In a decision dated 22 December 2021 and made public on 14 January 2022, the Austrian data protection authority (Datenschutzbehörde, or DSB) declared that Google Analytics violates the General Data Protection Regulation 679/2016 (GDPR), the main European privacy law.
The Austrian authority's decision was based on one of the “101 US Transfer complaints”, one hundred different complaints that the Austrian NGO Noyb, of which Max Schrems is president, filed following the Schrems II judgment of the European Court of Justice.
In 2020, with the Schrems II ruling, the EU Court of Justice established that the Privacy Shield, the framework that until then had governed the transfer of data between the EU and the US, violated the GDPR. The main reason was that US law allows Big Tech companies (including Google and Facebook) to provide the authorities with users' personal data for surveillance and security purposes. The Schrems II judgment, named after Max Schrems, who had raised the issue, was a revolution in the management of data transfers to the USA.
In the specific Austrian case, which concerned a health website, the supervisory authority found that all sites that use Google Analytics in fact export visitors' personal data, such as their IP addresses and unique identifiers (Unique Identification Numbers), to the United States, and therefore outside the European Economic Area (EEA). The rules contained in Chapter V of the GDPR, in particular Articles 45 and 46, which regulate the transfer of personal data to a third country or an international organization, oblige controllers (and processors) to ensure an adequate level of data protection for natural persons. For the DSB, the measures taken by Google are not enough. As is known, the US intelligence services use some online identifiers, such as IP addresses and Unique Identification Numbers, to collect information and to surveil individuals. Therefore, according to the DSB, it cannot be excluded that those intelligence services have already collected such information about visitors to the website in question.
Google's response was not long in coming.
Google published its own press release, signed by Google Analytics Product Management Director Russell Ketchum, in which it explains how its service operates and the safeguards applied to ensure that the US government cannot access the personal data processed. Until now, the company has relied on standard contractual clauses to meet the conditions required by the GDPR and the Schrems II ruling, together with additional technical and organizational measures "that keep data safe". Nonetheless, the Austrian data protection authority DSB noted that these additional measures are to be considered more "formal" than substantive, and that they cannot be considered a sufficient guarantee of an equivalent level of protection for data transferred to the USA. To be effective, such measures would have to fill the legal gaps in the legal system of the third country.
In conclusion, the Austrian authority, declaring that Google Analytics cannot be used in compliance with Chapter V of the GDPR, highlighted, once again, the substantial incompatibility between European and US privacy regulations.
E-Business Consulting has been active since 2003 and has provided privacy consultancy to important companies since the implementation of Legislative Decree 196/03. Furthermore, E-Business Consulting has always paid extreme attention to the protection of personal data relating to its customers, suppliers and all the people with whom it may come into contact. Contact us for a free quote!