Bombshell Decision That Use of Google Analytics in Austria Violates Top EU Court’s Ruling Boosts GDPR Impact Again
The GDPR is finally beginning to make itself felt more strongly, as a series of blog posts have noted. The situation is summed up in a new “DLA Piper GDPR fines and data breach survey”. Compared with the previous year, total GDPR fines have increased from $179 million to $1.2 billion. But as the report rightly notes, in terms of broader impact, the 2020 ruling from the Court of Justice of the European Union (CJEU) that the Privacy Shield framework for transferring personal data across the Atlantic, was invalid, is still the one to watch.
Given the continuing importance of transatlantic data transfers, it’s not surprising that the European Data Protection Board (EDPB), which coordinates the application of the GDPR across the EU, has tried to clarify the current situation with a series of recommendations for companies. It’s striking that the best it can come up with is “you must verify on a case-by-case basis whether (or not) the law or practice of the third country of destination undermines the safeguards” of the GDPR, and whether “supplementary measures may fill the gap”. If you can’t do that, well, “you must not start transferring personal data to the third country concerned on the basis of your chosen transfer tool”. If that advice all seems a bit vague, the Austrian Data Protection Authority has kindly provided a practical demonstration of just how far-reaching it is in reality.
In August 2020, the PIA blog reported that Max Schrems and his organization, noyb.eu, had filed no less than 101 complaints across 30 countries, alleging that companies were not complying with the new CJEU ruling on data transfers, and were thus in breach of the GDPR. The first of those 101 complaints has now been decided:
In a groundbreaking decision, the Austrian Data Protection Authority (“Datenschutzbehörde” or “DSB”) has decided on a model case by noyb that the continuous use of Google Analytics violates the GDPR. This is the first decision on the 101 model complaints filed by noyb in the wake of the so-called “Schrems II” decision. In 2020, the Court of Justice (CJEU) decided that the use of US providers violates the GDPR, as US surveillance laws require US providers like Google or Facebook to provide personal details to US authorities.
The problem EU companies face is that certain key online service providers, like Google and Facebook, are subject to US laws that require them to hand over data to the US authorities if required. That would be a violation of the GDPR, and was the reason why the Privacy Shield framework was ruled invalid by the CJEU. To get around that problem, companies need “supplementary measures”, as the EDPB puts it in the guidance mentioned above. In its submission to the Austrian Data Protection Authority, Google argued that it took “robust technical measures to safeguard personal data, and to protect against interception in transit.” These turned out to be things like encrypting data as it moves around the Internet and between sites, as well as the use of “fencing, signage and other measures” to secure data centers. The Austrian authorities were unimpressed: “insofar as the technical measures are concerned, it is also not recognizable (…) to what extent [the measure] would actually prevent or limit access by U.S. intelligence agencies considering U.S. law.”
Although this is a ruling by the Austrian Data Protection Authority, the noyb.eu press release says: “Similar decisions are expected in other EU member states, as regulators have cooperated on these cases in an EDPB ‘task force’.” The Dutch Data Protection Authority is currently investigating the use of Google Analytics. The European Data Protection Supervisor (EDPS) has already taken a view. His decision followed yet another complaint from Schrems, this time about the European Parliament’s COVID-19 testing website: “The EDPS highlights that the use of Google Analytics and the payment provider Stripe (both US companies) violated the Court of Justice’s (CJEU) “Schrems II” ruling on EU-US data transfers.” Schrems points out that the implications of the EDPS ruling are broad:
The EDPS made it clear that even the placement of a cookie by a US provider is violating EU privacy laws. No proper protections against US surveillance were in place, despite the fact that European politicians are a known target for surveillance.
Not every US provider will be affected by these rulings, only those large enough to be subject to the US government requests for personal data. Nonetheless, that will include all the digital giants, such as Amazon (AWS), Apple, Cloudflare, Dropbox, Facebook, Google, and Microsoft.
Clearly, the impact of these decisions, if confirmed across the EU by the other data protection authorities, will be considerable. One curiosity is that the Austrian and EDPS decisions do not call for Google to be fined — they are rulings against the EU bodies that sent personal data to the US. That seems to put the onus on complying with the GDPR on the users of these US services, rather than on the companies that supply the services. However, the Austrian Data Protection Authority has said that it will investigate Google further in order to establish whether it committed GDPR violations by providing personal data to the US government, so that aspect may still change. As for long-term solutions to the transatlantic data transfer problem, Schrems says there are only two: proper privacy protections in the US, or completely separate online services for the US and the EU.
Featured image by Ximeg. https://commons.wikimedia.org/wiki/File:Wildsch%C3%B6nau_feiert_Neues_Jahr_06.jpg CC BY-SA 3.0 https://creativecommons.org/licenses/by-sa/3.0/deed.en unmodified