In a decision dated 22 December 2021 and made public on 14 January 2022, the Austrian Data Protection Authority (Datenschutzbehörde or DSB) stated that Google Analytics violates the General Data Protection Regulation 679/2016 (GDPR), the leading European privacy standard.
The Austrian authority's decision was based on one of the "101 US Transfer Complaints", a hundred different complaints that the Austrian NGO Noyb, of which Max Schrems is president, submitted following the Schrems II judgment of the European Court of Justice.
In 2020, with the Schrems II judgment, the EU Court of Justice had established that the Privacy Shield, the legislation that until then regulated the transfer of data between the EU and the US, violated the GDPR. This is because US law allows Big Tech (including Google and Facebook) to provide the authorities with personal data of users for surveillance and security reasons. The Schrems II ruling, named after the same Max Schrems who had raised the problem, was a revolution in the management of the transfer of data to the US.
In the specific case of Austria, by analysing a website dedicated to health, the supervisory authority found that all sites using Google Analytics in fact export personal data of visitors, such as their IP addresses and their unique identifiers, to the United States, thus outside the European Economic Area (EEA). The rules contained in Chapter V of the GDPR, in particular Articles 45 and 46, which govern the transfer of personal data to a third country or an international organisation, oblige controllers (and processors) to ensure an adequate level of data protection for natural persons. For the DSB, the measures taken by Google are not sufficient. As is well known, US intelligence services use some online identifiers, such as IP addresses and Unique Identification Numbers, for the collection of information and surveillance of individuals. Therefore, according to the DSB, it cannot be excluded that those intelligence services have already collected such information from visitors to the website in question.
Google’s response was not long in coming.
Google has published its own press release, signed by Google Analytics Product Management Director Russell Ketchum, explaining how its service operates and the safeguards applied to ensure that the US Government cannot access the personal data processed. The company has so far used the Standard Contractual Clauses to meet the conditions required by the GDPR and the Schrems II judgment, together with further technical and organizational measures "that keep data safe". Nevertheless, the Austrian Data Protection Authority noted that the application of these additional measures is to be considered more "formal" than substantial, and thus cannot be considered a sufficient guarantee of an equivalent level of protection for the data transferred to the US. In order to be effective, such measures should be able to fill the legal gaps in the legislation of the third country.
In conclusion, the Austrian authority, stating that Google Analytics cannot be used in compliance with Chapter V of the GDPR, highlighted once again the substantial incompatibility between European and US privacy rules.
E-Business Consulting has been active since 2003 and has provided privacy advice to important companies since the implementation of Legislative Decree no. 196/03. In addition, E-Business Consulting has always paid close attention to the protection of personal data relating to its customers, suppliers and all people with whom it may come into contact. Contact us for a free consultation!