Max Schrems, the lawyer who previously sued Facebook for violating the privacy of European Union citizens, has now gained another victory, this time against Google. In a ruling considered a landmark, the data protection authorities of Austria found the use of Google Analytics on European websites to be illegal. When the Privacy Shield legislation was invalidated in 2020, the consequences were far-reaching for United States online services operating in Europe. They no longer had authorization to transfer the data of European Union citizens to the United States, as this would expose those citizens to American mass surveillance, a situation that clearly violates the European GDPR.
The invalidation of Privacy Shield was a shock for the tech industry, yet Silicon Valley largely ignored the ruling, as did providers in the United States and data exporters in the European Union. Facebook, Microsoft, Amazon and even Google tended to rely on the Standard Contractual Clauses to continue transferring data and to keep their European business partners calm.
The Data Protection Authority of Austria struck a chord in Europe when it declared the invalidity of the Privacy Shield. It decided that using Google Analytics violated the General Data Protection Regulation. Intelligence services in the United States could order Google to disclose data related to European citizens to them. This means that the data of EU citizens should not be transferred across the Atlantic.
About The Case
On August 14th, 2020, a Google user accessed an Austrian website about healthcare. The website made use of Google Analytics, and that user's data was transferred to Google, where it could be used to identify the user. On August 18th the user complained about this to the data protection authorities of Austria with the help of NOYB, a data protection organization. The Austrian court has now declared such a transfer illegal.
The issue also stems from the American CLOUD Act, under which United States authorities are able to demand the personal data of users of Facebook, Google and other providers based in the United States, even if they are operating outside the country, in Europe for instance. This means that Google is unable to provide the adequate level of protection needed under Article 44 of the GDPR. This violates the data protection guarantee in Europe. The website operator invoked the standard contractual clauses, but they did not help because the European Court of Justice made a decision based on Privacy Shield.
The deciding factor in the legal assessment of the use of Google Analytics was not whether the intelligence agencies of the United States actually obtained the data or whether Google identified the user. The fact that it was theoretically possible was in violation of the GDPR. Google users can change the settings in their Google account to stop Google from evaluating their usage of third-party websites in detail. But the existence of this feature shows that Google has the ability to merge usage data with the individual user.
This ruling is being considered the biggest success of NOYB, the data protection organization. Max Schrems and NOYB have been very happy about this decision. Companies cannot make use of United States cloud services in the European Union anymore. The Court of Justice confirmed this one and a half years ago, and now it is being enforced.
Many companies are now considering whether they should stop using Google Analytics or pay the penalty for violating the GDPR. In the future, either the United States will have to change its surveillance law to strengthen the tech industry, or providers in the United States will have to host the data of European users in Europe.