AKI (Estonia) - 12.10.2023

From GDPRhub
AKI - 101 Complaint (12.10.2023)
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 44 GDPR
Article 60 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 12.10.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 101 Complaint (12.10.2023)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: AKI (Estonia) (in EN)
Initial Contributor: mg

The Estonian DPA upheld a complaint filed by noyb and declared that the controller transferred personal data to the U.S. without any legal basis under the GDPR. The controller was ordered to stop the processing.

English Summary

Facts

This decision stems from one of the 101 complaints filed by the NGO noyb in 2020.

On 12 August 2020, the data subject visited the controller’s website, which made use of Google Analytics tools. Therefore, personal data were transferred to the U.S. at the moment of the visit. The data subject claimed that, following the CJEU judgement in case C-311/18 (‘Schrems II’) invalidating the Commission’s Privacy Shield, the transfer occurred without any valid legal basis.

The complaint was originally lodged with the Austrian DPA, which transferred the file to the Estonian one, considering the latter to be the Leading Supervisory Authority (LSA) in the case at issue. The controller indeed had its main establishment in Estonia.

The Estonian DPA started an investigation in the context of Article 60 GDPR.

Holding

The Estonian DPA found that the controller unlawfully transferred personal data to a third country. In particular, none of the legal bases of Chapter V GDPR could be used for the transfer.

As a matter of fact, Google – the data recipient – qualified as a provider of electronic communications services under US law and was therefore subject to disclosure obligations in case of request by the American secret services. As established by the CJEU in the ‘Schrems II’ judgement, this practice was not in line with EU data protection guarantees. The Standard Contractual Clauses ('SCC') implemented by the controller and Google were not sufficient to compensate for this lack of protection from access by public authorities.

Thus, the DPA ordered the controller to stop the processing.

The controller removed Google Analytics from its website and the DPA decided not to take further measures.

Comment

It took the Estonian DPA more than 3 years to decide on this complaint.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

PROTECTION OF PRIVACY AND TRANSPARENCY OF THE STATE

                                                            FOR INTERNAL USE
                                                            Holder of information: Data Protection Inspectorate
                                                            Notation made: 13.07.2022
                                                            The access restriction shall be valid until: 13.07.2097
                                                            35 lg 1 p 1235(1)12 of the AvTS § 35 lg 1 p 3, AvTS §





Notice of termination of proceedings in a personal data protection case



    1. The factual circumstances

The Data Protection Inspectorate (the Inspectorate) received a complaint from XXXXXXXXX
(the applicant), represented through My Privacy is None of Your Business (noyb), concerning
the transfer of the applicant’s personal data to the United States by AllePal OÜ (the data
controller) and the violation of the general data transfer principles. The leading supervisory
authority for the complaint is the Estonian Data Protection Inspectorate, as the controller has
its place of business in the Republic of Estonia.

On 12 August 2020, at 11:44 a.m., the applicant visited the controller’s website
https://www.kuldnebors.ee. He was logged in to his Google account at the time of his visit,
which is linked to the applicant’s email address XXXXXXXXXXXXXXX. The controller had
added the Javascript code for Google services (including Google Analytics) to its website.

During the visit to the page, the controller processed the applicant’s personal data (at least the
applicant’s IP address and cookie data). Some of this data was transferred to Google. Under
Section 10 of the Google Advertising Services Data Processing Agreement [1], the Data
Controller agrees that Google may process personal data, inter alia, in the United States. A
legal basis is required for such transfers, which is in line with Articles 44 et seq. of the
General Data Protection Regulation (GDPR). According to the applicant, the controller had no
legal basis for transferring the data to the United States.

    2. Conduct of the proceedings and reasons for the inspection


On 3 June 2021, the Supervisory Authority commenced surveillance proceedings in order to
investigate more closely the circumstances related to the infringement and sent an inquiry to
the controller on 10 June 2021, to which the controller replied on 19.7.2021.

The Data Controller explained that it will use the tool on the basis of standard terms and
conditions concluded with Google, which include, inter alia, a data processing agreement
under which Google may not process personal data for its own purposes or those of third
parties. In addition, the controller considered that the IP address could not be regarded as
personal data for the controller (and also Google) in the present case, in the absence of
additional legal means to identify a particular person on the basis of the IP address. The
controller also confirmed that, as a rule, it will not transfer personal data to Google, but that,
to the limited extent that personal data may be transferred, appropriate safeguards are
provided in accordance with the GDPR.

The Supervision Authority did not agree with the explanations provided by the controller and
justified its position as follows.

— The applicant’s personal data were exported to Google LLC, 1600 Amphitheatre
Parkway, Mountain View, CA 94043, because the controller used Google Analytics on
the website www.kuldnebors.ee and, in the case of that export, the standard data
protection clauses concluded between the controller and Google LLC do not guarantee
the same level of protection as Article 44 of the GDPR, because:

    i)  Google LLC is a provider of electronic communications services within the
        meaning of Section 4 of Title 50 of the U.S. Code [2] and, under Title 50, Section 1881a
        of the U.S. Code, it is supervised by the US Secret Services; and

    ii) The additional measures taken by Google LLC in addition to the standard data
        protection clauses do not protect the applicant’s personal data against access by the
        American secret services;

— Consequently, no other legislation in Chapter V of the GDPR can be relied on and,
consequently, the controller undermined the level of protection of the applicant’s
personal data guaranteed to it by Article 44 of the GDPR.

[1] Google Advertising Services Data Processing Agreement — Available:
https://business.safety.google/adsprocessorterms/

Tatari tn 39/10134 Tallinn/627 4135/ info@aki.ee / www.aki.ee
Registry code 70004235

According to the Inspectorate, both the controller and Google LLC have different elements to
distinguish between the visitors of the website www.kuldnebors.ee. Although unique
identifiers do not in themselves make individuals identifiable, it has to be taken into account
that in this case (and in general for the technology industry as a whole), these unique
identifiers can be combined with additional elements. Additional elements in this case
include, but are not limited to, the specific website visited by the person, the metadata of the
browser and operating system, the date and time of the visit to the website, the IP address, etc.

The controller cannot rely on any of the provisions of Chapter V of the GDPR for the transfer of
the applicant’s personal data, namely its unique identifiers, its IP address and the browser and
metadata to Google LLC in the United States.

The Data Protection Inspectorate required the Data Controller to bring the data processing
into line with Articles 44 et seq. of the GDPR, in particular by suspending the processing
related to the current version of Google Analytics within one month (by 28 April 2022) on the
basis of which personal data is transferred to Google LLC.

26.04.2022 The controller confirmed to the Supervision Authority that the Google Analytics
tool has been removed from the website. The Inspectorate verified the withdrawal of the tool
from the controller’s website after the controller informed the Inspectorate of it. As the
violation has been eliminated, the Supervision Authority will therefore terminate the
supervision proceedings in this case.


This notice of termination may be challenged within 30 days by submitting either:

— an appeal pursuant to the Administrative Procedure Act to the Director General of the Data
Protection Inspectorate, or

— an appeal under the Code of Administrative Court Procedure before the administrative
court (in this case, the challenge in the same case can no longer be examined).


With respect
(signed digitally)



Lawyer
under the authority of the Director General



[2] U.S. Code, i.e. U.S. law — Available: https://uscode.house.gov/
