The Austrian data protection authority (sterreichische Datenschutzbehrde; Austrian DPA) recently ruled that the use of Google Analytics violated Chapter V (transfers of personal data to third parties) of the EU General Data Protection Regulation (GDPR) in light of the Schrems II judgment issued by the Court of Justice of the European Union (CJEU) on July 16, 2020.
Statements from the Danish and Norwegian data protection authorities (DPAs) indicate that other European DPAs are likely to take a similar view. Since the underlying complaint is one of over a hundred filed by None of Your Business (NOYB) across the European Economic Area, the decision of the Austrian DPA may well mark the beginning of a new chapter when transferring personal data to the U.S. as enforcement of the Schrems II judgment kicks off across Europe.
Max Schrems's non-governmental organization, NOYB, has filed complaints in all 30 of the European Economic Area (EEA) Member States against 101European companies following the Schrems II judgement in relation to companies allegedly transferring personal data to Google and Facebook in violation of the GDPR (NOYB published an article about the filed complaints). In response to these complaints, the Austrian DPA conducted a cross-border investigation into Google's and Facebook's data transfer practices.
On January 13, 2022, the Austrian DPA published its (partial) decision (Decision) based on one of those complaints. The complaint was directed against (1) an operator of an Austrian website (Website Operator) which used the Google Analytics tracking and analytics tool on its website, as well as (2) Google LLC as the provider of this tool in the U.S., to whom data was transferred through the tool.
Google Analytics is a web analytics tool which, when implemented on a website, collects information about the usage of that website by its users and shares that information with Google. Google then analyses that information and shares analytics data with the website operator, providing them with valuable insights about how users use their website.
Even though the Website Operator claimed that the data transferred from it to Google LLC through Google Analytics was not personal data under the GDPR, both parties had entered into Google's data processing agreement for its advertising services and the standard contractual clauses (SCC) published by the European Commission on February 5, 2010. The Austrian DPA noted that the Website Operator had not (i) (properly) activated the option to "anonymize" the IP Address of website users, which is generally available for Google Analytics, or (ii) asked its website users to give their consent in relation to data transfers to Google LLC.
The Austrian DPA ruled that:
Personal Data Transfer Finding
The Austrian DPA outlined that information constitutes "personal data" under the GDPR if it allows for the singling out of an individual user of a website. An immediate identification of someone's actual identity would not be necessary for information to be regarded as personal data.
In addition to the "IP anonymization" feature of Google Analytics not being properly activated (leading to the sharing of users' IP addresses with Google LLC), the Austrian DPA noted that further unique identifiers were transferred to Google. Given Google's technical abilities, it would have been able to link certain information to a user's Google account if that user was logged into its Google account when visiting the website at hand.
Hereby, the Austrian DPA indicated that the unique identifiers may, in and of themselves, already constitute personal data and that this would be true even more so for the complete information obtained by Google LLC.
Insufficient SCC and Supplementary Measures Finding
The Austrian DPA found that Google LLC qualified as an electronic communications services provider, and therefore was "clearly" subject to U.S. surveillance laws (i.e., FISA 702) and surveillance by U.S. intelligence agencies. It also pointed to access requests outlined in Google's transparency report as further proof of this. On that basis, it reiterated the Schrems II judgement and determined that the SCC alone was not an adequate safeguard for the transfer of data to Google LLC in the U.S. because the SCC terms were not binding on U.S. authorities.
It further determined that the supplementary measures (including inter alia an encryption of the data transfer with Google holding the key, regular publication of transparency reports by Google, a possible notification of individuals affected by access requests) implemented by Google LLC was insufficient to remedy the inadequate protection afforded to users as identified by the CJEU, as they would not prevent U.S. surveillance agencies from accessing the transferred personal data.
The Austrian DPA's Decision does not prohibit the use of Google Analytics across the EU from a legal standpoint.
The Austrian DPA's competence is generally limited to the territory of Austria under the GDPR. Furthermore, the Decision of the Austrian DPA is based on the specific set of facts of the case at hand and is not final. It can still be appealed.
It should be noted that (i) Google Analytics could be implemented differently to a certain extent (please see below) and (ii) some of the facts underlying the Decision have changed since the filing of the complaint. In particular, new Standard Contractual Clauses (New SCC) have been released by the European Commission (Decision (EU) 2021/914 of 4 June 2021) since the passing of the Schrems II judgement, and in the meantime, Google LLC has been replaced with Google Ireland Limited as the contractual partner of EU customers (as stated in the Decision).
However, in any event, the use of the current version of Google Analytics in the EEA is likely to come with legal risks as set out below.
It seems likely that DPAs in other EU Member States are going to take a similar view.
NYOB filed 101 complaints across the EU, so more decisions on this point are likely to follow. It seems likely that other EU DPA's will come to similar conclusions as the Austrian DPA. The head of the Austrian DPA, Andrea Jelinek, is also currently the chairwoman of the European Data Protection Board (EDPB; EDPB - Who we are), the EU body which is composed of the heads of the EU data protection authorities (DPAs), which could influence a Europe-wide approach that reflects the Austrian DPA's decision.
Other DPAs in the EEA have already responded to the decision:
Further, since the complaint was filed, the Website Operator was acquired by a German company, and so the Austrian DPA has forwarded the case at hand to the competent German DPA, which will decide whether the Website Operator should be prohibited from sharing personal data with Google. This means that we will likely get to know another SA's viewpoint on the case at hand. On a side note, the Austrian DPA also stated that it will continue to investigate Google LLC for alleged violations in the case at hand.
Using the new SCC is not enough to satisfy GDPR requirements for international data transfers.
The European Commission has added certain clauses to the New SCC based on the Schrems II judgement, such as the requirement to perform a transfer impact assessment (TIA) and obligations on the entity in the third country (e.g., the U.S.) to provide information about government access requests (where legally possible).
However, the New SCC is unable to address the main shortcomings of the SCC identified in the Schrems II judgement and by the Austrian DPA. The SCC is "just" a contract between two companies whose terms are not binding on government authorities in countries outside the EU to which personal data is transferred. Therefore, a TIA will have to be performed and based on its results, an assessment will have to be made as to whether one may be able to address any possible shortcomings through the implementation of technical, organizational and/or contractual supplementary measures.
Turning on the "IP anonymization" feature of Google Analytics does not avoid the applicability of the GDPR in the eyes of EU DPAs.
Google Analytics includes a feature which allows for the so-called "anonymization" of the user's IP address by deleting several of its digits (Google - IP Anonymization (or IP masking) in Google Analytics). As stated above, the feature was not (correctly) turned on by the Website Operator. However, the German DPAs have already determined and the Austrian DPA indicated a similar view in its Decision that Google Analytics would even in cases of the activation of this feature still process personal data because of the collection of additional information which would allow for the singling out of a user (DSK Hinweise zum Einsatz von Google Analytics (in German).
That said, the feature should still be activated as a mitigation measure when using Google Analytics in the EEA.
Obtaining user consent might mitigate some risk, even if it can be complicated in practice.
The Austrian DPA clarified that consent was not obtained in this case and therefore did not pass judgement on such approach in its Decision.
Article 49(1)(a) of the GDPR includes a derogation which allows for the transfer of personal data to a third country (such as the U.S.) based on consent of the individual.
However, relying on such consent comes with the following challenges when it comes to Google Analytics:
Irrespective of these challenges, and since consent will have to be obtained from users when using Google Analytics in any case (usually through a cookie banner), adding language for international data transfers could be a reasonable mitigation measure.
Google Ireland (instead of Google LLC) being the contractual partner of Website Operators by itself does not justify a different result.
According to the Google Analytics Terms of Service (in German), Google Analytics is now provided by Google Ireland Limited in the EEA. However, based on section 10.1 of the Google Ads Data Processing Terms, which states that "Google may process Customer Personal Data in any country in which Google or any of its Subprocessors maintains facilities", the transfer of data collected via Google Analytics to Google in the U.S. (via Google Ireland Limited) seems probable.
In its Decision, the Austrian DPA considered that the Website Operator was the controller in relation to the personal data processed by Google Analytics and that Google LLC was its processor. German DPAs also took the view that the respective Website Operator using Google Analytics would be a controller, albeit assuming a joint controllership with Google (DSK Hinweise zum Einsatz von Google Analytics (in German)). In either case, the respective Website Operator cannot exclude itself from its responsibility to ensure GDPR compliance in relation to the processing of personal data (including applicable international data transfers to the U.S.) via Google Analytics, even if Google Ireland Limited is its contractual partner instead of Google LLC.
Mitigation measures that should be implemented if one may want to continue using Google Analytics in the EEA.
In summary, we recommend implementing the following mitigation measures when using Google Analytics in the EEA:
In the eyes of DPAs in the EEA, taking all the steps above may still not lead to (full) compliance with the requirements for international data transfers under the GDPR. However, they will allow an organization to show a DPA that several reasonable actions were taken to advance GDPR compliance, which can (significantly) improve its position if it intends to continue to use Google Analytics. In light of this risk, companies may also wish to consider Google Analytics alternatives, which ensures that the personal data of users remains in the EEA.
Google's reaction to the Decision.
On 19 January 2022, Kent Walker, the President of Global Affairs & Chief Legal Officer of Google published a blog post with a reaction to the Decision of the Austrian DPA (Google Blog Post). The blog post especially states that Google "has never once received the type of demand the DPA speculated about" and would not expect for such demand "to fall within the narrow scope of the relevant law"(which is likely a reference to FISA 702).
Mr. Walker challenged the decision of the Austrian DPA as not reflecting the Schrems II judgment. In his view, the CJEU's judgment was interpreted too restrictively by the Austrian DPA, while he considered the supplementary measures implemented by Google (Google - Safeguards for international transfers) at the time of the blog post to be appropriate.
He further emphasized the importance of the EU and U.S. governments coming to terms on a successor agreement to the invalidated U.S.-EU Privacy Shield framework.
Note: The EU and U.S. governments have been negotiating a replacement for the Privacy Shield since the Schrems II judgement. However, recent statements from representatives of the European Commission and the US Department of Commerce suggest that these negotiations may not conclude in the near future (Article from datenschutz-praxis.de about Privacy Shield Negotiations (in German).
Originally posted here:
- Is Google Advertising Revenue 70%, 80%, Or 90% Of Alphabets Total Revenue? - Forbes [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- Google My Business Photos Being Added To Google Posts Without Option To Delete - Search Engine Roundtable [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- Even amid the affluence of tech capital in Silicon Valley, local news struggles - CNBC [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- Where in the world was Santa? It depended on which online tracker you were following - The Boston Globe [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- Huawei, Facebook, and Oracle Put Pressure on Google - Market Realist [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- Huawei and Google Diverge in Their Treatment of ToTok - Market Realist [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- Google Maps: Aftermath of plane crash in Somalia discovered - what happened? - Express [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- Why Apple, Google, and other big tech companies create their own fonts - Mashable [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- ProBeat: Google only updated Android distribution data once in 2019 - VentureBeat [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- 10 things to try with your new Google Nest smart speaker - VentureBeat [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- Google workers exposed to chemical that causes birth defects - City A.M. [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- The most popular products of 2019, according to Google - TODAY [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- Google Chromes five security features that every user should know - Hindustan Times [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- Googles YouTube Goes To War With Bitcoin And Crypto [Updated] - Forbes [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- Google is poised to make another blitz at CES 2020 - CNET [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- These Were The Top Google Searches And Trends Of 2019 - Forbes [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- Google Search now lets you add movies and shows to a 'Watchlist' - Engadget [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- 31-year-old Google executive says reading this one book has had a huge influence on her career - CNBC [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- Obama praises book that slams his White House for its Google relationship - Mashable [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- Why Google was the most important brand marketer of the 2010s - Fast Company [Last Updated On: December 30th, 2019] [Originally Added On: December 30th, 2019]
- Amazon and Facebook Are the Most 'Evil' Tech Companies, According to Experts. Google Isn't Far Behind - Inc. [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Google Rich Results testing tool now reports on unloadable embedded resources - Search Engine Land [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Google Assistant routines haven't worked on Android Auto for over a year, still no fix in sight (Update: Google acknowledges) - Android Police [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Jussie Smollett is probably toast now that Google is handing his data to the special prosecutor - Washington Examiner [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Americans trust Amazon and Google more than the police or the government - MarketWatch [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Using Google Authenticator? Here's why you should get rid of it - ZDNet [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Googles hidden AR tool will blow your mind - Creative Bloq [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Kids, Want to Win a $30,000 Scholarship and Show Your Art to Billions? Googles Annual Doodle Contest Is Now Open - artnet News [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- 1 Reason 2020 Will Be a Big Year for Google and Facebook - The Motley Fool [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Google Health Exec Defends Controversial Partnership With Ascension: Were Super Proud Of It - Forbes [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Labs arrive in Google app to let you experiment with features like pinch-to-zoom - 9to5Google [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Sorry, Alexa and Siri, but only Google Home can do these 5 things - CNET [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Kittle photobombed by The Rock in roster Google search - NBCSports.com [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- This Is How Your iPhone Is A Cool New Way To Access Google - Forbes [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Googles Takeover of Fitbit Faces Another Regulatory Hurdle - Motley Fool [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Google Health VP on Ascension partnership: 'The press has made this into something it's not' - Healthcare IT News [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Google Maps keeps a detailed record of everywhere you go here's how to stop it - CNBC [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Will Googles more-efficient Reformer mitigate or accelerate the arms race in AI? - ZDNet [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Rachel Bovard: Congress has a role to play in regulating Google - Home - WSFX [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Why Google added little logos next to search results this week - CNBC [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Report: Google wants to bring the Steam game store to Chrome OS? - Ars Technica [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- BT partners with Google to bundle free Stadia with broadband deals in the UK - The Verge [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Google Play [Last Updated On: January 18th, 2020] [Originally Added On: January 18th, 2020]
- Google Photos app for Android will soon phase out the hamburger menu - GSMArena.com news - GSMArena.com [Last Updated On: March 5th, 2020] [Originally Added On: March 5th, 2020]
- What Is Google Coral And Do You Need It? - Lifehacker Australia [Last Updated On: March 5th, 2020] [Originally Added On: March 5th, 2020]
- Google and Amazon limit employees travel because of coronavirus fears - The Verge [Last Updated On: March 5th, 2020] [Originally Added On: March 5th, 2020]
- Google, Toyota Tsusho invest in WhereIsMyTransport to map transport in emerging cities - TechCrunch [Last Updated On: March 5th, 2020] [Originally Added On: March 5th, 2020]
- This Is Huaweis Alarming New Surprise For Google: Heres Why You Should Be Concerned - Forbes [Last Updated On: March 5th, 2020] [Originally Added On: March 5th, 2020]
- Google and Microsoft offer free teleconferencing tools to combat coronavirus - TechRadar [Last Updated On: March 5th, 2020] [Originally Added On: March 5th, 2020]
- Google bans on-site job interviews for the foreseeable future due to coronavirus - The Verge [Last Updated On: March 5th, 2020] [Originally Added On: March 5th, 2020]
- AWS to double sales droids as Google, Microsoft's growing clouds threaten to gobble larger slices of Bezos' pie - The Register [Last Updated On: March 5th, 2020] [Originally Added On: March 5th, 2020]
- Google's Exposure To Travel Will Impact Revenue, BofA Says - Benzinga [Last Updated On: March 5th, 2020] [Originally Added On: March 5th, 2020]
- Google Cloud goes after the telco business with Anthos for Telecom and its Global Mobile Edge Cloud - TechCrunch [Last Updated On: March 5th, 2020] [Originally Added On: March 5th, 2020]
- Apple, Microsoft, Google look to move production away from China. That's not going to be easy - CNBC [Last Updated On: March 5th, 2020] [Originally Added On: March 5th, 2020]
- Google will lose its John Legend Google Assistant voice on March 23rd - The Verge [Last Updated On: March 5th, 2020] [Originally Added On: March 5th, 2020]
- Google and Microsoft are giving away enterprise conferencing tools due to coronavirus - The Verge [Last Updated On: March 5th, 2020] [Originally Added On: March 5th, 2020]
- Google Stadia now supports 4K streaming on the web - The Verge [Last Updated On: March 5th, 2020] [Originally Added On: March 5th, 2020]
- Star Engineer Who Crossed Google Is Ordered to Pay $179 Million to Company - The New York Times [Last Updated On: March 5th, 2020] [Originally Added On: March 5th, 2020]
- Why companies like Microsoft and Google are betting big on Africa - CNBC [Last Updated On: March 8th, 2020] [Originally Added On: March 8th, 2020]
- Google Announces A Coronavirus Incentive For G SuiteAnd Other Small Business Tech News - Forbes [Last Updated On: March 8th, 2020] [Originally Added On: March 8th, 2020]
- Microsoft, Google, and Twitter Are Telling Employees to Work From Home Because of Coronavirus. Should You? - Inc. [Last Updated On: March 8th, 2020] [Originally Added On: March 8th, 2020]
- Facebook, Google among those kicking some cash over to Silicon Valley communities affected by coronavirus cancellations - CNBC [Last Updated On: March 8th, 2020] [Originally Added On: March 8th, 2020]
- Google now giving away three months of Stadia access to Chromecast owners - The Verge [Last Updated On: March 8th, 2020] [Originally Added On: March 8th, 2020]
- Google location data turned a random biker into a burglary suspect - The Verge [Last Updated On: March 8th, 2020] [Originally Added On: March 8th, 2020]
- Apple, Google and others partner with Ad Council and US govt to expand coronavirus messaging - The Drum [Last Updated On: March 30th, 2020] [Originally Added On: March 30th, 2020]
- Google Has No Plans To Postpone Killing Third-Party Cookies In Chrome - AdExchanger [Last Updated On: March 30th, 2020] [Originally Added On: March 30th, 2020]
- Why Zoom is winning so much hype over Microsoft and Google - Business Insider [Last Updated On: March 30th, 2020] [Originally Added On: March 30th, 2020]
- Logged On From the Laundry Room: How the C.E.O.s of Google, Pfizer and Slack Work From Home - The New York Times [Last Updated On: March 30th, 2020] [Originally Added On: March 30th, 2020]
- Google cancels its infamous April Fools jokes this year - The Verge [Last Updated On: March 30th, 2020] [Originally Added On: March 30th, 2020]
- Google Tests Audience Buying In ADH, A Big Step From Analytics To Activation - AdExchanger [Last Updated On: March 30th, 2020] [Originally Added On: March 30th, 2020]
- Googles new Pixel Buds could hit spring release date, as they may have just hit the FCC - The Verge [Last Updated On: March 30th, 2020] [Originally Added On: March 30th, 2020]
- Google Removes Infowars Android App From Online Store Over Coronavirus Misinformation - Variety [Last Updated On: March 30th, 2020] [Originally Added On: March 30th, 2020]
- Cruising Through South Central Los Angeles With Google Street View : The Picture Show - NPR [Last Updated On: March 30th, 2020] [Originally Added On: March 30th, 2020]
- Google ups Duo group calling limit from eight to twelve - The Verge [Last Updated On: March 30th, 2020] [Originally Added On: March 30th, 2020]
- Outside China, Android isnt Android without Google - The Verge [Last Updated On: March 30th, 2020] [Originally Added On: March 30th, 2020]
- Google has banned the Infowars Android app over false coronavirus claims - The Verge [Last Updated On: March 30th, 2020] [Originally Added On: March 30th, 2020]
- My top 3 Google Home pet peeves and how to fix them - CNET [Last Updated On: March 30th, 2020] [Originally Added On: March 30th, 2020]
- Google Unveiled a Massive Stimulus Program of Its Own - Inc. [Last Updated On: March 30th, 2020] [Originally Added On: March 30th, 2020]
- Facebook, Google and Twitter Struggle to Handle Novembers Election - The New York Times [Last Updated On: March 30th, 2020] [Originally Added On: March 30th, 2020]
- Test and trace with Apple and Google - TechCrunch [Last Updated On: March 30th, 2020] [Originally Added On: March 30th, 2020]