Austrian regulator says use of Google Analytics violates GDPR

The Austrian Data Protection Authority (Datenschutzbehörde or DSB) has decided in a model case brought by activist legal group noyb (My Privacy is None of Your Business) that the continuous use of Google Analytics violates the EU’s GDPR.

The noyb group, led by honorary chair Max Schrems, works with various bodies across Europe to ensure that data protection laws are properly upheld, partly through targeted litigation.

In August of 2020, noyb filed 101 complaints in 30 EU and EEA member states against 101 European companies that were still forwarding data about each visitor to Google and Facebook.

The complaints were also brought against Google and Facebook in the US, for continuing to accept these data transfers, despite them being in violation of the recently introduced GDPR.

The group explained that it filed the complaints in the wake of the so-called ‘Schrems II’ decision. In 2020, the Court of Justice of the European Union decided that the use of US providers violates the GDPR, as US surveillance laws require US providers like Google or Facebook to provide personal details to US authorities.

Other European regulators are expected to follow the Austrian decision. “Similar decisions are expected in other EU member states, as regulators have cooperated on these cases in a European Data Protection Board taskforce. It seems the Austrian DSB decision is the first to be issued,” said noyb in a statement issued this week.

The group said that while the Schrems II decision had sent “shockwaves” through the tech industry, US providers and EU data exporters had largely ignored the case. “Just like Microsoft, Facebook or Amazon, Google has relied on so-called ‘Standard Contract Clauses’ (SCCs) to continue data transfers and calm its European business partners,” claimed noyb.

Its honorary chair Schrems said: “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options.”

The DSB appears to have agreed that SCCs and ‘Technical and Organizational Measures’ provide no defence.

“While Google has made submissions claiming that it has implemented ideas like having fences around data centres, reviewing requests or having baseline encryption, the DSB has rejected these measures as absolutely useless when it comes to US surveillance,” stated noyb.

Schrems added: “This is a very detailed and sound decision. The bottom line is: companies can’t use US cloud services in Europe anymore. It has now been one and a half years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”

The group explained that this decision has wide implications because it is relevant for almost all EU websites.

“Google Analytics is the most common statistics program. While there are many alternatives that are hosted in Europe or can be self-hosted, many websites rely on Google and thereby forward their user data to the US multinational. The fact that data protection authorities may now gradually declare US services illegal puts additional pressure on EU companies and US providers to move towards safe and legal options, like hosting outside of the US,” it stated.

The group suggested that, in the long run, there seem to be two options. Either the US adapts baseline protections for foreigners to support their tech industry, or US providers will have to host foreign data outside of the US.

Schrems added: “In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in Europe.”
