DSB (Austria) - 2021-0.586.257 (D155.027)

From GDPRhub
DSB (Austria) - 2021-0.586.257 (D155.027)
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 4(7) GDPR
Article 4(8) GDPR
Article 5 GDPR
Article 44 GDPR
Article 46(1) GDPR
Article 46(2)(c) GDPR
Article 51(1) GDPR
Article 57(1)(d) GDPR
Article 57(1)(f) GDPR
Article 77(1) GDPR
Article 80(1) GDPR
Article 93(2) GDPR
§ 18 Abs 1 Austrian Data Protection Act (Datenschutzgesetz - DSG)
§ 24 Austrian Data Protection Act (Datenschutzgesetz - DSG)
Type: Complaint
Outcome: Partly Upheld
Decided: 22.12.2021
Published:
Fine: None
Parties: website visitor and Google user (data subject and complainant)
Austrian website provider (data exporter and respondent #1)
Google LLC (data importer and respondent #2)
National Case Number/Name: 2021-0.586.257 (D155.027)
European Case Law Identifier: unknown
Appeal: Unknown
Original Language(s): German
Original Source: noyb.eu (in DE)
Initial Contributor: n/a

The Austrian DPA held that the use of Google Analytics by an Austrian website provider led to transfers of personal data to Google LLC in the U.S. in violation of Chapter V. of the GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

Background[edit | edit source]

About a month after the "Schrems II ruling" by the CJEU (CJEU - C-311/18 - Schrems II) the NGO noyb filed 101 complaints regarding data transfers from EEA based websites to Google LLC and Facebook Inc. in the U.S (see here and here). In order to coordinate the work of all involved DPAs, the EDPB created a special task force. The Austrian DPA (Datenschutzbehörde - DSB) now issued the first decision on one of these 101 complaints.

Website visit and data transfer to Google LLC[edit | edit source]

On 14.08.2020, the data subject visited a website on health topics hosted by an Austrian company while logged into his personal Google account. The website used Google Analytics, a tool provided by Google LLC used to measure and track website use. According to the website provider and Google LLC, the website controller qualifies as controller (Article 4(7) GDPR) and Google LLC as processor (Article 4(8) GDPR) for data processing in connection with Google Analytics. Furthermore, according to the privacy documents provided on the website or included via hyperlink, the website provider and Google LLC entered into standard contractual clauses under Article 46(2)(c) GDPR (Commission Decision2010/87 of 05.02.2010; SCCs) as a mechanism for transfers of personal data with regard to Google Analytics.

On 18.08.2020, the data subject (represented by noyb) filed a complaint with the DSB against both the website provider (in its role as data exporter) and Google LLC (in its role as data importer), arguing that both respondents violated Articles 44 et. seqq. GDPR in light of the "Schrems II" ruling by transferring their personal data to Google LLC. As Google LLC qualifies as "electronic communication service provider" under 50 U.S. Code § 1881(b)(4), it is subject to surveillance by U.S. intelligence services and can be ordered to disclose data of European citizens - such as the data subject - to them.

In the course of the procedure, which took almost one and a half years and included the exchange of multiple submissions between the parties, the respondents essentially argued that even if there had been a data transfer to Google LLC in the U.S., the transferred data do not qualify as personal data under Article 4(1) GDPR as they could not be assigned to the data subject. Furthermore, the respondent argued that they had put sufficient additional measures in place in case of an actual transfer of personal data. Lastly, they brought forward the argument that Chapter V GDPR and the concluded SCCs follow a "risk based approach" and that there was a very low risk of the data subject actually having been subject to U.S. surveillance. Google LLC in particular also argued that Chapter V. GDPR only applied to the data exporter (i.e. the entity actually transferring the data to a third country) but not to Google LLC in its role as mere data importer.

Holding[edit | edit source]

On Google LLC[edit | edit source]

In its decision, the DSB mostly followed the data subject's arguments and waived most of the objections raised by the respondents. However, with regard to Google LLC, the DSB held that Chapter V. of the GPPR only imposes legal duties on the data exporter but not on the data recipient. Consequently, the DSB dismissed the complaint against Google LLC, but declared that it will conduct an ex officio investigation and issue a separate decision on the question if Google LLC violated Articles 5 et seqq. GDPR in connection with Article 28(3)(a) and Article 29 GDPR.

On the website provider[edit | edit source]

The DSB fully upheld the complaint with regard to the website provider. It held that:

  • the website had transferred the data subject's personal data to Google LLC on 14.08.2020, including user identifiers, IP address and browser parameters;
  • The SCCs concluded between the respondents do not offer an adequate level of protection, because
    • Google LLC qualifies as as "electronic communication service provider" under 50 U.S. Code § 1881(b)(4) and is subject to surveillance by US intelligence services and
    • any additional safeguards which have been put into place in addition to where insufficient as they could not prevent US intelligence services from accessing the data subject's personal data.
  • the website provider could not rely on other transfer mechanisms under Chapter V. of the GDPR. Consequently, the website provider failed to provide an adequate level of protection within the meaning of Articles 44 et seqq. GDPR.

In its legal reasoning, the DSB pointed out the following aspects in particular:

  • The DSB considered itself competent under Article 55(1) GDPR. The fact that Google LLC argued that Google Analytics was allegedly provided by Google Ireland Ltd since April 2021 was not considered relevant, as the violation occurred in August 2020.
  • IP addresses and online identifiers qualify as personal data under Article 4(1) GDPR, especially because they allow to single out a data subject within the meaning of recital 26 of the GDPR. It is sufficient that the data subject can be identified; an actual identification is not necessary.
  • It is irrelevant that the website provider might require additional information from Google LLC in order to identify the data subject. According to CJEU 20.12.2017, C-434/16 and 19.10.2016, C‑582/14, there is no requirement that all the information enabling the identification of the data subject must be in the hands of one person.
  • The fact that Google allows user to opt in and out of personalized ads shows that Google LLC possesses all means to identify the data subject.

On the supplementary measures[edit | edit source]

Google relies on the SCCs and so-called "supplementary measures" or "technical and organizational measures", but neither respondent showed the existence of additional measures that would provide an adequate level of protection within the meaning of Articles 44 et seqq. GDPR together with the concluded SCCs. Google LLC in particular had tried to frame basic technical and organisational measures under Article 32 GDPR as "additional measures" (see submission of Google here, at page 23), which were rejected by the DSB as irrelevant in relation to US surveillance laws (see decision, page 37 and 38).

Comment[edit | edit source]

This decision is the first DPA decision following noyb's 101 complaints regarding EEA-US data transfers. The EDPB formed a "task force" on these cases to come to similar decisions in the EEA. Further decisions are expected soon. For details see here and here.

Further Resources[edit | edit source]

Share blogs or news articles here!

Barichgasse 40-42
A-1030 Wien
Tel.: +43-1-52152 302565
E-Mail: official in charge

official in charge: [REDACTED]

Case: D155.027 
2021-0.586.257

zH NOYB - European Center for Digital Rights
[REDACTED]
Goldschlagstraße 172/4/3/2
1140 Wien

Data protection complaint (Art. 77 (1) DSGVO)
[REDACTED]/1. [REDACTED] Verlags GmbH (formerly: [REDACTED]at GmbH), 2. Google LLC

(101 Dalmatians)

by e-delivery/email [REDACTED].

PARTIAL DECISION

ORDER

The data protection authority decides on the data protection complaint of [REDACTED] (complainant) of 18. August 2020, represented by NOYB - European Center for Digital Rights, Goldschlagstraße 172/4/3/2, 1140 Vienna, ZVR: 1354838270, against 1) Verlags GmbH (formerly: [REDACTED]at GmbH) (first respondent), represented by [REDACTED] and 2) Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (second respondent), represented by [REDACTED] for a violation of the general principles of data transfer pursuant to Article 44 GDPR as follows:

1. the decision of the data protection authority of 2 October 2020, no. D155.027, 2020-0.527.385, is repealed.

2. the complaint against the first respondent is upheld and it is found that

a) the first respondent, as the responsible party, by implementing the "Google Analytics" tool on its website at www.[REDACTED]at, transmitted personal data of the complainant (these are at least unique user identification numbers, IP address and browser parameters) to the second respondent at least on August 14, 2020, 

(b) the standard data protection clauses concluded by the first respondent with the second respondent do not provide an adequate level of protection pursuant to Article 44 GDPR, since

(i) the Second Respondent qualifies as an electronic communications service provider within the meaning of 50 U.S. Code § 1881(b)(4) and, as such, is subject to surveillance by U.S. intelligence agencies pursuant to 50 U.S. Code § 1881a ("FISA 702"); and

(ii) the measures taken in addition to the standard data protection clauses set forth in item 2.(b) are not effective because they do not eliminate the possibility of surveillance and access by U.S. intelligence agencies,

c) in the present case, no other instrument pursuant to Chapter V of the GDPR can be used for the data transfer referred to in item 2.a) and the first respondent has therefore not ensured an adequate level of protection pursuant to Art. 44 GDPR for the data transfer referred to in item 2.a).

3) The complaint against the respondent to the second complaint on the grounds of a violation of the general
principles of data transfer pursuant to Art. 44 GDPR is dismissed. 

Legal basis: Art. 4 (1), (2), (7) and (8), Art. 5, Art. 44, Art. 46 (1) and (2) (c), Art. 51 (1), Art. 57 (1) (d) and (f), Art. 77 (1), Art. 80 (1) and Art. 93 (2) of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), OJ. No. L 119, 4.5.2016 p. 1; Sections 18(1) and 24(1), (2)(5) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999, as amended; Section 68(2) of the General Administrative Procedure Act 1991 (AVG), Federal Law Gazette 51/1991, as amended. 

REASONS

A. Submission of the parties and course of proceedings

A.1 In his submission of August 18, 2020, the complainant submitted the following in summary:

He had visited the website of the first respondent at www.[REDACTED]at/ on August 14, 2020, at 10:45 a.m.. During the visit, he had been logged into his Google account, which was linked to the complainant's email address, [REDACTED]. The first respondent had embedded HTML code for Google services (including Google Analytics) on its website. In the course of the visit, the first respondent had processed personal data, namely at least the IP address and cookie data of the complainant. In the process, some of these data had been transmitted to the second respondent. Such data transfer required a legal basis pursuant to Art. 44 et seq. of the GDPR.

Following the ECJ's judgment of July 16, 2020, Rs C-11/18 ("Schrems II"), the respondents could no longer rely on an adequacy decision ("Privacy Shield") under Article 45 GDPR for a data transfer to the US. The first respondent would also not be allowed to base the data transfer on standard data protection clauses if the third country of destination does not ensure adequate protection of personal data transferred on the basis of standard data protection clauses in accordance with Union law. The Second Respondent qualifies as an electronic communications service provider within the meaning of 50 U.S.Code § 1881(b)(4) and, as such, is subject to surveillance by U.S. intelligence agencies pursuant to 50 U.S.Code § 1881a ("FISA 702"). Second Respondent actively provides personal information to the U.S. Government pursuant to 50 U.S.Code § 1881a.

As a result, the Respondents are unable to provide adequate protection of the Complainant's personal information when the Complainant's information is transferred to the Second Respondent. The transfer of the complainant's data to the USA was unlawful. Several enclosures were attached to the complaint.

A.2 In its statement of December 16, 2020, the first respondent submitted the following in summary:

The first respondent was only domiciled in Austria. It was responsible for the decision to embed the tool on the [REDACTED]at website. The tool is used to enable general statistical evaluations of the behavior of website visitors. However, the tool does not allow the content to be adapted to a specific website user, as the evaluation is carried out anonymously and no reference to a specific user is made possible. User IP addresses are also anonymized before storage or transmission ("IP anonymization"). The so-called user agent string is used to inform the server of the system specification with which the user is accessing the server. Only the device, operating system and operating system version, browser and browser version, and the device type would be displayed without any personal reference. In the best case, an assignment to a specific device would be possible, but never to a specific person using the device. The anonymous statistics are processed predominantly in data centers in Europe, but also by the second respondent on servers outside the EEA.

If the GDPR is applicable, the first respondent is the controller and the second respondent is the processor. A processor agreement had been concluded. Since no personal data would be transferred, the judgment of the ECJ of July 16, 2020 in Case C311/18 was not applicable. However, in order to take precautions for a possible transfer of personal data to the second respondent - e.g., in the event that IP anonymization is deactivated due to a data breach - the first respondent had concluded a processor agreement with the second respondent, as well as included standard data protection clauses (SDK). This had been implemented purely as a precautionary measure. The second respondent had implemented further technical and organizational measures to provide a high level of data protection for the data processed via the tools. Several enclosures were attached to the Opinion. 

A.3 In its Opinion of January 22, 2021, the complainant submitted the following in summary:

In the case of a processor in a third country, a breach of anonymization is not enforceable or ascertainable. When in doubt, 50 U.S.C § 1881a applies, not an advertising blurb on Google's website. The personal data processed first would only be anonymized subsequently in a second step. This anonymization, which may have occurred after the transfer, would not affect the prior processing. The opinion contains a more detailed technical description at this point.

Apart from that, the complainant did not only rely on the processing of his IP address, but also of other personal data, such as cookie data. At the time of the website visit, he was logged into his private Google account. Google" cookies had been set. In order to prevent a violation of Art. 44 et seq. of the GDPR, a complete removal of the tool was necessary and a change to another tool without data transfer to the USA was recommended. If the first respondent is convinced that no personal data is processed, the conclusion of order processing conditions is absurd. Several enclosures were attached to the statement. 

A.4 In its statement of April 9, 2021, the second respondent submitted its responses to the questionnaire of the data protection authority.

A.5 In its statement of May 4, 2021, the first respondent submitted the following in summary regarding the second respondent's statement of April 9, 2021:

The first respondent was only using the free version of Google Analytics. In doing so, it had agreed to both the terms of use and the SDK. In doing so, neither the Google Analytics 4 version had been implemented nor the data release setting had been activated. The code had been embedded with the anonymization function. The second respondent was only used as a processor. The first respondent issued the instructions via the settings of the Google Analytics user interface and via the global website tag. Google Signals is not used. The first respondent does not have its own authentication system and does not use a user ID function. Currently, it does not rely on the exception of Article 49 (1) of the GDPR. 

A.6 In its statement of May 5, 2021, the complainant submitted the following in summary regarding the statement of the second respondent of April 9, 2021:

The complaint was directed against the first and second respondents. Google Ireland Limited was not a party to the proceedings. The data protection authority is directly responsible for the second respondent, which violated Art. 44 et seq. of the GDPR. As a processor, the second respondent is the norm addressee of Chapter V of the GDPR. The second respondent disputes that all data collected by Google Analytics is hosted in the USA.

At least some of the cookies set on the occasion of the website visit on August 14, 2020 would contain unique user identification numbers. In the transaction between the complainant's browser and https://tracking.[REDACTED]at, which was started on the specified date, the user identification numbers "_gads", _"ga" and "_gid" were set. These numbers were subsequently transmitted to https://www.google-analytics.com/. The numbers are "online identifiers" which serve to identify natural persons and can be specifically assigned to a user. With regard to the IP address, it should be noted that Chapter V of the GDPR does not provide for any exceptions for "subsequently anonymized data". It had to be assumed that the complainant's IP address had not even been anonymized in all transactions. The request for the imposition of a fine was withdrawn; this was now a suggestion.

A.7 In its statement of June 10, 2021, the second respondent submitted the following in summary: 

The complainant's right to bring an action had not been established, as it had not been proven that the data transmitted constituted personal data of the complainant. The cookies in question were first party cookies that had been set under the domain [REDACTED]at. They were therefore cookies of the first and not of the second respondent. Accordingly, they were not unique Google Analytics cookie IDs per user, which were used on several websites that used Google Analytics. A user had different cid numbers for different websites. It was not established that the numbers at issue would make the complainant identifiable. At this point, the submission contains further technical explanations regarding the cookies used. With regard to the IP address, it had to be examined whether the IP address of the device connected to the Internet could actually be attributed to the complainant and whether the controller or "another person" had the legal means to obtain connection owner information from the provider in question.

As a processor, the second respondent provided the website operator with numerous configuration options of Google Analytics. Based on the information received, it should be noted that the first respondent had configured Google Analytics as indicated. Due to a possible configuration error, the first respondent had not activated the IP anonymization function in all cases. Under normal operating conditions and as far as users based in the EU are concerned, a web server is located in the EEA, which is why the IP anonymization is generally performed within the EEA. In the present case, normal operating conditions existed.

On August 14, 2020, the [REDACTED] account enabled the Web & App Activities setting. However, the account had not opted to include activities from websites that used Google services. According to the First Respondent, since the First Respondent had also not enabled Google Signals, the Second Respondent would not be able to determine that the user of the [REDACTED] account had visited that website.

With regard to international data traffic, it should be noted that - even assuming that the data were personal data of the complainant - they were limited in terms of quantity and quality. To the extent that the data transferred qualified as personal data at all, it would also be pseudonymous data. Standard contractual clauses had been concluded with the first respondent, and additional measures had been implemented. The second respondent does not disclose user data pursuant to EO 12333. FISA § 702 was irrelevant in the present case in view of the encryption and anonymization of IP addresses. Art. 44 et seq. of the GDPR could not be the subject of a complaint procedure pursuant to Art. 77(1) of the GDPR, and the complaint should therefore be rejected in this respect. Articles 44 et seq. of the GDPR are also not applicable with regard to the second respondent as data importer.

A.8 In its comments of June 18 and 24, 2021, the first respondent submitted the following in summary:

As part of an asset deal, the website www.[REDACTED]at was transferred to [REDACTED] GmbH in Munich with effect from February 1, 2021. Subsequently, the first respondent was renamed from [REDACTED]at GmbH to [REDACTED] Verlags GmbH. In addition, the first respondent had instructed the second respondent to immediately delete all data collected via the Google Analytics properties. The configuration error in connection with the IP anonymization function had been corrected. In the meantime, the second respondent had confirmed the final deletion of all data, and an enclosure was submitted as proof. It is suggested that the proceedings be discontinued pursuant to Section 24 (6) of the Austrian Data Protection Act.

A.9 In its comments of July 9, 2021, the second respondent submitted the following in summary:

According to the European Data Protection Board (EDSA), an adequacy assessment is not limited to an examination of the legal provisions of the third country, but must also take into account all specific circumstances of the transfer at issue. This was relevant for the case at hand. Pseudonymization is an effective supplementary measure here - in accordance with the EDSA guidelines. It was not to be expected that US authorities would have additional information that would enable them to identify the data subjects behind the first party cookie values "gid" and "cid" or behind an IP address. The complainant had also not requested a finding that his rights had been violated in the past. 

A.10. In comments dated July 9, 2021, the complainant submitted, in summary, the following:

There had been a processing of personal data, this had been proven, inter alia, by the enclosures submitted. If it was ultimately only a prerequisite for the identification of a website visitor whether he or she made certain declarations of intent in his or her account (such as the activation of "ad personalization"), all possibilities of identifiability would be available for the second respondent. Otherwise, the second respondent would not be able to comply with a user's wishes expressed in the account settings for "personalization" of the advertising information received.

The UUID (Universally Unique Identifier) in the _gid cookie with the UNIX timestamp 1597223478 had been set on Wednesday, August 12, 2020 at 11:11 and 18 seconds CET, those in the cid cookie with the UNIX timestamp 1597394734 on Friday, August 14, 2020 at 10:45 and 34 seconds CET. It followed from this that these cookies had already been used prior to the visit that was the subject of the complaint and that longer-term tracking had also taken place. To his knowledge, the complainant had not immediately deleted these cookies and had also repeatedly visited the website [REDACTED]at.

The second respondent fails to take into account the broad understanding of the GDPR when assessing the existence of personal data. The actual IP address used was also no longer ascertainable for the complainant. However, this is irrelevant, as there is a clear personal reference in the cookies via the UUID anyway. In particular, the combination of cookie data and IP address allows tracking and the evaluation of geographical localization, Internet connection and context of the visitor, which can be linked to the cookie data already described. However, this would also include data such as the browser used, the screen resolution or the operating system ("device fingerprinting").

What is more relevant in the context of the complaint is that U.S. authorities use data that is easy for intelligence agencies to determine, such as the IP address, as a starting point for monitoring individuals. It was the standard procedure of intelligence agencies to "shimmy on" from one date to another. If, for example, the complainant's computer repeatedly appeared on the Internet via the IP address of [REDACTED], this could be used to spy on the work of [REDACTED] and to target the complainant. In a further step, other identifiers would then be searched for in the data, such as the aforementioned UUIDs, which in turn would allow the individual to be identified for surveillance elsewhere. In this context, U.S. intelligence services are therefore "other persons" within the meaning of recital 26 of the GDPR. The Complainant works [REDACTED] but also has a relevant role in these efforts as a model complainant. Thus, under U.S. law, surveillance of the Complainant under 50 USC § 1881a (as well as of all other persons entrusted with this complaint) is legally possible at any time. Even applying the supposed "risk-based approach," the case at issue was a prime example of high risk.

The e-mail address [REDACTED] had to be assigned to the complainant, who had used the last name [REDACTED] until a marriage. However, the old Google account was still being used. It was not explained to what extent the indisputably available data was linked, evaluated or the result of an evaluation was only not displayed to the user.

Furthermore, Chapter V of the GDPR does not know a "risk-based approach". This can only be found in certain articles of the GDPR, such as Art. 32 leg.cit. The new standard contractual clauses in the Implementing Decision (EU) 2021/914 are not relevant to the facts of the case due to their lack of temporal validity. A "transfer" is not a unilateral act of a data exporter, every "transfer" also requires a receipt of the data. Accordingly, Chapter V of the GDPR is also applicable to the second respondent, it is a joint action of data exporter and importer.

Even if the respondent had not violated Art. 44 et seq. of the GDPR, the provisions pursuant to Art. 28(3)(a) and Art. 29 of the GDPR had to be taken into account as a "catch-all provision". If the second respondent complies with a corresponding instruction from a U.S. intelligence agency, it thereby makes the decision to process personal data beyond the first respondent's specific order pursuant to Art. 28 and Art. 29 GDPR and the corresponding contractual documents. This would make the second respondent itself the controller pursuant to Art. 28(10) GDPR. As a result, the second respondent must also comply with the provisions of Art. 5 et seq. of the GDPR. A secret transfer of data to U.S. intelligence services in accordance with U.S. law would undoubtedly not be compatible with Art. 5(1)(f) GDPR, Art. 5(1)(a) GDPR and Art. 6 GDPR.

A.9 In its final submission of August 12, 2021, the Second Respondent submitted in summary the following: 

The complainant had not established its legitimacy to lodge a complaint. He had not answered any questions raised by the second respondent regarding the identifiability of his person on the basis of the IP address. With regard to the _gid number and cid number, it should be noted that no directory existed in order to make the complainant identifiable. However, the fact that recital 26 of the GDPR mentions "segregation" as a possible means of identification does not change the understanding of the words "identify" or "identification" or "identifiability".

The identifiability of the complainant presupposed at least that his identification was possible on the basis of the data in question and by means that were likely to be used according to general discretion. This had not been established and could not be assumed and, on the contrary, was even unlikely, if not impossible. Also, the fact that the second respondent had entered into processor agreements did not mean that the data that were the subject of these proceedings were personal data, nor did it mean that they were the complainant's data.

The complainant's view that the transfer of data was not to be assessed according to a risk-based approach ("all-or-nothing") could not be accepted. This was not in line with the GDPR and had to be seen against Recital 20 of the European Commission's Implementing Decision (EU) 2021/914. Likewise, this is evident from the different versions of EDSA Recommendation 01/2020. Even if access to the above-mentioned numbers by U.S. authorities was "legally possible at any time", it had to be examined how likely this was. The Complainant has not presented any convincing arguments as to why or how the "cookie data" related to his visit to a publicly accessible, and widely used, Austrian website such as the one at issue is "foreign intelligence information" and thus could become a target of the purpose-restricted data collection under Section 702. 

B. Subject Matter of the Complaint

Based on the complainant's submissions, it can be seen that the subject matter of the complaint is, in any event, the question

- whether the first respondent, by implementing the Google Analytics tool on its website www.[REDACTED]at, transmitted personal data of the complainant to the second respondent and,

- whether an adequate level of protection pursuant to Art. 44 GDPR was ensured for this data transfer.

In this context, it must also be clarified whether, in addition to the first respondent (as data exporter), the second respondent (as data importer) was also obliged to comply with Art. 44 GDPR.

It is not necessary to rule on the request to impose an immediate ban on data transfers to the second respondent against the first respondent (as the responsible party), since - as will be explained below - the responsibility for operating the website www.[REDACTED]at was transferred to [REDACTED] GmbH, headquartered in Munich, in the course of the complaint proceedings (although only after the data transfer relevant to the complaint). With regard to the imposition of such a ban, the data protection authority would have to take the case to the competent German supervisory authority.

Likewise, there is no need to rule on the application for the imposition of a fine, as this was withdrawn by the complainant in its statement of May 5, 2021, and this is now to be understood as a suggestion.

Finally, it should be noted that the partial decision at issue does not address the alleged violations of the second respondent pursuant to Art. 5 et seq. in connection with Art. 28 Par. 3 lit. a and Art. 29 GDPR. In this regard, further investigative steps are necessary and will be discussed in a further decision. 

C. Findings of Fact

C.1 The first respondent was in any case the website operator of www.[REDACTED]at on August 14, 2020. The Austrian version of [REDACTED] is an information portal on the subject of health. The website www.[REDACTED]at is only offered in German. The first respondent did not operate any other versions of the website www.[REDACTED]at in the EU. Furthermore, the first respondent is only based in Austria and has no other branches in other EU countries. For Germany, there is a German version of [REDACTED] at www.[REDACTED]de, which, however, was not operated by the first respondent.

Evaluation of evidence regarding C.1: The findings made are based on the statement of the first respondent dated December 16, 2020 (questions 1 to 3) and were not disputed by the complainant in this respect.

C.2. As of February 1, 2021, the website www.[REDACTED]at was transferred to [REDACTED] GmbH, based in Munich, as part of an asset deal. Subsequently, the first respondent was renamed from [REDACTED]at [REDACTED] GmbH to [REDACTED] Verlags GmbH. The first respondent managed the website www.[REDACTED]at for [REDACTED] GmbH until August 2021. Since August 2021, the first respondent has no longer been the operator of www.[REDACTED]at and also no longer makes the decision as to whether the Google Analytics tool is used. 

Evaluation of evidence regarding C.2: The findings made are based on the statement of the first respondent dated June 18, 2021 and were not disputed by the complainant. In addition, the findings are based on an official search by the data protection authority in the company register for Zl. FN [REDACTED].

C.3 The second respondent developed the Google Analytics tool. Google Analytics is a measurement service that enables customers of the Second Respondent to measure traffic characteristics. This includes measuring the traffic of visitors who visit a specific website. This allows tracking the behavior of website visitors and measuring how they interact with a specific website. Specifically, a website owner can create a Google Analytics account to view reports about the website using a dashboard. Similarly, Google Analytics can be used to measure and optimize the effectiveness of advertising campaigns that website owners run on Google ad services.

There are two versions of Google Analytics: a free version and a paid version called Google Analytics 360. In any case, the free version was made available by the second respondent until the end of April 2021. Since the end of April 2021, both Google Analytics versions have been provided by Google Ireland Limited. 

Evaluation of evidence regarding C.3: The findings made are based on the second respondent's statement of April 9, 2021 (p. 3 as well as questions 1 and 2) and were not disputed by the complainant in this respect. 

C.4 The first respondent - as the website operator - in any case made the decision on the cut-off date of August 14, 2020 to use the free version of the Google Analytics tool for the website www.[REDACTED]at. For this purpose, it has incorporated a JavaScript code ("tag") provided by the second respondent into the source code of its website. The first respondent used the tool to enable general statistical analyses of the behavior of website visitors. The additional tool Google Signals was not activated. 

In any case, these evaluations are used by the first respondent to present the content of the website www.[REDACTED]at according to the general interest in the topic in such a way that the channels that are most in demand are given priority and the presentation can be adjusted according to the topicality of a specific topic. The first respondent created a Google Analytics account for this purpose. The Google Analytics account ID with the account name [REDACTED] is [REDACTED]. The first respondent can perform the above analyses by logging into the [REDACTED] Google Analytics account and viewing reports on traffic from www.[REDACTED]at in the dashboard. The reports are divided into the categories real-time, target group, acquisition, behavior and conversions. The first respondent can select user-defined defaults for the report generation; the second respondent has no influence on this. The Second Respondent also has no influence on the extent to which the First Respondent subsequently uses the reports created.

The dashboard is excerpted as follows (formatting not reproduced 1:1): 

[REDACTED]

Evaluation of evidence regarding C.4: The findings made are based on the submission of the first respondent dated December 16, 2020 and were not disputed by the complainant. The screenshots cited were taken from Exhibits ./1 and ./10; the presentation of the reporting version is set out in detail in Exhibit ./1.

C.5 The Google Analytics tool works as follows: When visitors view the website www.[REDACTED]at, JavaScript code inserted in the source code of the website refers to a JavaScript file previously downloaded to the user's device, which then performs the tracking operation for Google Analytics. The tracking operation retrieves data about the page request by various means and sends this information to the Analytics server via a list of parameters attached to a single pixel GIF image request.

The data collected using Google Analytics on behalf of the website operator comes from the following sources:

- The user's HTTP request;
- Browser/system information;
- (first-party) cookies.

An HTTP request for any website contains details about the browser and computer making the request, such as host name, browser type, referrer, and language. In addition, the browser DOM interface (the interface between HTML and dynamic JavaScript) provides access to more detailed browser and system information, such as Java and Flash support and screen resolution. Google Analytics uses this information. Google Analytics also sets and reads first-party cookies on a user's browsers that allow it to measure user session and other information from the page request. 

When all of this information is collected, it is sent to the Analytics servers in the form of a long list of parameters sent to a single GIF image request (the meaning of the GIF request parameters is described here) to the google-analytics.com domain. The data contained in the GIF request is that which is sent to the Analytics servers and then further processed, ending up in the website operator's reports.

On the secondary respondent's information page on the Google Analytics tool, the following information can be found in excerpts (formatting not reproduced 1:1, retrieved on December 22, 2021): 

[begin screenshot]

gtag.js and analytics.js (Universal Analytics) - cookie usage

The analytics.js JavaScript library or the gtag.js JavaScript library can be used for Universal Analytics. In both cases, the libraries use first-party cookies to:

- Distinguish unique users
- Throttle the request rate

When using the recommended JavaScript snippet cookies are set at the highest possible domain level. For example, if your website address is blog.example.co.uk , analytics.js and gtag.js will set the cookie domain to .example.co.uk. Setting cookies on the highest level domain possible allows measurement to occur across subdomains without any extra configuration.

* Note: gtag.js and analytics.js do not require setting cookies to transmit data to Google Analytics.

gtag.js and analytics.js set the following cookies:

Cookie Name        | Default expiration time | Description
-------------------|-------------------------|--------------------------------------
_ga                | 2 years                 | Used to distinguish users.

_gid               | 24 hours                | Used to distinguish users.

_gat               | 1 minute                | Used to throttle request rate. If Google 
                                               Analytics is deployed via Google Tag 
                                               Manager, this cookie will be named 
                                               _dc_gtm_<property-id>.
    

AMP_TOKEN          | 30 seconds to 1 year    | Contains a token that can be used to 
                                               retrieve a Client ID from AMP Client ID 
                                               service. Other possible values indicate 
                                               opt-out, inflight request or an error 
                                               retrieving a Client ID from AMP Client 
                                               ID service.

_gac_<property-id> | 90 days                 | Contains campaign related information 
                                               for the user. If you have linked your 
                                               Google Analytics and Google Ads accounts, 
                                               Google Ads website conversion tags will 
                                               read this cookie unless you opt-out. 
                                               Learn more.

[end screenshot]

Evaluation of evidence regarding C.5: The findings made are based on the second respondent's statement of April 9, 2021 (question 2) and an official search by the data protection authority at https://developers.google.com/analytics/devguides/collection/gajs/cookie-usage and https://developers.google.com/analytics/devguides/collection/gtagjs/cookies-user-id (both retrieved on December 22, 2021).

C.6 The First and Second Respondents entered into a contract entitled "Order Processing Terms and Conditions for Google Advertising Products". This contract was valid in the version of August 12, 2020 at least on August 14, 2020. The contract governs order processing conditions for "Google advertising products". It applies to the provision of order processing services and related technical support services for customers of the second respondent. The aforementioned contract in the version dated August 12, 2020 (Exhibit ./7) shall form the basis for the findings of fact.

In addition, on August 12, 2020, the First and Second Respondents entered into a second contract entitled "Google Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors." These are standard contractual clauses for international data traffic. The above-mentioned second contract in the version dated August 12, 2020 (Exhibit ./11) also forms the basis for the findings of fact.

With regard to the data categories listed in Annex 1 of the second contract, reference is made to the link https://privacy.google.com/businesses/adsservices/. Under the aforementioned link, the following is displayed in excerpts (red emphasis on the part of the data protection authority, formatting not reproduced 1:1, retrieved on December 22, 2021)

[begin screenshot]

Order data processing terms and conditions:

Order processing services

The following Google services fall within the scope of the Google Advertising Products Order Data Processing Terms:

- Ads Data Hub
- Audience Partner API (formerly known as DoubleClick Data Platform)
- Campaign Manager 360 (former name: Campaign Manager)
- Display & Video 360 (former name: DoubleClick Bid Manager)
- Advanced Conversions
- Google Ads Manager order processing capabilities
- Googel Ads Manager 360 order processor features
- Google Ads customer matching
- Google Ads store sales (direct upload)
- Google Analytics
- Google Analytics 360
- Google Analytics for Firebase
- Google Data Studio
- Google Optimize
- Google Optimize 360
- Google Tag Manager
- Google Tag Manager 360
- Google Search Ads 360 (former name: DoubleClick Search)
Google may update this list in accordance with the terms of the Google Advertising Products Order Processing Terms.

Types of personal data

With respect to the Google Advertising Products Order Data Processing Terms (and depending on which processor services are used under each agreement), the following types of Personal Data may constitute Customer Personal Data.

Processor Services | Types of Personal Data |
-----------------------------------------------------------------------|-------------------------------------|
Ads Data Hub                                              | Online identifiers (including cookie identifiers),
                                                            Internet Protocol addresses and device identifiers,
                                                            customer-assigned identifiers

Audience Partner API (formerly DoubleClick Data Platform) | Online identifiers (including cookie identifiers)
                                                            and device identifiers

Campaign Manager 360 (formerly Campaign Manager)          | Online identifiers (including cookie identifiers),
                                                            Internet Protocol addresses and device identifiers,
                                                            precise location data, client-assigned identifiers 

Display & Video 360                                       | Online identifiers (including cookie identifiers),
                                                            Internet Protocol addresses and device identifiers,
                                                            precise location data, customer-assigned identifiers

Advanced Conversions                                      | Names, email addresses, phone numbers, addresses,
                                                            customer-provided identifiers, online identifiers
                                                            (including internet protocol addresses)

Google Ad Manager Order Processor Features                | Encrypted Signals

Google Ad Manager 360 Order Processor Features            | Encrypted Signals

Google Ads Customer Matching                              | Names, Email Addresses, Addresses and 
                                                            Partner-Provided Identifiers

Google Ads store sales (direct upload)                    | names, email addresses, phone numbers and addresses

Google Analytics                                          | Online identifiers (including cookie identifiers),
                                                            Internet Protocol addresses and device identifiers,
                                                            customer-provided identifiers

Google Analytics 360                                      | Online identifiers (including cookie identifiers),
                                                            Internet Protocol addresses and device identifiers,
                                                            customer-assigned identifiers 

[end screenshot]

In addition to concluding standard contractual clauses, the second respondent has implemented further contractual, organizational and technical measures. These measures supplement the obligations contained in the standard contractual clauses. The measures are described in the Second Respondent's comments of April 9, 2021, Question 28. This description is used as the basis for the findings of fact.

The Second Respondent regularly publishes so-called transparency reports ("Transparency Reports") on data requests from US authorities. These are available at:

https://transparencyreport.google.com/user-data/us-national-security?hl=en

Evaluation of evidence regarding C.6: The findings made are based on the first respondent's statement of December 16, 2020, question 15. The cited enclosures ./7 and ./11 are included in the file and are known to all parties. Furthermore, the findings made are based
findings are based on an official search by the data protection authority at https://privacy.google.com/businesses/adsservices/ (queried on December 22, 2021). The findings made with regard to the "additional measures implemented" result from the second respondent's statement of April 9, 2021 (question 28). The second respondent's statement of April 9, 2021 is included in the file and is known to all parties. The finding with regard to the transparency reports results from an official search by the data protection authority at https://transparencyreport.google.com/user-data/us-nationalsecurity?hl=en (queried on December 22, 2021). 

C.7 In the course of using the Google Analytics tool, the option to use an "IP anonymization function" is offered. In any case, this function was not implemented correctly on www.[REDACTED]at on August 14, 2020.

Evaluation of evidence regarding C.7: The findings made are based on the statement of the first respondent dated June 18, 2021, in which it admits that the "IP anonymization function" mentioned was not implemented properly due to a code error.

C.8. The complainant visited the website www.[REDACTED]at at least on August 14, 2020, at 10:45 am. During the visit, he was logged into his Google account, which is linked to the email address [REDACTED]. The e-mail address belongs to the complainant. The complainant had the last name [REDACTED] in the past.

A Google account is a user account that is used for authentication with various Google online services of the second respondent. For example, a Google account is a prerequisite for using services such as "Gmail" or "Google Drive" (a file hosting service). 

Evaluation of evidence regarding C.8: The findings made are based on the submission of the complainant dated August 18, 2020 (p. 3) and were not disputed by the respondents. The findings made with regard to the basic functions of a Google account are based on an official search by the data protection authority at https://support.google.com/accounts/answer/27441?hl=de and https://policies.google.com/privacy (both retrieved on December 22, 2021). 

C.9. in the transaction between the complainant's browser and https://tracking.[REDACTED]at/, unique user identification numbers were set at least in the cookies "_ga" and _"gid" on August 14, 2020, at 12:46:19.344 CET. Subsequently, on August 14, 2020, at 12:46:19.948 CET, these identification numbers were transmitted to https://www.google-analytics.com/ and thus to the Second Respondent.

Specifically, the following user identification numbers located in the Complainant's browser were transmitted to the Second Respondent (identical values that occurred in different transactions were color-coded orange and green, respectively):

[begin screenshot]
Domain Name Value Purpose
https://tracking.[REDACTED]at/ _ga GA1.2.1284433117.1597223478 Google Analytics
https://tracking.[REDACTED]at/ _gid GA1.2.929316258.1597394734 Google Analytics
https://tracking.[REDACTED]at/ _gads ID=D7767ed5b074d05:T=1597223569:S=ALNI_MZcJ9EjC13lsaY1Sn8Qu5ovyKMhPw Google Advertising
https://www.google-analytics.com/ _gid 929316258.1597394734 Google Analytics
https://www.google-analytics.com/ cid 1284433117.1597223478 Google Analytics 
[end screenshot]

These identification numbers each contain a UNIX timestamp at the end, which indicates when the respective cookie was set. The _gid cookie with the UNIX timestamp "1597394734" was set on Wednesday, August 14, 2020, at 11:11 and 18 seconds CET, and the cid cookie with the UNIX timestamp "1597223478" was set on Friday, August 12, 2020, at 10:45 and 34 seconds CET.

With the help of these identification numbers, it is possible for the respondents to distinguish website visitors and also to obtain the information whether it is a new or a returning website visitor to www.[REDACTED]at.

In addition, the following information (parameters) was in any case also transmitted to the second respondent via the complainant's browser in the course of requests to https://www.google-analytics.com/collect (excerpt from HAR file, request URL https://www.google-analytics.com/collect, excerpt of request with time stamp 2020-08- 14T10:46:19.924+02:00):

General
- Request URL https://www.google-analytics.com/collect
- Request Method GET
- HTTP Version HTTP/2
- Remote Address 172.217.23.14

Headers
- Accept: image/webp,*/*
- Accept-Encoding: gzip, deflate, br
- Accept-Language: en-US,en;q=0.7,en;q=0.3
- Connection: keep-alive
- Host: www.google-analytics.com 
- Referer: https://www.[REDACTED]at/
- TE: Trailers
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0

Query Arguments
- _gid: 929316258.1597394734
- _s: 1
- _u: QACAAEAB~
- _v: j83
- a: 443943525
- cid: 1284433117.1597223478
- en: UTF-8
- dl: https://www.[REDACTED]at/
- dt: [REDACTED]at home page - [REDACTED]
- ea: /
- ec: scroll depth
- el: 25
- gjid:
- gtm: 2wg871PHBM94Q
- ea: 0
- jid:
- ni: 0
- sd: 24-bit
- sr: 1280x1024
- t: event
- tid: UA-259349-1
- ul: en-us
- v: 1
- vp: 1263x882
- z: 1764878454

Size
- Headers 677 bytes
- Body 0 bytes
- Total 677 bytes

From these parameters, it is thus possible to draw conclusions about the browser used, the browser settings, language selection, the website visited, color depth, screen resolution and AdSense link number.

The remote address 172.217.23.14, is that of the second respondent.

The IP address of the complainant's device is transmitted to the second respondent as part of these requests to https://www.google-analytics.com/collect. 

The content of the HAR file (Exhibit ./4), which was submitted by the complainant in its submission of August 18, 2020, will form the basis for the findings of fact. 

Evaluation of evidence regarding C.9: The findings made are based on the complainant's submission of August 18, 2020 and the HAR file, Annex ./4, submitted therein. A HAR file is an archive format for HTTP transactions. The HAR file was reviewed by the data protection authority. The complainant's submission is consistent with the archive data contained therein. The HAR file submitted (or its contents) is known to the parties involved. Furthermore, the findings made are based on the complainant's statement of May 5, 2021 (p. 8 ff) and the screenshots contained therein. As already stated above, according to the second respondent, the purpose of the identification numbers is to distinguish users. The established times of cookie setting are calculated from the respective UNIX time stamps. Unix time is a time definition developed for the Unix operating system and established as a POSIX standard. Unix time counts the elapsed seconds since 00:00 UTC on Thursday, January 1, 1970. The determination with regard to the RemoteAddress results from an official Who-Is query of the data protection authority at https://who.is/whois-ip/ip-address/172.217.23.14 (queried on December 22, 2021). 

C.10. To the extent that the Google Analytics tool is implemented on a website, the Second Respondent has the technical possibility to obtain the information that a certain Google Account user has visited this website (on which Google Analytics is implemented), provided that this Google Account user is logged into the Google Account during the visit. 

Evaluation of evidence regarding C.10.: In his statement of April 9, 2021, the second respondent argued in question 9 that he only receives such information if certain requirements are met, such as the activation of specific settings in the Google account. In the opinion of the data protection authority, this argument is not convincing. Indeed, if the request of a Google account user for "personalization" of the advertising information received can be complied with on the basis of a declaration of intent in the account, then from a purely technical point of view it is possible to receive the information about the website visited by the Google account user. In this context, explicit reference must be made to the accountability under data protection law, which will be discussed in more detail in the context of the legal assessment. For the determination of the facts, this accountability under data protection law means that the respondent (or, in any case, the first respondent as the responsible party) - and not the complainant or the data protection authority - must provide sufficient proof. Such sufficient proof - i.e., that from a technical point of view there is no possibility for the second respondent to obtain data - was not provided in this context, especially since it is precisely an essential part of the concept of Google Analytics to be implemented on as many websites as possible in order to be able to collect data.

C.11. In the course of the proceedings, the first respondent instructed the second respondent to delete all data collected via Google Analytics Properties for the website www.[REDACTED]at. The respondent to the second complaint confirmed the deletion.

Evaluation of evidence regarding C.11.: The findings made are based on the statement of the first respondent dated June 18 and June 24, 2021, as well as the submitted copy of the correspondence between the first and second respondents. 

D. In legal terms, it follows that:

D.1 General

a) On the competence of the data protection authority

The European Data Protection Board (hereinafter: EDSA) has already addressed the relationship between the GDPR and Directive 2002/58/EC ("ePrivacy Directive") (see Opinion 5/2019 on the interaction between the ePrivacy Directive and the GDPR of March 12, 2019).

The data protection authority also addressed the issue in its decision of November 30, 2018, no. DSB-D122.931/0003-DSB/2018, dealt with the relationship between the GDPR and the national implementation provision (in Austria now: TKG 2021, BGBl. I No. 190/2021 as amended).

It was basically stated that the ePrivacy Directive (or the respective national implementation provision) takes precedence over the GDPR as lex specialis. Thus, Art. 95 GDPR states that the Regulation does not impose any additional obligations on natural or legal persons with regard to processing in connection with the provision of publicly available electronic communications services in public communications networks in the Union, insofar as they are subject to specific obligations set forth in the ePrivacy Directive which pursue the same objective. 

However, the ePrivacy Directive does not contain any obligations within the meaning of Chapter V of the GDPR in case of transfer of personal data to third countries or to international organizations.

It should be noted again at this point that the responsibility for operating the website www.[REDACTED]at was only transferred to a German company after the data transfer relevant to the complaint took place on August 14, 2020.

Against this background, the GDPR applies to such a data transfer and the data protection authority is therefore competent to deal with the complaint in question pursuant to Art. 77 (1) GDPR. 

b) Regarding Art. 44 GDPR as a subjective right

Based on the previous practice of the data protection authority and the courts, it should be noted that both the lawfulness of data processing pursuant to Art. 5(1)(a) in conjunction with Art. 6 et seq. of the GDPR and the data subject rights postulated in Chapter III of the Regulation can be asserted as a subjective right in the context of a complaint pursuant to Art. 77(1) of the GDPR.

The transfer of personal data to a third country that does not (allegedly) ensure an adequate level of protection within the meaning of Art. 44 GDPR has not yet been the subject of a complaint in the context of a complaint procedure before the data protection authority.

In this context, it should be noted that Art. 77(1) GDPR (and, incidentally, the national provision of Section 24(1) DPA) only requires that "[...] the processing of personal data relating to them infringes this Regulation" in order to invoke the right of appeal.

The ECJ also assumed in its judgment of July 16, 2020 that the finding that "[...] the law and practice of a country do not ensure an adequate level of protection [...]" as well as "[...] the compatibility of this (adequacy) decision with the protection of privacy and the freedoms and fundamental rights of individuals [...]" in the context of a complaint under Art. 77(1) GDPR as a subjective right (see the ECJ judgment of 16 July 2020, CǦ311/18 para 158).

While it should be noted that the question referred in the aforementioned proceedings did not concern the "scope of the right of appeal under Article 77(1) GDPR", the ECJ obviously considered the fact that a breach of provisions of Chapter V GDPR can also be invoked in the context of a complaint under Article 77(1) GDPR as a necessary condition. If it had been considered otherwise, the ECJ would probably have stated that the question of the validity of an adequacy decision cannot be clarified at all in the context of an appeal procedure.

As far as the second respondent furthermore denies the assertion of Art. 44 GDPR as a subjective right - with reference to the wording of recital 141 leg.cit. - it must be countered that the aforementioned recital is linked to the fact that the "rights under this Regulation" are accessible to a complaint under Article 77(1) of the GDPR (and not, for example, "the rights under Chapter III of this Regulation"). 

Although the term "rights of a data subject" is used in certain places in the GDPR, this does not mean by implication that other norms in which this wording is not chosen cannot also be invoked as a subjective right. Most of the provisions of the GDPR are, on the one hand, an obligation of the controller (and partly of the processor), but on the other hand, they can also be asserted as a subjective right of a data subject. For example, it is undisputed that Art. 13 and Art. 14 GDPR establish a subjective right to information, although the right to information is not defined in Art. 12 para. 2 leg. cit. as "their rights" (i.e., "rights of the data subject") and Art. 13 and Art. 14 GDPR are designed according to the wording as an information obligation of the controller.

The decisive factor is whether a data subject's individual legal position is affected by an alleged infringement. The alleged infringement must therefore have a negative impact on the data subject and affect him or her.

Apart from that, while the recitals are an important tool for interpreting the GDPR, they cannot be used to reach a result that is inconsistent with the text of the regulation (here, as stated above, the fact that the administrative remedy is generally linked to "the processing") (cf. the judgment of the ECJ of 12 May 2005, C-444/03 para. 25 and the further case law cited there).

Finally, also according to the national case law of the Administrative Court, it is to be assumed in case of doubt that norms which prescribe an official procedure also and especially in the interest of the person concerned grant him a subjective right, i.e. a right which can be enforced by way of appeal (cf. e.g. VwSlg. 9151 A/1976, 10.129 A/1980, 13.411 A/1991, 13.985 A/1994).

Against the background of the wording of Art. 77 (1) GDPR and the cited case law of the ECJ and the Administrative Court, it must be noted as an interim result that the obligation for controllers and processors to ensure the level of protection for natural persons guaranteed by the Regulation, which is standardized in Chapter V and in particular in Art. 44 GDPR, can conversely also be asserted as a subjective right before the competent supervisory authority pursuant to Art. 77 (1) GDPR. 

c) The declaratory competence of the data protection authority

According to the case law of the VwGH and the BVwG, the data protection authority has a declaratory competence with regard to violations of the right to secrecy in appeal proceedings (thus explicitly the ruling of the BVwG of May 20, 2021, Zl. W214 222 6349-1/12E; implicitly the finding of the Administrative Court of February 23, 2021, Ra 2019/04/0054, in which the Administrative Court dealt with the determination of a past violation of the obligation to maintain secrecy without addressing the lack of competence of the authority against which the complaint was filed).

There are no factual reasons not to use the declaratory competence pursuant to Art. 58 (6) GDPR in conjunction with Art. 24 (2) No. 5 GDPR and Art. 5 DPA also for the determination of a violation of Art. 44 DPA, since also in the case at hand, among other things a violation of the law in the past - namely a data transfer to the USA - is complained about and the right to complain pursuant to Section 24 (1) DSG - as well as Article 77 (1) DSGVO - is generally linked to a violation of the DSGVO. Indeed, if the award of an official notice in an appeal procedure could exclusively contain instructions pursuant to Art. 58(2) GDPR, there would be no room for Sections 24(2)(5) and 24(5) DPA as a result.

Contrary to the view of the respondents, Section 24 (6) DSG is not applicable to the subject matter of the complaint relevant here, since the complaint concerns a data transfer in the past. In other words, the alleged unlawfulness (here: incompatibility with Art. 44 DPA) of a data transfer that has already been completed is not amenable to a conclusion of proceedings pursuant to Section 24 (6) DPA.

Against the background of the above, it can be stated as a further interim result that the data protection authority has the competence to make a determination in the present appeal proceedings. 

D.2. ruling point 1

As stated, the data protection authority discontinued the proceedings in question by decision of October 2, 2020, Zl. D155.027, 2020-0.527.385, until it is determined which authority is responsible for the substantive conduct of the proceedings (lead supervisory authority) or until a decision is made by a lead supervisory authority or the EDSA.

Based on the current investigation results, it must be noted that there is no cross-border data processing within the meaning of Article 4(23) in conjunction with Article 56(1) of the GDPR with regard to the subject matter of the complaint - a data transfer to the USA in August 2020 - and the "one-stop store" mechanism pursuant to Article 60 of the GDPR therefore does not apply to this: 

Thus, according to the first respondent's own statements (cf. statement of December 16, 2020, question 2), the first respondent is neither established in more than one Member State (data processing within the meaning of Art. 4(23)(a) GDPR in the context of the activities of establishments in more than one Member State can therefore not exist), nor does the data transfer and thus the processing of personal data of the first respondent have a significant impact on data subjects in more than one Member State (Art. 4(23)(b) leg. cit.).

With regard to the effects of the data processing in question, it is clear from the findings of fact that the target audience of the www.[REDACTED]at website relevant here is (primarily) persons resident in Austria, also because there is a separate version for the German audience in the form of the www.[REDACTED]de website. According to the information provided by the first respondent (cf. the statement of December 16, 2020, question 2), the latter was (at least in August 2020) only responsible for the Austrian version of www.[REDACTED]at.

The theoretical possibility that German-speaking persons from a Member State other than Austria can access www.[REDACTED]at does not constitute grounds for the "impact on data subjects in more than one Member State" under Article 4(23)(b) of the GDPR. If this were not the case, any complaint against the operator of a website - regardless of the intended target audience of the website - would have to be dealt with in accordance with the rules under Art. 60 et seq. of the GDPR. This would lead to an overly broad interpretation of Article 4(23)(b) of the GDPR (and consequently to an overly broad scope of application of the "one-stop store"), which - in the opinion of the data protection authority - cannot be intended by the legislator.

Consequently, with regard to the subject matter of the complaint relevant here, the complaint was to be dealt with exclusively by the Austrian data protection authority pursuant to Art. 55(1) GDPR.

Since ex officio decisions from which no right has accrued to anyone can be revoked or amended both by the authority that issued the decision and by the relevant higher authority in the exercise of its supervisory right, and since no right to a non-decision accrues to a party to the proceedings as a result of a stay of proceedings, the above-mentioned decision of October 2, 2020 was amenable to a remedy pursuant to Section 68 (2) AVG. 

D.2. ruling point 2. a)

a) General information on the term "personal data

The material scope of application of Art. 2 (1) GDPR - and thus the success of this complaint - fundamentally presupposes that "personal data" are processed. 

According to the legal definition of Article 4(1) of the GDPR, "personal data means any information relating to an identified or identifiable natural person (hereinafter 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

As can be seen from the findings of fact (see point C.9.), the first respondent - as operator of the website - implemented the Google Analytics tool on its website. As a result of this implementation - i.e. triggered by the JavaScript code executed when visiting the website - at least the following information was transmitted from the browser of the complainant who visited the website www.[REDACTED]at to the servers of the second respondent:

- unique online identifiers ("unique identifiers") that identify both the complainant's browser or device and the first respondent (through the Google Analytics account ID of the first respondent as website operator);

- The address and HTML title of the website and the subpages visited by the complainant;

- Information about the browser, operating system, screen resolution, language selection and the date and time of the website visit;

- the IP address of the device used by the complainant.

It must be verified whether this information falls under the definition of Art. 4 Z 1 DSGVO, i.e. whether it is personal data of the complainant. 

b) Identification numbers as "personal data".

With regard to the online identifiers, it should be recalled once again that the cookies at issue, "_ga" or "cid" (Client ID) and "_gid" (User ID), contain unique Google Analytics identifiers and were stored on the end device or in the browser of the complainant. As stated, it is possible for certain bodies - in this case, for example, the respondents - to distinguish website visitors with the aid of these identification numbers and also to obtain information as to whether they are new or returning website visitors to www.[REDACTED]at. In other words, only the use of such identification numbers makes it possible to distinguish between website visitors, which was not possible prior to this assignment. 

In the opinion of the data protection authority, an infringement of the fundamental right to data protection pursuant to Art. 8 EU-GRC and Art. 1 DSG already exists if certain bodies take measures - in this case the assignment of such identification numbers - to individualize website visitors in this way.

A standard of "identifiability" to the effect that it must also be immediately possible to associate such identification numbers with a specific "face" of a natural person - i.e., in particular with the name of the complainant - is not required (cf. in this regard already Opinion 4/2007, WP 136, 01248/07/DE of the former Art. 29 Data Protection Working Party on the term "personal data" p. 16 f; cf. the March 2019 guidance of the supervisory authorities for telemedia providers, p. 15).

Such an interpretation is supported by Recital 26 of the GDPR, according to which the question of whether a natural person is identifiable takes into account "[...] any means reasonably likely to be used by the controller or by any other person to identify the natural person, directly or indirectly, such as singling out" (English language version of the regulation: "singling out"). The term "singling out" is to be understood as "picking out from a crowd" (cf. https://www.duden.de/rechtschreibung/aussondern, retrieved on December 22, 2021), which corresponds to the considerations on the individualization of website visitors cited above.

In the literature, it is also explicitly argued that a "digital footprint", which allows devices - and subsequently the specific user - to be clearly individualized, already constitutes personal data (cf. Karg in Simitis/Hornung/Spiecker, DSGVO Kommentar Art. 4 Z 1 Rz 52 mwN). This consideration can be applied to the case at hand due to the uniqueness of the identification numbers, especially since - which will be discussed in more detail below - these identification numbers can also be combined with other elements. 

To the extent that the respondents argue that no "means" are used to link the identification numbers at issue here with the person of the complainant, it must again be countered that the implementation of Google Analytics at www.[REDACTED]at results in a segregation within the meaning of Recital 26 of the GDPR. In other words: Anyone who uses a tool that makes such segregation possible in the first place cannot take the position that, according to "general discretion", no means are used to make natural persons identifiable.

As an interim result, it must therefore be noted that the Google Analytics identification numbers at issue here may constitute personal data (in the form of an online identifier) pursuant to Article 4(1) of the GDPR. 

c) Combination with other elements

The fulfillment of Article 4(1) of the GDPR becomes even more apparent if one considers that the identification numbers can be combined with other elements:

By combining all of these elements - i.e., unique identification numbers and the other information listed above, such as browser data or IP address - it is all the more likely that the complainant can be identified (see again Recital 30 of the GDPR). The complainant's "digital footprint" is made even more unique by such a combination.

In this regard, the respondents' arguments around the "anonymization function of the IP address" can be left aside, as the respondents have admitted that this function was not implemented correctly (at the time subject to the complaint) (see, for example, the first respondent's statement of 18 June 2021).

Likewise, the question of whether an IP address in isolation is a personal data can be left open, since - as mentioned - it can be combined with other elements (in particular the Google Analytics identification number). In this context, it should be noted that according to the case law of the ECJ, the IP address can constitute a personal data (cf. the judgments of the ECJ of June 17, 2021, CǦ597/19, para. 102, as well as of October 19, 2016, CǦ582/14, para. 49) and this does not lose its characteristic as a personal data merely because the means of identifiability lie with a third party.

Finally, the data protection authority points out that it is precisely an essential part of the concept of Google Analytics (at least in the free version) to be implemented on as many websites as possible in order to collect information about website visitors. Accordingly, it would be incompatible with the fundamental right to data protection under Article 8 EU-GRC or Section 1 DSG to exclude the applicability of the GDPR to the data processing operations related to the Google Analytics tool - where individual website visitors are individualized on the basis of the Google Analytics identification number. 

d) Traceability to the complainant

Irrespective of the above considerations, however, traceability to the "face" of the complainant - such as his or her name - must be assumed in any case:

It is not necessary that the respondents can establish a personal reference on their own, i.e. that all information required for identification is with them (cf. the ECJ judgments of December 20, 2017, C-434/16, para. 31, as well as of October 19, 2016, C-582/14, para. 43). Rather, it is sufficient that anyone - with legally permissible means and reasonable effort - can establish this personal reference (see Bergauer in Jahnel, DSGVO Kommentar Art. 4 Z 1 Rz 20 mVa Albrecht/Jotzo, Das neue Datenschutzrecht der EU 58).

Such an interpretation of the scope of application of Art. 4(1) GDPR can be derived - in addition to the cited sources of law and literature - from Recital 26 GDPR, according to which not only the means of the controller (here: the first respondent) are to be taken into account in the question of identifiability, but also those of "another person" (English language version of the Regulation: "by another person"). This also follows from the idea of offering data subjects the greatest possible protection of their data.

Thus, the ECJ has repeatedly stated that the scope of application of the GDPR is to be understood "very broadly" (see, for example, the judgments of the ECJ of June 22, 2021, C-439/19, para 61; for the legal situation comparable in this respect, the judgments of December 20, 2017, C-434/16, para 33, as well as of May 7, 2009, C-553/07, para 59).

It is not overlooked that according to Recital 26 of the GDPR, the "likelihood" of anyone using means to directly or indirectly identify natural persons must also be taken into account. In fact, in the opinion of the data protection authority, the term "anyone" - and thus the scope of application of Art. 4 No. 1 GDPR - should not be interpreted so broadly that any unknown actor could theoretically have special knowledge in order to establish a reference to a person; this would lead to almost any information falling within the scope of application of the GDPR and a demarcation from non-personal data would become difficult or even impossible. 

Rather, the decisive factor is whether an identifiability can be established with a justifiable and reasonable effort (cf. in this regard the decision of December 5, 2018, GZ DSB-D123.270/0009-DSB/2018, according to which personal data are not - anymore - present if the controller or a third party can only establish a personal reference with a disproportionate effort).

In the case at hand, however, there are now certain actors who possess special knowledge that makes it possible to establish a reference to the complainant in the sense of the above statements and therefore to identify him.

First of all, this is the second respondent: 

As can be seen from the findings of fact, the complainant was logged in with his Google account [REDACTED] at the time he visited the website www.[REDACTED]at. The second respondent has stated that due to the fact that the Google Analytics tool is implemented on a website, the latter receives information. This includes the information that a certain Google Account user has visited a certain website (see the opinion of April 9, 2021, question 9). 

This means that the second respondent has at least received the information that the Google account user [REDACTED] has visited the website www.[REDACTED]at. 

Thus, even if one takes the view that the online identifiers listed above must be assignable to a certain "face", such an assignment can in any case be made via the complainant's GoogleAccount.

Not to be overlooked are the further statements of the second respondent that for such an allocation certain requirements have to be fulfilled, such as the activation of specific settings in the Google account (cf. again its statement of April 9, 2021, question 9).

However, if - and this has been convincingly explained by the complainant - the identifiability of a website visitor depends only on whether certain declarations of intent are made in the account, all possibilities for identifiability are present (from a technical point of view). Viewed otherwise, the second respondent could not comply with a user's wishes expressed in the account settings for "personalization" of the advertising information received.

In this context, it is necessary to explicitly refer to the unambiguous wording of Article 4(1) of the GDPR, which is linked to a capability ("can be identified") and not to whether an identification is ultimately also made.

Likewise, it must be expressly pointed out that the first respondent - as the responsible party, see below - has an accountability obligation under the GDPR to implement appropriate technical and organizational measures in accordance with Article 5 (2) in conjunction with Article 24 (1) in conjunction with Article 28 (1) of the GDPR in order to ensure and provide evidence that the processing (with the help of a processor) is carried out in accordance with the Regulation. This is therefore an obligation to provide evidence.

This also includes proof that a processing operation is not subject to the Regulation. Such proof was not provided - despite several opportunities to do so.

Irrespective of the second respondent, however, the U.S. authorities must be taken into account - and this is of greater relevance to the case:

As the complainant has just as correctly pointed out, intelligence services in the U.S. take certain online identifiers (such as the IP address or unique identification numbers) as a starting point for monitoring individuals. In particular, it cannot be ruled out that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant. 

The fact that this is not merely a "theoretical danger" is demonstrated by the judgment of the ECJ of July 16, 2020, CǦ311/18, which ultimately also declared the EU-US adequacy decision ("Privacy Shield") invalid due to the incompatibility of such methods and access possibilities of the US authorities with the fundamental right to data protection pursuant to Article 8 EU-GRC.

In particular, this is shown by the transparency report of the second respondent - cited in the findings of fact - which proves that there are data requests from U.S. authorities to the second respondent. In the process, metadata and content data may be requested by the Second Respondent.

While it is not misjudged that it is admittedly not possible for the first respondent to check whether such accesses by US authorities occur in individual cases - i.e. per website visitor - and what information US authorities already possess; conversely, however, this circumstance cannot be held against affected persons, such as the complainant. Thus, it was ultimately the first respondent as (then) website operator who - despite publication of the aforementioned ECJ ruling of July 16, 2020 - continued to use the Google Analytics tool.

As a further interim result, it must therefore be noted that the information cited in the findings of fact under C.9. (at least in combination) constitutes personal data pursuant to Art. 4 Z 1 DSGVO. 

e) Allocation of roles

As already explained, the first respondent, as the website operator, made the decision to implement the "Google Analytics" tool on the website www.[REDACTED]at at the time relevant to the complaint. Specifically, it inserted a JavaScript code ("tag") provided on the part of the second respondent into the source code of its website, whereby this JavaScript code was executed in the complainant's browser when the website was visited. The first respondent has stated in this regard that the said tool is used for the purpose of statistical evaluations of the behavior of website visitors (see statement of December 16, 2020, question 2).

In this way, the first respondent has decided on the "purposes and means" of the data processing in connection with the tool, which is why it is (in any case) to be regarded as a controller within the meaning of Article 4(7) of the GDPR.

As far as the second respondent is concerned, it should be noted that the subject matter of the complaint relevant here relates (only) to the transfer of data to the second respondent in the USA. A possible further data processing of the information cited in the findings of fact under C.9. (by Google Ireland Limited or the second respondent) is not the subject of the complaint and was therefore not addressed.
subject of the complaint and was therefore not investigated in more detail in this direction.

As far as the data processing in connection with the Google Analytics tool is concerned, it should be noted that the second respondent merely makes this tool available and also has no influence on whether and to what extent the first respondent makes use of the tool functions and which specific settings it selects.

Insofar as the second respondent therefore only provides Google Analytics (as a service), it has no influence on the "purposes and means" of the data processing and is therefore to be qualified as a processor in accordance with Article 4(8) of the GDPR.

These considerations are made without prejudice to a further official review procedure pursuant to Art. 58 (1) b of the GDPR and without prejudice to the data protection role of the second respondent with regard to possible further data processing. 

D.3 Heading 2. b)

a) Scope of application of Chapter V of the GDPR

First, it must be verified whether the first respondent is subject to the obligations standardized in Chapter V of the Regulation.

According to Article 44 of the GDPR, any "[...] transfer of personal data already processed or to be processed after their transfer to a third country or an international organization [...] shall only be allowed if the controller and processor comply with the conditions laid down in this chapter and also with the other provisions of this Regulation, including any onward transfer of personal data from the third country or international organization concerned to another third country or international organization. All the provisions of this chapter shall be applied to ensure that the level of protection afforded to natural persons by this Regulation is not undermined."

In "Guidelines 5/2021 on the relationship between the scope of Art. 3 and the requirements for international data flows under Chapter V of the GDPR" (currently still in public consultation), the EDSA has identified three cumulative conditions for when a "transfer to a third country or an international organization" as defined in Art. 44 of the GDPR exists (ibid. para. 7):

- the controller or a processor is subject to the GDPR for the processing in question;

- that controller or processor ("data exporter") discloses, by transmission or otherwise, personal data which are the subject of that processing to another controller, joint controller or processor ("data importer"); 

- the Data Importer is located in a third country or is an international organization, whether or not such Data Importer is subject to the GDPR with respect to the Processing in question pursuant to Article 3.

The first respondent is based in Austria and was the data controller for the operation of the website www.[REDACTED]at at the time subject to the complaint. In addition, the first respondent (as data exporter) disclosed personal data of the complainant by proactively implementing the Google Analytics tool on its website www.[REDACTED]at and as a direct result of this implementation, among other things, a data transfer to the second respondent (to the USA) took place. Finally, the Second Respondent, in its capacity as a processor (and data importer), is located in the United States.

Since all the conditions set forth in the EDSA Guidelines are met, the First Respondent is subject to the provisions of Chapter V of the Regulation as a data exporter.

b) Regulatory framework of Chapter V of the GDPR

Subsequently, it is necessary to verify whether the data transfer to the USA took place in accordance with the provisions of Chapter V of the GDPR.

Chapter V of the Regulation provides three instruments to ensure the adequate level of protection required by Art. 44 GDPR for data transfers to a third country or an international organization:

- Adequacy Decision (Art. 45 GDPR);
- Appropriate safeguards (Art. 46 GDPR);
- Exemptions for specific cases (Art. 49 GDPR). 

c) Adequacy Decision

The ECJ has pronounced that the EU-US adequacy decision ("Privacy Shield") - without maintaining its effect - is invalid (see the judgment of 16 July 2020, CǦ311/18 para 201 f).

The data transfer at issue therefore does not find coverage in Article 45 GDPR.

d) Appropriate safeguards

As can be seen from the findings of fact, on August 12, 2020, the respondents entered into standard data protection clauses (hereinafter: SDK) pursuant to Art. 46(2)(c) of the GDPR for the transfer of personal data to the United States ("Google Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors"). Specifically, at the time under appeal, the clauses in question were those in the version of the Implementing Decision of the European Commission 2010/87/EU of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors in third countries pursuant to Directive 95/46/EC of the European Parliament and of the Council, OJ L 2010/39, p. 5.

In the aforementioned judgment of July 16, 2020, the ECJ stated that SDKs as an instrument for international data flows are not objectionable on the merits, but the ECJ also pointed out that SDKs are by their nature a contract and, accordingly, cannot bind authorities from a third country:

"Accordingly, while there are situations in which the recipient of such a transfer can, in the light of the legal situation and practice in the third country concerned, guarantee the necessary data protection on the basis of the standard data protection clauses alone, there are also situations in which the rules contained in those clauses may not constitute a sufficient means of ensuring, in practice, the effective protection of the personal data transferred to the third country concerned. This is the case, for example, when the law of that third country allows its authorities to interfere with the rights of data subjects with respect to those data" (ibid. para. 126).

However, a more detailed analysis of the legal situation of the USA (as a third country) can be omitted here, as the ECJ has already dealt with this in the cited judgment of July 16, 2020. It came to the conclusion that the EU-US adequacy decision does not ensure an adequate level of protection for natural persons due to the relevant US law and the implementation of official surveillance programs - based, inter alia, on Section 702 of FISA and E.O. 12333 in conjunction with PPD-28 (ibid., para. 180 et seq.).

These considerations can be applied to the case at hand. Thus, it is evident that the Second Respondent qualifies as a provider of electronic communications services within the meaning of 50 U.S.Code § 1881(b)(4) and is thus subject to surveillance by U.S. intelligence agencies pursuant to 50 U.S.Code § 1881a ("FISA 702"). Accordingly, Second Respondent has an obligation to provide personally identifiable information to U.S. authorities pursuant to 50 U.S.Code § 1881a.

As can be seen from the Second Respondent's Transparency Report, such requests are also regularly made to it by U.S. authorities (see https://transparencyreport.google.com/user-data/us-national-security?hl=en, accessed December 22, 2021).

However, if the EU-US adequacy decision has already been declared invalid due to the legal situation in the USA, it cannot be assumed that the (mere) conclusion of SDKs ensures an adequate level of protection pursuant to Art. 44 GDPR for the data transfer in question. 

Against this background, the ECJ also stated in the cited judgment of July 16, 2020 that "[...] standard data protection clauses cannot, by their very nature, provide guarantees that go beyond the contractual obligation to ensure compliance with the level of protection required by Union law [...]" and that it "[...] may be necessary, depending on the situation prevailing in a particular third country, for the controller to take additional measures to ensure compliance with that level of protection" (ibid. para. 133).

Therefore, the data transfer at issue cannot be based solely on the standard data protection clauses concluded between the respondents pursuant to Article 46(2)(c) GDPR. 

e) General information on "additional measures"

In its "Recommendations 01/2020 on measures to supplement transfer tools to ensure the level of protection of personal data under Union law", the EDSA has stated that in case the law of the third country has an impact on the effectiveness of appropriate safeguards (such as SDK), the data exporter must either suspend the data transfer or implement additional measures ("supplementary measures") (ibid. para. 28 et seq. as well as para. 52).

According to the recommendations of the EDSA, such "supplementary measures" within the meaning of the ECJ ruling of July 16, 2020 can be of a contractual, technical or organizational nature (ibid., para. 47):

With regard to contractual measures, it is stated that they "[...] complement and reinforce the safeguards offered by the transfer instrument and the relevant legislation in the third country to the extent that the safeguards, taking into account all the circumstances of the transfer, do not fulfil all the conditions necessary to ensure a level of protection substantially equivalent to that existing in the EU. Since contractual measures, by their nature, generally cannot bind the authorities of the third country if they are not themselves party to the contract, they must be combined with other technical and organizational measures to ensure the required level of data protection. Just because one or more of these measures has been selected and applied does not necessarily mean that it is systematically ensured that the envisaged transfer meets the requirements of Union law (ensuring a substantially equivalent level of protection)" (ibid. para. 93).

Regarding organizational measures, it is stated that they "[...] may be internal policies, organizational methods and standards that controllers and processors might apply to themselves and impose on data importers in third countries. [...] Depending on the specific circumstances of the transfer and the assessment carried out of the legal situation in the third country, organizational measures are necessary to complement the contractual and/or technical measures in order to ensure that the protection of personal data is substantially equivalent to the level of protection ensured in the EU (ibid. para. 122).

Regarding technical measures, it is stated that these are intended to ensure that "[...] access to the transferred data by authorities in third countries does not undermine the effectiveness of the appropriate safeguards listed in Article 46 of the GDPR. Even if the access by authorities is in compliance with the law in the country of the data importer, these measures should be considered if the access by authorities goes beyond what is a necessary and proportionate measure in a democratic society. These measures aim to eliminate potentially infringing access by preventing authorities from identifying data subjects, inferring information about them, identifying them in other contexts, or linking the transferred data to other data sets held by authorities, including data on online identifiers of devices, applications, tools, and protocols used by data subjects in other contexts (ibid. para. 74).

Finally, the EDSA has stated that such "additional measures" are to be considered effective within the meaning of the judgment of 16 July 2020 only "[...] if and to the extent that the measure precisely closes the legal protection gaps identified by the data exporter in its examination of the legal situation in the third country. If it is ultimately not possible for the data exporter to achieve a substantially equivalent level of protection, it may not transfer the personal data" (ibid. para. 70).

Applied to the case at hand, this means that it must be examined whether the "additional measures taken" by the second respondent close the legal protection gaps identified in the context of the ECJ ruling of June 20, 2020 - i.e., the access and surveillance possibilities of U.S. intelligence services. 

f) "Additional Measures" of the Second Respondent.

The second respondent has now implemented various measures in addition to the conclusion of the SDK (see its statement of April 9, 2021, question 28).

With regard to the contractual and organizational measures outlined, it is not apparent to what extent notifying the data subject of data requests (should this be permissible at all in individual cases), publishing a transparency report or a "guideline for handling government requests" are effective in the sense of the above considerations. Similarly, it is unclear to what extent "careful consideration of any data access request" is an effective measure, given that the ECJ pronounced in the aforementioned judgment of June 20, 2020 that permissible (i.e., legal under U.S. law) requests from U.S. intelligence agencies are not compatible with the fundamental right to data protection under Article 8 of the EU CFR.

Insofar as the technical measures are concerned, it is likewise not discernible - and was also not comprehensibly explained on the part of the respondents - to what extent the protection of communications between Google services, the protection of data in transit between data centers, the protection of communications between users and websites or an "on-site security" actually prevent or restrict the access possibilities of US intelligence services on the basis of US law.

Insofar as the second respondent subsequently refers to encryption technologies - for example, to the encryption of "data at rest" in the data centers - the EDSA's Recommendations 01/2020 must once again be countered. Indeed, it is stated there that, with respect to imported data in its possession or custody or under its control, a data importer (such as the Second Respondent) subject to 50 U.S. Code § 1881a ("FISA 702") has a direct obligation to provide access to or surrender such data. This obligation may expressly extend to the cryptographic keys without which the data cannot be read (ibid. para. 76).

As long as the second respondent has the possibility to access data in plain text, the technical measures cited cannot be considered effective in the sense of the above considerations.

As a further technical measure, the second respondent argues that insofar as "[...] Google Analytics data for measurement by website owners is personal data, [...] it must be considered pseudonymous" (see its opinion of April 9, 2021, p. 26). However, this must be countered by the convincing view of the German Data Protection Conference, according to which "[...] the fact that users are made identifiable, for example via IDs or identifiers, does not constitute a pseudonymization measure within the meaning of the GDPR. Moreover, the use of IP addresses, cookie IDs, advertising IDs, unique user IDs or other identifiers to (re)identify users does not constitute appropriate safeguards to comply with data protection principles or to safeguard the rights of data subjects. This is because, unlike in cases where data is pseudonymized in order to disguise or delete the identifying data so that the data subjects can no longer be addressed, IDs or identifiers are used to make the individuals distinguishable and addressable. Consequently, there is no protective effect. They are therefore not pseudonymizations within the meaning of Recital 28, which reduce the risks for the data subjects and assist data controllers and processors in complying with their data protection obligations" (cf. the March 2019 guidance of the supervisory authorities for telemedia providers, p. 15).

Furthermore, the second respondent's argument is also not to be followed because the Google Analytics identifier - as explained above - can be combined with further elements anyway and can even be associated with a Google account indisputably attributable to the complainant.

The "anonymization function of the IP address" mentioned is not relevant in relation to the case, as this was not implemented correctly - as also explained above. Apart from that, the IP address is in any case only one of many "puzzle pieces" of the complainant's digital footprint.

As a further interim result, it must therefore be noted that the "additional measures" at issue are not effective, as they do not close the legal protection gaps identified in the context of the ECJ's ruling of June 20, 2020 - i.e., the access and monitoring possibilities of U.S. intelligence services.

The data transfer in question is therefore not covered by Art. 46 GDPR.

D.4. bullet point 2. c)

a) Regarding Art. 49 GDPR

According to the first respondent's own statements, the exemption pursuant to Art. 49 GDPR was not relevant for the data transfer at issue (cf. the Opinion of December 16, 2020).

Consent pursuant to Art. 49(1)(a) of the GDPR was not obtained. The data protection authority also fails to see how any other element of Art. 49 GDPR is fulfilled.

Therefore, the data transfer in question cannot be based on Art. 49 GDPR.

b) Result

Since no adequate level of protection was ensured by an instrument of Chapter V of the Regulation for the data transfer at issue by the first respondent to the second respondent (in the USA), there is a violation of Art. 44 GDPR.

The first respondent was (at any rate) responsible for the operation of the website www.[REDACTED]at at the time relevant to the complaint - i.e. August 14, 2020. The relevant data protection violation against Art. 44 of the GDPR is therefore attributable to the first respondent.
is attributable to the first respondent.

Therefore, the decision had to be made in accordance with the ruling. 

D.5 Remedial powers

In the opinion of the data protection authority, the Google Analytics tool (at least in the version of August 14, 2020) can thus not be used in accordance with the provisions of Chapter V of the GDPR.

Since the responsibility for operating the website www. at was transferred to the GmbH with its registered office in Munich in the course of the complaint procedure (but only after August 14, 2020) and Google Analytics continued to be implemented at the time of the decision, the data protection authority will refer the case to the competent German supervisory authority with regard to the (possible) use of the remedial powers pursuant to Article 58 (2) of the GDPR.

D.6 Point 3

It is necessary to verify whether the second respondent (as data importer) is also subject to the obligations set forth in Chapter V of the Regulation.

Based on the EDSA Guidelines 5/2021 already cited above, it should be noted once again that a "transfer to a third country or an international organization" within the meaning of Article 44 GDPR only exists if, among other things, the controller or processor (data exporter) discloses personal data that are the subject of such processing to another controller, joint controller or processor (data importer) by means of transfer or otherwise.

This requirement does not apply to the second respondent in the present case, as the second respondent (as data importer) does not disclose the personal data of the complainant, but (only) receives them. In other words, the requirements of Chapter V of the GDPR must be complied with by the data exporter, but not by the data importer.

The complainant's argument that a data transfer necessarily presupposes a recipient and that the second respondent is part of the data transfer (at least from a technical point of view) is not overlooked. However, it should be countered that data protection responsibility in a processing operation can nevertheless be "shared" (from a legal point of view), i.e., there can be a different degree of responsibility depending on the phase of the processing operation (cf. EDSA Guidelines 7/2020 on the concept of controllers and processors, para. 63 ff. mwN).

In the opinion of the data protection authority, there was therefore no violation of Article 44 of the GDPR by the second respondent.

Overall, the decision was therefore in accordance with the ruling.

Finally, it should be noted that the issue of a (possible) violation of Art. 5 ff in conjunction with Art. 28 Par. 3 lit. a and Art. 29 of the GDPR by the second respondent will be addressed in a further decision. 

LEGAL REMEDY

An appeal against this decision may be filed in writing with the Federal Administrative Court within four weeks of service. The appeal must be filed with the data protection authority and must

- the designation of the contested decision (GZ, subject)
- the name of the authority against which the appeal has been lodged
- the grounds on which the allegation of illegality is based,
- the request and
- the information necessary to assess whether the appeal was filed in time,

shall be included.

The data protection authority has the option of either amending its decision within two months by means of a preliminary decision on the complaint or submitting the complaint together with the files of the proceedings to the Federal Administrative Court.

The appeal against this decision is subject to a fee. The fixed fee for a corresponding submission including enclosures is 30 euros. The fee is to be paid to the account of the Tax Office Austria, stating the purpose of use.

The fee must always be transferred electronically using the "Tax Office Payment" function. The Tax Office Austria - Special Responsibilities Department is to be indicated or selected as the recipient (IBAN: AT83 0100 0000 0550 4109, BIC: BUNDATWW). Furthermore, the tax number/levy account number 10 999/9102, the type of levy "EEE -Appeal Fee", the date of the notice as the period and the amount are to be indicated.

If your bank's e-banking system does not have the "Finanzamt payment" function, the eps procedure in FinanzOnline can be used. An electronic transfer can only be dispensed with if no e-banking system has been used so far (even if the taxpayer has an Internet connection). In this case, the payment must be made by means of a payment order, and care must be taken to ensure that it is correctly allocated. For more information, contact the tax office and refer to the manual "Electronic Payment and Notification for Payment of Self-Assessment Taxes". 

Proof of payment of the fee must be provided when filing the complaint with the DPA by means of a payment voucher to be attached to the submission or a printout showing that a payment order has been issued. If the fee is not paid or not paid in full, a notification will be sent to the competent tax office.

A timely and admissible appeal to the Federal Administrative Court has a suspensive effect. The suspensive effect may have been excluded in the ruling of the decision or may be excluded by a separate decision.

December 22, 2021
For the head of the data protection authority: 
[REDACTED]