A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 20 January 2022
Many organisations are currently busily preparing extensive remediation programmes to implement data transfer requirements arising out of the Schrems II judgement. Often, those running such programmes are asked to quantify the risk and likelihood of enforcement action arising out of failure to adhere to these requirements. Two recent decisions provide some insight.
On 12 January 2022, the Austrian Data Protection Authority (“Datenschutzbehörde" or the "DSB”) held that the continuous use of Google Analytics involving a transfer of personal data to the US by an Austrian data exporter (a website operator) was in violation of Chapter V of the EU GDPR.
This is a landmark decision as it is the first ruling by a Data Protection Authority following 101 complaints filed by the Austrian-based privacy group None of Your Business (“noyb”) (led by Max Schrems) to the European Data Protection Board (EDPB) concerning transfers of data from the EU/EEA of the United States.
In August 2020, a complaint was filed by a data subject, represented by noyb, to the DSB, claiming that a website operator (acting as a data exporter) and Google LLC (acting as the data importer) were in violation of Article 44 EU GDPR (post-Schrems II).
The website operator was alleged to have breached the EU GDPR via the operation of its website as it enabled Google to collect analytical and usage data (including personal user identifiers and IP addresses), via Google Analytics cookies, and subsequently transferred the collected data to Google’s data servers in the U.S.
Google’s data servers are subject to surveillance by U.S. intelligence agencies as Google is defined as an “electronic communication service provider” under the U.S. Foreign Intelligence Surveillance Act (“FISA”). Organisations that are subject to surveillance by U.S. authorities can be ordered to disclose the collected personal data of European citizens.
Google argued that the implementation of technical and organisational measures, including the use of Standard Contractual Clauses (“SCCs”), ring-fencing measures within the data servers and encryption, amounted to adequate protection to ensure compliance with Chapter V EU GDPR.
The DSB disagreed. It found that the measures were not effective as they did not prevent or limit access to the personal data by U.S. intelligence agencies in practice.
The DSB upheld the complaint and found that the website operator transferred personal data to Google in direct breach of the EU GDPR. The DSB ruled that the SCCs in place between the parties, ring-fencing measures and encryption did not offer an adequate level of protection as they did not alter the fact that Google’s servers are subject to surveillance by U.S. intelligence agencies. Therefore, the personal data could not be sufficiently protected.
In a decision based on similar reasoning, the European Data Protection Supervisor (EDPS) ruled that the European Parliament was in breach of Chapter V of the EU GDPR by allowing cookies from Google Analytics and the Stripe payment service to be placed on the devices of users of its Covid testing website.
noyb has submitted 101 EU GDPR complaints alleging Schrems II related breaches. As a result, the EDPB established a bespoke task force to deal with these complaints. We expect to see similar decisions arising from other EU Member States soon. These decisions will have ramifications throughout the EU and are likely to be considered carefully in the UK.
Organisations that are using or intend to use Google Analytics cookies will need to reassess their use. More broadly, this is a timely reminder that requirements arising out of the Schrems II judgement must be complied with. We expect this to be just the beginning of similar decisions and enforcement action.
London - Walbrook
+44(0)20 7894 6744
+44 (0)20 7894 6622
Darryn Hale, David Hill, Sophie Devlin
Aidan Healy, Christopher Air
Jade Kowalski, Christophe Wucher-North, Christopher Air, Alexander Dimitrov
Jade Kowalski, Charlotte Halford, Rebecca Morgan
Jade Kowalski, Charlotte Halford, Eleanor Ludlam, Rebecca Morgan
Jade Kowalski, Ceri Fuller, Khurram Shamsee, Sophie Devlin, Christopher Air
Charlie Christie, Jade Kowalski
Ceri Fuller, Khurram Shamsee, Jade Kowalski, Sophie Devlin, Christopher Air