Austrian DPA has option to fine Google up to €6 billion

Data Transfers
 /  06 May 2021
keep out sign

Google continues to send data from EU websites to the US - despite two Court of Justice rulings. Austrian Data Protection Authority could fine Google up to €6 billion.


Last summer, the European Court of Justice (CJEU) ruled - already for the second time - that US surveillance laws generally make the transfer of personal data from the EU to the US illegal. Google continues to ignore this decision and now argues before the Austrian DSB (PDF) that it may continue to transfer data on millions of visitors of EU websites to the US - in blatant contradiction to the GDPR. The Austrian data protection authority (DSB) now has the option to fine Google up to €6 billion under the GDPR.

noyb complaints against Google. After the so-called "Schrems II" ruling on 16.07.2020, Max Schrems' organization noyb, filed 101 complaints against EU websites in August 2020 that continued to pass data on every visitor to Google and Facebook. All complaints are also directed against the US parent companies of Google and Facebook. As a result, the European Data Protection Authorities formed a "Task Force" in September 2020. The first one of these complaints could soon be decided by the Austrian Data Protection Authority (DPA) - and could lead to a massive fine against Google.

Google: "signs" and "fences" against US law. Google primarily argues that it uses "supplementary measures" that are supposed to help against NSA surveillance (see pages 23 to 26). However, none of the measures are new, nor somehow effective: Google even argues with signs and fences around data centers and average HTTPS encryption which is just a minimum standard even for small websites. That these measures have no impact on US surveillance laws is already evident in Google's own "transparency report": in 2019 alone, more than 201,000 requests under the US surveillance law "FISA" were answered by Google. More recent statistics are missing.

"Google has to hand over all data under US law. It's grotesque that they argue to have fences and signs - US survillance laws are also applicable behind fences. Standard encryption doesn't help either, as Google is required to hand over encryption keys too. In 2019 alone, they gave the US government data on foreigners more than 201,000 times." – Max Schrems, Honorary Chairman of noyb.eu

noyb's submission filed. The Austrian data protection authority has asked noyb to respond to Google's opinion. In the statement of 36 pages, noyb elaborates on the obvious violation of the GDPR. The legal submissions of noyb (German, English Translation) were filed today.

"Google largely admits their GDPR violations and the evidence is overwhelming. The authority get this case on a silver platter." – Max Schrems, Honorary Chairman of noyb.eu

Penalty of more than € 6 billion possible. Since the complaint targets Google LLC which operates separately from its European subsidiary (Google Ireland Ltd) any data protection authority in the EU can impose a penalty under the GDPR. In this specific case, the Austrian Data Protection Authority (DPA) can impose 4% of Google LLC's global turnover -  a record sum of just over €6 billion.

"It is a unique opportunity to do something for the protection of fundamental rights and for a county's budget simultaneously. Under the GDPR, there is even an obligation for authorities to issue appropriate penalties and Google really fulfills every condition to make full use of the penalty range." – Max Schrems, Honorary Chairman of noyb.eu

noyb's submission also points out the legal instruments to enforce any ruling by the DSB throughout the EU and seize any assets of Google LLC also with third parties (like international banks).

Background: The CJEU has ruled in two cases (known as "Schrems I" and "Schrems II") that EU data can no longer be stored with U.S. companies if they fall under U.S. surveillance laws (specifically 50 USC § 1881a, also known as "FISA"). Google indisputably falls under these US laws and the CJEU ruling. Large parts of the US industry however continues to ignore the clear case law to avoid costly upgraded to their systems.