On December 22, 2021, the Austrian Data Protection Authority (DSB) found that medical news company, NetDoktor, violated Europe’s General Data Protection Regulation (GDPR) by using Google LLC’s popular data analytics platform, Google Analytics (GA), on its website, which resulted in the transfer of personal information from Europe to Google’s servers located in the United States (U.S.). Such transfers are generally prohibited unless an adequate level of data protection exists pursuant to Article 44 of the GDPR, including through European Commission-approved standard contractual clauses (SCCs). The complaint that resulted in the decision was filed just one month after Schrems II, a decision by the Court of Justice of the European Union that invalidated the EU-U.S. Privacy Shield Framework (see our prior alert) ― previously used by many small and mid-sized companies to facilitate cross-border data transfers from Europe to the U.S. ― but generally upheld the use of SCCs for transfers. NetDoktor’s reliance on outdated SCCs and supplementary data protection measures (including further contractual, organizational and technical measures) were deemed inadequate protections against possible U.S. government surveillance. This decision highlights the importance of making sure that there is adequate protection for cross-border data transfers, including against possible government access. It also emphasizes that organizations should understand what data they are collecting, whether directly or through vendors, where that data is being stored (particularly if cloud services are used), and whether measures to protect and anonymize data are effective. Notably, the dismissal of the complaint against Google as the processor of the data also provides guidance on the limitations of service provider or recipient liability for violations of the GDPR.
GA collects, analyzes and reports website traffic and visitor activity that can facilitate targeted marketing. This traffic includes pages visited, clicks, login details, user preferences and browser details, among other information. Google’s analytic products are popular and, according to a 2021 survey published by Statista and Datanyze, account for over 70% of the web analytics software market share. Many website building platforms come with GA pre-installed, causing some website owners to collect users’ data without even knowing it.
Personal Data Defined
The case was brought by an individual who visited NetDoktor’s website while logged into his Google account. Like countless other websites, NetDoktor allowed GA to place a cookie on the complainant’s device to track his activity. GA then assigned a unique identification number to his browser in order to keep track of what data belonged to the complainant. Once the complainant’s NetDoktor activity was recorded, GA transferred the data to U.S.-based servers where it was combined with other user data to produce analytic reports.
Google insisted that this entire process is anonymous. GA employs IP masking technology and only generates aggregated, anonymous reports for its users. The DSB found, however, that the IP anonymization feature was not properly implemented, and GA’s unique identification numbers could be used to identify specific users. It was irrelevant that additional information may be required by Google to do so. Since the DSB determined that the data was not truly anonymous, it held that NetDoktor was transferring personal information to the U.S.
Data Exporters Bear the Burden of Compliance with GDPR’s Cross-Border Data Transfer Requirements
Notably, the DSB dismissed the complaint against Google, finding that data recipients have limited responsibility under the cross-border data transfer provisions of the GDPR. Thus, the onus is on website owners and data exporters to understand and limit how and where vendors store personal data. The DSB, however, intends to investigate Google and may issue a separate decision under the GDPR’s data processor requirements.
Use of SCCs to Facilitate Cross-Border Data Transfers
The DSB also held that because Google is considered an electronic communications service provider under U.S. law, it is subject to surveillance by the U.S. government. The DSB noted that the U.S. government could use GA data to specifically identify individuals, despite NetDoktor’s and Google’s supplementary security measures (e.g., published data security policies, encryption and security for physical infrastructure).
Thus, the legacy SCCs could not guarantee an adequate level of protection for personal data transfers and could not be used to lawfully transfer data to the U.S.
The DSB did not impose a fine on NetDoktor, as proceedings to determine fines are separate under Austrian administrative law. Further, the decision does not contemplate a potential penalty, nor has the DSB signaled that it will issue a penalty in the future. At least for now, the decision only serves as a word of caution to companies that transfer data from the European Economic Area (EEA) to the U.S. NetDoktor may appeal the decision, but has not done so at the time of this writing.
Other European nations are taking a closer look at GA as well. On January 26, 2022, the Norwegian Data Protection Authority (Datatilsynet) announced its support of the DSB’s decision and noted that the Datatilsynet was currently assessing the legality of GA in one of its own cases. The Danish Data Protection Agency has also announced that it would issue guidance based on the DSB’s ruling, emphasizing the need for uniform application of the GDPR across the EEA.
The Schrems II decision and DSB ruling, among other things, highlight the complicated issues surrounding cross-border data transfers. The DSB ruling, however, provides some clarity on a few topics:
- If a website is accessible in the EEA, the use of GA may expose website owners to fines under the GDPR. Depending on the severity of the violation, these fines can reach €20 million per violation, or 4% of a company’s worldwide annual revenue from the preceding year, whichever is higher.
- European data protection authorities remain skeptical of U.S. data protection practices, especially when it comes to preventing U.S. intelligence agencies from accessing personal information. Indeed, European authorities are urging U.S. lawmakers to adopt a comprehensive, federal privacy framework in line with the GDPR.
- Organizations should comply with the most recent guidance and documents provided by the European Data Protection Board and data protection authorities instead of relying on outdated information, such as the legacy SCCs at issue in this case.
- Although this decision addresses only GDPR provisions that specifically impose obligations on data exporters relating to cross-border data transfers, data processors are nonetheless required to comply with their own GDPR obligations.
For more information on this topic, please contact a member of the Data Security & Privacy Practice Team or the Phillips Lytle attorney with whom you have a relationship. Our attorneys have a wealth of experience handling cross-border data transfer issues and are available to assess your website to determine whether your company is in compliance with the GDPR and other privacy authorities.
 DSB (Austria) – 2021-0.586.257 (D155.027).
 These legacy SCCs were adopted by the European Commission in 2010, but have since been replaced by the current SCCs effective June 27, 2021. Companies who entered into data processing agreements before the latest SCCs came into effect have until December 27, 2022 to transition to the new SCCs.