Context behind the Austrian DPA Ruling
With the emergence of the infamous Cambridge Analytica scandal, various data protection and privacy non-governmental organisations (‘NGOs’) and interested parties have increased their focus and scrutiny on mass data harvesting activities carried out to draw analytics-related conclusions. Google Analytics has similarly come onto the radar in light of the increased awareness of data protection and privacy rights.
Data Protection concerns following the Schrems II judgement
In 2020, the NGO co-founded by privacy activist Max Schrems filed close to a hundred complaints before thirty data protection authorities within the European Economic Area (‘EEA’) relating to Google Analytics data transfer activity. These complaints concerned the legality of Google Analytics data transfers, deriving from cookie use, from the EU to Google and Facebook in the US, in light of the notable Schrems II judgement.
The Schrems II judgement in a nutshell
The influential Schrems II judgement essentially invalidated the ‘Privacy Shield’ data corridor that existed between the EU and the US. Data transfer activities undertaken by US companies listed under the Privacy Shield, i.e. companies considered to afford data protection measures equivalent to those found in the EU’s GDPR, were not treated as transfers to third countries outside the EU, but rather placed on the same footing as intra-EU data transfers.
This meant that data transfers were able to cross borders more smoothly. Although the EU-US Privacy Shield was invalidated by the Schrems II judgement, the EU court nonetheless confirmed the validity of Standard Contractual Clauses (‘SCCs’) for the transfer of data between the EU and the US.
Austrian DPA first to rule in relation to US bound data transfers
As a result of the numerous complaints filed with the various data protection authorities, the European Data Protection Board (‘EDPB’) set up a task force to coordinate the response to them. The Austrian DPA was the first to issue a ruling on the transfer of personal data to the US, deriving from Google Analytics cookies, which were collected and transferred by an Austrian website operator. The Austrian DPA held that the SCCs concluded between the Austrian website operator and Google did not guarantee an adequate level of protection in terms of the GDPR.
Insufficient safeguards ruled for Google data transfers
The reasons for the finding of an inadequate level of protection under the GDPR were twofold.
First, given that Google is considered an electronic communications service provider, it is subject to US intelligence surveillance. In this respect, the Austrian DPA found that the technical measures implemented to remove the possibility of such surveillance were not effective. It considered that encryption of the data was not enough to prevent access to it by US governmental authorities, leaving open the possibility that data subjects could nonetheless be identified.
Second, the Austrian DPA determined that the additional safeguard measures implemented did not satisfactorily address the legal protection gaps identified in the Schrems II judgement. Consequently, the transfer of data from the EU to the US was found to be in breach of the pertinent GDPR provisions on transfers to countries outside the EU.
Key Legal Issues
- Schrems II judgement places Data Controllers in murky waters
- Encryption of data insufficient in certain cases when processing takes place in the US
- Additional GDPR safeguard measures also deemed to fall short of Schrems II ruling in certain circumstances
What this means for you
The ruling highlights concerns for Maltese businesses, especially SMEs, which carry out their processing operations externally, such as in the US. Nowadays, in order to meet tight budgets and keep costs within reason, more cost-effective outsourced processing, storage and security offerings are selected. The consequence could be the bankruptcy of the company if the SME’s third-country data transfer policy is not sufficiently adequate.
How we can help
Chetcuti Cauchi has specialised in meeting the regulatory needs of local family businesses and SMEs for over twenty-five years now. We know the most important considerations our clients face on a day-to-day basis. Coupled with our pragmatic and knowledgeable Data Protection law team, we are able to offer holistic support for all data protection compliance requirements. As running an SME business brings its own particular challenges, at Chetcuti Cauchi we take a creative approach to tailor our services to and meet our clients’ particular needs.