According to the Austrian Data Protection Authority (DSB), the use of Google Analytics on websites in the EU is not compatible with the General Data Protection Regulation (GDPR). Above all, the DSB considers the general principles for data transfers under Article 44 GDPR to be violated, since the statistics program passes personal user information on to the Google group headquarters in the USA.
With the now published partial decision, the DSB is reacting to a model complaint raised in August 2020 by the Noyb data protection association, founded by lawyer and activist Max Schrems. The submission initially referred to an Austrian publisher that had integrated Google Analytics. The DSB dismissed a further complaint against Google itself.
No “adequate level of protection”
The DSB justified its decision on the grounds that the website operator used the statistics tool to transmit the complainant’s personal data to Google. This included unique user identification numbers, IP address and browser parameters. Google’s standard contractual clauses do not offer an “adequate level of protection” that would eliminate the “possibilities of surveillance and access by US intelligence services” under the Foreign Intelligence Surveillance Act (FISA).
Google had previously objected that it had taken “technical and organizational measures” (“TOMs”) as part of the standard data protection clauses, such as encryption techniques, fences around data centers and the verification of requests from authorities. However, the DSB assessed these measures as largely useless against the claims of secret services such as the NSA or the FBI police authority.
The background to the decision is the “Schrems II” judgment of the European Court of Justice (ECJ) in summer 2020, with which it declared the transatlantic “Privacy Shield” and thus one of the most important bases for the transfer of customer data to the USA to be invalid. The Luxembourg judges determined that US laws such as FISA or the Cloud Act enable mass surveillance by security authorities and that the data protection standard in the United States does not correspond to that in the EU.
Cane standard contract
As a result, the EU Commission tried to adapt the standard contractual clauses as an alternative instrument for data transfers to the ECJ case law and published the new version at the beginning of June. Google implemented these revised guidelines in September 2021 for its own cloud services. The company also announced that it intends to focus more on encryption.
Schrems does not consider such precautions to be sufficient. He criticizes: “Rather than technically adapting their services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the CJEU. Many EU companies have followed suit, rather than switching to legitimate services.” For the Noyb founder, the quintessence of the DSB decision is: “EU companies can no longer use US cloud services.”
EU vs. US-Cloud
Schrems sees the operators of many websites in the EU as affected, since Google Analytics is still the most widely used statistics program. Although there are many alternatives that can be hosted in Europe or run on their own servers, too many administrators still rely on the US group. In total, Noyb has filed 101 similar complaints in almost all EU countries. Schrems therefore assumes that similar decisions will gradually be made there as well.
Just last week, EU data protection officer Wojciech Wiewiórowski made it clear that the use of Google Analytics and the payment provider Stripe by the European Parliament is incompatible with the “Schrems II” ruling. The administrative court in Wiesbaden had previously forbidden a university, on the basis of the ECJ's fundamental decision, to integrate the “Cookiebot” on its homepage and thus transfer data to the USA.
Noyb is not satisfied that the DSB rejected the complaint against Google as data recipient in the USA. It is considering taking action against this part of the decision. At the same time, however, the supervisory authority stated that the proceedings against Google with regard to possible violations of other articles of the GDPR are continuing. There will probably be a separate decision on this.