Google Analytics banned? In the shadow of Schrems II
Datenschutzbehörde (the "DSB"), the Austrian Data Protection Authority, has once again put the issue of transferring personal data to the United States on the map. Through its decision of 22 December 2021 (the "Decision"), DSB concluded that an Austrian website operator's use of Google Analytics is a violation of the EU General Data Protection Regulation (the "GDPR").
By Fredrik Steen and Thomas Nygren
The outcome of the Decision is not surprising, but potentially devastating for website operators as Google Analytics is the most widely used tool to understand how visitors interact with a website. DSB states that the website operator's use of Google Analytics violates EU's data protection rules because the service transfers personal data to the US without effective safeguards, pursuant to the Schrems II judgement (case c-311/18, of 16 July 2020).
In the Schrems II judgement, the Court of Justice of the European Union (the "CJEU") established that a transfer of personal data cannot legally be conducted under the GDPR, if the laws of the recipient's country undermine the European protection of personal data and the rights and freedoms of individuals. The CJEU assessed US surveillance legislation and deemed section 702 of the Foreign Intelligence Surveillance ACT (FISA) and Executive Order 12 333 as problematic. It was noted that these US surveillance practices did not offer European citizens the same level of protection for their personal data as in the EU, nor did EU citizens have any legal recourse or information in response to data collection by the US authorities. Therefore, transferring data to the US requires additional safeguards when the receiver of the data is within the scope of the aforementioned surveillance acts. To be effective, the safeguards must prevent US authorities from accessing the personal data. The Decision is the first concrete ruling on transfers of personal data to the US since the Schrems II judgement.
The operator subject to the Decision ran a website and used Google Analytics to analyze statistics about website visitors. Google Analytics collects information through the website and cookies stored on a visitor's computer, after which the information is sent to Google's servers in the US. Once there, the information is analyzed, and the website operator can access statistics about website visitors via a user interface.
In this case, the information collected by the website operator through Google Analytics included IP addresses and unique online identifiers, such as cookie IDs and device IDs. DSB states that this information constitutes personal data and that the personal data has been transferred to Google's servers in the US. As such, the website operator had conducted a transfer of personal data to a third country. As a transfer mechanism, Google and the website operator had entered into the standard contractual clauses released by the European Commission for the transfer of personal data to third countries. However, the DSB deemed that the parties, in addition to the standard clauses, failed to implement safeguards that effectively prevented access to the personal data by US authorities.
For its additional safeguards, the website operator had primarily relied on the tools Google provided, such as encryption and the fact that the personal data in question, according to Google and the website operator, was pseudonymized.
Regarding encryption, DSB states that if the importer of personal data has the possibility to access the personal data in plain text, encryption or other technical measures cannot be considered effective. Since Google was the party that offered the encryption feature, it was also Google that had access to the encryption key. Google could thus be required by US intelligence agencies to decrypt the stored information. If the recipient can decrypt the personal data themselves by accessing the encryption key, encryption is not an effective safeguard. As such, encryption provided by the entity importing the data, is not an effective measure and should not be relied upon by controllers for their third country transfers.
The DSB's assessment in this regard is in line with the guidelines of the Data Protection Board regarding the Schrems II judgement (Recommendations 01/2022 of 18 June 2021) (the "Guidelines"). Pursuant to the Guidelines, encryption can be an effective safeguard if, amongst other criteria, encryption keys are handled by the exporter of the personal data or by an entity trusted by the exporter in a jurisdiction that offers an equivalent level of protection as within the EU.
A controller wishing to rely on encryption to carry out a transfer of personal data to third countries should therefore ensure that the recipient of the data does not have any reasonable way to access the encryption key. In addition, all other encryption conditions must be met in order for encryption to be considered an effective safeguard measure (for example, the encryption must be robust enough not to fail when analyzed by the authorities of the recipient country).
In addition to encryption, Google and the website operator argued that the personal data transferred was protected through pseudonymization. Pseudonymised data is personal data that can no longer be attributed to a specific person without the use of additional information, provided that such additional information is kept separately. However, contrary to the claims of Google and the website operator, the DSB concluded that the personal data in the present case was not pseudonymized.
The information that was transferred consisted of IP addresses and online identifiers. Online identifiers are usually attributed to users through cookies when the users navigate websites. The purpose of online identifiers is to enable tracking of users between websites to link information from multiple sources to one identifier, thereby gathering more data about a single individual. The purpose of online identifiers is thus not to protect an individual's privacy, but rather to be able to tie more data to the individual.
In its decision, DSB highlights this purpose by online identifiers and refers to a statement by the German Data Protection Conference which emphasizes that online identifiers cannot be considered pseudonymized data due to this purpose. Since the identifiers aim to track an individual's patterns from several sources, they lack a protective effect. DSB therefore concluded that the personal data transferred was not effectively protected by pseudonymization.
In view of the foregoing, DSB stated that the website operator, as data controller for the processing, had violated chapter five of the GDPR by transferring personal data to the US without taking effective additional safeguards. DSB did not impose an administrative fine on the website operator, as the website was transferred to a German company during the process.
In conclusion, it can be said that the decision confirms what the CJEU ruled in the Schrems II case: transfers of personal data to non-EU countries may only take place if they comply with the conditions laid down in chapter five of the GDPR and if the data exporter ensures that the legislation of the recipient country does not undermine the protection of personal data offered to EU citizens. If such protection is undermined by legislation in the recipient country, the data exporter must implement additional safeguards that effectively counteract the identified risks and flaws.
DSB's ruling was likely the first of many, as the NOYB has lodged several complaints with regulators across the EU regarding transfers of personal data to non-EU countries. This will allow us to see how the supervisory authorities will deal specifically with the effects of the Schrems II case. As it stands, it is clear that controllers cannot simply rely on security measures offered by the US entities, as these measures do not effectively prevent public authorities from accessing EU citizens' personal data.