What the Austrian DPA ruled:
The Austrian Data Protection Authority declared that websites using Google Analytics are breaching GDPR due to personal data transfers to the US company. This represents one of the most impactful rulings for EU businesses so far following the Schrems II case.
The ruling provides a clear ban to US providers and it could be very impactful for EU businesses and public organizations. The pervasiveness of US cloud and tech providers is so high, that transitioning to other providers or adding security measures could cost billions of Euros and years of work.
What does this mean to companies dealing with personal data?
So far the ban of US cloud providers happened only in specific cases, such as the DVG law in Germany for Digital Therapeutics (DTx or DiGA) reimbursement. The ban focused only on personal health data transfers.
However, the recent enforcement from Austrian DPA, goes far beyond health data, and states that sharing pseudonymous data points (ie. the Google Analytics trackers) from a health focused site called netdoktor.at, represents a breach.
In addition, this case provides clear indications for DPAs to apply (very strictly) the ban of US providers if you haven't taken any preventive measures.
What can you do now?
What are the options left to application providers:
- The safest option is to look for alternatives provided by EU companies, or for solutions that allow you to have local deployments and thus avoid personal data transfers.
But if the above is not a viable option, then you should consider:
- Implementing additional organizational safeguards such as Transfer Impact Assessment (TIAs).
- Implementing additional technical safeguards such as encryption, pseudonymization, and correct key management.
- Documenting everything in your Risk Assessment or Data Protection Impact Assessment (DPIA).
Not sure how any of this is done? No worries, we are here to help. You can book a free assessment here.
More about the ruling
As a reminder, it’s been almost 2 years since the Court of Justice (CJEU) declared personal data transfers to US companies illegal (Schrems II case and the cancellation of the Privacy Shield), but it took a long time to see some real enforcements by Data Protection Authorities (DPA).
In this particular case, the Austrian DPA found that pseudonymous data transfers of analytics trackers represent a breach because the data is considered personal and it could be accessed by US security agencies to re-identify and track EU individuals.
The problem is related to legal entities and not data location and processing. In other words, it doesn’t matter whether Google processes data in the EU or if it transfers data abroad. Google is still subject to FISA, and therefore must oblige to US enforcement agencies and provide your data if requested.
Google claimed that their data centers provide enough security and that data is very pseudonymized, but the DPA argued that data trackers are used for the purpose of tracking users’ behaviour, so they are connected to single users by definition. In addition even though Google’s databases can be secure, the data transfers are still subject to US spying and large scale monitoring revealed by Snowed and part of FISA regulations.
However, there is a huge gap between the privacy standards in the EU and the US, and the Snowden revelations made it clear that it’s very hard to reconcile the two continents to ensure that the EU citizens' privacy is protected.
The only reasonable solution, in addition to changing providers, is to apply additional legal and technical safeguards as suggested by the EU Data Protection Supervisory Board (EDPB).
For many companies, handling compliance can be both a daunting and expensive requirement. Usually, the easiest answer is to rely on external expertise and experience, who is always on par with EU legislation and how it affects businesses like yours.
If you would like to learn more about the impacts for your business and possible solutions, you can book a free assessment here.