Austria data authority rules website’s use of Google Analytics violates GDPR
Austria data authority rules website’s use of Google Analytics violates GDPR

The Austrian Data Protection Authority (DPA) Thursday ruled that an Austrian website provider’s continuous use of Google Analytics and the resultant transfer of personal data to Google violated the European Union’s (EU) privacy law, the General Data Protection Rules (GDPR).

The ruling responded to a series of representations filed by the Austrian privacy advocacy group noyb before the DPA on the basis of the European Court of Justice’s (CJEU) Schrems II decision. The Schrems II ruling established that the transfer of personal data to US companies falling under 50 USC § 1881a and Executive Order 12333 violated international data transfer standards prescribed in Chapter V of the GDPR.

Relying on the Shrems II decision, noyb’s complaint alleged that both Google (the data importer) and the website provider (the data exporter) violated Article 44 of the GDPR by transferring personal data to Google, which qualified as an “electronic communication service provider” under 50 USC § 1881(b)(4), thereby making it legally amenable to US intelligence functionalities. Google argued that the data transferred did not constitute “personal data” under Article 4(1) of the GDPR and that Chapter V of the GDPR was applicable only upon the data exporter and not the data importer.

The DPA decision affirmed all of noyb’s arguments but agreed with Google’s claim that no data importer obligation existed under Chapter V of the GDPR. Therefore, the DPA found the data exporter to be solely liable for breaching GDPR obligations. However, the ruling found that the data transferred to Google, including personal user identifiers, IP address and browser parameters, was personal data under Article 4(1) and consequently dismissed Google’s claims of transfer of non-personal data. No fine or penalty was imposed upon Google and the website provider.

This ruling comes in the immediate aftermath of the European Data Protection Supervisor’s decision on 11 January which sanctioned the European Parliament for violating Schrems II and Chapter V of GDPR by permitting data transfers through Google Analytics and another US-based company named Stripe.