In bad news for US cloud services, Austrian website’s use of Google Analytics found to breach GDPR


Photo illustration of the logo of freemium web analytics service Google Analytics is displayed on a smartphone.
Image Credits: Thomas Trutschel / Getty Images

A decision by Austria’s data protection watchdog upholding a complaint against a website related to its use of Google Analytics does not bode well for use of US cloud services in Europe.

The decision raises a big red flag over routine use of tools that require transferring Europeans’ personal data to the US for processing — with the watchdog finding that IP address and identifiers in cookie data are the personal data of site visitors, meaning these transfers fall under the purview of EU data protection law.

In this specific case, an IP address “anonymization” function had not been properly implemented on the website. But, regardless of that technical wrinkle, the regulator found IP address data to be personal data given the potential for it to be combined — like a “puzzle piece” — with other digital data to identify a visitor.

Consequently the Austrian DPA found that the website in question, a health-focused site called netdoktor, which had been exporting visitors’ data to the US as a result of implementing Google Analytics, had violated Chapter V of the EU’s General Data Protection Regulation (GDPR), which deals with data transfers out of the bloc.

“US intelligence services use certain online identifiers (such as the IP address or unique identification numbers) as a starting point for the surveillance of individuals,” the regulator notes in the decision [via a machine translation of the German language text], adding: “In particular, it cannot be excluded that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant.”

In reaching its conclusion, the regulator assessed various measures Google said it had implemented to protect the data in the US — such as encryption at rest in its data centers; or its claim that the data “must be considered as pseudonymous” — but did not find sufficient safeguards had been put in place to effectively block US intelligence services from accessing the data, as required to meet the GDPR’s standard.

“As long as the second respondent himself [i.e. Google] has the possibility to access data in plain text, the technical measures invoked cannot be considered effective in the sense of the above considerations,” it notes at one point, dismissing the type of encryption used as inadequate protection.

Austria’s regulator also quotes earlier guidance from German DPAs to back up its dismissal of Google’s “pseudonymous” claim — noting that this states:

“…the use of IP addresses, cookie IDs, advertising IDs, unique user IDs or other identifiers to (re)identify users does not constitute appropriate safeguards to comply with data protection principles or to safeguard the rights of data subjects. This is because, unlike in cases where data is pseudonymised in order to disguise or delete the identifying data so that the data subjects can no longer be addressed, IDs or identifiers are used to make the individuals distinguishable and addressable. Consequently, there is no protective effect. They are therefore not pseudonymisations within the meaning of Recital 28, which reduce the risks for the data subjects and assist data controllers and processors in complying with their data protection obligations.”
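To make the regulator’s “puzzle piece” reasoning and the German DPAs’ point about identifiers concrete, here is an added example (code written for this edit, not code from the page, from Google or from the regulator). It applies the IP truncation Google describes for Google Analytics’ IP anonymization feature (last octet of an IPv4 address and last 80 bits of an IPv6 address set to zero) to a handful of constructed hits, then checks whether the fields that remain still single out each visitor. The hits, addresses and cookie client IDs are constructed, and the “visitor” label is an assumption used only to check the outcome; a real collector would not have it.

```python
"""Added example: GA-style IP truncation versus re-identification through
other identifiers. Not code from the page, from Google or from the DPA."""
import ipaddress
from collections import defaultdict


def anonymize_ip(addr: str) -> str:
    """Truncate an address the way Google describes GA's IP anonymization:
    the last octet of IPv4 and the last 80 bits of IPv6 are set to zero."""
    ip = ipaddress.ip_address(addr)
    drop_bits = 8 if ip.version == 4 else 80
    masked = (int(ip) >> drop_bits) << drop_bits
    # Rebuild with the same address class so a small IPv6 value
    # is not misread as IPv4.
    return str(type(ip)(masked))


# Constructed sample hits, not real traffic. "cid" mimics the shape of a
# _ga cookie client ID; "visitor" is ground truth used only for checking.
HITS = [
    {"visitor": "A", "ip": "203.0.113.17", "cid": "GA1.2.1112223334.1641990000"},
    {"visitor": "A", "ip": "203.0.113.17", "cid": "GA1.2.1112223334.1641990000"},
    {"visitor": "B", "ip": "203.0.113.200", "cid": "GA1.2.5556667778.1641991111"},
    {"visitor": "C", "ip": "2001:db8:0:1::7", "cid": "GA1.2.9990001112.1641992222"},
]


def anonymize_hits(hits):
    """Return copies of the hits with the IP field truncated."""
    return [{**h, "ip": anonymize_ip(h["ip"])} for h in hits]


def visitors_by_key(hits, fields):
    """Group hits by the chosen fields and collect the visitors behind each key."""
    groups = defaultdict(set)
    for h in hits:
        groups[tuple(h[f] for f in fields)].add(h["visitor"])
    return dict(groups)


def singles_out(hits, fields):
    """True when every key built from `fields` maps to exactly one visitor,
    i.e. those fields alone make each visitor distinguishable and addressable."""
    return all(len(v) == 1 for v in visitors_by_key(hits, fields).values())


if __name__ == "__main__":
    anon = anonymize_hits(HITS)
    for fields in (("ip",), ("cid",), ("ip", "cid")):
        print(fields, "singles out every visitor:", singles_out(anon, fields))
```

On the truncated IP alone, visitors A and B collapse into the same 203.0.113.0 bucket, which is the effect the feature is meant to have. Add the cookie client ID, or use it on its own, and every visitor is distinguishable and addressable again: the identifier is the puzzle piece. That is why the decision’s outcome does not turn on whether the site had switched the anonymization on correctly.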

The DPA’s wholesale dismissal of any legally relevant impact of the bundle of aforementioned “Technical and Organizational Measures” (such as standard encryption) — which were cited by Google to try to fend off the complaint — is significant because such claims are the prevailing tactic used by US-based cloud giants to try to massage compliance and ensure EU-to-US data transfers continue so they can continue business as usual.

So if this tactic is getting called out here, as a result of a single website’s use of Google Analytics, it can and will be sanctioned by EU regulators elsewhere. After all, Google Analytics is everywhere online.

(See also the extensive list of extremely standard measures cited by Facebook in an internal assessment of its EU-to-US data transfers, in which it too tries to claim ‘compliance’ with EU law, per an earlier document reveal.)

The complaint back story here is that back in August 2020 European privacy campaign group noyb filed a full 101 complaints with DPAs across the bloc targeting websites with regional operators that it had identified as sending data to the US via Google Analytics and/or Facebook Connect integrations.

Use of such analytics tools may seem intensely normal but — legally speaking, in the EU — it’s anything but because EU-to-US transfers of personal data have been clouded in legal uncertainty for years.

The underlying conflict boils down to a clash between European privacy rights and US surveillance law. The latter affords foreigners no rights over how their data is collected and examined, and no route to legal redress for whatever happens to their information once it is in the US. That makes it extremely difficult for exported EU data to receive abroad the “essentially equivalent” level of protection it gets at home, which is the standard EU law demands.

To radically simplify: EU law says European levels of protection must travel with data. While US law says ‘we’re taking your data; we’re not telling you what we’re doing; and you can’t do anything about it anyway, sucker!’.

US cloud providers that are subject to Section 702 of the Foreign Intelligence Surveillance Act (FISA) are all in the frame — which takes in a broad sweep of tech giants, including Google and Facebook, since this law applies broadly to “electronic communications services”.

Executive Order 12333, a Reagan-era directive that expanded intelligence agencies’ powers to acquire data, is also relevant; it is thought to be used to target vulnerabilities in telecoms infrastructure.

The EU-US legal clash between privacy and surveillance dates back almost a decade at this point.

It was catalyzed by the 2013 Snowden disclosures, which revealed the extent of US government mass surveillance programs and led the EU’s Court of Justice, in 2015, to invalidate the Safe Harbor arrangement between the bloc and the US on the grounds that EU data could no longer be considered safe once it crossed the Atlantic.

And whereas Safe Harbor had stood for around 15 years, its hastily agreed replacement — the EU-US Privacy Shield — lasted just four. So the lifespan of commercially minded European Commission decisions seeking to grease transatlantic data flows in spite of the massive privacy risks has been shrinking radically.

Some complaints about risky EU-to-US data transfers also date back almost a decade at this point. But there’s fresh enforcement energy in the air since a landmark ruling by the CJEU in July 2020 — which struck down the Commission’s reupped data transfer arrangement (Privacy Shield), which — since 2016 — had been relied upon by thousands of companies to rubberstamp their US transfers.

The court did not outlaw personal data transfers to so-called third countries entirely. Which is why these data flows didn’t cease overnight smack bang in the middle of 2020.

However it clarified that such data flows must be assessed on a case by case basis for risks. And it made it clear that DPAs could not just turn a blind eye to compliance — hi Ireland! — rather they must proactively step in and suspend transfers in cases where they believe data is flowing to a risky location like the US.

In a much-anticipated follow-on interpretation of the court ruling, the European Data Protection Board (EDPB) issued guidance confirming that personal data transfers out of the EU may still be possible if a narrow set of circumstances and/or conditions applies, such as where the data can be genuinely anonymized so that it is truly no longer personal data.

Or where you can apply a suite of supplementary measures to raise the level of legal protection: for example, technical measures such as robust end-to-end encryption with the keys held outside the US provider’s reach, so that no US entity can access the decrypted data.

The problem for adtech firms like Google and Facebook is that their business models are all about accessing people’s data. So it’s not clear how such data-mining giants could apply supplementary measures that radically limit their own access to this core business data without a radical change of model. Or, well, federating their services — and localizing European data and processing in the EU.

The Austrian DPA decision makes it clear that Google’s current package of measures, related to how it operates Google Analytics, is not adequate because it does not remove the risk of surveillance agencies accessing people’s data.

The decision heavily underscores that any such supplementary measures must actually go beyond standard provisions if they are to do anything at all for your chances of compliance.


Supplementary, of course, means extra. tl;dr: you can’t pass off totally standard security processes, procedures, policies, protocols and measures as some kind of special Schrems II-busting legal magic, no matter how much you might want to.

(A quick comparable scenario that might hammer home the point: One can’t — legally speaking — hold a party during a pandemic if lockdown rules ban social gatherings simply by branding a ‘bring your own bottle’ garden soirée as a work event. Not even if you’re the prime minister of the UK. At least not if you want to remain in post for long, anyway… )

It’s fair to say that the tech industry response to the Schrems II ruling has been a massive, collective putting of heads into sand. Or, as the eponymous Max Schrems himself, honorary chair of noyb, puts it in a statement: “Instead of adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options.”

This charade has been possible because, to date, there hasn’t been much regulatory enforcement following the July 2020 ruling, despite the European Data Protection Board warning immediately that there would be no grace period for coming into compliance.

To the untrained eye that might suggest the industry’s collective strategy — of ignoring the legal nightmare wrapping EU-to-US transfers in the hopes the problem would just go away — has been working.

But, as the Austria decision indicates, regulatory gears are grinding towards a bunch of rude awakenings.

The European Commission — which remains eager for a replacement to the EU-US Privacy Shield — has also warned there will be no quick fix this time around, suggesting major reforms of US surveillance law are required to bridge the legal divide. (Although negotiations between the Commission and the US on a replacement data transfer agreement are continuing.)

In the meanwhile Schrems II enforcements are starting to flow — and orders to cease US data flows may soon follow.

In another sign of enforcement ramping up, the European Data Protection Supervisor (EDPS) — just this week — upheld a complaint against the European Parliament over US data transfers involving use of Google Analytics and Stripe.

The EDPS’ decision reprimands the parliament and also orders it to fix outstanding issues within one month.

The other 101 complaints noyb filed back in 2020 are also still awaiting decisions. And, as Schrems notes, EU DPAs have been coordinating their response to the data transfer issue. So there’s likely to be a pipeline of enforcements striking at usage of US cloud services in the coming months. And, well, a lot of sand falling out of eyes.

Here’s Schrems on the Austria DPA’s reasoning again: “This is a very detailed and sound decision. The bottom line is: Companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”

“We expect similar decisions to now drop gradually in most EU member states,” he adds, further noting that Member State authorities have been coordinating their response to the flotilla of complaints (the EDPB announced a taskforce on the issue last fall).

“In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU,” Schrems also said, adding: “I would personally prefer better protections in the US, but this is up to the US legislator — not to anyone in Europe.”

While netdoktor has been found to have violated the GDPR, it’s not yet clear whether it will face a penalty.

It may also seek to appeal the Austrian DPA’s decision.

The company has since moved its HQ to Germany, which complicates the regulatory jurisdiction component of this process — and means it may face additional enforcement, such as an order banning transfers, in a follow on action by a German regulator.

There is another notable element of the decision that has gone Google’s way — for now.

While the regulator upheld the complaint against netdoktor it did not find against Google’s US business for receiving/processing the data — deciding that the rules on data transfers only apply to EU entities and not to the US recipients.

That bit of the decision is a disappointment to noyb which is considering whether to appeal — with Schrems arguing: “It is crucial that the US providers cannot just shift the problem to EU customers.”

noyb further flags that Google may still face some pending sanction, however, as the Austrian DPA has said it will investigate further in relation to potential violations of Articles 5, 28 and 29 of the GDPR (related to whether Google is allowed to provide personal data to the US government without an explicit order by the EU data exporter).

The DPA has said it will issue a separate decision on that. So Google may yet be on the hook for a GDPR breach in Austria.

Penalties under the regulation can scale as high as 4% of a company’s annual global turnover. Although orders to ban data transfers may ultimately prove a lot more costly to certain types of data-mining business models.

To wit: Long time EU privacy watchers will be aware that Facebook’s European business is on penalty time in Ireland over this same EU-US transfers issue. A preliminary order that Facebook suspend transfers was issued by Ireland in fall 2020 — triggering legal action from the social media giant to try to block the order.

Facebook’s court challenge failed but a final decision remains pending from the Irish regulator — which promised noyb a swift resolution of the vintage complaint a full year ago. So the clock really is ticking on that data transfer complaint. And someone should phone Meta’s chief spin doctor, Nick Clegg, to ask if he’s ready to pull the plug on Facebook’s European service yet?
