from including the “Cookiebot” on its website and thus from transferring data to the United States.
Noyb is not happy that the DSB has dismissed the complaint against Google as a recipient of data in the United States. It is considering taking action against this part of the decision. At the same time, however, the supervisory authority said that proceedings against Google are ongoing for possible violations of other articles of the GDPR. There will likely be a separate ruling on this.