On December 22, 2021, the Austrian data protection authority (DSB) issued a decision in the Google Analytics case finding the operator of an EU website in violation of Article 44 of the General Data Protection Regulation (GDPR). The DSB found that the website operator had exported personal data to an importer in the US through its use of Google Analytics without ensuring the level of protection required under Chapter V of the GDPR.

The complaint was one of 101 complaints filed with European data protection authorities in August 2020 by None of Your Business (NOYB) against EU companies for their continued use of Google Analytics and Facebook Connect after the Court of Justice of the EU's Schrems II judgment of July 2020. NOYB alleged that, by using these services, the companies had subjected personal data protected by the GDPR to US surveillance laws, in breach of the requirements set out in Schrems II.


What Were the Austrian DPA’s Findings in the Case?

The DSB first addressed whether the data sent from the website to Google Analytics, which in this case included the visitor's IP address, operating system and language settings, among other things, constituted personal data under Article 4(1) of the GDPR. It concluded that this data was sufficient to single out the data subject and was therefore personal data within the meaning of the GDPR. As a result, a transfer of personal data from the EU to the US had taken place.

The DSB then assessed whether the transfer was covered by mechanisms that protect the data to a level essentially equivalent to that guaranteed under the GDPR, applying the European Data Protection Board's (EDPB) guidance on data transfers. It noted that Google relied on standard contractual clauses (SCCs) under Article 46 of the GDPR, supplemented by technical measures including encryption at rest. The DSB found that the supplementary measures could not be effective: Google is under a direct obligation to grant US surveillance agencies access to, or hand over, imported data in its possession, and because Google itself can access the encrypted data in plain text, encryption at rest does not prevent such access.

Consequently, the DSB held that the transfer violated Article 44 of the GDPR and that the violation was attributable to the website operator as the data exporter. Although it found that Chapter V of the GDPR did not apply to Google as the data importer in this case, the DSB made clear that continued use of Google Analytics under these conditions would violate Chapter V of the GDPR.

The DSB will issue a separate decision on whether Google itself violated Articles 5, 28(3)(a) and 29 of the GDPR.

What Was the Analytics Provider’s Response?

Following publication of the decision, Google issued a response detailing the measures it takes to protect personal data within its analytics service.

In its response, Google stated that an organization's Google Analytics data is transferred only when specific privacy conditions are met, and that the service:

  • does not track or profile people across the internet;
  • gives organizations control over the data they collect using Google Analytics;
  • helps customers with compliance by providing a range of controls and resources;
  • helps put users in control of their data, for example through browser add-ons; and
  • cannot be used to show advertisements to people based on sensitive information such as health, ethnicity or sexual orientation.

Google also listed the technical measures it relies on to protect data against interception in transit, including HTTPS encryption and Application Layer Transport Security (ALTS). These measures address interception in transit; they do not address the DSB's central concern, which was Google's own ability to access the stored data in plain text and its obligation to hand that data over to US authorities.

What Have Other DPAs Said?

The Dutch DPA has cast doubt on the use of Google Analytics in a post on its website (available only in Dutch). In the post, the Dutch DPA stated that it too is investigating two complaints relating to the use of Google Analytics and that it expects to issue a decision in early 2022.

NOYB filed its complaints with over 30 data protection authorities across Europe in August 2020, so it is likely that further authorities will rule on the use of Google Analytics and Facebook Connect.

How OneTrust Addresses International Data Transfers  

At OneTrust, we do not underestimate the significance of protecting personal data. As the most widely used privacy management platform, it is important that we lead by example, which is why we have robust measures in place for protecting personal information.

OneTrust has a comprehensive, integrated privacy and security program designed with applicable data protection and privacy laws, including the GDPR, in mind:

  • We have adopted Standard Contractual Clauses (SCCs) and conduct Transfer Impact Assessments (TIAs) for all international data transfers.
  • We have supplementary organizational, legal and technical measures in place to ensure personal data is protected to the highest possible standard.
  • Our ISO 27701 certification demonstrates our ongoing practice of data minimization, which limits the exposure of personal data to unauthorized access, and that we have adopted organizational controls to comply with the accountability principle.
  • We regularly review our subprocessors to ensure that they are held to a high standard, with appropriate measures in place that meet the GDPR's requirements.

Although it is possible that foreign governments may request access to personal data we hold, such requests are very unlikely: for most customers, OneTrust stores very little personal data, none of it sensitive. To date, OneTrust has not received any access request from a foreign government agency, as set out in our Transparency Report.

To better understand the Austrian DPA's decision and its potential impact on international data transfers, read the OneTrust DataGuidance article or register for the webinar, Austria DSB Rules on Analytics Complaint: The Implications on Data Transfers, on January 25 at 3:00 PM GMT.
