Landmark decision in Austria: use of Google Analytics found to breach GDPR

In a recent decision, the Austrian Data Protection Authority ("DPA") held that the use of Google Analytics violates the GDPR because it does not meet its requirements for the safe transfer of personal data.¹ This decision was issued against an Austrian website operator as the defendant. How will it impact the use of Google Analytics? Is there a way to use Google Analytics that complies with data protection rules or are there alternatives? And how does this decision impact broader international data transfers? Let's take a deeper look.

What is Google Analytics?

Google Analytics is a web tracking and analysis tool used from almost every website and many web-shop operators. Recent surveys show that more than 86 % of the websites that use a traffic analysis tool are running Google Analytics.² It provides basic analytics and statistics tools to track website performance, conversion rate (i.e. how many website users become paying customers), bounce rate (i.e. how many website users enter the site and then leave again, rather than staying within the sites' "digital environment"), marketing effectiveness, etc. and analyses how users interact with the website and its features. Google Analytics is free to use for anyone with a Google account.

Google Analytics works by the website operator implementing the "Google Analytics Tracking Code" ("tag") into the JavaScript of their website. This tracking code is activated if the user accesses the website, then collects user data and sends this data to Google LLC, the US technology company headquartered in California, USA. Furthermore, the tracking code sets a first-party cookie on the user's computer. First-party cookies are used from websites to re-identify users that enter the website again, to collect data for different purposes (e.g. identification of shopping cart, website performance on different types of web browsers, data for general website usability, surfing behaviour for personalised advertising, etc.) and to create a user profile. The collected cookie data is then also sent to Google.

Background and previous proceedings

In the Schrems II³ decision, the ECJ declared one means on which data transfers to the USA under the GDPR have been based – the EC's Privacy Shield Decision – invalid on account of invasive US surveillance programmes. Furthermore, the Court stipulated stricter requirements for another data transfermeans – Standard Contract Clauses (SCCs). The ECJ considered these SCCs to be generally suitable to provide for an "adequate" (EU-like) level of data protection in the data recipient's country as assessed on a case-by-case basis. If necessary, additional measures to compensate for gaps in protection of third-country legal systems must be implemented. Failing that, operators must suspend the transfer of personal data outside the EU.

Following this decision of the ECJ, the Austrian data protection organisation noyb⁴analysed numerous source codes of EU webpages and lodged numerous complaints against various websites throughout Europe that continued to use US providers despite the ECJ's ruling.

The Austrian DPA was the first in Europe to decide on one of those complaints. Although the decision is not yet legally binding, in light of the ECJ's ruling it can be expected that the other European DPAs will issue similar decisions.

Key messages from the DPA's decision

The Austrian DPA held that

• the analysed data collected by Google Analytics are personal data under the GDPR; and
• these data are not transferred to Google LLC in a GDPR-compliant manner.

First, the DPA regards user identifiers, IP address and browser parameters (such as browser type, operating system, screen resolution, language selection, etc.) as personal data because they contain unique reference numbers and other, more general information. After connecting these data, a digital footprint can be created that allows the user to be identified.⁵

Second, the transfer of personal data to third countries (i.e. countries outside the EU) is only admissible if the European Commission has decided that the country in question ensures an adequate level of protection for the personal data (adequacy decision) or if "appropriate safeguards" are provided for the safety of the data.⁶ For the case at hand, Google and the website provider concluded SCC. However, the supplementary measures provided for by Google LLC (e.g. a fence surrounding the data centre sites, standard encryption of stored data, "careful review" of each request for disclosure) were not deemed sufficient or effective by the DPA because they cannot remove the possibility of surveillance and access by US intelligence agencies to the stored data.

The DPA, however, held that Google LLC as a US company is not subject to the GDPR when it comes to the transfer of personal data to third countries, since the requirements of Chapter V of the GDPR must be complied with by the data exporter (i.e. website provider), but not by the data importer (i.e. Google LLC).⁷ However, it also noted that the proceedings on the possible violation of Art. 5, 28, 29 GDPR by Google LLC are still pending.

Key takeaways

It is noteworthy that the SCC that were subject to this proceeding were the "old" set of SCC, since in response to the Schrems II decision, the EC substantially revised the SCC and published "new SCC" last summer (see here). The new SCC will replace the old ones, companies having been granted a transition period of 18 months until the end of 2022 to switch to the new version. Companies contracting with new customers must immediately use the new SCC.

The new SCC are designed to be more flexible than the older version, and cover data protection safeguards, use of sub-processors, data subject rights (including redress), liability and supervision for transfers from controller to controller, controller to processor, processor to processor, and processor to controller. Of course, companies will still have to undertake the relevant risk assessment, i.e. the so-called "Transfer Impact Assessment" (TIA).

As mentioned, the DPA did not analyse a new set of SCC including a TIA, but the old set of SCC in the context of the ECJ ruling. In other words, the DPA was bound to apply the new and higher level TIA requirement to an old contract (SCC).    

However, the DPA illustrated with this decision that the leeway for adjustment to the ECJ's requirements is rather small.

The key takeaway from this decision is that it's time for companies to accept their active role as a data controller and get their international data transfers in order.

¹ DSB 22.12.2021, D155.027/2021-0.586.257.
² Cf Usage statistics of traffic analysis tools for websites, (accessed on 01.02.2022).
³ ECJ 16.07.2020, C-311/18, ECLI:EU:C:2020:559.
⁴ Noyb is an NGO led by Max Schrems that "focusses on commercial privacy issues on a European level, i.e. privacy violations of your digital rights as a private citizen by companies and corporations" (accessible at noyb).
⁵ Cf DSB ruling, D.2., p. 26 et seq.
⁶ Cf Chapter V – Art. 44 et seq. GDPR.
⁷ Cf DSB ruling D.6., p. 40 et seq.: The data importer does not disclose the personal data, but (only) receives it.

authors: Florian Terharen and Veronika Wolfbauer