Austria rules Google safeguards to be insufficient for US-transfer

Published on 08 June 2022

What is the future for data transfers from the EEA to the United States?

The key takeaway

The Austrian Data Protection Authority has decided that the technical and organisational measures put in place by Google to transfer personal data from the EEA to the US were insufficient. In particular, it held that the measures to encrypt and anonymise the data could in theory still allow the identification of a user based on their IP address.

The background

“None of your business” (NOYB), the organisation co-founded by Max Schrems, filed 101 model complaints against various European companies that export data from the EEA to Google LLC and Meta in the US. The complainants alleged that the exporting companies, as well as Google and Meta, had breached their obligations under the GDPR by transferring data under the old SCCs following the Schrems II judgment in July 2020.

The case before the Austrian Data Protection Authority (ADPA) concerned the transfer of data via Google Analytics from an Austrian website to Google data centres in the US, relying on the old (pre-June 2021) SCCs. The data in question was collected using cookies and included IP addresses and other personal user identifiers (such as individual ID numbers). That data was then sent to Google servers in the US, subject to supplementary technical and organisational measures to safeguard the data. These measures included encryption in transit and at rest, and certain levels of data anonymisation and pseudonymisation.

The development

The ADPA ruled that the transfer to Google LLC was in violation of Art. 44 GDPR, as the level of protection of the data was insufficient. This was in part because the safeguards in place would not in practice prevent access to the personal data by US intelligence agencies on the basis that:

  1. encryption is not a suitable measure to protect personal data if the recipient of the encrypted data in the US also holds the key to the encryption. This would allow the recipient, and by extension a government authority with access to the recipient’s data, to read the data in plain text; and
  2. IP addresses and online ID numbers constitute personal data, even if the exporting company and Google could not independently determine an individual’s identity based on them. It was sufficient for anyone by any legally permissible means to be able to establish the identity.

Further, the ADPA stated that the SCCs and Chapter V GDPR do not follow a “risk-based” approach. The level of compliance required is not proportionate to the risk that the data will be accessed. Even if the likelihood of data being accessed is low, this does not reduce the potential risk of harm to data subjects.

Google itself was not deemed non-compliant with the GDPR, as only the website operator, as the data exporter in the EEA, was responsible for GDPR compliance. No fine was issued against either party due to a recent buy-out of the website by a German company, meaning it will be for the relevant German authority to issue a fine.

Why is this important?

This was the first ruling in what will be a string of decisions based on the 101 model complaints, which are an attempt by NOYB to make transfers from the EEA to the US increasingly challenging, if not impossible. Although at the time of the infraction the companies were relying on the old SCCs (which have now been replaced), the fact that Google’s technical and organisational measures to protect personal data were deemed inadequate will be of concern to any organisation that relies on EEA-US data transfers to carry out its business.

Put another way, the ruling suggests that so long as US law allows government authorities to access data on US servers, organisations may be limited in their ability to adequately protect European personal data in the US.

Any practical tips?

On the basis of this ruling, organisations might reconsider any “risk-based” approach they have taken to compliance with the GDPR in situations involving an EEA-US transfer. The likelihood is that there will be more rulings of this kind in the coming months from other European supervisory authorities, and companies should ensure rigour and caution when it comes to their use of SCCs and the corresponding data safeguards for transfers. Ensuring that the requirements of the new SCCs, such as completing transfer impact assessments, are complied with will also be key.