Google Analytics breaks GDPR, Austrian data protection watchdog finds
Regulator finds Google's protections inadequate in case that could spell trouble for other US tech firms
The Austrian data protection authority Österreichische Datenschutzbehörde has ruled that a German website has contravened the GDPR because its use of Google Analytics meant it was transferring personal data to the US for processing without sufficient protection.
The data being sent to the US by health website netdoktor.at includes IP addresses and cookie identifiers, which could be combined with other data to identify individuals, according to the data protection authority (DPA).
The watchdog found that Google had not implemented sufficiently strong measures to encrypt and anonymise the data collected through Analytics and transferred to the US to prevent such reidentification.
Google's use of standard 'Technical and Organisational Measures' to protect personal data, such as pseudonymisation and encryption at rest, is similar to arrangements made by other US tech firms that transfer data to their home country, so the Austrian DPA's judgement is likely to have further repercussions.
The case was brought to the DPA by noyb, the legal company set up by Max Schrems, the Austrian lawyer who rose to prominence by challenging Facebook's data transfer practices. That case eventually led to the demise of the Safe Harbour data transfer agreement.
In a blog post, Schrems welcomed the judgement.
"Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options," Schrems said.
"This is a very detailed and sound decision. The bottom line is: Companies can't use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced."
The judgement comes at a time when EU-US data transfers are under renewed scrutiny. The so-called Schrems II judgement by the EU Court of Justice in 2020 rendered Safe Harbour's successor, Privacy Shield, invalid, while leaving other mechanisms such as Standard Contractual Clauses intact - but only as an interim measure and on a case-by-case basis.
American tech firms, apparently aided by the Irish DPA, have been fighting against stricter transfer rules, because many of them, including Google, depend on using personal data to serve targeted advertising as their primary business model.
noyb has filed another 100 similar complaints with European DPAs in an effort to gain protection for EU subjects from intrusive laws such as FISA 702 and EO 12.333 which provide for bulk surveillance by the US authorities of anyone who is not a US citizen.