According to Austria’s data protection commission, a complaint filed against one website over the usage of Google Analytics was upheld. This does not bode well for US cloud services in Europe.
With the decision, the European Commission raises a major red flag about the routine use of tools that necessitate the transfer of Europeans’ data to the United States for processing, with the watchdog finding that IP addresses and identifiers in cookie data are personal data of site visitors. These transfers therefore fall under the purview of EU data protection legislation.
It was discovered that the website did not have a fully developed “anonymization” mechanism for IP addresses in this particular instance. Even so, the regulator determined that IP address data is personal data since it could be coupled with other digital data — such as other visitors’ IP addresses — to identify the visitor.
As a result, the Austrian Data Protection Authority (DPA) determined that the website in question — a health-focused website called the net doctor, which had been exporting visitors’ data to the United States due to implementing Google Analytics — had violated Chapter V of the EU’s General Data Protection Regulation (GDPR), which governs data transfers outside the EU.
In the decision [which is a machine translation of the German language text], the regulator notes that “US intelligence services use certain online identifiers (such as the IP address or unique identification numbers) as a starting point for the surveillance of individuals,” and that “it cannot be excluded that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant.”
In reaching its conclusion, the regulator examined various measures Google claimed it had implemented to protect the data in the United States — such as encryption at rest in its data centers or its claim that the data “must be considered pseudonymous” — but found that not enough safeguards had been put in place to effectively block access to the data by US intelligence services, as required to meet the GDPR’s standard.
“As long as the second respondent himself [i.e., Google] can access data in plain text, the technical measures invoked cannot be considered effective in the sense of the above considerations,” the court writes at one point, dismissing the type of encryption used as insufficient security.
Austria’s regulator also cites earlier guidance from German data protection authorities to support its rejection of Google’s “pseudonymous” claim, noting that it states: “…the use of IP addresses, cookie IDs, advertising IDs, unique user IDs, or other identifiers to (re)identify users do not constitute appropriate safeguards to comply with data protection principles or to safeguard the rights of data subjects. This is because, unlike in circumstances where data is pseudonymized to hide or remove the identifying data so that the data subjects may no longer be addressed, IDs or identifiers are used to differentiate and address the persons in question. The result is that no protective effect is seen. As a result, they do not qualify as pseudonymization within the meaning of Recital 28, which reduces risks for data subjects while also assisting data controllers and processors in meeting their data protection requirements.”
The DPA’s wholesale dismissal of any legally relevant impact of the bundle of aforementioned “Technical and Organizational Measures” (such as standard encryption) that Google cited in an attempt to fend off the complaint is significant because citing such measures is the prevailing tactic used by US-based cloud giants to try to massage compliance and ensure EU-to-US data transfers continue, so that they can carry on business as usual.
If this practice is sanctioned in this jurisdiction over a single website’s use of Google Analytics, it may be sanctioned by authorities in other parts of the EU as well. After all, Google Analytics can be found almost anywhere on the internet.
(See, for example, the extensive list of high standard measures cited by Facebook in an internal assessment of its EU-to-US data transfers, in which it, like Google, attempts to claim ‘compliance’ with EU law, according to an earlier document reveal.)
It is worth noting that in August 2020, the European privacy campaign group noyb filed a total of 101 complaints with data protection authorities across the EU, targeting websites with regional operators that it had identified as sending data to the United States through Google Analytics and Facebook Connect integrations, among other things.
Even if the usage of such analytics tools may seem to be entirely typical, from a legal standpoint in the EU, it is anything but. Personal data transfers from the EU to the United States have been tainted by legal ambiguity for many years.
The underlying conflict boils down to a clash between European privacy rights and US surveillance law. The latter provides foreigners with no control over how their data is scooped up and snooped on, nor any avenue for legal redress for whatever happens to their information while it is in the US, making it extremely difficult for exported EU data to receive there the necessary standard of “essentially equivalent” protection that it gets at home.
To put it in the simplest terms: According to EU legislation, European data protection standards must travel with the data. Under US law, if you provide personal information, you cannot prevent the collection or use of that information.
Section 702 of the Foreign Intelligence Surveillance Act (FISA) applies to cloud providers in the United States, covering a wide range of internet companies, including Google and Facebook, since the provision extends broadly to “electronic communications services” in general.
When it comes to telecommunications infrastructure, Executive Order 12,333, a Reagan-era directive that is still relevant today since it enhanced the authority of intelligence agencies to gather data, is assumed to target holes in the network infrastructure.
It has been over a decade since the legal battle between the EU and the United States over privacy and surveillance began.
In 2013, Edward Snowden’s revelations about the scope of US government mass surveillance programs sparked a global outcry that culminated in the EU’s Court of Justice invalidating the Safe Harbor agreement between the bloc and the United States because EU data could no longer be considered safe once it crossed the Atlantic.
Furthermore, although Safe Harbor had been in effect for around 15 years, its hurriedly agreed-upon counterpart — the EU-US Privacy Shield — only lasted four years. Consequently, the longevity of commercially motivated European Commission directives trying to lubricate transatlantic data flows despite the enormous privacy implications has been drastically reduced.
Some of the issues regarding hazardous EU-to-US data transfers have likewise been around for about a decade by now. The European Court of Justice (CJEU) issued a landmark ruling in July 2020, which invalidated the Commission’s re-upped data transfer arrangement (Privacy Shield), which had been relied on by thousands of companies to rubber-stamp their US data transfers since 2016. Since then, there has been an uptick in enforcement activity.
The court did not outright prohibit the transmission of personal data to so-called third nations, but it did limit their scope. As a result, these data flows did not stop abruptly in the middle of 2020, as some had anticipated.
However, it clarified that the dangers associated with such data transfers must be examined on an individual case-by-case basis. And it made it plain that data protection authorities (DPAs) could not just turn a blind eye to compliance — hello, Ireland! — but instead had to proactively intervene and halt data transfers in circumstances where they believed data was being transferred to a dangerous place such as the United States.
According to the European Data Protection Board’s (EDPB) guideline, personal data transfers out of the EU may still be permissible provided a set of specific situations and restrictions are met. The guidance was widely anticipated as a follow-on interpretation of the court judgment. For example, the data may be anonymized such that it is no longer considered personal information.
You may also use a suite of additional precautions (for example, technological measures such as implementing strong end-to-end encryption, which means that a US organization will have no access to decrypted data) to improve the degree of legal protection available to you.
The challenge for tech companies such as Google and Facebook is that their business models are based entirely on gaining access to personal information. As a result, it is unclear how such data-mining behemoths could implement extra measures that would significantly restrict their access to this critical business data without undergoing a significant shift in the business model. Alternatively, they may federate their services while localizing European data and processing inside the EU.
The Austrian Data Protection Authority’s decision clarifies that Google’s current package of measures, which is related to how it operates Google Analytics, is insufficient because it does not eliminate the possibility that surveillance agencies will gain access to people’s personal information.
To be effective in increasing your odds of compliance, any supplemental measures must genuinely improve standard provisions, as stated in the decision.