Additional Data Protection Authorities Assess Legality Around Using Google Analytics
In 2020, the European Court of Justice (ECJ) ruled in the Schrems II decision that the EU-U.S. Privacy Shield data transfer mechanism – a primary mechanism previously available to companies exporting data from the European Union to the United States – was not consistent with European data protection laws and was not an acceptable means for transferring personal data. As a result, the EU-U.S. Privacy Shield was invalidated.
In response to the ECJ’s decision, the EU and U.S. began working to identify a new arrangement for transferring personal data from the EU to the U.S. However, to date, no substitute data transfer mechanism has been identified partially because, as addressed in Schrems II, current U.S. law does not protect EU citizens from possible government surveillance under a Foreign Intelligence Surveillance Act (FISA) warrant to the extent that they are protected under EU law. As discussed in our post from February 2022, “Austrian DPA Says Google Analytics Use Violates GDPR,” upon issuance of the ECJ’s judgment, noyb – an Austrian NGO – filed complaints with every EU Member State Data Protection Authority (DPA) regarding potential violations of the data transfer requirements set forth in the EU’s General Data Protection Regulation (GDPR) (notably, noyb was founded by Max Schrems, the plaintiff in the case discussed in our recent post). On January 12, 2022, the Austrian DPA held in response to the first of these complaints that the use of Google Analytics by an Austrian website provider resulted in transfers of EU individuals’ personal data to Google’s data centers in the U.S. in violation of the GDPR.
During the proceedings addressing noyb’s complaint, Google confirmed that all data collected through Google Analytics, including data of EU companies and EU citizens, are transferred to and hosted in the U.S. Upon review of Google’s technical and organizational mechanisms in place to protect and secure any personal data in its possession, the Austrian DPA concluded that neither those mechanisms, nor the Standard Contractual Clauses between Google and the Austrian website provider, adequately protected personal data. The Austrian DPA concluded that neither can stop U.S. intelligence agencies from accessing personal data that may belong to EU individuals.
During its review of the complaint, the Austrian DPA dismissed the complaint against Google, holding initially that Chapter 5 of the GDPR only imposes legal duties on the data exporter, not the data recipient. However, the Austrian DPA declared that it would conduct an investigation and issue a separate decision in relation to whether Google violated Chapter 5 of the GDPR as well.
A week prior to this decision, on January 5, 2022, the European Data Protection Supervisor reached a similar decision. Its decision confirmed that the European Parliament’s use of Google Analytics and the payment provider Stripe violated the GDPR. Similar cases are currently pending in the Netherlands.
Further, in the wake of the Austrian DPA’s decision, the Norwegian DPA, which currently has two ongoing investigations into complaints similar to that addressed by the Austrian DPA, recommended that organizations begin looking for alternatives to Google Analytics. While this is not a final decision on the matter, it appears to be a sign from the Norwegian DPA of how it is likely to rule on its current investigations.
In early February 2022, France’s Commission nationale de l'informatique et des libertés (CNIL) also issued a decision regarding an almost identical complaint filed by noyb. The CNIL’s decision asserts that it is illegal to collect and transfer French residents’ data to the U.S. using Google Analytics. Similar to the Austrian DPA, the CNIL noted that while Google has taken a number of measures to regulate these transfers of data, such measures are insufficient because they do not prevent U.S. intelligence agencies from accessing this data.
Two notes about the CNIL’s decision: (1) it reflects that the decision was made “in cooperation with its European counterparts,” all of whom are analyzing the transfer of data to the U.S. utilizing Google Analytics and associated risks; and (2) it goes beyond just the use of Google Analytics, extending “to other tools used by sites that result in the transfer of data of European Internet users to the United States.”
The fact that individual EU Member State DPAs have the authority to declare that the use of a specific company’s services violates the GDPR, and that all appear to be currently analyzing this issue, puts substantial pressure on the EU and U.S. to identify an adequate replacement for the EU-U.S. Privacy Shield. The scope broadens with each decision and DPA recommendation issued as the investigations into noyb’s complaints continue, which indicates that it is only a matter of time before more DPAs follow suit. Unless these negotiations are expedited and completed, and a new data transfer mechanism is identified, additional DPAs will more than likely continue to make similar decisions in the future, further disrupting the use of U.S.-based technology services by EU customers.