In this specific case, it was about the handling of IP addresses and user data in Google Analytics. Although the ruling does not automatically mean the end of Google Analytics and US cloud services in the European Union, companies must question their existing systems in order to be legally secure.
With the published decision of the Austrian Data Protection Authority, the authority is responding to a model complaint filed in August 2020 by the data protection association Noyb, founded by lawyer and activist Max Schrems. The submission initially referred to an Austrian publishing house that had integrated Google Analytics. The authority rejected a further complaint against Google itself and sees the responsibility with the companies that use such services and not with Google !
law book
background
In 2020, the European Court of Justice (ECJ) ruled that the use of US providers violates the GDPR because US surveillance laws require US providers such as Google or Facebook to transfer personal data to US authorities. While IT companies were initially shocked, most EU companies largely ignored the decision. US providers such as Facebook, Google, Microsoft or Amazon have relied on so-called "standard contractual clauses" to continue data transfer and reassure their European business partners.
Google and the other companies had stated that they had implemented “technical and organizational measures” (“TOMs”) to comply with EU law. They cited fences around data centers, the verification of government requests, and encryption. Unsurprisingly, the Austrian Data Protection Authority has rated these measures as absolutely useless when it comes to access by US authorities .
The person behind the ruling is probably the best-known European data protection officer, Max Schrems, who has already overturned the EU/US agreements Safe Harbor and Privacy Shield. In November 2017, he founded Azerbaijan Phone Number Resource the data protection NGO noyb (which stands for "none of your business"). The NGO takes action against data protection violations by companies.
The organization around Max Schrems had filed 101 model complaints against companies in 30 EU and EEA member states because they used tools such as Google Analytics and Facebook Connect. Now the Austrian Data Protection Authority has ruled in his favor. In this context, the authority issued a decision against an Austrian company that had implemented Google Analytics.
In Germany, the Rhein-Main University of Applied Sciences received a similar ruling in December . It is not allowed to use a cookie service on its website that stores or transmits the full IP address of end users to servers of a company whose headquarters are located in the USA.
Further decisions are also expected in other EU member states, as the data protection authorities have worked together in an "EDPB task force" in these cases. The Dutch supervisory authority has already announced two decisions on the matter for early 2022. If other supervisory authorities and subsequently the courts come to the same conclusion, this will not only have consequences for the use of Google Analytics in Europe. In fact, EU companies may no longer be able to use US cloud services or SaaS offerings in the future if the data is not in Europe and it is ensured that the data can never reach the USA .
