In bad news for US cloud services, Austrian website’s use of Google Analytics found to breach GDPR

A decision by Austria’s data protection watchdog upholding a complaint against a website related to its use of Google Analytics does not bode well for use of US cloud services in Europe.

The decision raises a big red flag over routine use of tools that require transferring Europeans’ personal data to the US for processing — with the watchdog finding that IP address and identifiers in cookie data are the personal data of site visitors, meaning these transfers fall under the purview of EU data protection law.

In this specific case, an IP address “anonymization” function had not been properly implemented on the website. But, regardless of that technical wrinkle, the regulator found IP address data to be personal data given the potential for it to be combined — like a “puzzle piece” — with other digital data to identify a visitor.

Consequently the Austrian DPA found that the website in question — a health focused site called netdoktor.at, which had been exporting visitors’ data to the US as a result of implementing Google Analytics — had violated Chapter V of the EU’s General Data Protection Regulation (GDPR), which deals with data transfers out of the bloc.

“US intelligence services use certain online identifiers (such as the IP address or unique identification numbers) as a starting point for the surveillance of individuals,” the regulator notes in the decision [via a machine translation of the German language text], adding: “In particular, it cannot be excluded that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant.”

In reaching its conclusion, the regulator assessed various measures Google said it had implemented to protect the data in the US — such as encryption at rest in its data centers; or its claim that the data “must be considered as pseudonymous” — but did not find sufficient safeguards had been put in place to effectively block US intelligence services from accessing the data, as required to meet the GDPR’s standard.

“As long as the second respondent himself [i.e. Google] has the possibility to access data in plain text, the technical measures invoked cannot be considered effective in the sense of the above considerations,” it notes at one point, dismissing the type of encryption used as inadequate protection.

Austria’s regulator also quotes earlier guidance from German DPAs to back up its dismissal of Google’s “pseudonymous” claim — noting that this states:

” …the use of IP addresses, cookie IDs, advertising IDs, unique user IDs or other identifiers to (re)identify users do not constitute appropriate safeguards to comply with data protection principles or to safeguard the rights of data subjects. This is because, unlike in cases where data is pseudonymised in order to disguise or delete the identifying data so that the data subjects can no longer be addressed, IDs or identifiers are used to make the individuals distinguishable and addressable. Consequently, there is no protective effect. They are therefore not pseudonymisations within the meaning of Recital 28, which reduce the risks for the data subjects and assist data controllers and processors in complying with their data protection obligations.”

The DPA’s wholesale dismissal of any legally relevant impact of the bundle of aforementioned “Technical and Organizational Measures” (such as standard encryption) — which were cited by Google to try to fend off the complaint — is significant because such claims are the prevailing tactic used by US-based cloud giants to try to massage compliance and ensure EU-to-US data transfers continue so they can continue business as usual.

So if this tactic is getting called out here, as a result of a single website’s use of Google Analytics, it can and will be sanctioned by EU regulators elsewhere. After all, Google Analytics is everywhere online.

(See also the extensive list of extremely standard measures cited by Facebook in an internal assessment of its EU-to-US data transfers’ — in which it too tries to claim ‘compliance’ with EU law, per an earlier document reveal.)

The complaint back story here is that back in August 2020 European privacy campaign group noyb filed a full 101 complaints with DPAs across the bloc targeting websites with regional operators that it had identified as sending data to the US via Google Analytics and/or Facebook Connect integrations.

Use of such analytics tools may seem intensely normal but — legally speaking, in the EU — it’s anything but because EU-to-US transfers of personal data have been clouded in legal uncertainty for years.

The underlying conflict boils down to a clash between European privacy rights and US surveillance law — as the latter affords foreigners zero rights over how their data is scooped up and snooped on, nor any route to legal redress for whatever happens to their information when it’s in the US, making it extremely difficult for exported EU data to get the necessary standard of “essentially equivalent” protection that it gets at home when it’s abroad.

To radically simplify: EU law says European levels of protection must travel with data. While US law says ‘we’re taking your data; we’re not telling you what we’re doing; and you can’t do anything about it anyway, sucker!’.

US cloud providers that are subject to Section 702 of the Foreign Intelligence Surveillance Act (FISA) are all in the frame — which takes in a broad sweep of tech giants, including Google and Facebook, since this law applies broadly to “electronic communications services”.

While Executive Order 12,333, a Reagan era mandate that’s also relevant as it also expanded intelligence agency powers to acquire data, is thought to target vulnerabilities in telecoms infrastructure.

The EU-US legal clash between privacy and surveillance dates back almost a decade at this point.

It was catalyized by the 2013 Snowden disclosures which revealed the extent of US government mass surveillance programs — and led, back in 2015, to the EU’s Court of Justice to invalidate the Safe Harbor arrangement between the bloc and the US on the grounds that EU data could no longer be considered safe when it went over the pond.

And whereas Safe Harbor had stood for around 15 years, its hastily agreed replacement — the EU-US Privacy Shield — lasted just four. So the lifespan of commercially minded European Commission decisions seeking to grease transatlantic data flows in spite of the massive privacy risks has been shrinking radically.

Some complaints about risky EU-to-US data transfers also date back almost a decade at this point. But there’s fresh enforcement energy in the air since a landmark ruling by the CJEU in July 2020 — which struck down the Commission’s reupped data transfer arrangement (Privacy Shield), which — since 2016 — had been relied upon by thousands of companies to rubberstamp their US transfers.

The court did not outlaw personal data transfers to so-called third countries entirely. Which is why these data flows didn’t cease overnight smack bang in the middle of 2020.

However it clarified that such data flows must be assessed on a case by case basis for risks. And it made it clear that DPAs could not just turn a blind eye to compliance — hi Ireland! — rather they must proactively step in and suspend transfers in cases where they believe data is flowing to a risky location like the US.

In a much watched for follow-on interpretation of the court ruling, the European Data Protection Board’s (EDPB) guidance confirmed that personal data transfers out of the EU may still be possible — if a set of narrow circumstances and/or conditions apply. Such as the data can be genuinely anonymized so that it is truly no longer personal data.

Or if you can apply a suite of supplementary measures (such as technical stuff like applying robust end-to-end encryption — meaning there’s zero access to decrypted data possible by a US entity) — in order to raise the level of legal protection.

The problem for adtech firms like Google and Facebook is that their business models are all about accessing people’s data. So it’s not clear how such data-mining giants could apply supplementary measures that radically limit their own access to this core business data without a radical change of model. Or, well, federating their services — and localizing European data and processing in the EU.

The Austrian DPA decision makes it clear that Google’s current package of measures, related to how it operates Google Analytics, is not adequate because it does not remove the risk of surveillance agencies accessing people’s data.

The decision puts heavy underscoring on the need for any such supplementary measures to actually enhance standard provisions if they’re to do anything at all for your chances of compliance.

Supplementary of course means extra. tl;dr you can’t pass off totally standard security processes, procedures, policies, protocols and measures as some kind of special Schrems II-busting legal magic, no matter how much you might want to.

(A quick comparable scenario that might hammer home the point: One can’t — legally speaking — hold a party during a pandemic if lockdown rules ban social gatherings simply by branding a ‘bring your own bottle’ garden soirée as a work event. Not even if you’re the prime minister of the UK. At least not if you want to remain in post for long, anyway… )

It’s fair to say that the the tech industry response to the Schrems II ruling has been a massive, collective putting of heads into sand. Or, as the eponymous Max Schrems himself, honorary chair of noyb, puts it in a statement: “Instead of adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options.”

This charade has been possible because — to date — there hasn’t been much regulatory renforcement following the July 2020 ruling.

Despite the European Data Protection Board warning immediately that there would be no grace period for coming into compliance.

To the untrained eye that might suggest the industry’s collective strategy — of ignoring the legal nightmare wrapping EU-to-US transfers in the hopes the problem would just go away — has been working.

But, as the Austria decision indicates, regulatory gears are grinding towards a bunch of rude awakenings.

The European Commission — which remains eager for a replacement to the EU-US Privacy Shield — has also warned there will be no quick fix this time around, suggesting major reforms of US surveillance law are required to bridge the legal divide. (Although negotiations between the Commission and the US on a replacement data transfer agreement are continuing.)

In the meanwhile Schrems II enforcements are starting to flow — and orders to cease US data flows may soon follow.

In another sign of enforcement ramping up, the European Data Protection Supervisor (EDPS) — just this week — upheld a complaint against the European Parliament over US data transfers involving use of Google Analytics and Stripe.

The EDPS’ decision reprimands the parliament and also orders it to fix outstanding issues within one month.

The other 101 complaints noyb filed back in 2020 are also still awaiting decisions. And as Schrems notes EU DPAs have been coordinating their response to the data transfer issue. So there’s likely to be a pipeline of enforcements striking at usage of US cloud services in the coming months. And, well, a lot of sand falling out of eyes.

Here’s Schrems on the Austria DPA’s reasoning again: “This is a very detailed and sound decision. The bottom line is: Companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”

“We expect similar decisions to now drop gradually in most EU member states,” he adds, further noting that Member State authorities have been coordinating their response to the flotilla of complaints (the EDPB announced a taskforce on the issue last fall).

“In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU,” Schrems also said, adding: “I would personally prefer better protections in the US, but this is up to the US legislator — not to anyone in Europe.”

While netdoktor has been found to have violated the GDPR, it’s not clear whether it will face a penalty as yet.

It may also seek to appeal the Austrian DPA’s decision.

The company has since moved its HQ to Germany, which complicates the regulatory jurisdiction component of this process — and means it may face additional enforcement, such as an order banning transfers, in a follow on action by a German regulator.

There is another notable element of the decision that has gone Google’s way — for now.

While the regulator upheld the complaint against netdoktor it did not find against Google’s US business for receiving/processing the data — deciding that the rules on data transfers only apply to EU entities and not to the US recipients.

That bit of the decision is a disappointment to noyb which is considering whether to appeal — with Schrems arguing: “It is crucial that the US providers cannot just shift the problem to EU customers.”

noyb further flags that Google may still face some pending sanction, however, as the Austria DPA has said it will investigate further in relation to potential violations of Article 5, 28 and 29 GDPR (related to whether Google is allowed to provide personal data to the US government without an explicit order by the EU data exporter).

The DPA has said it will issue a separate decision on that. So Google may yet be on the hook for a GDPR breach in Austria.

Penalties under the regulation can scale as high as 4% of a company’s annual global turnover. Although orders to ban data transfers may ultimately prove a lot more costly to certain types of data-mining business models.

To wit: Long time EU privacy watchers will be aware that Facebook’s European business is on penalty time in Ireland over this same EU-US transfers issue. A preliminary order that Facebook suspend transfers was issued by Ireland in fall 2020 — triggering legal action from the social media giant to try to block the order.

Facebook’s court challenge failed but a final decision remains pending from the Irish regulator — which promised noyb a swift resolution of the vintage complaint a full year ago. So the clock really is ticking on that data transfer complaint. And someone should phone Meta’s chief spin doctor, Nick Clegg, to ask if he’s ready to pull the plug on Facebook’s European service yet?