Transfer of Personal Data and the Use of Google Analytics: Austrian Data Protection Authority's Decision

The Austrian Data Protection Authority has given a decision on the use of Google Analytics. The authority decided that the use of the relevant service by the website in question violates "Schrems II" decision by the Court of Justice of the European Union ("CJEU").

Austria – first one out

By way of background, in 2020, CJEU invalidated the Privacy Shield framework, which was set up to allow for transfer of personal data from the European Union to the United States. As a result, European entities can no longer transfer personal data to the United States on the basis of the Privacy Shield. As there is no adequacy decision for transfers to the United States, transfers can take place "only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available" (GDPR Art. 46/1).

Following the Schrems II decision, NOYB – European Centre for Digital Rights ("NYOB") submitted 101 complaints in thirty (30) EU/EEA states in relation to European websites which have continued to use cookies and services which transfer personal data to the United States for processing, despite CJEU's ruling. The Austrian Data Protection Authority is the first one to rule on these complaints.

In its decision, the authority determined that the European website in question has been, by using Google Analytics, transferring European users' personal data to the United States. Upon evaluating the standard contractual clauses and the supplementary measures taken by the controller and the processor (including use of encryption and assessment and notification processes for data requests from public authorities), the Authority concluded that the contractual clauses and additional measures did not ensure an adequate level of protection and therefore, the transfer constituted a violation under the GDPR.

As for Google, the Austrian authority ruled that the GDPR applies to the European entities exporting the data outside of the union and not to the recipients in the United States. NOYB is considering whether to appeal the authority's finding with respect to Google.

What will this mean for Norway?

It is important to note that the Austrian Data Protection Authority's decision does not have direct legal effect in Norway. Therefore, for the companies in Norway, the Norwegian Data Protection Authority's position on use of statistics and analysing tools remains valid.

For now, the Norwegian Data Protection Authority indicates that companies that use tools such as Google Analytics must anonymize the IP addresses that are collected, and inform the users about what the information is used for. Moreover, collected data should only be used for statistical purposes and the companies should not collect more information than is necessary for this purpose. However, we expect that the Norwegian Data Protection Authority will follow the same path as the Austrian one, and it is worth noting that they recommend Norwegian companies to look for alternatives to Google Analytics.

Concerns over the use of tools such as Google Analytics are obviously heightened in light of NOYB's complaints and the Austrian authority's decision. We recommend all entities to keep up to date with developments, rules and guidelines in their own jurisdictions to ensure compliance.

Wikborg Rein has extensive experience and expertise in data protection and privacy compliance. Please contact our partner Gry Hvidsten for assistance on use of cookies, transfer rules and for other privacy related questions.