In what can constitute a landmark decision on January 13th 2022, the Austrian Data Protection Authority ruled that the use of Google Analytics violates the EU General Data Protection Regulation. This could indeed have “far-reaching implications.” , if other EU Data Protection Authorities follow the same path and challenge the way website providers and platforms rely on analytics and US-based cloud services for their own products and services.
The decision, published Jan. 13, is the first of 101 complaints filed across EU countries by advocacy group NOYB alleging companies using Google Analytics were not complying with the July 2020 Court of Justice of the European Union’s “Schrems II” decision on data transfers. The “Schrems II” decision invalidated the EU-U.S. Privacy Shield agreement.
The Austrian DPA ruled that in providing the Google Analytics service, the company collects and transfers personal data to the U.S. while failing to protect it from U.S. government surveillance. The DPA determined configuration abilities for customers, including truncating IP addresses, are insufficient to prevent re-identification, potentially by Google or the U.S. government. The decision also determined that supplementary measures implemented by Google, including government access transparency reports and encryption of data, were insufficient, he said.
The decision casts a dark cloud over any conceivable method of legally transferring data between the continents and could have far-reaching implications. In the absence of a breakthrough in Privacy Shield negotiations, data transfers – and consequently international trade – between the EU and U.S. face a bleak future.
Just days before the Austrian DPA’s decision, the European Data Protection Supervisor reprimanded the European Parliament for breaching GDPR related to its COVID-19 test booking website launched in September 2020. The website was found to be using cookies associated with Google Analytics and Stripe, while the EDPS said Parliament failed to demonstrate measures to safeguard associated data transfers to the U.S.
Other DPAs could follow as more decisions on the use of U.S. providers are expected in the coming months. The Dutch Data Protection Authority said it is investigating two complaints in the Netherlands on the use of Google Analytics. The implications of the Austria decision “could be huge” if other EU regulators take the same view, particularly as the same issues would then arise also with many other services of U.S. providers