Electronic transfers

Austrian Data Protection Authority finds use of Google Analytics on website violates GDPR

On December 22, 2021, the Austrian Data Protection Authority (DSB) found that the medical information company, NetDoktor, had violated the European General Data Protection Regulation (GDPR) by using the platform of popular data analysis of Google LLC, Google Analytics (GA), on its website, which resulted in the transfer of personal information from Europe to Google’s servers located in the United States (US).[1] Such transfers are generally prohibited unless there is an adequate level of data protection in accordance with Article 44 of the GDPR, including through standard contractual clauses (SCCs) approved by the European Commission. The complaint that led to the decision was filed just a month after Schrems II, a ruling by the Court of Justice of the European Union that invalidated the EU-US Privacy Shield framework (see our alert previous) ― previously used by many small and medium-sized businesses to facilitate cross-border data transfers from Europe to the US ― but have generally supported the use of SCCs for transfers. NetDoktor’s dependency on outdated SCCs[2] and the additional data protection measures (including other contractual, organizational, and technical measures) were found to be inadequate safeguards against possible US government surveillance. This decision highlights the importance of ensuring that there is adequate protection for cross-border data transfers, including against possible government access. It also emphasizes that organizations need to understand what data they collect, whether directly or through vendors, where that data is stored (particularly if cloud services are used), and whether safeguards and anonymization data is effective. Notably, the dismissal of the claim against Google as a data processor also provides guidance on the limitations of liability of the service provider or recipient for breaches of the GDPR.

GA collects, analyzes and reports website traffic and visitor activity which can facilitate targeted marketing. This traffic includes pages visited, clicks, login information, user preferences, and browser details, among other information. Google’s analytics products are popular and, according to a 2021 survey published by Statista and Datanyze, account for over 70% of the web analytics software market share. Many website building platforms come with GA pre-installed, which causes some website owners to collect user data without even knowing it.

Defined personal data

The case was brought by an individual who visited NetDoktor’s website while logged into his Google account. Like countless other websites, NetDoktor allowed GA to place a cookie on the complainant’s device to track his activity. GA then assigned a unique identification number to its browser in order to keep track of the data belonging to the complainant. Once the complainant’s NetDoktor activity was recorded, GA transferred the data to US-based servers where it was combined with other user data to produce analytical reports.

Google insisted that this entire process be anonymous. GA uses IP masking technology and only generates aggregated and anonymous reports for its users. The DSB found, however, that the IP anonymization feature was not properly implemented and that GA’s unique identification numbers could be used to identify specific users. It was irrelevant that additional information might be required by Google to do this. Since the DSB determined that the data was not truly anonymous, it found that NetDoktor was transferring personal information to the United States

Data exporters bear the burden of complying with GDPR cross-border data transfer requirements

Notably, the DSB dismissed the complaint against Google, finding that the recipients of the data have limited liability under the cross-border data transfer provisions of the GDPR. Thus, it is the responsibility of website owners and data exporters to understand and limit how and where vendors store personal data. The DSB, however, intends to investigate Google and may issue a separate ruling under the GDPR’s data processing requirements.

Using SCCs to facilitate cross-border data transfers

The DSB also ruled that because Google is considered a provider of electronic communications services under US law, it is subject to US government oversight. The DSB noted that the U.S. government could use GA data to specifically identify individuals, despite additional security measures from NetDoktor and Google (e.g., published data security policies, encryption and data security). physical infrastructure).

Thus, the old SCCs could not guarantee an adequate level of protection for transfers of personal data and could not be used to lawfully transfer data to the United States.


The DSB did not impose a fine on NetDoktor, as the procedures for determining fines are separate under Austrian administrative law. Further, the decision does not contemplate a potential sanction, nor did the DSB signal that it would impose a sanction in the future. At least for now, the decision only serves as a warning to companies that transfer data from the European Economic Area (EEA) to the US NetDoktor can appeal the decision, but have not done so at the time. to write these lines.

Other European nations are also taking a closer look at the GA. On January 26, 2022, the Norwegian Data Protection Authority (Datatilsynet) announced its support for the DSB’s decision and noted that Datatilsynet is currently assessing the legality of the GA in one of its own cases. The Danish Data Protection Agency also announced that it would issue guidance based on the DSB’s decision, highlighting the need for uniform application of the GDPR across the EEA.

Key points to remember

the Schrem II The DSB ruling and ruling, among others, highlights the complex issues surrounding cross-border data transfers. However, the DSB’s decision sheds some light on a few topics:

  • If a website is accessed in the EEA, using GA may subject website owners to fines under the GDPR. Depending on the seriousness of the offence, these fines can reach up to €20 million per offence, or 4% of a company’s annual worldwide turnover for the previous year, whichever is higher.
  • European data protection authorities remain skeptical of US data protection practices, particularly when it comes to blocking US intelligence agencies from accessing personal information. Indeed, European authorities are urging US lawmakers to adopt a comprehensive, GDPR-compliant federal privacy framework.
  • Organizations should comply with the latest guidance and documents provided by the European Data Protection Board and data protection authorities instead of relying on outdated information, such as the old CSCs at issue in this case.
  • Although this decision only addresses the provisions of the GDPR that specifically impose obligations on data exporters regarding cross-border data transfers, processors are nevertheless required to comply with their own GDPR obligations.