Transfer of Personal Data and the Use of Google Analytics: Austrian Data Protection Authority's Decision

Austrian Data Protection Authority decided that the use of Google Analytics violates the transfer rules under the GDPR.

The Austrian Data Protection Authority has given a decision on the use of Google Analytics. The authority decided that the use of the relevant service by the website in question violates "Schrems II" decision by the Court of Justice of the European Union ("CJEU").

Austria – first one out 

By way of background, in 2020, CJEU invalidated the Privacy Shield framework, which was set up to allow for transfer of personal data from the European Union to the United States. As a result, European entities can no longer transfer personal data to the United States on the basis of the Privacy Shield. As there is no adequacy decision for transfers to the United States, transfers can take place "only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available" (GDPR Art. 46/1).

Following the Schrems II decision, NOYB – European Centre for Digital Rights ("NYOB") submitted 101 complaints in thirty (30) EU/EEA states in relation to European websites which have continued to use cookies and services which transfer personal data to the United States for processing, despite CJEU's ruling. The Austrian Data Protection Authority is the first one to rule on these complaints.

In its decision, the authority determined that the European website in question has been, by using Google Analytics, transferring European users' personal data to the United States. Upon evaluating the standard contractual clauses and the supplementary measures taken by the controller and the processor (including use of encryption and assessment and notification processes for data requests from public authorities), the Authority concluded that the contractual clauses and additional measures did not ensure an adequate level of protection and therefore, the transfer constituted a violation under the GDPR.

As for Google, the Austrian authority ruled that the GDPR applies to the European entities exporting the data outside of the union and not to the recipients in the United States. NOYB is considering whether to appeal the authority's finding with respect to Google.

What will this mean for Norway?

It is important to note that the Austrian Data Protection Authority's decision does not have direct legal effect in Norway. Therefore, for the companies in Norway, the Norwegian Data Protection Authority's position on use of statistics and analysing tools remains valid. 

For now, the Norwegian Data Protection Authority indicates that companies that use tools such as Google Analytics must anonymize the IP addresses that are collected, and inform the users about what the information is used for. Moreover, collected data should only be used for statistical purposes and the companies should not collect more information than is necessary for this purpose. However, we expect that the Norwegian Data Protection Authority will follow the same path as the Austrian one, and it is worth noting that they recommend Norwegian companies to look for alternatives to Google Analytics.

Concerns over the use of tools such as Google Analytics are obviously heightened in light of NOYB's complaints and the Austrian authority's decision. We recommend all entities to keep up to date with developments, rules and guidelines in their own jurisdictions to ensure compliance.

Wikborg Rein has extensive experience and expertise in data protection and privacy compliance. Please contact our partners Line Coll and Gry Hvidsten for assistance on use of cookies, transfer rules and for other privacy related questions.

Co-author: Trainee Ekin Ersvaer

Read our latest articles on data protection

  • Data Protection, Technology and digitalisation

    2022

    Line Coll will be the new Director of the Data Protection Authority

    Our Partner and dear colleague Line Coll will be the new Director-General of the Norwegian Data Protection Authority. We are very proud and will miss her a lot!

  • Data Protection, Technology and digitalisation

    2022

    Transfer of Personal Data and the Use of Google Analytics: Austrian Data Protection Authority's Decision

    Austrian Data Protection Authority decided that the use of Google Analytics violates the transfer rules under the GDPR.

  • Data Protection, Technology and digitalisation

    2021

    New Draft Decision's Potential Impact on GDPR's Strict Consent Rules

    The Irish Data Protection Commissioner's new draft decision has received significant attention. The decision relates to the legal basis of processing under the GDPR and it is criticised by many for giving entities a by-pass from GDPR's strict rules. In this article, Wikborg Rein looks into the draft decision and evaluates what it might mean for the application of the GDPR in the future.