Austria data authority rules website’s use of Google Analytics violates GDPR News
PhotoMIX-Company / Pixabay
Austria data authority rules website’s use of Google Analytics violates GDPR

The Austrian Data Protection Authority (DPA) Thursday ruled that an Austrian website provider’s continuous use of Google Analytics and the resultant transfer of personal data to Google violated the European Union’s (EU) privacy law, the General Data Protection Rules (GDPR).

The ruling responded to a series of representations filed by the Austrian privacy advocacy group noyb before the DPA on the basis of the European Court of Justice’s (CJEU) Schrems II decision. The Schrems II ruling established that the transfer of personal data to US companies falling under 50 USC § 1881a and Executive Order 12333 violated international data transfer standards prescribed in Chapter V of the GDPR.

Relying on the Shrems II decision, noyb’s complaint alleged that both Google (the data importer) and the website provider (the data exporter) violated Article 44 of the GDPR by transferring personal data to Google, which qualified as an “electronic communication service provider” under 50 USC § 1881(b)(4), thereby making it legally amenable to US intelligence functionalities. Google argued that the data transferred did not constitute “personal data” under Article 4(1) of the GDPR and that Chapter V of the GDPR was applicable only upon the data exporter and not the data importer.

The DPA decision affirmed all of noyb’s arguments but agreed with Google’s claim that no data importer obligation existed under Chapter V of the GDPR. Therefore, the DPA found the data exporter to be solely liable for breaching GDPR obligations. However, the ruling found that the data transferred to Google, including personal user identifiers, IP address and browser parameters, was personal data under Article 4(1) and consequently dismissed Google’s claims of transfer of non-personal data. No fine or penalty was imposed upon Google and the website provider.

This ruling comes in the immediate aftermath of the European Data Protection Supervisor’s decision on 11 January which sanctioned the European Parliament for violating Schrems II and Chapter V of GDPR by permitting data transfers through Google Analytics and another US-based company named Stripe.

THIS DAY @ LAW

Charles Manson sentenced to death

On April 19, 1971, Charles Manson was sentenced to death for ordering the murders of Sharon Tate and others. The sentence was then commuted to life after the Supreme Court of California overturned the death penalty in 1972. Learn more about the trial of Charles Manson from the University of Missouri - Kansas City School of Law.

The Beatles signed 10-year partnership

On April 19, 1967, John, Paul, George and Ringo - aka "The Beatles" - signed a partnership deed agreeing that the group would continue for a (further) period of ten years. When The Beatles split up prematurely in 1970, Paul applied to have the partnership terminated and a receiver appointed.

Read a legal analysis of Paul McCartney’s 1970 lawsuit against John, George and Ringo.

More This Day @ Law...