The recent decision by the Austrian Data Protection Authority that the use of Google Analytics violates the EU General Data Protection Regulation could have “far-reaching implications.” The decision, published Jan. 13, is the first of 101 complaints filed across EU countries by advocacy group NOYB alleging companies using Google Analytics were not complying with the July 2020 Court of Justice of the European Union’s “Schrems II” decision on data transfers. The “Schrems II” decision invalidated the EU-U.S. Privacy Shield agreement.
The Austrian DPA ruled that in providing the Google Analytics service, the company collects and transfers personal data to the U.S. while failing to protect it from U.S. government surveillance. The DPA determined configuration abilities for customers, including truncating IP addresses, are insufficient to prevent re-identification, potentially by Google or the U.S. government. The decision also determined that supplementary measures implemented by Google, including government access transparency reports and encryption of data, were insufficient, he said.
“The decision casts a dark cloud over any conceivable method of legally transferring data between the continents,” , adding it will have “far-reaching implications.” “In the absence of a breakthrough in Privacy Shield negotiations, data transfers – and consequently international trade – between the EU and U.S. face a bleak future.”
Just days before the Austrian DPA’s decision, the European Data Protection Supervisor reprimanded the European Parliament for breaching GDPR related to its COVID-19 test booking website launched in September 2020. The website was found to be using cookies associated with Google Analytics and Stripe, while the EDPS said Parliament failed to demonstrate measures to safeguard associated data transfers to the U.S.
Other DPAs could follow as more decisions on the use of U.S. providers are expected in the coming months. The Dutch Data Protection Authority said it is investigating two complaints in the Netherlands on the use of Google Analytics. The implications of the Austria decision “could be huge” if other EU regulators take the same view, particularly as the same issues would then arise also with many other services of U.S. providers. What we see is increasing enforcement in the public sector, as the EDPS action against the EU Parliament shows. We see similar developments on a national level too. At the end of the day, the question will be to what extent and how quickly Google and other providers can adapt their services to the changing legal requirements.
Alston & Bird Senior Counsel and Research Director of Georgia Tech’s Cross-Border Data Forum Peter Swire said authorities and future decision makers “should consider how disruptive these judgements can be to many functions on today’s internet,” noting market measurement differs from targeted marketing. “The purpose of market measurement is not to target an individual. The purpose of market measurement is to provide aggregate statistics about visitors to a site,” he said. “So, the privacy risk in market measurement seems lower than individualized and targeted marketing.”
In a blog post published Wednesday, Google’s President of Global Affairs and Chief Legal Officer Kent Walker urged EU and U.S. governments to finalize a successor to the Privacy Shield agreement. Walker said Google has offered analytics-related services to business around the world for more than 15 years “and in all that time has never once received the type of demand the DPA speculated about.” ; “We strongly support an accord, and have for many years supported reasonable rules governing government access to user data. We have long advocated for government transparency, lawful processes and surveillance reform,” he said. “We urge quick action to restore a practical framework that both protects privacy and promotes prosperity.”
More information on the case and its potential implications here.