Explained: The Austrian data regulator's issue with Google Analytics

William Fry's David Cullen and David Kirton take a look at the Austrian data watchdog's Google Analytics concerns and what they mean.

In the latest in a long line of challenges to the transfer of personal data from Europe to the US, the Austrian data protection authority, the DSB, has found that the use of Google Analytics by an Austrian website did not comply with EU data protection law.

The DSB reached this decision on the basis that the use of Google Analytics involves the transfer of personal data to the US where, it found, the data will not receive adequate protection from surveillance by US intelligence agencies.

The DSB concluded that the measures put in place to protect that personal data, such as encryption, were not sufficient to address that risk.

This decision is the first issued on foot of 101 complaints filed by the Vienna-based privacy non-profit group NOYB with various European data protection authorities, including the Irish Data Protection Commission.

These complaints allege that personal data transfers to Google and Facebook in the US breach EU data protection law as set out in the widely reported Schrems II case.

What is Google Analytics?

Google Analytics is a tool that website operators can use to analyse how visitors use their websites. For example, it can be used to generate reports on visitor numbers, visitors' browser parameters, which device they are using and more. It does this by placing a cookie – a small piece of code – on the visitor's device, which assigns a unique identification number.

Google Analytics can also combine this unique identifier with other data, such as the visitor's IP address, to track the visitor in further ways. For example, if the visitor is logged into their Google account, their visit will be linked to that account.

The DSB found that this creates a 'digital footprint' that can be used to identify individuals. This digital footprint is not only used by the website operator. Google also collects this data and transfers it to its servers in the US.

International data transfers

EU data protection law, including the GDPR, permits the free movement of personal data within the EEA, as well as between the EEA and certain other countries that are deemed to provide adequate protection for personal data, such as Canada and Japan.

Otherwise, a transfer of personal data outside the EEA (including to the US) can only take place using certain mechanisms set out in the GDPR.

One such mechanism is the use of standard contractual clauses. This mechanism requires the data exporter and importer to enter into a contract obliging the importer to ensure that the personal data receives adequate protection outside the EEA.

However, following the decision of the Court of Justice of the EU in the Schrems II case, the standard contractual clauses alone will not be sufficient.

Data exporters must also assess the level of protection that the personal data will receive in the destination country and, if that falls short of the level provided in the EEA, put in place supplementary measures to address those deficiencies.

The DSB’s decision

The DSB's decision followed a complaint by a visitor to an Austrian website called NetDoktor. Because that website used Google Analytics, the visitor's personal data, including a unique user identification number, IP address and browser parameters, were collected and sent to servers operated by Google in the US.

The operator of the website and Google had entered into the standard contractual clauses, and Google had implemented certain additional contractual, technical and organisational measures with a view to ensuring an adequate level of protection for EU personal data exported to the US. This included encryption of the data.

However, the DSB found that the steps taken were not sufficient to ensure compliance with the GDPR rules on transfers of personal data outside the EEA.

As an electronic communication service provider under US law, Google is subject to compliance with surveillance requests made by US intelligence agencies. Google disclosed that it had received such requests from US authorities.

In the absence of additional measures, therefore, the DSB determined that there was a risk that personal data transferred to the US could be accessed by US intelligence agencies in a manner which could violate the rights of data subjects.

Next, the DSB considered the additional measures that were in place, such as encryption, but found that they were not sufficient to address the risk.

For example, the DSB referred to European Data Protection Board (EDPB) guidance, which states that encryption is not a sufficient measure if the recipient of the personal data holds the encryption key and may be under an obligation to hand over that key to the relevant authorities.

The DSB therefore decided that the website operator had not complied with the GDPR rules on transfers of personal data outside the EEA.

Google’s response

It should be noted that the DSB did not find any wrongdoing on the part of Google – the primary responsibility for transfers of data lies with the data controller; in this case, the website operator.

Nonetheless, Google expressed its concern with the decision. Its president of global affairs and chief legal officer Kent Walker noted in a blogpost that, in 15 years of offering the Google Analytics tool, Google "has never once received the type of demand [from the US authorities] the [DSB] speculated about".

"If a theoretical risk of data access were enough to block data flows, that would pose a risk for many publishers and small businesses who use the web and highlight the lack of legal stability for international data flows facing the entire European and American business ecosystem," he said.

Wider implications

It is important to stress that the DSB's decision is not yet final and, in any event, does not have effect outside Austria. As with all regulatory decisions, it is specific to its facts.

No one is expecting to see websites across Europe drop Google Analytics overnight. However, as this is the first decision on foot of the 101 complaints filed by NOYB, it is likely that in the coming months we will begin to see similar decisions across Europe.

These decisions may well affect the use of other tools, not just Google Analytics, that involve transfers of personal data to the US or elsewhere outside the EEA.

The EDPB has set up a taskforce to coordinate and promote communication between the national authorities in relation to these complaints.

According to BuiltWith, 28m websites (including more than 70pc of the most popular 10,000 websites globally) were using the Google Analytics tool as of November 2021. There will therefore be a great many businesses, regulators and lawyers watching these decisions very carefully.

These decisions come against a background in which EU and US negotiators are attempting to work out a new deal to facilitate the continued sharing of data across the Atlantic.

It is intended that this deal would replace the Privacy Shield mechanism rejected by the EU courts in July 2020. These discussions have not yet resulted in any concrete proposals, and negotiators will not approve any deal until it is expected to meet the requirements set down in the Schrems II decision and related cases.

In the meantime, it is crucial that businesses operating online are fully aware of all their international data flows, know what tools they use and what personal data they process.
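As an added illustration of that inventory step (this is example code written for this page, not a tool from William Fry, NOYB or Google), the script below scans a page's HTML for the Google Analytics and Tag Manager script hosts and property IDs that mark a transfer to Google's servers, and decodes the first-party `_ga` cookie to show the unique client identifier the article describes. The sample HTML and cookie value are constructed; the hostnames, ID formats and `_ga` cookie layout are the real ones used by Google Analytics.

```python
import re
from datetime import datetime, timezone

# Script hosts loaded by the Universal Analytics (analytics.js) and GA4 (gtag.js) snippets.
GA_HOSTS = ("www.google-analytics.com", "www.googletagmanager.com")
# Property IDs: Universal Analytics "UA-<account>-<property>" and GA4 measurement "G-<id>".
ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")
HOST_RE = re.compile(
    r"https?://(" + "|".join(re.escape(h) for h in GA_HOSTS) + r")[^\s\"']*"
)


def find_analytics_tags(html):
    """Return the Google hosts and property IDs a page references.

    Any hit here means the visitor's client ID, IP address and browser
    parameters are sent to Google when the page loads, which is the
    transfer the DSB decision turns on.
    """
    hosts = sorted({m.group(1) for m in HOST_RE.finditer(html)})
    ids = sorted(set(ID_RE.findall(html)))
    return {"hosts": hosts, "property_ids": ids}


def parse_ga_cookie(value):
    """Decode a _ga cookie: 'GA1.<domain depth>.<random>.<unix timestamp>'.

    The last two fields together are the client ID that Google Analytics
    assigns to the visitor's device; returns None for a non-GA value.
    """
    parts = value.split(".")
    if len(parts) != 4 or parts[0] != "GA1" or not parts[3].isdigit():
        return None
    first_seen = datetime.fromtimestamp(int(parts[3]), tz=timezone.utc)
    return {"client_id": f"{parts[2]}.{parts[3]}", "first_seen": first_seen.isoformat()}


# Constructed sample page carrying both a GA4 and a Universal Analytics snippet.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123XYZ9"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-ABC123XYZ9');</script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>ga('create', 'UA-12345-6', 'auto'); ga('send', 'pageview');</script>
</head><body>Sample page</body></html>"""

if __name__ == "__main__":
    print(find_analytics_tags(SAMPLE_HTML))
    print(parse_ga_cookie("GA1.2.1234567890.1636243200"))  # constructed cookie value
```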

As the Austrian decision illustrates, it is ultimately the website operator that is legally responsible for the protection of its users' personal data.

By David Cullen and David Kirton

David Cullen is a partner and head of William Fry's Technology Group. David Kirton is an associate in William Fry's Technology Group.
