Max Schrems, the lawyer who successfully sued Facebook for violating Europeans’ privacy, has won another case, this time against Google: In a landmark court decision, Austria’s data protection authorities determined that using Google Analytics on European websites is prohibited.
Google Analytics goes illegal in Europe.
When the Privacy Shield regulation was invalidated in 2020, the ramifications for US online services operating in Europe were far-reaching: They were no longer permitted to transfer European citizens’ data to the US since doing so would expose European residents’ data to American mass surveillance, a clear violation of the European GDPR.
The Silicon Valley tech industry, on the other hand, generally ignored the verdict. NOYB adds:
“While this (=invalidation of the Privacy Shield) caused shockwaves through the technology world, US providers and EU data exporters have mostly ignored the matter. Google, like Microsoft, Facebook, and Amazon, has relied on so-called ‘Standard Contract Clauses’ to continue data transfers and reassure its European partners.”
Now, the Austrian Data Protection Authority has reached the same conclusion as the European Court in ruling the Privacy Shield invalid: the usage of Google Analytics infringes the General Data Protection Regulation (GDPR). Google is “subject to surveillance by US intelligence services and may be ordered to give European residents’ data to them.”
What exactly was the case about?
On August 14, 2020, a Google user viewed an Austrian health-related website. This website uses Google Analytics, and information about the user was sent to Google. Google was able to figure out who he or she was based on this information.
The Google user filed a complaint with the Austrian data protection authority on August 18, 2020, with the assistance of the data protection nonprofit NOYB.
The Austrian court has now ruled that the data transfer is illegal.
The problem is that thanks to the American CLOUD Act, US authorities can seek personal data from Google, Facebook, and other US providers even while they are operating outside of the US, such as in Europe.
As a result, Google is unable to provide an acceptable level of protection under Article 44 GDPR, resulting in a clear infringement of European data protection guarantees. The standard contractual clauses invoked by the website operator are ineffective, as the European Court of Justice (ECJ) recognized in 2020 in its decision on the “Privacy Shield” (Schrems II).
Conclusion
The deciding factor in the legal assessment of Google Analytics use is not whether a US intelligence agency obtained the data or whether Google recognized the user. The mere fact that this was theoretically feasible was a breach of the GDPR.
While Silicon Valley IT corporations will find a way to continue offering their services in Europe, the strategy they chose following the invalidation of the Privacy Shield must raise many red flags for European businesses:
As a European firm, you can no longer entrust critical user data to businesses like Google, which actively disregard European privacy legislation and risk substantial fines for their European business clients. (The fines against the Austrian health website in the discussed case have not yet been decided, but we will closely monitor the situation.)