On January 13th, 2022, the NGO noyb published on its website a (not yet legally binding) decision of the DPA on the legitimacy of the use of Google Analytics by an Austrian website operator. It is the first decision of the 101 model complaints filed by noyb in the aftermath of the CJEU Schrems II judgment. In 2020, the European Data Protection Board (EDPB) formed a taskforce to analyse the matter and ensure a close cooperation among all European DPAs. Thus, it can be assumed that regulatory measures issued by DPAs will pick up its pace (e.g.: the Dutch Data Protection Authority already declared in a press release that “the usage of Google Analytics may be not permitted
2. Legal Analysis
The DPA held in the decision as follows:
2.1 Applicability of the GDPR
The relevant provisions of Directive 2002/58/EC (e-Privacy Directive) – transformed in Austria with the Telecommunications Act (TKG 2021) – take precedence over the GDPR as leges speciales. However, the e-Privacy Directive does not contain any rules on the transfer of personal data to “third countries”, which is why Chapter V of the GDPR applies in the given case.
2.2 Data transmitted through Google Analytics are personal data within the meaning of the GDPR
In the DPA’s opinion, it is theoretically possible to link the transferred data back to a natural person through the combination of the vast amount of data transmitted. Therefore, a link to a person can be established (see Art. 4(1) GDPR) and the GDPR is applicable.
In this context, it is interesting that the DPA also considers the anonymisation function of the IP address provided by Google Analytics to be insufficient for moving it outside the scope of the GDPR. Due to the transmission of the large volume of data, the IP address is not central for the classification of the data as personal data within the meaning of the GDPR.
2.3 Website operator is to be regarded as the controller of the data processing activity (implementation and transfer)
It should be noted that the DPA only assessed the data processing activities up to the point of successful transfer to Google. The authority does not comment on the further data processing performed by Google. A separate legal proceding was initiated for this. (Interestingly, the German Data Protection Conference (=Datenschutzkonferenz or “DSK”) assumes joint controllership for the usage of Google Analytics.)
2.4 Data transfer to US in connection with Google Analytics is not GDPR compliant
The ruling of the European Court of Justice of 16 July 2020 (Schrems II) declared the EU-US adequacy decision ("Privacy Shield") invalid. Therefore, Art. 45 GDPR no longer applied as a data transfer instrument and a “derogation for specific situations” did not exist in the opinion of the DPA (in particular because consent was not obtained in the given case - more about that below).
The last remaining legal transfer instrument is "appropriate safeguards" pursuant to Art 46 GDPR. Appropriate safeguards can be standard contractual clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. In the case at hand, the website operator had concluded "old" SCCs (in the version 2010/87/EU) with Google. (A new set of SCCs was published in June 2021.)
When using Google Analytics, however, the data transfer cannot be based exclusively on the concluded SCCs. This is because Google is subject to US surveillance laws and contractual measures alone do not sufficiently bind authorities in a “third country”. A data transfer is only lawful if additional technical and organisational measures ("supplementary measures") are taken to compensate for the lack of legal protection in the US. In its decision, the DPA found that Google has not provided evidence of sufficient "supplementary measures".
3. Possible legal workarounds to use Google Analytics
3.1 Usage of the new SCCs 2021
As already mentioned above, a new set of SCCs has been published in June 2021. However, the usage of the new SCCs does not solve the main problem of the data transfer to Google (and thus into the US). In its decision, the DPA declares that the data transfer is mainly unlawful due to the lack of technical "supplementary measures". The DPA holds that purely contractual safeguards are not the solution. Consequently, the transfer of data only based on the new SCCs is therefore unlawful.
3.2 Data transfer based on consent pursuant to Art. 49 (1) (a) GDPR
A different approach would be to change the legal basis of the data transfer to consent. Yet, the European Data Protection Board (EDPB) has a very restrictive interpretation on this issue and only accepts the usage of this provision for occasional or non-repetitive transfers (see Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679). Thus, in our view the data transfer based on consent pursuant to Art 49 (1) (a) GDPR is unlawful.
Due to the decision issued by the Austrian DPA, the use of Google Analytics is unlawful. In our opinion, there are currently no alternative legal options to justify the usage of the tool in line with the GDPR. Although this decision is not (yet) legally binding, its effect should not be underestimated. The line of reasoning put forward by the DPA can be applied to many other analytical cookies. A reassessment of all Cookies used is advisable as it is pursuant to Art. 5 (2) GDPR the data controller’s duty (="accountability principle") to provide the necessary documentation upon request to the DPA.
A machine translation of the German original can be accessed here
Article provided by INPLP member: Stephan Winklbauer (Aringer Herbst Winklbauer Rechtsanwälte, Austria)
Dr. Tobias Höllwarth (Managing Director INPLP)