Quick Snapshot of the case
- The Austrian DPA (DSB) held that the use of Google Analytics by an Austrian website provider led to transfers of personal data to Google LLC in the U.S. in violation of Chapter V of the GDPR.
- This is the first decision on the 101 model complaints filed by NOYB in the wake of the Schrems II decision.
- Following the filing of NOYB’s complaint in August 2020, Google submitted a response to the DSB on 9 April 2021 concerning transfers of website visitor data from EU website operators to Google through use of the Google Analytics tool. Google stated that it relies on Standard Contractual Clauses (‘SCCs’) pursuant to Article 46(2) of the GDPR and that, in alignment with the EDPB’s Recommendations 01/2020, it had implemented supplementary measures, including legal, technical, and operational measures, to ensure an adequate level of data protection.
- Subsequently, on 5 May 2021, NOYB made an additional submission to the DSB in response to Google’s submission, dismissing the idea that the measures described by Google were adequate to effectively protect data transferred from the EU, and calling for the DSB to consider a fine of up to €6 billion against Google for the resulting alleged violation of Chapter V of the GDPR.
DPA’s Observations
Data transmitted through Google Analytics is Personal Data: In the DPA’s opinion, it is theoretically possible to link the transferred data back to a natural person through the combination of the vast amount of data transmitted. Therefore, a link to a person can be established (see Art. 4(1) GDPR) and the GDPR is applicable. In this context, it is interesting that the DPA also considers the anonymization function of the IP address provided by Google Analytics to be insufficient for moving it outside the scope of the GDPR.
Website Operator is the Controller of the Data Processing Activity (Implementation and Transfer): A mere possibility of identification is sufficient to consider the processing as personal data processing: The DPA came to the conclusion that the case involved a transfer of personal data, arguing that the unique identifiers stored within _ga and _gid cookies could be used to differentiate between users.
Transfer of data only based on the new SCCs is unlawful: If a company is subject to surveillance by the US intelligence agencies on the basis of 50 US Code § 1881a, SCCs cannot guarantee an adequate level of protection for the personal data transferred. Check out my summary of the EDPB guidance regarding personal data transfers out of the EU that follows a set of narrow circumstances and/or conditions.
US Intelligence agencies and the CLOUD Act: US intelligence services take certain online identifiers (such as the IP address or unique identification numbers) as a starting point for monitoring individuals. That this is not just a “theoretical danger” is shown by the judgment of the ECJ of July 16, 2020, C-311/18, which, on the basis of the incompatibility of such methods and access options of the US authorities with the fundamental right to data protection under Art. 8 EU-GRC, ultimately also declared the EU-US adequacy decision (“Privacy Shield”) to be invalid.
Google’s take on GA
Google argued that the privacy risk in market measurement seems lower than in individualized and targeted marketing. The GA tool is used to enable general statistical evaluations of the behavior of website visitors. However, the tool does not allow the content to be adapted to a specific website user, since the evaluation is carried out anonymously and no reference to a specific user is made possible. User IP addresses would also be anonymized before being stored or transmitted (“IP anonymization”). The so-called user agent string is used to inform the server about the system specification with which the user is accessing the server. Without reference to a person, only the device, operating system and version, browser and browser version, and the device type would be displayed. In the best case, it can be assigned to a specific device, but never to a specific person using the device.
Advice for Austrian companies
Austrian website providers using Google Analytics are in violation of GDPR. If you are operating a website in Austria, or your website services Austrian citizens, you should remove Google Analytics from your website immediately. A good alternative to Google Analytics is Matomo.
Related cases
The Dutch Data Protection Authority said it is investigating two complaints in the Netherlands on the use of Google Analytics.
Conclusion
Some points that stood out to me as I was reading the judgment:
- The Austrian DPA has taken a broad interpretation when assessing whether the processing concerns “personal data”, deeming that “singling out” the User is already sufficient, as is the possibility of identification by relevant actors, i.e., Google LLC and US authorities, to establish personal data processing.
- The DPA further reiterated that encryption is not an adequate measure if the recipient of personal data also has the key and may be obliged to disclose it together with the data.
- The DPA analyzed Article 4 GDPR, read with Recital 26, to support that Identification IDs fall under the definition of Personal Data. The DPA, however, noted that whether an isolated IP address is personal data remains open.
- The decisive factor, in this case, was whether identifiability could be established with justifiable and reasonable effort.
- While the regulator upheld the complaint against Netdoktor, it did not find against Google’s US business for receiving/processing the data, deciding that the rules on data transfers only apply to EU entities and not to the US recipients.
- The Austrian DPA’s decision does not impose a fine for the determined breach; it is likely that further developments in relation to this decision will follow.
Note: This decision of the Austrian DSB is not yet legally binding and it can be appealed. I will update this article when there’s any progress on this case. Thanks for reading!
Link to the translation of the original German decision: https://noyb.eu/sites/default/files/2022-01/E-DSB%20-%20Google%20Analytics_EN_bk.pdf