
In bad news for US cloud services, Austrian website's use of Google Analytics found to breach GDPR


But, regardless of that technical wrinkle, the regulator found IP address data to be personal data given the potential for it to be combined — like a “puzzle piece” — with other digital data to identify a visitor.

Consequently the Austrian DPA found that the website in question — a health focused site called, which had been exporting visitors’ data to the US as a result of implementing Google Analytics — had violated Chapter V of the EU’s General Data Protection Regulation (GDPR), which deals with data transfers out of the bloc.

“US intelligence services use certain online identifiers (such as the IP address or unique identification numbers) as a starting point for the surveillance of individuals,” the regulator notes in the decision [via a machine translation of the German language text], adding: “In particular, it cannot be excluded that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant.”

In reaching its conclusion, the regulator assessed various measures Google said it had implemented to protect the data in the US — such as encryption at rest in its data centers; or its claim that the data “must be considered as pseudonymous” — but did not find sufficient safeguards had been put in place to effectively block US intelligence services from accessing the data, as required to meet the GDPR’s standard.

“As long as the second respondent himself [i.e. Google] has the possibility to access data in plain text, the technical measures invoked cannot be considered effective in the sense of the above considerations,” it notes at one point, dismissing the type of encryption used as inadequate protection.

Austria’s regulator also quotes earlier guidance from German DPAs to back up its dismissal of Google’s “pseudonymous” claim — noting that this states: “…the use of IP addresses, cookie IDs, advertising IDs, unique user IDs or other identifiers to (re)identify users do not constitute appropriate safeguards to comply with data protection principles or to safeguard the rights of data subjects.

After all, Google Analytics is everywhere online.

(See also the extensive list of extremely standard measures cited by Facebook in an internal assessment of its EU-to-US data transfers — in which it too tries to claim ‘compliance’ with EU law, per an earlier document reveal.)

The complaint back story here is that back in August 2020 European privacy campaign group noyb filed a full 101 complaints with DPAs across the bloc targeting websites with regional operators that it had identified as sending data to the US via Google Analytics and/or Facebook Connect integrations.

Use of such analytics tools may seem intensely normal but — legally speaking, in the EU — it’s anything but because EU-to-US transfers of personal data have been clouded in legal uncertainty for years.

The underlying conflict boils down to a clash between European privacy rights and US surveillance law — as the latter affords foreigners zero rights over how their data is scooped up and snooped on, nor any route to legal redress for whatever happens to their information when it’s in the US, making it extremely difficult for exported EU data to get the necessary standard of “essentially equivalent” protection that it gets at home when it’s abroad.

To radically simplify: EU law says European levels of protection must travel with data.
It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”

“We expect similar decisions to now drop gradually in most EU member states,” he adds, further noting that Member State authorities have been coordinating their response to the flotilla of complaints (the EDPB announced a taskforce on the issue last fall).

“In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU,” Schrems also said, adding: “I would personally prefer better protections in the US, but this is up to the US legislator — not to anyone in Europe.”

While netdoktor has been found to have violated the GDPR, it’s not clear whether it will face a penalty as yet.

It may also seek to appeal the Austrian DPA’s decision.

The company has since moved its HQ to Germany, which complicates the regulatory jurisdiction component of this process — and means it may face additional enforcement, such as an order banning transfers, in a follow on action by a German regulator.

There is another notable element of the decision that has gone Google’s way — for now.

While the regulator upheld the complaint against netdoktor it did not find against Google’s US business for receiving/processing the data — deciding that the rules on data transfers only apply to EU entities and not to the US recipients.

That bit of the decision is a disappointment to noyb which is considering whether to appeal — with Schrems arguing: “It is crucial that the US providers cannot just shift the problem to EU customers.”

noyb further flags that Google may still face some pending sanction, however, as the Austria DPA has said it will investigate further in relation to potential violations of Article 5, 28 and 29 GDPR (related to whether Google is allowed to provide personal data to the US government without an explicit order by the EU data exporter).

The DPA has said it will issue a separate decision on that.

As said here by Natasha Lomas