On the 22nd December 2021, the Austrian Data Protection Authority (DSB) has issued its first ruling on a Schrems II model case. In it, the DSB ruled that the Standard Contractual Clauses (SCCs) and Technical Organizational Measures (TOMs) implemented as part of the Google Analytics are not sufficient to protect its EU-US data transfers.
This ruling stems from a complaint issued in 2020 by the privacy advocacy firm None of Your Business (NOYB) regarding failures to adhere to the Schrems II ruling. It is the first decision on NOYB’s 101 model complaints.
What is ‘Schrems II’?
‘Schrems II’ is a commonly used abbreviation for the Data Protection Commissioner v. Facebook Ireland Ltd. Case in 2020. It was named after the individual who brought the case forward, the Austrian privacy advocate Max Schrems.
The most critical consequence of the case was that the EU-US Privacy Shield (a legal mechanism for transferring personal data between the EU and US) was deemed inadequate. This overturned the previous 2016 ruling that had verified the Privacy Shield as an adequate protection mechanism for the transfer of data between the EU and the US.
Consequently, organisations were forced to revisit the way in which they approach international data transfers and ensure that appropriate protective measures (such as SCCs) were in place before any EU-US data transfers could occur.
What happened in this case?
This case was one of 101 model cases issued by Max Schrems and the NOYB Organisation following the Schrems II decision in 2020. Last week’s ruling has fully upheld this initial complaint, dismissing Google’s arguments, and concluding that Google LLC does not offer an adequate level of protection for data subject’s personal data.
Google had attempted to head the complaint off by arguing that the data it was transferring did not qualify as personal data, and that the SCCs and TOMs that it employed provided adequate protections for their data subjects. This ruling put paid to both of those.
The DSB reiterated that online identifiers and IP address transferred as part of Google analytics qualify as personal data as an individual can be identified using these. Equally, the TOMs measures that Google claim to mitigate the data transfer risks were also deemed as completely inadequate insofar as they would not prevent US intelligence agencies from accessing the data stored.
At the time of writing no information has been released as to whether a penalty has been or will be issued by the DSB.
What implications could this have for my business?
This decision will likely be relevant for almost all EU websites. Google analytics is one of the most commonly used marketing tools on all websites. As such, organisations are forwarding their user data to the US under insufficient data transfer protections. Whilst this ruling only effects the Austrian data exported, Schrems (speaking on behalf of NOYB) has stated that he expects similar decisions to drop gradually in most EU member states.
Consequently, data protection services may now begin to declare certain US services illegal. This will hopefully put additional pressure upon EU companies and US providers to move towards more compliant options, such as hosting in an EU member state or adequate territory (such as the UK).
This ruling should be seen as further evidence that data protection laws are being enforced and that these laws will affect almost every business. Tacita recommends that all companies review their third-party cloud software providers to check where their servers are based.