DSB (Austria) - 2021-0.586.257 (D155.027)
|DSB (Austria) - 2021-0.586.257 (D155.027)|
|Relevant Law:||Article 4(1) GDPR|
Article 4(2) GDPR
Article 4(7) GDPR
Article 4(8) GDPR
Article 5 GDPR
Article 44 GDPR
Article 46(1) GDPR
Article 46(2)(c) GDPR
Article 51(1) GDPR
Article 57(1)(d) GDPR
Article 57(1)(f) GDPR
Article 77(1) GDPR
Article 80(1) GDPR
Article 93(2) GDPR
§ 18 Abs 1 Austrian Data Protection Act (Datenschutzgesetz - DSG)
§ 24 Austrian Data Protection Act (Datenschutzgesetz - DSG)
|Parties:||website visitor and Google user (data subject and complainant)|
Austrian website provider (data exporter and respondent #1)
Google LLC (data importer and respondent #2)
|National Case Number/Name:||2021-0.586.257 (D155.027)|
|European Case Law Identifier:||unknown|
|Original Source:||noyb.eu (in DE)|
The Austrian DPA held that the use of Google Analytics by an Austrian website provider led to transfers of personal data to Google LLC in the U.S. in violation of Chapter V. of the GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
Background[edit | edit source]
About a month after the "Schrems II ruling" by the CJEU (CJEU - C-311/18 - Schrems II) the NGO noyb filed 101 complaints regarding data transfers from EEA based websites to Google LLC and Facebook Inc. in the U.S (see here and here). In order to coordinate the work of all involved DPAs, the EDPB created a special task force. The Austrian DPA (Datenschutzbehörde - DSB) now issued the first decision on one of these 101 complaints.
Website visit and data transfer to Google LLC[edit | edit source]
On 14.08.2020, the data subject visited a website on health topics hosted by an Austrian company while logged into his personal Google account. The website used Google Analytics, a tool provided by Google LLC used to measure and track website use. According to the website provider and Google LLC, the website controller qualifies as controller (Article 4(7) GDPR) and Google LLC as processor (Article 4(8) GDPR) for data processing in connection with Google Analytics. Furthermore, according to the privacy documents provided on the website or included via hyperlink, the website provider and Google LLC entered into standard contractual clauses under Article 46(2)(c) GDPR (Commission Decision2010/87 of 05.02.2010; SCCs) as a mechanism for transfers of personal data with regard to Google Analytics.
On 18.08.2020, the data subject (represented by noyb) filed a complaint with the DSB against both the website provider (in its role as data exporter) and Google LLC (in its role as data importer), arguing that both respondents violated Articles 44 et. seqq. GDPR in light of the "Schrems II" ruling by transferring their personal data to Google LLC. As Google LLC qualifies as "electronic communication service provider" under 50 U.S. Code § 1881(b)(4), it is subject to surveillance by U.S. intelligence services and can be ordered to disclose data of European citizens - such as the data subject - to them.
In the course of the procedure, which took almost one and a half years and included the exchange of multiple submissions between the parties, the respondents essentially argued that even if there had been a data transfer to Google LLC in the U.S., the transferred data do not qualify as personal data under Article 4(1) GDPR as they could not be assigned to the data subject. Furthermore, the respondent argued that they had put sufficient additional measures in place in case of an actual transfer of personal data. Lastly, they brought forward the argument that Chapter V GDPR and the concluded SCCs follow a "risk based approach" and that there was a very low risk of the data subject actually having been subject to U.S. surveillance. Google LLC in particular also argued that Chapter V. GDPR only applied to the data exporter (i.e. the entity actually transferring the data to a third country) but not to Google LLC in its role as mere data importer.
Holding[edit | edit source]
On Google LLC[edit | edit source]
In its decision, the DSB mostly followed the data subject's arguments and waived most of the objections raised by the respondents. However, with regard to Google LLC, the DSB held that Chapter V. of the GPPR only imposes legal duties on the data exporter but not on the data recipient. Consequently, the DSB dismissed the complaint against Google LLC, but declared that it will conduct an ex officio investigation and issue a separate decision on the question if Google LLC violated Articles 5 et seqq. GDPR in connection with Article 28(3)(a) and Article 29 GDPR.
On the website provider[edit | edit source]
The DSB fully upheld the complaint with regard to the website provider. It held that:
- the website had transferred the data subject's personal data to Google LLC on 14.08.2020, including user identifiers, IP address and browser parameters;
- The SCCs concluded between the respondents do not offer an adequate level of protection, because
- Google LLC qualifies as as "electronic communication service provider" under 50 U.S. Code § 1881(b)(4) and is subject to surveillance by US intelligence services and
- any additional safeguards which have been put into place in addition to where insufficient as they could not prevent US intelligence services from accessing the data subject's personal data.
- the website provider could not rely on other transfer mechanisms under Chapter V. of the GDPR. Consequently, the website provider failed to provide an adequate level of protection within the meaning of Articles 44 et seqq. GDPR.
In its legal reasoning, the DSB pointed out the following aspects in particular:
- The DSB considered itself competent under Article 55(1) GDPR. The fact that Google LLC argued that Google Analytics was allegedly provided by Google Ireland Ltd since April 2021 was not considered relevant, as the violation occurred in August 2020.
- IP addresses and online identifiers qualify as personal data under Article 4(1) GDPR, especially because they allow to single out a data subject within the meaning of recital 26 of the GDPR. It is sufficient that the data subject can be identified; an actual identification is not necessary.
- It is irrelevant that the website provider might require additional information from Google LLC in order to identify the data subject. According to CJEU 20.12.2017, C-434/16 and 19.10.2016, C‑582/14, there is no requirement that all the information enabling the identification of the data subject must be in the hands of one person.
- The fact that Google allows user to opt in and out of personalized ads shows that Google LLC possesses all means to identify the data subject.
On the supplementary measures[edit | edit source]
Google relies on the SCCs and so-called "supplementary measures" or "technical and organizational measures", but neither respondent showed the existence of additional measures that would provide an adequate level of protection within the meaning of Articles 44 et seqq. GDPR together with the concluded SCCs. Google LLC in particular had tried to frame basic technical and organisational measures under Article 32 GDPR as "additional measures" (see submission of Google here, at page 23), which were rejected by the DSB as irrelevant in relation to US surveillance laws (see decision, page 37 and 38).
Comment[edit | edit source]
This decision is the first DPA decision following noyb's 101 complaints regarding EEA-US data transfers. The EDPB formed a "task force" on these cases to come to similar decisions in the EEA. Further decisions are expected soon. For details see here and here.
Further Resources[edit | edit source]
Share blogs or news articles here!