The Austrian Data Protection Authority (“DPA”) has recently published its decision concerning the use of Google Analytics. The DPA held that the use of Google Analytics (“GA”) on a website operated by an Austrian company (“Company”), which involved a transfer of personal data to Google LLC in the US, was in breach of Art 44 GDPR as neither the legacy Standard Contractual Clauses, nor the supplementary measures implemented by the Company and Google, provided an adequate level of protection.

In its decision, dated 22 December 2021, the DPA did not impose a fine on the Company, however, as the criminal administrative proceedings concerning fines are separately conducted under Austrian law, a fine is still possible in the future. The decision is not yet final and can be appealed against.

  1. Background of the decision

The decision in question comes following a complaint by the NGO ‘My Privacy is None of Your Business’ (“noyb”). Noyb filed a total of 101 complaints against a wide range of data exporters across Europe for their alleged continued transfer of personal data to Facebook and Google in the US, in breach of the CJEU “Schrems II” (C-311/18) judgment and GDPR Chapter V requirements. The decision of the DPA is the first decision to be issued by a supervisory authority as a result of the noyb complaints.

The DPA established the following facts:

  • The Company was using GA on its website. The IP anonymization function was not (properly) implemented.
  • The data subject who submitted the complaint (“User”) visited the website while being logged in to his Google account. Consequently, unique user identification numbers were transferred to Google LLC. The transferred data included User IDs, IP address and browser parameters.
  • The Company and Google LLC had entered into data processing agreements, including an agreement based on the legacy EU Standard Contractual Clauses (v. 2010/87/EU) (“SCCs”). They had also implemented additional contractual, organizational and technical measures.
  • The User’s consent for the data transfer was not obtained.
  1. Summary of the decision – DPA’s assessment
  • The DPA found the Company was in breach of the GDPR on the following grounds:
      • The Company had transferred personal data of the User to Google LLC in the US.
      • The SCCs used by the Company and Google LLC did not provide an adequate level of protection as required by Art 44 GDPR, as Google LLC is a provider of electronic communications services subject to surveillance by the US intelligence services pursuant to 50 U.S. Code § 1881a.
      • The supplementary measures implemented by the Company and Google LLC were not considered effective as they did not eliminate the possibility of US authorities accessing personal data received by Google LLC or conducting surveillance.
  • The complaint against Google LLC was, however, rejected, as the User’s complaint was only based on Art 44 GDPR, and Google LLC was not found to be in breach of this provision as it did not transfer any data.
  • At the core of the decision, is the DPA’s assessment of whether or not the processing activities in question constituted personal data, as well as the subsequent assessment of the lawfulness of the transfer of the data pursuant to Art 44 GDPR.
  1. Processing of personal data
  • The DPA came to the conclusion that the case involved a transfer of personal data, arguing that the unique identifiers stored within _ga and _gid cookies could be used to differentiate between users. The DPA held that the ability of the Company and Google LLC to “single out” and “individualize” the User is sufficient to constitute processing of the User’s personal data within the meaning of the GDPR.
  • The DPA went further, finding that in this particular case, the User can also be specifically identified by Google LLC as well as (potentially) by US public authorities. As concerns Google LLC, the DPA argued that the User being logged into his Google account would allow Google LLC to identify the user. Concerning the US public authorities, the DPA found that as they already use various online identifiers as a basis for surveillance of individuals, it could not be excluded that these intelligence services would be able to identify the User, by combining the data held by Google LLC and information already collected. In both cases, the DPA considered that the mere possibility of identification is sufficient to consider the processing as personal data processing.
  1. Lawfulness of personal data transfer
  • Given that the data processed by Google LLC was ‘personal data’, the DPA concluded that the transfer of personal data from the Company to Google LLC was in breach of Art 44 GDPR.
  • In line with the Schrems II decision, the DPA held that the SCCs alone cannot provide adequate protection for transferred personal data, without an assessment of the level of protection in the recipient country. When making this assessment, the DPA determined that Google LLC is subject to surveillance by the US intelligence agencies on the basis of 50 US Code § 1881a, and had also been subject to queries from US authorities, as set out in Google LLC’s transparency reports, and therefore the SCCs cannot guarantee an adequate level of protection for the personal data transferred.
  • The DPA’s assessment of the supplementary measures in place between the Company and Google LLC was mainly based on the EDPB Recommendations 01/2020 (“EDPB Recommendations”). The DPA concluded that the supplementary measures must precisely address specific deficiencies in the protection of personal data in the recipient country and therefore the measures should prevent access to data and surveillance by US intelligence agencies. The DPA found that the supplementary measures in place did not achieve this and were therefore insufficient.
  • Regarding encryption, the DPA again referred to the EDPB Recommendations, which conclude that encryption cannot be seen as a sufficient measure if the data recipient also has the encryption key and may be under an obligation to hand over the key together with the encrypted data. Consequently, the DPA found that, although data was encrypted, this was not sufficient to adequately protect the transferred personal data.
  • Finally, as concerns a breach of Art 44 by Google LLC, the DPA found that as Google just received the data, but did not disclose or transfer them, it did not breach Art 44 GDPR. However, the DPA explicitly stated that this conclusion does not preclude the DPA from initiating a further process ex officio against Google LLC for further data processing activities it conducts.
  1. Key takeaways
  • In line with existing case law and recommendations, the DPA has taken a broad interpretation when assessing whether the processing concerns “personal data”, deeming that “singling out” the User is already sufficient, as is the possibility of identification by relevant actors, ie, Google LLC and US authorities, to establish personal data processing.
  • Unsurprisingly, the legacy SCCs alone were deemed by the DPA to be insufficient to adequately protect transferred personal data, specifically for data transfers to the US. Unfortunately, the DPA did not assess the adequacy of the new SCCs (2021/914), as they were not used in this case.
  • When assessing the adequacy and the efficiency of the supplementary measures, the DPA broadly followed the EDPB Recommendations, in particular, that any supplementary measures may only be deemed effective if they address the specific deficiencies identified in the assessment of the third country. For the US, the DPA specifically stated that this “deficiency” is to be understood as access and surveillance possibilities of US intelligence services.
  • The DPA further reiterated that encryption is not an adequate measure if the recipient of personal data also has the key and may be obliged to disclose it together with the data.

As this is the first decision relating to the 101 complaints initiated by noyb, it provides some insight into the potential approach by supervisory authorities in relation to the other complaints filed. Furthermore, as the DPA’s decision is not final, and does not impose a fine for the determined breach, it is likely that further developments in relation to this decision will follow.