“Schrems II” put in practice: What follows from the Austrian supervisory authority’s decision on Google Analytics?

In August 2020, in response to the European Court of Justice’s “Schrems II” decision, the data protection organisation NOYB, founded by Max Schrems, filed no less than 101 model complaints in various EU member states about the transfer of data from European website operators to US-based service providers Google and Facebook.

The Austrian Data Protection Authority (DPA) now has issued the first decision on these parallel proceedings. Specifically, the complaint concerned the use of the Google Analytics service. It was directed both against an Austrian website operator (the data exporter) that used Google Analytics, and against Google LLC (as service provider and data importer in the United States). The subject matter of the proceedings was the transfer of user data in August 2020. In its decision, the DPA concludes that the use of Google Analytics at that time violated the requirements of the GDPR for international data transfers.

In particular, the supervisory authority has made the following findings:

Google Analytics processes personal data

A website that uses Google Analytics sends the following information about its visitors to Google:

  • unique online identifiers that identify the browser or device of the website ­visitor and the website operator,
  • the URL and the name of the website as well as the subpages visited,
  • information on browser, operating system, screen resolution, and language settings of the visitor as well as date and time of the visit, and
  • the visitor’s IP address.

Based on the broad scope of the GDPR, this information qualifies as personal data according to the DPA. This is because the online identifiers enable the website operator to individualise a user in a pool of users. Especially in combination with other information collected about the user, their “digital fingerprint” becomes more unique and identification more likely.

With regard to the “anonymisation option for IP addresses” of Google Analytics, the ­authority states that it had not been implemented correctly in the present case. However, a correct implementation of this function would not have led to a different assessment, as the IP address is only one of many elements that can be used to identify the users.

The EU standard contractual clauses combined with the additional safeguards put in place by Google are insufficient to ensure an adequate level of protection

Google LLC, headquartered in the USA, qualifies as a “provider of electronic communications services” and therefore falls within the scope of state surveillance by US intelligence services under the US law “FISA 702”. According to the judgement of the Austrian supervisory authority, the measures taken by Google to protect user data are not sufficient, as they do not provide effective protection against the surveillance and access powers of the US intelligence services­­.

Although standard contractual clauses are not objectionable per se as an instrument for international data transfer, they are not sufficient due to their nature as a contract, as they do not legally bind US authorities.

The authority emphasises that if the law of the third country affects the effectiveness of standard contractual clauses, the data exporter must either suspend the data transfer or take supplementary measures to ensure an adequate level of data protection.

However, such additional technical, organisational and contractual measures are only considered effective and sufficient in the sense of “Schrems II” if they effectively close the privacy “gap” created by the access and monitoring powers of the US authorities.

According to the authority, it was not apparent that the protective measures taken by Google (for example, guidelines for handling and carefully reviewing each authority request, or protection of data in transit) could effectively close the gap.

Specifically, with regard to the encryption technologies used by Google, the authority states that these cannot effectively prevent access if the data importer can still access the data in plain text, as US intelligence agencies can demand disclosure of the cryptographic key (which in this case lies with the data importer).

This means that even additional technical measures beyond those taken by Google will likely not be sufficient, provided the data importer in the US retains access to the data in plain text. In such a case, it is not possible to effectively protect personal data from access and surveillance by US intelligence agencies.­

Google itself has not breached the requirements under Chapter V of the GDPR – but a further review is still to follow

The requirements of Chapter V of the GDPR that are the subject matter of the decision must only be observed by the party disclosing personal data to a data importer (and thus not for the party receiving it). Accordingly, the DPA rejected the complaint against Google LLC itself in this respect.

However, the decision does not discuss a (possible) violation of art. 5 et seq. in conjunction with art. 28 para. 3 lit. a and art. 29 GDPR by Google due to the disclosure of personal data to US intelligence services (“secret data transfer”). This legal issue will to be decided in a further decision, the authority stated.

Does this decision also apply to Google Analytics as it is available today?

As mentioned above, the DPA’s decision (only) relates to the data transfer of August 2020. At that time, the contractual partner for the free version of Google Analytics (used in the present case) under Google’s terms was Google LLC an entity established in the United States. Since the end of April 2021, both the free and the paid Google Analytics 360 services are provided by Google Ireland Limited, which is based in the EU. This means that Google Ireland Limited rather than Google LLC acts as the processor for the Google Analytics services.

This change could lead to a different assessment of the current use of Google Analytics.

However, since the actual operation of Google Analytics still involves data being forwarded to Google LLC, with the website operator as the responsible data controller, it is also likely that an assessment of the current Google Analytics setup will not be much different.

The statements of the supervisory authority on surveillance by US intelligence services in accordance with US laws as well as on the insufficient supplementary measures can likely also be applied beyond the specific case to other US-based cloud services that can be qualified as “providers of electronic communication services” and which are regularly the target of information requests by US intelligence services under FISA 702.

Since the control over website that was subject to the proceedings in Austria was transferred to a German company as of 1 February 2021, the Austrian supervisory authority passed the proceedings on to the Bavarian supervisory authority which must now determine whether the current setup of Google Analytics is compliant with the GDPR. This second part of the proceedings will be interesting to watch.

What does this decision mean for the online marketing industry?

Should the use of Google Analytics in its current form also be classified as unlawful, Google and other US service providers will have to make significant changes to their services – unless the relevant US laws are changed. Google, for example, has apparently already started to do so and now offers an “EU-only option” for its Google Cloud service customers in the EU, which includes, inter alia, an EU data residency option, cryptographic control over data access exclusively at the EU customer’s premises, and customer support from a location within the EU.

In any case, we recommend that you review your specific usage of Google Analytics to ensure that it is at least set up as GDPR compliant as possible (we had already informed you about this in a previous client update).

If you are unwilling to accept the existing risk and want to take the path of the greatest possible legal certainty, you should prepare for a European alternative to Google Analytics by the second quarter and that, for the time beyond that date, other US cloud services might also no longer lawful under the GDPR.

Other authorities, which will have to decide on the parallel proceedings brought by NOYB over the next few months, are already striking similar notes. The Dutch data protection authority has already warned that the use of Google Analytics could be banned. Only recently, the data protection commissioner responsible for EU authorities stated that the European Parliament’s use of Google Analytics and the Stripe payment service violates the GDPR.

We will continue to keep an eye on this developing situation for you and are ready to advise you on any questions and your possible next steps.
(Dr. Frank Eickmeier, Dr. Lukas Mezger UNVERZAGT Rechtsanwälte)