Introduction
On 13 January 2022, the Austrian Data Protection Authority (“DSB“) ruled that the use of Google Analytics (“GA”) and the resulting export of personal data to the United States (“US”) violates the GDPR’s data export requirements. On 10 February 2022 the French data protection authority (“CNIL”) also confirmed that these personal data transfers to the US are a violation of the GDPR. These are the first decisions from EU data protection authorities (“DPAs”) in response to 101 complaints filed by NOYB, a privacy advocacy group, following the Schrems II decision. We expect more decisions in the coming months. If, as is expected, the conclusions in these are similar to those of the DSB and CNIL, US cloud service providers and their EU customers will need to reassess their data export practices.
Background
Pursuant to the European Court of Justice’s (“ECJ”) decision of 16 July 2020 (“Schrems II”), transfers of EU personal data to US companies that fall under US surveillance laws, and may consequently disclose data to US authorities, violate the GDPR unless exporters implement additional safeguards.
In Schrems II, the ECJ confirmed that the EU Standard Contractual Clauses (“SCCs”) could still be used, but ruled that exporters must verify that the importer can effectively protect the personal data. Companies must conduct a case-by-case analysis to this effect. Where adequate protection cannot be guaranteed, additional technical and organizational measures (“TOMs”) are required.
On 18 June 2021, the European Data Protection Board (“EDPB”) issued recommendations on TOMS and other measures (“EDPB Recommendations”). In its initial draft, the EDPB stated that, when assessing the lawfulness of a transfer, organizations could not rely on subjective factors such as “the likelihood of public authorities’ access to your data”. In the final version however, the EDPB adopted a risk-based approach by taking into account the “practices in force in the third country”. Also, the new version of the European Commission’s (“EC”) SCCs indicate in a footnote that, when warranting that no laws prevent them from complying with the GDPR, parties may take such a risk-based approach. According to the SCCs however, the consideration of practical experience needs to be supported by other relevant, objective elements. Hence, the question whether and to what extent parties may take factor in a (low) probability of government access is subject to debate.
The DSB and CNIL decisions follow the European Data Protection Supervisor’s ruling of 11 January 2022 which similarly sanctioned the European Parliament (“EP”) for violating Schrems II and transfer restrictions under the GDPR by placing GA and Stripe cookies on an internal Covid testing website, on which EP Members and staff could register online before being tested on the EP’s premises.
The DSB’s Decision
In this case, NOYB filed a complaint against an Austrian website operator which had implemented a free version of GA on its website. GA is used for statistical analysis and tracking website visitors. To ensure data export compliance, the website operator entered into SCCs with Google. NOYB argued that both the website operator and Google violated the GDPR in light of Schrems II by transferring EU personal data to Google in the US. In particular, NOYB stated that the TOMs which Google implemented did not offer sufficient additional safeguards to ensure an adequate level of protection. The TOMs in this case included (i) notification of data subjects about government access requests to the extent permissible, (ii) the publication of a transparency report or a “guideline for handling government inquiries”, (iii) the careful examination of every data access request, (iv) the protection of communication between Google services, (v) the protection of data in transit between data centers, (vi) the protection of communications between users and websites or an “on-site security”, (vii) encryption technologies such as encryption-at-rest, and (viii) pseudonymisation. Due to a configuration error, however, the website operator had not correctly implemented the IP address anonymisation function offered by Google. The DSB upheld the complaint against the website operator.
The analysis of the personal data
First, the DSB decided that the information exported constitutes personal data, i.e. IP addresses, browser data, website information and unique online identifiers. For the online identifiers, the DSB emphasized that they allow GA to differentiate between – or ‘individualise’ – users. Whether information can be linked to a specific ‘face’ or ‘name’ is not relevant, but it is sufficient to allow a specific individual to be ‘singled out’. Website analytic tools aim to single out visitors. The DSB thus concluded that the online identifiers constitute personal data.
A combination of online identifiers with other data elements, like IP addresses and device information, further enhances the likelihood of identification and thus also constitutes personal data. The DSB also repeated that IP addresses without further re-identification data can be personal data. Furthermore, it is not necessary that all information required to identify the individual is held by the same entity. Instead, the decisive factor is whether identification can be established with reasonable effort, taking into account the capacity and expertise of the persons holding the information. In this case, the US intelligence authorities as well as the analytics provider hold such information and, as a result, personal data was exported.
The transfer of personal data violating the GDPR
After establishing that the website operator acted as the controller and the analytics provider as the processor, the DSB held that by implementing GA on its website, and consequently allowing the tool to collect and analyse information in the US, the website operator was an exporter transferring data to a third country. An exporter must ensure export compliance, in this case by relying on the SCCs with additional safeguards. Referencing Schrems II, it held that in this case, the SCCs do not offer an adequate level of protection, because (i) the analytics provider is subject to surveillance by US intelligence services, and (ii) any additional safeguards are insufficient.
The DSB considers “additional measures” to be effective to the extent that they address the specific gaps identified in a third country’s legal regime. It considered none of the TOMs effective as they do not prevent US authorities from accessing the data. For example, the obligation to surrender data in the US may extend to the cryptographic keys, so encryption cannot exclude government access. The DSB did not take into account the IP address anonymisation tool because it was not activated, but noted that the IP address is one of many elements allowing identification of the data subject, implying that IP anonymisation would not have altered its conclusion.
This position calls into question the risk based approach from the EDPB Recommendations (and new SCCs). The question as to which measures could be deemed to sufficient remains unanswered.
The DSB dismissed the claim against GA on the grounds that it does not disclose personal data but merely receives it. Notably, it clarified that the obligations around data export only apply to the data exporter and not the data importer. The DSB did announce, however, that it would issue a separate decision on a potential violation of the processor obligations under the GDPR by the data importer.
As of yet, the DSB has not issued a penalty. As the website operator in question was originally registered in Austria, but is now registered in Germany as a result of a merger, the DSB will instead refer the case to the competent German DPA.
The CNIL’s decision
The CNIL published a summary of its findings on the NYOB complaints it received on its website. These follow the DSB’s ruling and find GA data transfers to the US in violation of the GDPR. The CNIL ordered compliance with the GDPR within one month, suggesting to either stop using GA or localising it in the EU.
Separately but in the same statement, the CNIL repeated that audience measurement and analytics tools should only produce anonymous statistical data if they are to be exempt from consent. In September 2021, the CNIL published a list of audience measurement tools that may be configured to fall under the exemption.
What is next?
As DPAs have been coordinating their response in a “task force” set up by the EDPB, it is expected that they will come to similar decisions regarding the other complaints filed by NOYB. The Dutch DPA states that “it may soon no longer be permitted to use GA” and that it will be able to confirm this in early 2022 when it finalizes its two investigations on the issue. The Norwegian DPA published a statement indicating it will follow the approach of other DPAs and that it recommends organizations to explore alternatives to GA. The Danish DPA has also indicated that it favors a harmonized approach throughout the EU. In the CNIL’s press release, the DPA mentions its cooperation with other DPAs and refers to “an analysis at European level”.
The decisions may have far reaching consequences for US cloud providers and their EU based customers. In the most likely case that DPAs adopt a consistent approach to all complaints, companies will need to reconsider their approach to data export, at least from a commercial perspective, meaning that local EU data storage may become more favorable. US cloud providers may (be forced to) take action and come up with suggested solutions, unless another export mechanism – like Privacy Shield – is put into place at short notice. As such, on 2 February 2022 (and as was already announced in October 2021), Google Cloud confirmed that its EU customers can now effectively keep their data on data centres located in the EU and request that their data be only handled by customer support in the EU. Meta Platforms, however, warns in its 2021 annual report to the US Securities and Exchange Commission that, if no new transatlantic data transfer framework is adopted, and it will be unable to rely on SCCs or other alternatives, the company may need to stop offering a number of significant products and services in the EU, including Facebook and Instagram.
It seems likely that EU data exporters and US importers will be required to adjust their practices. It remains to be seen whether effective solutions will be introduced on an industry-level. Future decisions from DPAs may offer further guidance as to next steps to be taken by exporters.