In the absence of a framework agreement between Europe and the United States, data transfers between the two “blocs” must be irreproachable from a security standpoint, or they infringe the GDPR.
The Datenschutzbehörde, the Austrian data protection authority, considers that the use of Google Analytics violates the General Data Protection Regulation (GDPR). This component of Google’s toolset is used by website publishers to measure their audience and monitor their traffic. URLs visited, origin of visitors, time spent on each page… Google Analytics is a very powerful tool that works by installing a cookie in the browser of Internet users. Except that, according to the Austrian regulator, the data in question passes through Google’s American servers without being sufficiently protected, at the risk of being intercepted.
This decision was taken as part of an analysis of how the NetDoktor site, a medical information portal, operates. For the same reason, the Datenschutzbehörde had also pointed the finger at the European Parliament’s Covid-19 testing website, which uses Google Analytics like millions of others. And the Austrian authority can count on the support of the European Data Protection Board in its accusations, the latter considering that the breach of the GDPR is clearly established.
Millions of sites affected
Of course, if such decisions can be made, it is because the famous Privacy Shield data transfer agreement, which was supposed to protect exchanges between Europe and the United States, has been invalidated. That is enough to increase the pressure on the authorities of the two blocs, who are working on another agreement of this type to let data circulate more freely. Because obviously Google is not the only one concerned: many companies, Gafam as well as SMEs, transfer data between Europe and the United States as part of their activities. But what worries Europeans is that US law allows government agencies to monitor foreign data.
Max Schrems, the Austrian activist behind the invalidation of the Privacy Shield and of Safe Harbor, its earlier version, believes that if the United States treated the data of American citizens in the same way, it would constitute a violation of the Fourth Amendment of their Constitution. “Just because people are foreign doesn’t mean there isn’t a violation of the US Constitution”, he says. He also recalls that, as things stand, it is up to companies to ensure that a sufficient level of security exists during data transfers, such as encryption or restricted access to data centres. In the case of NetDoktor, the data protection provided by Google Analytics was deemed insufficient.
When the Privacy Shield fails
For the moment, only a few sites are affected, but these decisions could quickly snowball. Noyb, Max Schrems’ association, took up the NetDoktor case in August 2020, but it is not the only site about which it has filed a complaint. A hundred other files have been transferred to the Austrian regulator. And action could be taken all over Europe, and not just against Google Analytics: Facebook Connect, the Meta company’s API, is also in the crosshairs for insufficiently secure data transfers.
If these cases were to escalate and lead to fines or significant costs, the publishers concerned could end up turning against the Gafam responsible for the free services that have put the operation of their sites and services on the wrong side of the law. It is easy to see why Google officials are urging negotiators to quickly produce a mechanism to replace the Privacy Shield.