William Fry’s David Cullen and David Kirton look at the Austrian data watchdog’s Google Analytics concerns and what it means.
In the latest in a long line of challenges to the transfer of personal data from Europe to the US, the Austrian data protection authority, DSB, has found that the use by an Austrian website of Google Analytics did not comply with EU data protection law.
The DSB reached this decision on the basis that the use of Google Analytics involves the transfer of personal data to the US where, it found, it would not receive adequate protection from surveillance by US intelligence services.
The DSB concluded that measures put in place to protect that personal data, such as encryption, were not sufficient to address that risk.
This decision is the first issued on foot of 101 complaints filed by Vienna-based privacy non-profit group NOYB with various European data protection authorities, including the Irish Data Protection Commission.
These complaints allege that personal data transfers to Google and Facebook in the US breach EU data protection law as set out in the widely reported Schrems II case.
What is Google Analytics?
Google Analytics is a tool that website operators can use to monitor how visitors use their websites. For example, it can be used to generate reports on visitor numbers, visitors’ browser parameters, which device they are using and more. It does this by placing a cookie – a small piece of data – on the user’s device, which assigns a unique identification number.
Google Analytics can also combine this unique identifier with other information, such as the visitor’s IP address, to track the visitor in additional ways. For example, if the visitor is logged into their Google account, their visit will be linked to that account.
The DSB found that this creates a ‘digital footprint’ that can be used to identify individuals. This digital footprint is not only used by the website operator. Google also collects this information and transfers it to its servers in the US.
International data transfers
EU data protection law, including the GDPR, allows the free movement of personal data within the EEA, as well as between the EEA and certain other countries that are deemed to offer adequate protection for personal data, such as Canada and Japan.
Otherwise, a transfer of personal data outside the EEA (including the US) can only take place using certain mechanisms set out in the GDPR.
One such mechanism is by using standard contractual clauses. This mechanism requires the data exporter and importer to enter into a contract requiring the importer to ensure that the personal data receives sufficient protection outside the EEA.
However, pursuant to the decision of the Court of Justice of the EU in the Schrems II case, the standard contractual clauses alone are not sufficient.
Data exporters must also assess the level of protection that the personal data will receive in the destination country and, if that falls short of the level offered in the EEA, put in place supplementary measures to address those deficiencies.
The DSB’s decision
The DSB’s decision followed a complaint by a visitor to an Austrian website called NetDoktor. Because that website used Google Analytics, the visitor’s personal data, including a unique user identification number, IP address and browser parameters, were retrieved and sent to servers operated by Google in the US.
The operator of the website and Google had entered into the standard contractual clauses, and Google had implemented certain additional contractual, technical and organisational measures with a view to ensuring an adequate level of protection for EU personal data exported to the US. This included encryption of the data.
However, the DSB found that the steps taken were not sufficient to ensure compliance with the GDPR rules on transfers of personal data outside the EEA.
As an electronic communication service provider under US law, Google is subject to compliance with surveillance requests made by US intelligence agencies. Google disclosed that it had received such enquiries from US authorities.
In the absence of additional measures, therefore, the DSB determined that there was a risk that personal data transferred to the US could be accessed by US intelligence agencies in a manner which would violate the rights of data subjects.
Next, the DSB considered the additional measures that were in place, such as encryption, but found that they were not sufficient to address the risk.
For example, the DSB referred to European Data Protection Board (EDPB) recommendations, which state that encryption is not a sufficient measure if the recipient of the personal data has the encryption key and may be under an obligation to hand over that key to the relevant authorities.
The DSB therefore decided that the website operator had not complied with GDPR rules on transfers of personal data outside the EEA.
It should be noted that the DSB did not find any wrongdoing on the part of Google – the primary legal responsibility for transfers of data lies with the data controller, in this case, the website operator.
Nonetheless, Google expressed its concern with the decision. Its president of global affairs and chief legal officer, Kent Walker, noted in a blogpost that, in 15 years of offering the Google Analytics tool, Google “has never once received the type of demand [from the US authorities] the [DSB] speculated about”.
“If a theoretical risk of data access were enough to block data flows, that would pose a risk for many publishers and small businesses who use the web and highlight the lack of legal stability for international data flows facing the entire European and American business ecosystem,” he said.
It is important to stress that the DSB’s decision is not yet final and, in any event, does not have effect outside Austria. As with all regulatory decisions, it is specific to its facts.
No one is expecting to see websites across Europe drop Google Analytics overnight. However, as this is the first decision on foot of 101 complaints filed by NOYB, it is possible that in the coming months we will start to see similar decisions across Europe.
These decisions may well have an impact on the use of various tools, not just Google Analytics, which involve transfers of personal data to the US or elsewhere outside the EEA.
The EDPB has set up a taskforce to coordinate and promote communication between the national authorities in relation to these complaints.
According to BuiltWith, 28m sites (including more than 70pc of the most popular 10,000 websites globally) were using the Google Analytics tool as of November 2021. There will therefore be a great many businesses, regulators and lawyers looking at these decisions very carefully.
These decisions are against a background where EU and US negotiators are trying to work out a new deal to facilitate the continued sharing of data across the Atlantic.
It is intended that this deal would replace the Privacy Shield mechanism rejected by the EU courts in July 2020. These discussions have not yet resulted in any concrete proposals, and negotiators will not approve any deal unless it is expected to meet the standards set down in the Schrems II decision and related cases.
In the meantime, it is important that businesses operating online are completely aware of all their international data flows, know what tools they use and what personal data they process.
As the Austrian decision illustrates, it is ultimately the website operator that is legally accountable for the protection of its users’ personal data.
David Cullen is a partner and head of William Fry’s Technology Group. David Kirton is a partner in William Fry’s Technology Group.