Date: 2022-01-13



Austrian DSB: The use of Google Analytics violates the CJEU’s “Schrems II” decision.

In a groundbreaking decision, the Austrian data protection authority (“Datenschutzbehörde” or “DSB”) has decided on a model case by noyb that the continued use of Google Analytics violates the GDPR. This is the first decision on the 101 model complaints filed by noyb following the so-called “Schrems II” decision. In 2020, the Court of Justice of the European Union (CJEU) ruled that the use of U.S. providers violates the GDPR, as U.S. surveillance laws require U.S. providers such as Google and Facebook to provide personal information to U.S. authorities. Similar decisions are expected in other EU member states, as regulators are cooperating on these cases in an EDPB task force. The Austrian DSB's decision appears to be the first one issued.

The 2020 CJEU decision hits the real world. In July 2020, the CJEU issued its groundbreaking “Schrems II” decision, determining that transfers to US providers that fall under FISA 702 and EO 12.333 violate the GDPR’s rules on international data transfers. As a result, the CJEU annulled the transfer deal “Privacy Shield”, after having annulled the previous deal “Safe Harbor” in 2015. This shocked the tech industry, but US providers and EU data exporters largely ignored the case. Like Microsoft, Facebook, and Amazon, Google has relied on so-called “Standard Contractual Clauses” to continue data transfers and reassure its European business partners.

Max Schrems, Honorary Chairman of noyb.eu: “Instead of actually adapting the service to GDPR compliance, US companies have added text to their privacy policy and tried to ignore the court. Switching to legal options.”

SCCs and “TOMs” are not enough. Google has implemented “technical and organizational measures” (“TOMs”) that include ideas such as building fences around data centers, confirming requests, and performing baseline encryption. However, the DSB rejected these measures as completely useless with regard to US surveillance (pages 38 and 39 of the decision):

“With regard to the contractual and organizational measures outlined, it is not clear to what extent [the measure] is effective in the sense of the above considerations.”

“As far as technical measures are concerned, it is also not recognizable (…) that [the measure] will actually prevent or limit access by US intelligence in light of US law.”

Max Schrems: “This is a very detailed and sound decision. The conclusion is: Companies are no longer able to use US cloud services in Europe. After the court confirmed this twice, 1. It’s been five years, more than the time the law comes into force.”

Decision relevant to almost all EU websites. Google Analytics is the most popular statistics program. While there are many alternatives that are hosted in Europe or can be self-hosted, many websites rely on Google, transferring user data to the US multinational. The fact that data protection authorities may gradually declare U.S. services illegal puts further pressure on EU companies and U.S. providers to move to secure and legal options, such as hosting outside the U.S. A similar decision on EU-US transfers was made a week ago by the European Data Protection Supervisor (EDPS).

Max Schrems: “We expect similar decisions to gradually decline in most EU member states. Almost all member states have filed 101 complaints and authorities have coordinated their response. Similar decisions were made last week, published by the European Data Protection Supervisor.”

Long-term solution. In the long run, there seem to be two options: either the United States adopts baseline protections for foreigners to support its technology industry, or US providers will have to host foreign data outside the United States.

Max Schrems: “In the long run, you will need proper protection in the US or it will be a separate product in the US and EU. Personally, I want better protection in the US, but this is up to US legislators - to anyone in Europe.”

Does Google LLC fall under the transfer rules? The DSB has rejected the claim against Google LLC as a data recipient, saying that the rules on data transfers apply only to EU entities and not to US recipients. However, the DSB said it would investigate Google LLC further regarding possible violations of Articles 5, 28, and 29 of the GDPR, as it is skeptical of whether Google was allowed to provide personal data to the U.S. government without an explicit order from the EU data exporter. The DSB will issue a separate decision on this issue.

Max Schrems: “It’s important for us that US providers can’t transfer the issue to EU customers. Therefore, we have also filed a proceeding against US recipients. The DSB has partially taken this approach. Refused to. Ask if you would like to challenge this element of the decision.”

There is no penalty (yet). This decision does not address potential penalties, as this is considered a “public” enforcement procedure in which the complainant is not heard. There is no information as to whether a penalty has been issued or whether the DSB plans to issue one. The GDPR provides for penalties of up to €20 million or 4% of global turnover in such cases.

Max Schrems: “We assume that EU data exporters also have penalties, but so far we have only made a partial decision not to address this question.”

Further enforcement by the German DPA. The Austrian DSB only had jurisdiction over past violations, as the Austrian data exporter has merged with a German company. The DSB said it would raise a ban on future data transfers with the relevant authority at the German data exporter's new headquarters.

Background and legal analysis. noyb also publishes a more detailed legal analysis on GDPRhub.eu.

