The European Data Protection Supervisor (“EDPS”) and the Austrian Data Protection Authority have both recently ruled that the transfers of personal data to Google LLC (US) entailed by the use of the Google Analytics tool on the websites of the European Parliament and of a company located in Austria (the “website operator”) were not GDPR compliant.
Indeed, they considered that, although the parties had entered into the Standard Contractual Clauses, no additional measures were in place that could prevent the US authorities from accessing the data.
These decisions stem from the European Court of Justice ruling of July 2020, “Schrems 2”, which requires that additional measures be implemented when the parties rely on Standard Contractual Clauses to frame a personal data transfer to the US.
However, the European court did not define in its ruling what these measures could be, leaving organisations with the burden of assessing the third country's legal regime and defining the additional measures themselves.
In this article, although the outcome of the two decisions is similar, we focus on the Austrian DPA decision because, unlike the EDPS ruling, it provides a more detailed analysis of the authority's requirements for additional measures to be valid.
What is Google Analytics?
Google Analytics is a tool that tracks how visitors browse a website.
The information is collected through cookies/trackers implemented by the website operator, is accessible via a dashboard and is used for statistics and evaluation.
However, in order to make the information available to the website operator, Google LLC hosts it on its servers in the US, and it appears that Google LLC may also use it for further purposes, which the decision does not define.
What is required when personal data is transferred to the US?
The hosting of the data, and its possible reuse for further purposes, by a company based in the US constitutes a personal data transfer outside the EU.
Since the US is not considered by the European Commission as providing an adequate level of protection, the transfer must be framed by appropriate safeguards such as the Standard Contractual Clauses (SCCs).
Besides, the ECJ, in its Schrems 2 decision of July 2020, stated that “[…] By their nature, standard data protection clauses cannot offer guarantees that go beyond the contractual obligation to ensure compliance with the level of protection required by Union law […]” and that “[…] Depending on the situation in a particular third country, it may be necessary for the controller to take additional measures to ensure compliance with this level of protection”.
In this regard, it also ruled that the US government surveillance programmes – based on Section 702 of FISA and EO 12333 in conjunction with PPD-28 – do not offer an adequate level of protection for natural persons, and it required that additional measures be implemented when an organisation wishes to transfer data to the US.
However, the European court did not define what these measures could be, and organisations could only rely on the EDPB guidelines.
Transfers of personal data to the US are unlawful as long as the additional measures cannot prevent US authorities from accessing the data.
US authorities can force Google to give access to the personal data transferred
In its decision the Austrian DPA considered that:
- the website operator, acting as controller, disclosed the data to Google LLC by proactively using the Google Analytics tool; Google LLC acted as processor, although the authority specified that this finding was made without prejudice to Google's role regarding further data processing operations carried out in the US;
- the collected data was personal data and was transferred to Google in the USA for hosting and for further purposes (not defined);
- under US law, Google LLC remained obliged to provide personal data to US authorities on request, which contradicts the content of the SCCs.
As a result, additional measures must be implemented to prevent such access.
If the additional measures do not close the gap between the EU and US legal systems, the transfer must not take place
According to the recommendations of the European Data Protection Board (EDPB), “additional measures” within the meaning of the judgment of the ECJ of 16 July 2020 can be of a contractual, technical or organisational nature.
However, the data exporter must determine whether, and to what extent, such measures actually close the gaps in legal protection between the EU and the third country's legal system.
If the data exporter ultimately cannot achieve an essentially equivalent level of protection, it may not transfer the personal data.
The measures implemented were not sufficient to prevent US authorities from accessing the data
In the present case, the Austrian authority assessed whether the measures implemented by Google and the website operator could prevent US authorities from accessing the data.
The contractual and organisational measures implemented by Google were deemed irrelevant to the case, so the authority focused specifically on the technical measures Google had implemented.
Google had implemented technical measures such as pseudonymisation, anonymisation of the IP address and encryption of the data.
However, the DPA pointed out that US intelligence law obliges the data importer to grant access to, or release, the data it processes, and that this obligation can extend to surrendering the cryptographic key.
Therefore, the authority considered that “as long as Google has the opportunity to access data in plain text, the technical measures cannot be regarded as effective”.
Nor did it consider the pseudonymisation of the data or the anonymisation of the IP address effective, since these did not anonymise the data completely.
For additional measures to be deemed valid when transferring data to the US, it seems that:
full anonymisation, or encryption performed by the exporter (not the importer) with a key the importer never holds, could be a solution for transferring data to the US.
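To make the authority's distinction concrete, here is an added illustration (example code written for this article, not code from the decision, from Google or from the website operator). It assumes a simplified hit record and a hypothetical "IP anonymisation" rule that keeps the first three octets of an IPv4 address (the first 48 bits of IPv6); the cookie values and addresses are constructed. It shows why truncating the IP on the importer's side still leaves a browsing history linked to one visitor, and how a keyed pseudonymisation applied by the exporter, with a key that never leaves the exporter, removes the importer's ability to reverse the identifier even if it is ordered to hand over what it holds.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    """One page view as an analytics tool records it (constructed shape, not Google's schema)."""
    client_id: str  # persistent per-browser cookie value
    ip: str
    path: str


# Constructed sample traffic: two visits from one browser, one from another.
SAMPLE_HITS = [
    Hit("GA1.2.111111.1600000000", "203.0.113.17", "/pricing"),
    Hit("GA1.2.111111.1600000000", "203.0.113.42", "/contact"),
    Hit("GA1.2.222222.1600000001", "198.51.100.9", "/pricing"),
]


def anonymise_ip(ip: str) -> str:
    """Zero the host part of the address.

    Assumption for this example: the "IP anonymisation" setting keeps the first
    three octets of an IPv4 address (a /24) and the first 48 bits of IPv6.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def importer_side_measures(hits: list[Hit]) -> list[Hit]:
    """What the importer applies after receipt: the IP is truncated, the cookie ID is untouched."""
    return [Hit(h.client_id, anonymise_ip(h.ip), h.path) for h in hits]


def browsing_histories(hits: list[Hit]) -> dict[str, list[str]]:
    """Group hits by whatever identifier survived.

    A group with more than one page is a browsing history tied to a single
    visitor: the data is pseudonymous, not anonymous.
    """
    histories: dict[str, list[str]] = {}
    for h in hits:
        histories.setdefault(h.client_id, []).append(h.path)
    return histories


def exporter_side_pseudonymise(hits: list[Hit], exporter_key: bytes) -> list[Hit]:
    """Keyed pseudonymisation applied by the exporter before the hit is sent.

    Hypothetical measure for illustration only; the decision does not prescribe it.
    The key never leaves the exporter, so an order to surrender keys served on the
    importer yields nothing, and without the key the importer cannot map a pseudonym
    back to the cookie value.
    """
    def pseudonym(cookie: str) -> str:
        return hmac.new(exporter_key, cookie.encode(), hashlib.sha256).hexdigest()[:16]

    return [Hit(pseudonym(h.client_id), anonymise_ip(h.ip), h.path) for h in hits]


if __name__ == "__main__":
    after_importer = importer_side_measures(SAMPLE_HITS)
    print("Importer-side measures:", browsing_histories(after_importer))
    after_exporter = exporter_side_pseudonymise(SAMPLE_HITS, b"key-kept-by-the-exporter")
    print("Exporter-side measures:", browsing_histories(after_exporter))
```

Run as a script, the first line printed still shows a two-page history under the original cookie value, which is the point the authority made about IP anonymisation. The second line shows the same history under a pseudonym the importer cannot reverse; note that the history itself is still there, so the data remains pseudonymous rather than anonymous, which is why full anonymisation is listed above as the other route.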
The French Council of State (“Conseil d’Etat”) had already opened the door to such possibilities (see here).
If you are using Google Analytics, the safest way to be GDPR compliant at the moment is to switch to a European analytics tool. However, that is easier said than done … Google LLC will surely make the necessary changes to ensure Google Analytics does not transfer data to the US.
If you have any question, do not hesitate to contact Arnaud Blanc, French & UK qualified lawyer based in France.