UPDATE on 101 complaints: Austrian DPA rejects “risk based approach” for data transfers to third countries
After the groundbreaking decisions by the Austrian and French DPAs that the use of Google Analytics is illegal, the Austrian DPA has now issued a second decision, going even further: It declared the use of Google’s IP anonymisation a useless protection measure for data transfers between the EU and the United States. The DSB further rejected the notion of a “risk based approach” that had been argued by Google.
Some authorities in Europe have at the same time closed the cases: The Spanish and Luxembourg DPAs have both closed complaint procedures without commenting on the unlawful use of Google Analytics, as the relevant website stopped using Google Analytics.
- Link to English translation of redacted decision
- Link to redacted German original
- Link to prior Austrian Decision
- Link to prior French Decision
GDPR doesn’t foresee “risk-based approach” for data transfers. After Schrems II, Big Tech and industry lawyers promoted a “risk-based approach” for data transfers. They suggested that additional safeguards, as requested by the CJEU, should only be necessary in case of a “substantial risk to the data subject’s rights and freedoms”. So-called standard contractual clauses should suffice for “low-risk cases”, e.g. when “only” data such as online identifiers or IP addresses are transferred. The DSB now found this view to be wrong: the GDPR does not provide for a risk-based approach for data transfers to insecure third countries, such as the U.S.
“The DSB has finally exposed the “risk-based approach” for data transfers for what it is: a clumsy attempt to soften the clear case law of the CJEU. The relevant articles on data transfers do not use the word "risk" a single time.” - Marco Blocher, data protection lawyer at noyb
Google’s IP anonymisation doesn’t protect data. The Austrian DSB also rejected Google’s argument that websites could activate IP anonymisation when using tools like Google Analytics to effectively protect the transferred data from surveillance. This was rejected for two reasons: first, Google’s IP anonymisation only affects the IP address as such. Data such as online identifiers set via cookies or device data are transferred in the clear. Second, the IP anonymisation only takes place after the data have been transferred to Google.
“It is now confirmed that just because IP addresses get anonymized at a stage of the process, the IP addresses are still processed initially. Anonymizing one identifier also does not overcome the fact that there are other identifiers.” - Marco Blocher, data protection lawyer at noyb
National approaches despite EDPB task force. The DPAs had planned to take a coordinated approach regarding noyb’s 101 complaints, but the task force that was set up doesn’t seem to deliver: while the Austrian and French DPAs have thoroughly investigated the use of tools that transfer personal data to the U.S., the Spanish DPA has simply dismissed a complaint because the website provider removed Google Analytics from the website after the complaint. There was no word about whether the data transfers to the U.S. before the removal were unlawful or not. Likewise, the DPA of Luxembourg has dismissed three complaints regarding data transfers to Facebook servers in the U.S., because the websites have removed the tools.
“Stopping violations does not make a past violation legal. According to the logic of these authorities, you shouldn't get a speeding ticket if you stop speeding at some point.” - Marco Blocher, data protection lawyer at noyb