BVwG - W245 2252208-1/36E and W245 2252221-1/30E
|Relevant Law:|Article 44 GDPR; Article 46(2)(c) GDPR|
|Parties:|Österreichischen Datenschutzbehörde (Austrian data protection authority)|
|National Case Number/Name:|W245 2252208-1/36E & W245 2252221-1/30E|
|European Case Law Identifier:||
|Original Source:|Bundesverwaltungsgericht Republik Österreich (in German)|
|Initial Contributor:|Norman Aasma|
The use of Google Analytics by an Austrian website was declared unlawful by the Austrian Federal Administrative Court. The Court also held that Chapter V of the GDPR does not apply to Google US, the data importer.
English Summary
Facts
This case concerns a judicial review of a 2021 decision of the Austrian DPA (Datenschutzbehörde - DSB). The decision originally stemmed from a complaint filed by the NGO noyb, following the CJEU judgement in case C-311/18 ("Schrems II").
The Austrian DPA found that the use of Google Analytics by an Austrian website led to the transfer of personal data to the US in violation of Chapter V of the GDPR. At the same time, the supervisory authority ruled that Chapter V of the GDPR sets out obligations only for the data exporter - in the present case, the Austrian website - and not for the data importer - Google LLC.
Google LLC appealed the decision. Google stated that the transfers were lawful as they relied on Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR. It also claimed to have adopted a "risk-based approach" to the transfers, by implementing technical and organisational measures aimed at mitigating the risks to Europeans' data protection rights.
The data subject also appealed the decision, arguing that Chapter V of the GDPR applies to data importers, too.
Holding
In addressing the controller's appeal, the court confirmed that the data transfer to Google LLC was unlawful.
Referring to the CJEU judgement in case C-311/18, the court held that SCCs can be considered effective only as long as - on their own or in combination with additional technical and organisational measures - they are able to compensate for the risks taken by a data exporter when transferring data to third countries. If the data exporter is not able to meet these requirements, data transfers are unlawful and shall not take place.
With regard to the present case, the court found that even though Google had implemented certain organisational and technical measures, these were not sufficient to prevent US intelligence agencies from accessing Europeans' personal data. As a matter of fact, Google's own report indicated that the number of requests made by such agencies was actually very high.
Assessing Google's organisational measures, the court noted that a contractual obligation to inform the data exporter about an access request by a public authority was not sufficient to address the risks to data subjects' fundamental rights. In case of emergency, US law enables public authorities to order the controller not to share with third parties information about the disclosure. In addition, and above all, Europeans have no effective legal remedy against unlawful disclosure. The publication of a transparency report by Google did not solve the issue, either.
As far as technical measures were concerned, the court stressed that encryption was not an effective tool. Under US law, Google is obliged to provide the requesting authority not only with the transferred data, but also with the encryption keys needed to decipher it. More generally, the court explicitly clarified that Chapter V of the GDPR is incompatible with the "risk-based approach" envisaged by Google. As a matter of fact, a "business-friendly interpretation" of the GDPR did not play any role in C-311/18 and was thus inadmissible.
As far as the data subject's appeal was concerned, the court dismissed the data subject's arguments. The court upheld the Austrian DPA's interpretation that Chapter V of the GDPR applies only to the data exporter, and not to the data importer. The court stressed that obligations stemming from Chapter V of the GDPR should not be confused with the contractual obligations binding the data importer in the context of SCCs or other private law agreements with the data exporter.
Comment
The data subject expressed their willingness to appeal the decision before the Austrian Supreme Administrative Court.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.