This blog collates a number of questions submitted during the webinar and provides further insight into this important decision.
1) What did the Austrian DPA decide about the use of Google Analytics?
On 13 January 2022, the Austrian Data Protection Authority (Österreichische Datenschutzbehörde or "Austrian DPA") published its decision concerning the use of Google Analytics by a health website called netdoktor.at. The Austrian DPA held that the website operator violated Article 44 of the GDPR by failing to ensure that personal data transferred to Google in the United States had been afforded an adequate level of protection.
In particular, the Austrian DPA found that:
- The data collected by Google Analytics – including unique identification numbers, IP address and browser parameters – constituted personal data within the meaning of the GDPR.
- The data was not pseudonymous because the unique identification numbers (alone or when combined with other data elements) could be used to "single out" the user from other website visitors. Furthermore, the website operator had not properly enabled the "IP anonymization" feature.
- The website operator was the controller and Google a processor of the personal data.
- The data was made available to Google LLC and therefore "transferred" to the United States within the meaning of Article 44 of the GDPR. The website operator and Google LLC had entered into the old version of the standard contractual clauses ("SCCs").
- Google qualified as an "electronic communications service provider" ("ECSP") subject to Section 702 of the Foreign Intelligence Surveillance Act ("FISA 702") and, as revealed by its own transparency reports, regularly receives requests from US government authorities to disclose user data.
- The supplementary measures implemented by Google, in addition to the SCCs, were insufficient to eliminate the monitoring and access of personal data by US government authorities.
- The website operator (as data exporter) was solely responsible for violating Article 44 of the GDPR. Google was not responsible, as the GDPR does not impose any obligations on data importers.
The Austrian DPA did not issue a fine or penalty notice against the website operator, although the case has not yet been finalized (see below).
This was the first decision issued as a result of the 101 complaints filed by noyb regarding the use of Google Analytics and Facebook Connect by EU-based controllers.
2) Would it have made a difference if "IP anonymization" had been enabled?
No, probably not.
Google Analytics includes an optional feature called "IP anonymization" that, when enabled, truncates the last octet of the IP address immediately after it is received by Google. The feature had not been enabled by the website operator, but this does not appear to have been a material factor in the Austrian DPA's findings.
In assessing whether the data collected by Google constituted personal data, the Austrian DPA pointed to the fact that the cookies deployed by the website ("_ga", "cid" and "_gid") contained unique identification numbers that allowed both the website operator and Google to distinguish website visitors and identify whether the user was a new or returning visitor. The user was therefore identifiable and could be "singled out", as per Recital 26 of the GDPR – this only became more true when the unique identification numbers were combined with the other data elements collected (including IP address). Finally, the data was also traceable to the user in question – not only because Google could link the data to the user's Google account but because (according to the Austrian DPA) US surveillance agencies regularly use online identifiers to monitor individuals. The IP address (and the role of the "IP anonymization" feature) was thus only "one piece of the puzzle" considered by the Austrian DPA.
3) Would it have made a difference if Google was not subject to FISA 702?
Yes, quite possibly.
As a reminder, Schrems II was primarily concerned with two US surveillance laws – FISA 702 and EO 12333 – which the CJEU considered to be "problematic" under EU law. The fact that the Austrian DPA concluded Google qualified as an ECSP and was subject to FISA 702 was an important aspect of the decision. Although there have not yet been any cases considering this point, companies that are not subject to FISA 702 could potentially argue that the issues raised by Schrems II (concerning disproportionate US government surveillance and the need for supplementary measures) are not directly relevant to them.
It's also notable that the Austrian DPA chose not to focus on the likelihood of government access or practical risks involved for the data in question, but rather on the fact that, as a company, Google regularly receives different types of government requests and the data could therefore be theoretically susceptible to government access. In a statement published after the decision, Google claimed it has "never once received the type of demand the [Austrian DPA] speculated about" and does not expect to receive one "because such a demand would be unlikely to fall within the narrow scope of the relevant law".
4) Why were Google's supplementary measures not considered sufficient?
It's difficult to say, but it seems to have come down to the encryption key.
In a letter to the Austrian DPA, Google provided an outline of the technical, legal and organizational measures it had implemented to protect the data according to the standards required by EU law. These measures included a policy for handling government access requests, regular publication of transparency reports, encryption in transit and at rest using advanced encryption standards, ISO 27001 certification, and additional features like "IP anonymization".
However, the Austrian DPA determined that Google had not demonstrated how any of these measures would prevent monitoring and access by US government authorities. In particular, the Austrian DPA pointed to the fact that Google held the encryption key and could therefore be compelled to provide US authorities with access to the data. Effectively, none of the supplementary measures could be regarded as effective so long as Google had the opportunity to access the data in plain text.
5) What reaction has there been to the decision so far?
Since the decision, a few DPAs have published statements suggesting that they may take a similar view to the Austrian DPA. The Norwegian DPA (Datatilsynet) announced that its own investigations into the noyb complaints will be influenced by the Austrian DPA's decision and recommended alternatives to Google Analytics, and the Danish DPA (Datatilsynet) announced it would be issuing its own guidance on the use of Google Analytics based on this decision. Meanwhile, the Dutch DPA updated its cookies page to state that the "use of Google Analytics may soon not be allowed". It's possible we will see statements from other DPAs soon.
6) Could the findings of the Austrian DPA with respect to Google Analytics be applied to other analytics tools?
Yes, this is a distinct possibility.
Although the Austrian DPA's decision is limited to the use of Google Analytics and the specific circumstances of the case, it could potentially affect all EU data exporters that use analytics tools provided by entities outside the EU (and US-based providers, in particular).
For Google, this decision is not an isolated one. In the past month, there have been two other decisions regarding the use of Google services. Shortly before the Austrian DPA's decision, the European Data Protection Supervisor ("EDPS") issued a similar decision regarding the use of Google Analytics and Stripe by the European Parliament on its COVID test booking website. The EDPS also found that the European Parliament had failed to demonstrate supplemental measures to protect the data transferred to the US. More recently, a local court in Munich ruled last week that the use of Google Fonts by a German website violated Article 44 of the GDPR due to the lack of supplementary measures.
7) Is data localization a possible alternative?
Data localization may seem like a natural solution to the challenges raised by Schrems II, but will not necessarily provide a complete answer.
To begin with, it is very difficult (if not impossible) for most US-based providers to offer 100% localization in the EU and avoid any form of transfer. Even where data can be hosted within the region, it may still need to be accessed in the US (or elsewhere) for a range of operational and business reasons – such as support, troubleshooting or analytics purposes. Similarly, services often rely on sub-processors that are located or otherwise process the data outside the EU.
There is also some legal uncertainty about the value of data localization. Based on a small number of decisions, there are indications that the mere use of a US-based provider could potentially trigger the data transfer rules – even where the data is hosted in the EU. For example, in December 2021 a court in Germany (the Administrative Court of Wiesbaden) ruled that a website violated Article 44 of the GDPR through its use of the consent management platform, Cookiebot. Cookiebot is based in Denmark but uses Akamai (a US-based company) as its hosting provider. The court held that even though the data was hosted in the EU, the fact that Akamai was subject to US laws and could potentially be compelled to disclose data under the CLOUD Act meant that there was a transfer under the GDPR.
8) When will we hear about the possible successor to Privacy Shield?
It's difficult to say.
The EU Commissioner for Justice and US Secretary of Commerce issued a joint statement in March 2021 saying that negotiations on an enhanced Privacy Shield were intensifying, and four months later the US Department of Commerce Deputy Assistant Secretary for Services provided further assurances that negotiations were progressing. However, last month representatives from the EU and US indicated that negotiations would take more time and called for patience. Given the recent decisions concerning Google Analytics, and increasing pressure from Google and other US companies, we may potentially see something more concrete this year.
9) Have any US providers been able to demonstrate sufficient supplementary measures?
Yes, although the number of cases is limited.
In March 2021, a French court ruled that sufficient supplementary measures had been implemented by AWS in connection with its hosting of a COVID vaccination booking website (called Doctolib). Even though the Luxembourg-based subsidiary of AWS was hosting the website's data in France and Germany, the court found that there was still a risk of access by US government authorities because AWS was ultimately bound by US law. In this case, however, the court found that the supplementary measures were sufficient – these included commitments from AWS to challenge government requests, a 3-month data retention period and encryption (with the key being held by a trusted third party in France, and not by AWS). The court also acknowledged that the data did not include sensitive health data and consisted of (lower risk) booking information.
10) What can we expect next?
The Austrian DPA's decision is not final, as the website operator has merged with a German company and now falls within the jurisdiction of the Bavarian DPA. The Austrian DPA has referred the case to the Bavarian DPA, which will decide whether to impose a penalty or to issue an order against the company. At the same time, the Austrian DPA has stated it will continue to investigate Google for potential violations of the GDPR with respect to its sharing of personal data with US government authorities in connection with the case.
Looking further afield, this decision is just the first resulting from the 101 complaints issued by noyb so we should expect decisions from other regulators concerning Google Analytics and Facebook Connect soon.
With many thanks to Mark Linnane for his contributions to this article.