Use of Google Analytics (still) breaches the GDPR – Austrian data protection authority rejects risk-based approach
1 Background
On 2 May 2022, the NGO noyb published on its website a decision of the Austrian data protection authority (DPA) on the legitimacy of the use of Google Analytics (GA) by a website operator. The website offered services to several European countries, which is why the “One-Stop-Shop” mechanism was applied. In this procedure, the lead supervisory authority – the Austrian DPA – received no relevant objections to its draft decision from the other concerned data protection authorities. This is not surprising, as the European Data Protection Board (EDPB) formed a taskforce to coordinate the response to the 101 model complaints filed by noyb after the CJEU’s Schrems II judgment.
2 Legal Analysis
We analyzed the first GA decision in another article for INPLP, which can be accessed here. In this article we therefore focus on the new legal interpretations of the DPA in comparison with the first GA decision.
The DPA held in the decision as follows:
2.1 Data transmitted through Google Analytics are personal data within the meaning of the GDPR
In the DPA’s opinion, the GA cookies “_ga”, “cid” (Client ID) and “_gid” (User ID) are personal data within the meaning of Art 4 (1) GDPR. These “unique online identifiers” alone can be sufficient to qualify as personal data. The DPA argues that the threshold of “identifiability” is already reached as soon as an individualisation takes place, even if the respective data cannot yet be attributed to a natural person. The question of which means are reasonably likely to be used to identify the natural person, directly or indirectly, does not need to be examined, because the assignment of identification numbers to a website user already constitutes “singling out” within the meaning of Recital 26 GDPR. Consequently, the website user is identifiable. The DPA supports this argument by referencing the GA decision of the European Data Protection Supervisor of 5 January 2022 (2020-1013), where a similar line of reasoning is presented.
In this context, it is notable that the DPA considers the IP address anonymization function provided by GA to be insufficient, because the full IP address is processed, at least briefly, on Google’s servers and can therefore be accessed by US intelligence agencies. The DPA argues that even if the IP address were processed only on Google servers in the European Union, Google could be forced to hand it over under US surveillance laws. To substantiate this view, the DPA cites the EDPB-EDPS Joint Response to the US CLOUD Act (accessible here) and the Expert Opinion on the Current State of U.S. Surveillance Law and Authorities by Prof. Stephen I. Vladeck, commissioned by the German Conference of Independent Data Protection Authorities (accessible here).
The website operator, as controller, bears the burden of proving that the GDPR is not applicable (see Art 5 (2) GDPR). The DPA regards the conclusion of a data processing agreement and of standard contractual clauses (SCCs) as an indication to the contrary, namely that personal data is in fact transferred to the US.
2.2 Data transfer to US in connection with Google Analytics is not GDPR compliant
With the “Schrems II” ruling of the Court of Justice of the European Union (CJEU), the EU-US adequacy decision (“Privacy Shield”) was invalidated, and in the DPA’s opinion no “derogation for specific situations” applied, in particular because consent pursuant to Art 49 (1) (a) GDPR had not been obtained.
In the case at hand, the website operator had concluded the “old” SCCs (Decision 2010/87/EU). The data transfer cannot be based exclusively on the executed SCCs, because Google US is clearly a provider of electronic communications services and subject to US surveillance laws (e.g., FISA 702). The DPA found that Google had not provided sufficient contractual, organizational or technical measures (“supplementary measures”) to compensate for the lack of legal protection in the US.
2.3 DPA explicitly rejects the “risk-based approach” for data transfers
Part of the privacy law community holds that even if “supplementary measures” do not fully compensate for the lack of legal protection in third countries, a transfer based on SCCs is GDPR compliant as long as the actual risk of unlawful access by foreign intelligence services is very low. In other words, the “risk-based approach” to data transfers considers whether a certain “minimum risk” to the data subjects’ rights and freedoms is present and whether intelligence services will actually access the data.
The DPA rejects this legal argument because the GDPR does not provide for any “risk-based approach” in Chapter V (the chapter governing data transfers). Such an approach can only be found in other articles of the GDPR (e.g. Art 24 or 32). Furthermore, the CJEU neither applies nor mentions a “risk-based approach” in the “Schrems II” decision. Nor can an endorsement of a “risk-based approach” be found in the “new” SCCs (2021/914/EU) or in the EDPB’s Recommendations 01/2020. In both documents, the suggested assessment is whether “problematic” surveillance laws are applicable, not whether the transferred data are non-sensitive or non-criminal personal data.
3 Conclusion
After multiple decisions by several European data protection authorities on the implementation of GA, the legal outcome remains the same: GA in its standard configuration is not GDPR compliant, and the “risk-based approach” is not a viable legal workaround to legitimize data transfers to third countries.
The machine translation of the German original can be accessed here: https://noyb.eu/sites/default/files/2022-04/Bescheid%20geschwärzt%20EN.pdf
Article provided by INPLP member: Stephan Winklbauer (Aringer Herbst Winklbauer Rechtsanwälte, Austria)
Dr. Tobias Höllwarth (Managing Director INPLP)