It has been nearly a year and a half since the Schrems II decision was issued in July 2020, invalidating the European Commission's adequacy decision for the EU-US Privacy Shield Framework.  As a result, companies were forced to reexamine their transfers of personal information out of the EU and the safeguards they rely on for those cross-border data transfers.  Some companies, instead of addressing the safeguards they had in place, took a hard look at the data they were transferring.  Did they need to transfer it out of the EU at all?  Was it even personal information?  This latter question was recently addressed by Austria's data regulator, one of the 27 national GDPR enforcers.  While Google argued that the data at issue was not personal information, the regulator disagreed.  It remains to be seen whether other data regulators will issue similar decisions and, if so, what the fate of US technology companies in Europe will be.

In a recent decision, Austria's data regulator held that a website's use of Google Analytics violates the GDPR because the service uses IP addresses and cookie-based identifiers to track information about website visitors, such as the pages read, how long a visitor stays on the site, and details about the visitor's device.  The Austrian decision held that IP addresses and cookie identifiers are personal information.  Thus, when information tied to these identifiers is passed to Google's servers in the United States, the GDPR's transfer rules are implicated.  Specifically, the GDPR provides that transfers of personal data outside the EU require appropriate safeguards to protect the data.  The problem after Schrems II is twofold: (1) there is no longer an EU adequacy decision covering data transfers to the US, and (2) it is unclear whether other safeguard measures, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs), are sufficient in view of US surveillance practices under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333.  In other words, there may be no appropriate safeguards that US technology companies can implement to allow for GDPR-compliant cross-border data transfers.

The recent Austrian decision states that "US intelligence services use certain online identifiers (such as IP address or unique identification numbers) as a starting point for the surveillance of individuals."  Google had argued that it implemented supplementary measures to protect the data in the US, but these were found insufficient to meet the GDPR.  Indeed, the very "IDs" that Google pointed to as purported pseudonymization safeguards were found to do the opposite: because a persistent identifier exists precisely so that the same visitor can be recognized again across requests, it makes users identifiable and addressable rather than shielding them:

"…the use of IP addresses, cookie IDs, advertising IDs, unique user IDs or other identifiers to (re)identify users do not constitute appropriate safeguards to comply with data protection principles or to safeguard the rights of data subjects.  This is because, unlike in cases where data is pseudonymized in order to disguise or delete the identifying data so that the data subjects can no longer be addressed, IDs or identifiers are used to make the individuals distinguishable and addressable.  Consequently, there is no protective effect.  They are therefore not pseudonymizations within the meaning of Recital 28, which reduces the risks for the data subjects and assists data controllers and processors in complying with their data protection obligations."

It remains to be seen whether other EU regulators will follow suit and hold that the GDPR is violated where European websites use Google Analytics or similar US technology services.  It will also be interesting to see whether European companies begin moving their adtech and analytics services to national providers.