At the end of December 2021, the Austrian data protection authority objected to the transmission of website visitor data – cookie IDs – to the USA (to Google LLC) as inadmissible. Here’s what the decision means for the use of Google Analytics and other US-based services.
Website operator violated GDPR
In August 2020, “NOYB” – the association of the Salzburg data protection activist Max Schrems – lodged a complaint with the data protection authority against the (then) media owner of a website and against Google LLC. The object of the complaint was the use of Google Analytics and the associated transmission of data to Google LLC – i.e. to the USA. There are two versions of Google Analytics: a free version and a paid version called Google Analytics 360. The free version was provided by Google LLC at the relevant time for the procedure; both Google Analytics versions have been provided by Google Ireland Limited since the end of April 2021. Google Analytics offers an “IP anonymization function” which was not activated on the affected website at the relevant time – according to the facts determined by the DPO. The data protection authority found a violation of the GDPR by the website operator.
Cookies with IDs are personal data
The unique online identifiers stored in the browser and thus on the user’s device by Google Analytics via the cookies “_ga”, “cid”, “_gid”form, according to the Austrian data protection authority, personal datawithin the meaning of the GDPR – regardless of a link to IP addresses; however, by linking these identifiers to IP addresses, the identifiability of users is even increased.
Data transfer to the USA illegal
In the opinion of the data protection authority, the Google Analytics tool “at least in the version of August 14, 2020” – i.e. insofar as data is transferred to the USA – could not be used in accordance with the requirements of the GDPR and was therefore unlawful in this constellation. Whether this is resolved in the current constellation (intermediary of Google Ireland Ltd. as a provider for Google Analytics in the EU) remains open (since not the subject of the proceedings) – the decisive question here is whether a third country transfer (to Google LLC) is de facto takes place.
Website operator responsible, Google not
A website operator who uses Google Analytics [Note. as well as any other online service based in the USA that transmits user data there] implemented on its website is the person responsible for the use of this tool on the website in question within the meaning of the GDPR, which is the provider of the tool (in the main proceedings Google LLC). just processors. The addressee of the GDPR specifications for data export to a third country is the exporter, i.e. the Austrian website operator; a US service that only receives the data (here: Google LLC) is not responsible for compliance – accordingly, an infringement of the law by the Austrian website operator was determined in the case at hand, but not an infringement of the law by Google LLC.
Standard data protection clauses are not a sufficient justification
A data transmission to Google LLC [Note. as well as to any other online service based in the US] cannot be justified solely by the agreement of standard data protection clauses due to the powers of US intelligence agencies over such online services under the Foreign Intelligence Surveillance Act (FISA 702). A website operator who uses a tool such as Google Analytics has to implement additional technical and organizational measures as a data exporter in order to achieve an EU-equivalent level of protection if the use triggers a transfer of data to the USA (as in the case in point). or – if such measures are out of the question – to obtain an effective consent from the affected users (website visitors) after they have been informed about the risks or to suspend the data transmission (i.e. in the event of an incident: the use of Google Analytics).
Continue using Google Analytics?
As the Austrian data protection authority itself states in its decision, since the end of April 2021 both Google Analytics versions (the paid and the free one) have been provided by Google Ireland Limited, so it does not have to be inferred from the decision that the use of Google Analytics (in the free version) is illegal even today, when this service is provided in the EU by Google Ireland Limited. In addition, according to the notification, the website operator did not use the “IP anonymization” configuration option. However, the DPO leaves open whether the activation of “IP anonymization” would have led to a different assessment. The decision by the DSB also does not deal with the question of whether the current “intermediary” of Google Ireland Ltd. based in Ireland, an EU member state, rules out any transfer of user data to the USA that can be decrypted by Google LLC (since this question was not the subject of the proceedings). A little reassuring: the data protection authority did not impose any penalties in the initial proceedings.
What does the decision mean for web services from the USA in general?
Two general deductions can be drawn from the decision: First, that the implementation of third-party technology from the USA on websites regularly violates the GDPR, insofar as such technology transmits user data to the USA unencrypted or decryptable for the recipient and does not constitute effective consent of all affected website users, also specifically for third-country transfers – after the risks have been clarified. And secondly, that the responsibility for the use of such technology lies with the Austrian website operator and not with the provider of the technology based in the USA.
Original text of the decision: