Austrian DPA Says Google Analytics Use Violates GDPR

February 08, 2022 In recent months, a total of 101 complaints have been filed against data exporters in Europe for allegedly transferring data to the United States in violation of the European Union’s General Data Protection Regulation (GDPR) by way of the use of Google Analytics. The first decision by the Austrian Data Protection Authority (DPA) on January 13, 2022 held that an Austrian company was in violation of GDPR for impermissibly transferring personal data to the US via Google Analytics.

By: Lewis Brisbois' Data Privacy & Cybersecurity Team 

Google Analytics, a widely popular website traffic monitoring service used to evaluate the behavior of visitors to a website, has been implemented by nearly 29 million live websites as of January 30, 2022. To accomplish its purpose, Google LLC receives certain information transmitted by the website for its visitors, including IP addresses and cookie data containing unique identifiers. Google then analyzes the data and provides statistics back to the website operator.

In recent months, a total of 101 complaints have been filed against data exporters in Europe for allegedly transferring data to the United States in violation of the European Union’s General Data Protection Regulation (GDPR) by way of the use of Google Analytics. The first decision in this series was released by the Austrian Data Protection Authority (DPA) on January 13, 2022, holding that an Austrian company was in violation of GDPR for impermissibly transferring personal data to the United States via its implementation of Google Analytics.

A threshold question in this case was whether the data transferred to Google constituted personal data subject to certain transfer restrictions under GDPR. Although the IP address and cookie data may not directly identify an individual, data that singles out an individual and enables the mere possibility of identification through combination with other data, is personal data according to the DPA. The DPA determined that the combination of IP address and cookie data transferred to Google is personal data subject to GDPR because it could be combined with other data in Google’s possession to identify individuals.

Given the DPA’s finding that this combination of data is in fact personal data, the transfer of that data to the United States was subject to Article 44 of GDPR, which requires that transfers of personal data out of the EU have a legal basis for the transfer. Since the 2020 European Court of Justice decision that invalidated Privacy Shield as a legal basis for data transfers to the United States, many have hoped to use Standard Contractual Clauses (SCCs) as the legal basis for such transfers. As a legal basis for transfer, SCCs may be sufficient if they can guarantee adequate protection of the data. If there are any deficiencies in the SCC’s protection of the data, supplementary measures, such as encryption or other safeguards, may establish a legal basis for transfer if they can eliminate that risk. To determine whether adequate protection is guaranteed by SCCs, the level of protection afforded to data in the recipient country, in this case the United States, is taken into account.

Google is an electronic communications provider and is therefore subject to surveillance by US intelligence agencies under FISA. The DPA determined that to provide adequate protection of the data under Article 44 of GDPR, the SCCs and supplementary measures surrounding the transfer would need to eliminate the risk of US intelligence agencies obtaining the data. The DPA found that the SCCs and supplementary measures did not eliminate this risk nor guarantee adequate protection of the data. The DPA, therefore, determined that the SCCs and supplementary measures were inadequate to serve as a legal basis for the transfer. The DPA specifically noted that although the data was encrypted, this was insufficient protection in cases where the recipient of the data had the encryption key and could be required to provide the key and the data together to US intelligence agencies.

The implications of this decision are vast, but the actual impact remains to be seen. An appeal may be forthcoming, and 100 similar complaints have yet to be decided. As it currently stands, the DPA’s decision highlights several critical findings: (1) the combination of unique user identification numbers, IP addresses, and browser parameters constitutes personal data under GDPR; (2) the use of Google Analytics constitute a transfer of personal data by the Austrian company to Google in the United States; and (3) the transfer was not protected by either SCCs or the supplementary measures implemented by Google LLC sufficient to pass muster under GDPR.

For more information on this topic, contact the authors of this post. You can also subscribe to this blog to receive email alerts when new posts go up.