The Austrian data protection authority (Österreichische Datenschutzbehörde; Austrian DPA) recently ruled that the use of Google Analytics violated Chapter V (transfers of personal data to third countries or international organisations) of the EU General Data Protection Regulation (GDPR) in light of the Schrems II judgment issued by the Court of Justice of the European Union (CJEU) on July 16, 2020.
Statements from the Danish and Norwegian data protection authorities (DPAs) indicate that other European DPAs are likely to take a similar view. Since the underlying complaint is one of over a hundred filed by None of Your Business (NOYB) across the European Economic Area, the decision of the Austrian DPA may well mark the beginning of a new chapter when transferring personal data to the U.S. as enforcement of the Schrems II judgment kicks off across Europe.
Max Schrems's non-governmental organization, NOYB, has filed complaints in all 30 of the European Economic Area (EEA) Member States against 101 European companies following the Schrems II judgment, alleging that these companies transferred personal data to Google and Facebook in violation of the GDPR (NOYB published an article about the filed complaints). In response to these complaints, the Austrian DPA conducted a cross-border investigation into Google's and Facebook's data transfer practices.
On January 13, 2022, the Austrian DPA published its (partial) decision (Decision) based on one of those complaints. The complaint was directed against (1) an operator of an Austrian website (Website Operator) which used the Google Analytics tracking and analytics tool on its website, as well as (2) Google LLC as the provider of this tool in the U.S., to whom data was transferred through the tool.
Google Analytics is a web analytics tool which, when implemented on a website, collects information about the usage of that website by its users and shares that information with Google. Google then analyses that information and shares analytics data with the website operator, providing them with valuable insights about how users use their website.
Even though the Website Operator claimed that the data transferred from it to Google LLC through Google Analytics was not personal data under the GDPR, both parties had entered into Google's data processing agreement for its advertising services and the standard contractual clauses (SCC) published by the European Commission on February 5, 2010. The Austrian DPA noted that the Website Operator had not (i) (properly) activated the option to "anonymize" the IP Address of website users, which is generally available for Google Analytics, or (ii) asked its website users to give their consent in relation to data transfers to Google LLC.
The Austrian DPA ruled that:
Personal Data Transfer Finding
The Austrian DPA outlined that information constitutes "personal data" under the GDPR if it allows for the singling out of an individual user of a website. An immediate identification of someone's actual identity would not be necessary for information to be regarded as personal data.
In addition to the "IP anonymization" feature of Google Analytics not being properly activated (leading to the sharing of users' IP addresses with Google LLC), the Austrian DPA noted that further unique identifiers were transferred to Google. Given Google's technical abilities, it would have been able to link certain information to a user's Google account if that user was logged into its Google account when visiting the website at hand.
In doing so, the Austrian DPA indicated that the unique identifiers may, in and of themselves, already constitute personal data, and that this applies all the more to the complete set of information obtained by Google LLC.
Insufficient SCC and Supplementary Measures Finding
The Austrian DPA found that Google LLC qualified as an electronic communications services provider, and therefore was "clearly" subject to U.S. surveillance laws (i.e., FISA 702) and surveillance by U.S. intelligence agencies. It also pointed to the access requests listed in Google's transparency report as further proof of this. On that basis, it reiterated the Schrems II judgment and determined that the SCC alone were not an adequate safeguard for the transfer of data to Google LLC in the U.S., because the SCC terms are not binding on U.S. authorities.
It further determined that the supplementary measures implemented by Google LLC (among them encryption of the data in transit with Google holding the key, regular publication of transparency reports by Google, and possible notification of individuals affected by access requests) were insufficient to remedy the inadequate protection identified by the CJEU, as they would not prevent U.S. surveillance agencies from accessing the transferred personal data.
The Austrian DPA's Decision does not prohibit the use of Google Analytics across the EU from a legal standpoint.
The Austrian DPA's competence is generally limited to the territory of Austria under the GDPR. Furthermore, the Decision of the Austrian DPA is based on the specific set of facts of the case at hand and is not final. It can still be appealed.
It should be noted that (i) Google Analytics could be implemented differently to a certain extent (please see below) and (ii) some of the facts underlying the Decision have changed since the filing of the complaint. In particular, new Standard Contractual Clauses (New SCC) have been released by the European Commission (Decision (EU) 2021/914 of 4 June 2021) since the Schrems II judgment, and in the meantime, Google LLC has been replaced with Google Ireland Limited as the contractual partner of EU customers (as stated in the Decision).
However, in any event, the use of the current version of Google Analytics in the EEA is likely to come with legal risks as set out below.
It seems likely that DPAs in other EU Member States are going to take a similar view.
NOYB filed 101 complaints across the EU, so more decisions on this point are likely to follow, and other EU DPAs will probably come to conclusions similar to those of the Austrian DPA. The head of the Austrian DPA, Andrea Jelinek, is also currently the chairwoman of the European Data Protection Board (EDPB; EDPB - Who we are), the EU body composed of the heads of the EU data protection authorities (DPAs), which could lead to a Europe-wide approach that reflects the Austrian DPA's decision.
Other DPAs in the EEA have already responded to the decision:
Further, since the complaint was filed, the Website Operator was acquired by a German company, and so the Austrian DPA has forwarded the case at hand to the competent German DPA, which will decide whether the Website Operator should be prohibited from sharing personal data with Google. This means that we will likely get to know another DPA's viewpoint on the case at hand. On a side note, the Austrian DPA also stated that it will continue to investigate Google LLC for alleged violations in the case at hand.
Using the new SCC is not enough to satisfy GDPR requirements for international data transfers.
The European Commission has added certain clauses to the New SCC based on the Schrems II judgement, such as the requirement to perform a transfer impact assessment (TIA) and obligations on the entity in the third country (e.g., the U.S.) to provide information about government access requests (where legally possible).
However, the New SCC is unable to address the main shortcomings of the SCC identified in the Schrems II judgement and by the Austrian DPA. The SCC is "just" a contract between two companies whose terms are not binding on government authorities in countries outside the EU to which personal data is transferred. Therefore, a TIA will have to be performed and based on its results, an assessment will have to be made as to whether one may be able to address any possible shortcomings through the implementation of technical, organizational and/or contractual supplementary measures.
Turning on the "IP anonymization" feature of Google Analytics does not avoid the applicability of the GDPR in the eyes of EU DPAs.
Google Analytics includes a feature which allows for the so-called "anonymization" of the user's IP address by truncating it before it is stored: the last octet of an IPv4 address (the last 80 bits of an IPv6 address) is set to zero (Google - IP Anonymization (or IP masking) in Google Analytics). As stated above, the feature was not (correctly) turned on by the Website Operator. However, the German DPAs have already determined – and the Austrian DPA indicated a similar view in its Decision – that Google Analytics would, even with this feature activated, still process personal data because of the collection of additional information (in particular the unique client identifier) which allows for the singling out of a user (DSK – Hinweise zum Einsatz von Google Analytics (in German)).
That said, the feature should still be activated as a mitigation measure when using Google Analytics in the EEA.
Obtaining user consent might mitigate some risk, even if it can be complicated in practice.
The Austrian DPA clarified that consent was not obtained in this case and therefore did not pass judgment on that approach in its Decision.
Article 49(1)(a) of the GDPR includes a derogation which allows for the transfer of personal data to a third country (such as the U.S.) based on consent of the individual.
However, relying on such consent comes with the following challenges when it comes to Google Analytics:
Irrespective of these challenges, and since consent will have to be obtained from users when using Google Analytics in any case (usually through a cookie banner), adding language for international data transfers could be a reasonable mitigation measure.
Google Ireland (instead of Google LLC) being the contractual partner of Website Operators by itself does not justify a different result.
According to the Google Analytics Terms of Service (in German), Google Analytics is now provided by Google Ireland Limited in the EEA. However, based on section 10.1 of the Google Ads Data Processing Terms, which states that "Google may process Customer Personal Data in any country in which Google or any of its Subprocessors maintains facilities", the transfer of data collected via Google Analytics to Google in the U.S. (via Google Ireland Limited) seems probable.
In its Decision, the Austrian DPA considered that the Website Operator was the controller in relation to the personal data processed by Google Analytics and that Google LLC was its processor. German DPAs also took the view that the respective Website Operator using Google Analytics would be a controller, albeit assuming a joint controllership with Google (DSK – Hinweise zum Einsatz von Google Analytics (in German)). In either case, the respective Website Operator cannot exclude itself from its responsibility to ensure GDPR compliance in relation to the processing of personal data (including applicable international data transfers to the U.S.) via Google Analytics, even if Google Ireland Limited is its contractual partner instead of Google LLC.
Mitigation measures that should be implemented if one may want to continue using Google Analytics in the EEA.
In summary, we recommend implementing the following mitigation measures when using Google Analytics in the EEA:
In the eyes of DPAs in the EEA, taking all the steps above may still not lead to (full) compliance with the requirements for international data transfers under the GDPR. However, they will allow an organization to show a DPA that several reasonable actions were taken to advance GDPR compliance, which can (significantly) improve its position if it intends to continue to use Google Analytics. In light of this risk, companies may also wish to consider alternatives to Google Analytics that keep users' personal data within the EEA.
Google's reaction to the Decision.
On 19 January 2022, Kent Walker, the President of Global Affairs & Chief Legal Officer of Google, published a blog post reacting to the Decision of the Austrian DPA (Google Blog Post). The blog post states in particular that Google "has never once received the type of demand the DPA speculated about" and would not expect such a demand "to fall within the narrow scope of the relevant law" (which is likely a reference to FISA 702).
Mr. Walker challenged the decision of the Austrian DPA as not reflecting the Schrems II judgment. In his view, the CJEU's judgment was interpreted too restrictively by the Austrian DPA, while he considered the supplementary measures implemented by Google (Google - Safeguards for international transfers) at the time of the blog post to be appropriate.
He further emphasized the importance of the EU and U.S. governments coming to terms on a successor agreement to the invalidated U.S.-EU Privacy Shield framework.
Note: The EU and U.S. governments have been negotiating a replacement for the Privacy Shield since the Schrems II judgment. However, recent statements from representatives of the European Commission and the U.S. Department of Commerce suggest that these negotiations may not conclude in the near future (Article from datenschutz-praxis.de about Privacy Shield Negotiations (in German)).