The Austrian Google Analytics decision: The race is on – IAPP

Posted: February 9, 2022 at 1:42 am

Last month, the Austrian data protection authority fired the starting gun by issuing the most impactful post-Schrems II enforcement decision to date.

Privacy professionals are racing to assess, to comply, to enforce, and to find a more workable long-term solution for data transfers.

The many runners in our field will recall, perhaps with some nostalgic butterflies, that a starter's pistol can signify three things: 1) the start of the race; 2) a fault and disqualification for one or many; 3) that the finish line is approaching, with one lap left.

Privacy professionals must now help their CEOs, boards, and the senior-most government officials involved in data transfer talks understand these three possibilities and the potential impacts of each.

If we consider the Austrian decision the start of the race, we must acknowledge it's been a long and grueling warm-up. For more than 18 months, regulators, policymakers and companies have considered all possibilities to remedy the government access concerns identified by the Court of Justice of the European Union when it invalidated EU-U.S. Privacy Shield on July 16, 2020 (the impetus for this case and decision), and implemented those they could. This could be the start of something much bigger.

Austria's decision is the first of a cascade of likely similar decisions to come and is the first among 101 cases of similar substance that NOYB filed across the EU. In response, the European Data Protection Board established a task force and jointly considered how to address these 101 cases. The Dutch and Danish DPAs issued statements that they are considering the Austrian decision, while rumors flew early that France would issue a decision next. This suggests that the remainder of the decisions could follow a similar logic.

This decision is also the first test of the sufficiency of safeguards to remedy foreign government access concerns in practice in the commercial sector. Between July 2020 and January 2022, DPAs issued guidance on supplementary measures, launched investigations into the adequacy of data transfer protections, and issued decisions focused on the public sector and on process failures, such as the failure to conduct a transfer impact assessment. They held off on deciding whether those protections met their test in practice outside the public sector and particularly sensitive areas.

Until now.

The 101 NOYB cases are also far from everything. Austria's decision comes amidst a broader ramp-up in GDPR enforcement and DPAs' displayed willingness to bring cases that demand changes in business practices (the Belgian DPA's recent decision against IAB Europe is a case in point). We know this decision will inspire additional complaints regarding Google Analytics and data transfers more generally. We already saw one such complaint in France. Other major investigations, such as the Irish Data Protection Commission's Facebook case, may also result in near-term and impactful decisions.

Whether you are watching from the stands or standing on the track, a disqualifying shot is gutting. It certainly could be for data flows or the communications and business models that rely on them. The question is who or what is out. That depends on whether:

We see evidence of all three already.

Privacy professionals should brief senior leaders on the increased material risks their businesses face and the need for greater due diligence to demonstrate to EU partners that they have mitigated the risks to data transfers in practice. They should conduct transfer impact assessments and implement and document the supplemental measures recommended by the EDPB where possible. They should also make senior leaders aware that risk will remain until a diplomatic solution is reached: a new trans-Atlantic accord and, longer term, more global solutions.

To fully understand how Austria's decision shifts the risk calculus, privacy teams should consider its findings. For an in-depth analysis of the decision, see Gabriela Zanfir-Fortuna's recent blog post. For the key takeaways, see below.

In short, the decision implements a broad view of what constitutes a transfer of personal data, a legal-only view of the risk that must be remedied, and a narrow view of what qualifies as adequate safeguards to remedy identified deficiencies in foreign government access protections.

Since many business operations require access to data in the clear, the operative question is: who or what could be subject to FISA 702? While the U.S. government has attempted to help businesses address that question, what matters now is how EU authorities answer it. On Jan. 25, the conference of German data protection commissioners published an expert opinion by Stephen Vladeck on the scope of FISA 702 applicability. The questions Vladeck fielded and the answers he offered shed light on the broad swath of companies that face near-term risks of regulatory scrutiny, fines, and lost business, should EU customers fear either of those and shift to domestic service providers.

German authorities asked about the applicability of FISA 702 to businesses as diverse as banks, airlines, hotels and shipping companies, and Vladeck replied that in some contexts, yes, it could be applicable to each. German authorities also asked about data held by companies in Europe with some U.S. connection, in line with the reasoning in the interim German Wiesbaden decision. Here the answer is more nuanced, but the line of questioning demonstrates that regulatory scrutiny and business risk are far-reaching.

U.S. and EU negotiators building a replacement for Privacy Shield have been jockeying for more than a year, but it certainly seems they just heard the one-lap-to-go shot. They now seem to be sprinting toward the finish line.

For businesses and regulators, a diplomatic solution cannot come fast enough. The EDPB's recommendations on supplementary measures made clear that businesses could not address the CJEU's and DPAs' concerns with U.S. surveillance laws alone. The Austrian decision showed just how limited their practical options have become and how likely it is that businesses on both sides of the Atlantic will pay the price without a political solution.

The remaining question is how soon they will cross the line and how different the field might look by the time they do.

*All quotes are taken from the machine translation of the Austrian decision, posted on NOYB's website.
