Decision on the use of Google Analytics by European data protection authorities
The Austrian Data Protection Agency, Datenschutzbehörde, has decided that the use of the Google Analytics tool was in breach of the data protection rules. The case stems from a complaint lodged by the "None of Your Business" (NOYB) organisation, which, in the wake of the Schrems II decision, has lodged 101 complaints with several European regulators against organisations using Google Analytics.
The Dutch Data Protection Agency, Autoriteit Persoonsgegevens, is also preparing its decisions in two similar cases, which are expected to be published in the early spring, and the French CNIL has, in another ruling, backed Austria's conclusion that the use of the US service is illegal in the EU.
The decisions could have significant implications for companies' use of Google Analytics and, ultimately, the use of US cloud services in the EU in the future.
THE SCHREMS II DECISION
In July 2020, the European Court of Justice ruled in the so-called Schrems II case, which concerned the transfer of personal data from the EU to the US. The ruling stated that the Privacy Shield scheme, which was often used as a transfer basis to the United States, was not compatible with the GDPR, partly because the United States has legislation that could give US authorities access to the personal data of European citizens. At the same time, the CJEU ruled that the EU Commission's standard contracts (SCCs) remain valid as a basis for transfers to countries outside the EU/EEA, but that in all cases, they cannot stand alone.
RECOMMENDATIONS OF THE EDPB
In the context of the Schrems II decision, the European Data Protection Board (EDPB) has adopted recommendations relating to transfers to third countries. The recommendations provide several steps that should be reviewed to establish that the same level of data protection resulting from the GDPR is guaranteed when transferring personal data to a country outside the EU/EEA (a third country).
Using SCCs as a transfer basis now requires a concrete assessment in each case to ensure that the legislation and practices in the third country do not prevent personal data from being processed with the same level of protection as under the GDPR when transferred. Depending on the assessment, it may be necessary to implement so-called "supplementary measures" to obtain adequate protection for the personal data transferred.
The assessment itself implies that one must assess whether the third country's legislation or practice prevents the data processor from complying with its obligations under the GDPR and the chosen transfer basis. This can, of course, be a difficult task for a data controller since it requires an assessment of both the legislation and the practices of a country of which there may be no prior knowledge.
If the assessment finds that the legislation or practice of the third country means that the data processor cannot ensure an adequate level of protection, supplementary measures must be taken. The EDPB's recommendations contain a wide range of examples of supplementary measures that can be used.
The list of examples in the EDPB recommendations is not exhaustive. Therefore, there may be several supplementary measures to ensure an adequate level of protection when transferring personal data to third countries. What matters is that the measure effectively ensures the same level of data protection as resulting from the GDPR.
THE AUSTRIAN DECISION ON GOOGLE ANALYTICS
The Austrian Data Protection Agency first considered whether the data were personal data. In the decision, the supervisory authority concluded that the data were personal data within the meaning of Article 4(1) of the General Data Protection Regulation, as the data transferred were sufficient to identify the data subject and could thus be considered as personal data under the GDPR.
After establishing that the organisation's use of Google Analytics constituted a transfer of personal data, the supervisory authority considered whether the transfer was subject to a mechanism to ensure an adequate level of protection as required by Article 44.
The transfers were made based on the SCCs in accordance with Article 46, and supplementary measures were also implemented as required by Schrems II. However, the supervisory authority stressed that supplementary measures could only be considered effective if they actually address the specific deficiencies identified in the assessment of the third country.
In this respect, the supervisory authority found that the technical measure on "encryption at rest" could not be invoked in cases where Google has a direct obligation to grant access to or surrender imported personal data in their possession to the US authorities.
For this reason, the supervisory authority found that an adequate level of protection was not guaranteed under Article 46 and that the data transfer was contrary to Article 44.
THE IMPACT OF THE DECISION
Google Analytics is a statistics program used by numerous companies, which thus transfer personal data to Google in the United States. Therefore, the users of Google Analytics could potentially face sanctions from EU supervisory authorities in the future.
The rejection of the supplementary measures implemented is of great importance, as it is precisely these supplementary measures that US cloud providers often use to comply with the GDPR. A rejection of the said supplementary measures by EU supervisory authorities other than the Austrian, French, and Dutch supervisory authorities is likely to become relevant soon.
The fact that supervisory authorities have gradually begun declaring US services illegal puts further pressure on European companies to cease the use of US services and on US providers to ensure that such services are hosted outside the United States.
THE ASSESSMENT OF THE DANISH DATA PROTECTION AGENCY
The Danish Data Protection Agency has so far stated that it will read the Austrian decision closely and follow the future decisions from the other European countries. Based on this, the Danish Data Protection Agency will prepare new guidance on the use of tools such as Google Analytics.
The recommendations of the EDPB and the decisions of Austria and France show that it is very important to carry out a thorough assessment of the third countries to which personal data are transferred and to ensure that effective supplementary measures are put in place where necessary. It is especially important to pay attention when using services located in the United States, including cloud services.
Therefore, it is important to address whether personal data are transferred to third countries in connection with the use of services and what basis of transfer is then used so that the required assessment of the third country transfer can be carried out. Also, it is essential to consider whether the additional measures are actually effective.