Condor Services, Insights

Enforcement by European DPAs against data transfers

What can organisations do that have relied on Google Analytics to measure the effectiveness of their website as a marketing tool?

In the immediate aftermath of the ECJ ruling dubbed “Schrems II” (C311/18), there was a stunned silence, while companies and data protection authorities alike grappled with the consequences.

The data protection authorities started issuing guidelines and opinions, making it quite clear that there was no grace period for making the necessary changes and that it was their obligation to enforce the ruling, with all its consequences.

And of those there are many. Most notably, any transfer (including making available) of personal data from the EU/EEA to a recipient outside of the EU/EEA now entailed a whole host of new assessments and documentation, without the help of the Privacy Shield for transfers to the US. It seemed that all of a sudden, the question of “adequate level of safety” for the data transferred was now to be taken seriously, even for transfers to the US.

What this means in practice is that for all transfers, the data exporter must assess:
(i) its data transfers;
(ii) the transfer mechanism relied upon (i.e. standard contractual clauses, binding corporate rules, individual consent, or other);
(iii) effectiveness of the transfer mechanism (by assessing inter alia the laws and practices in the recipient country); and
(iv) the supplementary measures necessary, if any, to ensure the adequate level of safety for the personal data which is to be transferred (organisational, contractual and technical measures).

Without recapping all the details of the legal landscape in the US subject to the Schrems II ruling, and going into the fineprint of the US Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, the implications of these legislative acts seem clear:

They generally allow for access to (or request for) personal data of EU citizens in the control of (certain types of) US companies and/or their subsidiaries outside of the US, by certain US governmental and/or national security bodies and agencies, subject to certain conditions. Such access cannot be barred by the companies subject to these laws, although there are legal remedies against this access/request. It can also not be excluded by contract, due to the very nature of national administrative laws granting powers to governmental or national security agencies.

In essence, this means that transfer of personal data to the US seems possible only with comprehensive technological safeguards that render a deciphering of the personal data by unauthorised recipients in the US (and elsewhere) impossible.

There have been several decisions by courts and data protection authorities relating to such transfer to recipients outside the EU/EEA, all of them concerning the US. What seems important is the level of detail in which the transfers have been investigated, and the arguably negligible amount and type of data that was transferred.

While it had seemed clear to most companies transferring data to recipients outside the EU/EEA that they would have to investigate their main business activities, the material data transfers and in particular assess any transfers of sensitive data, this regulatory and judicial review goes far beyond any such initial review. It aims at the fundamental principles of the functionalities of the Internet and global communication as we currently use it, and requires meaningful changes that will come at a price.

Hochschule RheinMain

In a preliminary injunction administrative proceeding before the administrative court in Wiesbaden (Hessen), an individual required the Hochschule RheinMain, a public educational institution (“Hochschule”), to refrain from using the service “Cookiebot” for obtaining consent to cookies if that includes the transfer of personal or personally identifiable data (including IP address) to servers operated by US group Akamai Technologies Inc.

The Hochschule uses a Cookiebot for its cookie consent management tool. The Cookiebot collects the IP address (although it was in dispute as to whether it was anonymised with the last three digits set to “0”, or not), date and time of consent, user agent of the browser, URL, an anonymous, random and encrypted key, and the consent status of the data subject. For its services, it uses the content delivery network of Akamai Technologies, Inc. (“Akamai”) for requesting the consent script hosted on Akamai’s servers.

According to the data processing agreement provided by Akamai, the time stamps of the visited websites and the respective IP addresses, as well as the geographical location based on the IP address and telemetric data are also collected.

The administrative court of Wiesbaden held that this constitutes a transfer without legal basis and therefore not permissible, as none of the legal bases of Art. 48/49 GDPR are applicable. The user has not consented to the transfer, a legitimate interest cannot be determined, and there is no indication for any other justification.

The court went into great detail to determine how the collected data can be combined to identify the user, with the help of the IP address – even if the name of the user is not known, the individual can be identified.

The fact that the contractual partner of the Cookiebot operator Cybot A/S is the German Akamai Technologies GmbH, was of no relevance because the server structure of the parent company Akamai Technologies Inc. was being used for the content delivery network (CDN) services. The existence of model clauses between Cybot A/S and Akamai was also not discussed.

The decision was upturned upon appeal, but only because the Higher Administrative Court held there were no grounds for a decision in preliminary proceedings due to lack of urgency. In the Higher Administrative Court’s opinion, the complexity of the case, as well as its importance, do not permit a decision in preliminary proceedings, and have to be assessed in proceedings on their merits. This case on the merits is (at the time of writing) pending with the Administrative Court of Wiesbaden.

The takeaway from this proceeding is that users and courts are now prepared to take a deep-dive into the details of functionalities that are being used, and that companies have to be prepared to respond to this method in a granularity previously unseen. This extends to seemingly irrelevant/unimportant data such as (anonymised) IP addresses, URLs, time stamps, and other machine information, as the combination of these can lead to creating profiles of individual users. Transfers of such personal data to recipients outside the EU/EEA require a valid justification (e.g. consent).

Google Analytics

The last couple of months have also seen several decisions by Data Protection Authorities (DPAs) involving Google Analytics. Some of these decisions result from investigations following complaints launched by NOYB, the organisation founded by Max Schrems.

NOYB had submitted roughly 100 formal complaints with all European data protection authorities regarding the use of cookies (including Google Analytics) on websites. It is important to note that the European DPAs have orchestrated their responses/decisions on these complaints.

a) Austria’s DPA

In December 2021, the Austrian DPA decided on a complaint by NOYB against a website operator that had implemented the cost-free version of Google Analytics.

The Austrian DPA determined that the combination of information collected by Google Analytics (such as browser type, operating system, host name, referrer and language, screen resolution, and others) with the Unique User Identification (UUI) numbers (which uniquely identify the browser and the device, respectively, of the user – UUI) placed by Google Analytics cookies, and the IP address, together with, in this specific case, the information on the Google Account user (because the individual complainant was logged into his/her Google Account at the time of surfing) constitutes personal data of the individual who is surfing and whose browsing behaviour is tracked.

It is not necessary, in the view of the Austrian DPA, that a specific “face” of an individual, meaning in particular his/her name, is identifiable, with reference to the possibility of “singling out” an individual set forth in recital 26 of GDPR. In addition, a digital footprint is commonly deemed sufficient for uniquely identifying a device, and thereby a concrete user, and thus constitutes personal data. The circumstance that another person (in this case, Google in the US because of the log-in into the Google Account, and possibly US surveillance agencies) had access to further information which may lead to the identification of the individual was a supporting factor in the determination of the individual being identifiable, and thus the data being personal data.

Because the website operator transferred personal data to the recipient outside of the EU by using Google Analytics, it had to comply with the requirements set out by Art. 45, 46, and 49 of the GDPR. While the parties had agreed on standard contractual clauses as a transfer mechanism, it is clear since the Schrems II judgment that adopting standard contractual clauses alone cannot provide an adequate level of data protection.

Following this judgement, Google has implemented supplementary measures to provide for additional protection and thereby, in its view, afford European personal data the level of protection required by the GDPR.

The Austrian DPA though, in its examination of the supplementary measures, questioned whether the contractual and organisational measures (such as information to the data subject in case of a request and publication of a transparency report) supported by Google are even effective in ensuring additional protection. The same applies, in the DPA’s view, to the technical measures – encryption and protection in transit and “on-site security”.

The relevant take-aways of the Austrian DPA’s decision, in summary, are:

  • Information collected and transferred by Google Analytics constitutes personal data
  • A digital footprint is sufficient to count as personal data
  • The supplementary measures implemented by Google to protect the data transferred through Google Analytics are not effective measures.

b) France’s DPA

France’s DPA, the CNIL issued a press release according to which it has received complaints by NOYB regarding the data collected by Google Analytics and investigated the conditions of this service. It also comes to the conclusion, in line with the decision by the Austrian data protection authority, that such transfers are illegal. Consequently, it ordered a French website manager to comply with the GDPR (within one month) and, if necessary, discontinue using this service.

In substance, the CNIL makes the same determinations as the Austrian data protection authority and adds the noteworthy point of using Recital 30 GDPR as additional support for the analysis that online identifiers (such as IP address and cookie information) can commonly be used to identify an individual.

As the CNIL also finds that the data transferred constitutes personal data, it reviews the transfer mechanism, standard contractual clauses, which needs to be supplemented by the supplementary contractual, organisation and technical measures. It highlights the general issue with contractual measures that they can of course not bind the authorities of a third country and therefore require combining them with technical and organisational measures.

However, the same applies to organisational measures which, in itself, are again not sufficient to ensure meeting the “essential equivalence” standard required by EU law. It comes down to adopting appropriate technical measures so that potentially infringing access by foreign authorities cannot identify the data subjects.

The CNIL also investigates the measures implemented by Google and comes to the same conclusion as the Austrian data protection authority that neither the contractual and organisational, nor the technical measures implemented by Google factually prevent or reduce access.

c) Norway’s DPA

Norway’s DPA announced on 28 January 2022 an audit of Telenor ASA and confirmed that it was investigating a complaint regarding Telenor’s use of Google Analytics.
Information on a case before Norway’s DPA, Datatilsynet, is alimited but it references both the Austrian data protection authority’s case as well as the CNIL’s decision. In its press release, it confirms that it has made a similar decision in a case concerning the use of Google Analytics.

d) EDPS

Similarly, the European Data Protection Supervisor (EDPS) issued a decision against the European Parliament in which it found that the European Parliament violated data protection laws (“GDPR for EU institutions”, 2018/1725) in using Google Analytics, among others.

This decision also followed a complaint by NOYB in January 2021 and confirmed that an internal corona testing website transferred personal data to the US without ensuring contractual, technical or organisational measures to ensure essential equivalence of the level of protection.

What next?

It seems clear that other European DPAs will follow suit regarding the NOYB complaints pending with them, and issue orders of compliance and/or cessation.

Website operators are currently in limbo: often their entire analytical framework for website traffic is based on Google Analytics, and they have made considerable investments into this structure, leaving them reluctant to investigate alternatives which may not provide the level of insight Google Analytics can provide.

However, it is currently not possible for them to use Google Analytics in a GDPR-compliant manner – or is there a way?

While there is no official “way forward” from Google yet, the use of server-side tagging may bring some light to the end of the tunnel. Google claims that the server container for the tags and the data runs in the website operator’s own platform or environment, and it has complete control over which data is sent and to where. Without having investigated the technical details, it seems to present a potential solution if the website operator is willing to invest the time to adopt and configure this solution carefully.

However, it can also be expected that Google will react to this concentrated effort at a more general level to address these fundamental concerns.

How Condor can help

With the increasing use of the Internet by individuals, and the information about individuals’ preferences and activities that can be deducted through such individuals’ use, even by only collecting mere technical information (the digital footprint), Internet users become increasingly transparent for website operators.

Companies have capitalised on this knowledge for years – and have got away with it because the information was “only technical information”.

However, it is now abundantly clear that such technical information is the gateway to the digital individual, and data controllers have to concern themselves with all the details of the technical information they collect and ensure compliance with GDPR (and of course other legislation).

Condor can help organisations that qualify as data controllers with their obligations. By working with Fieldfisher’s market-leading data protection practice and using e-discovery tools to efficiently and effectively process, analyse, review and predictively code your collected data and whittle down documents to respond to data subject access requests (DSARs) and related issues.

Find out more about our range of DSAR support packages.

This article was authored by Katharina A. Weimer, technology, outsourcing and privacy partner at Fieldfisher Germany in Munich.

Insights

Menu