On December 22, 2021, the Austrian Data Protection Authority (DSB) found that medical news company, NetDoktor, violated Europe’s General Data Protection Regulation (GDPR) by using Google LLC’s popular data analytics platform, Google Analytics (GA), on its website, which resulted in the transfer of personal information from Europe to Google’s servers located in the United States (U.S.).1 Such transfers are generally prohibited unless an adequate level of data protection exists pursuant to Article 44 of the GDPR, including through European Commission-approved standard contractual clauses (SCCs).

The case was brought by an individual who visited NetDoktor’s website while logged into his Google account. Like countless other websites, NetDoktor allowed GA to place a cookie on the complainant’s device to track his activity. GA then assigned a unique identification number to his browser in order to keep track of what data belonged to the complainant. Google argued that this entire process is anonymous. GA employs IP masking technology and only generates aggregated, anonymous reports for its users. The DSB found, however, that the IP anonymization feature was not properly implemented, and GA’s unique identification numbers could be used to identify specific users. It was irrelevant that additional information may be required by Google to do so.

Further, NetDoktor’s reliance on outdated SCCs2 and supplementary data protection measures ― including further contractual, organizational and technical measures ― were deemed inadequate protections against possible U.S. government surveillance. This decision highlights the importance of making sure that there is adequate protection for cross-border data transfers, including against possible government access. It also emphasizes that organizations should understand what data they are collecting, whether directly or through vendors, where that data is being stored (particularly if cloud services are used), and whether measures to protect and anonymize data are effective. Notably, the dismissal of the complaint against Google as the processor of the data also provides guidance on the limitations of service provider or recipient liability for violations of the GDPR.

Other European privacy authorities are taking a closer look at GA as well. On January 26, 2022, the Norwegian Data Protection Authority (Datatilsynet) announced its support of the DSB’s decision and noted that the Datatilsynet was currently assessing the legality of GA in one of its own cases. The Danish Data Protection Agency has also announced that it would issue guidance based on the DSB’s ruling, emphasizing the need for uniform application of the GDPR across the European Economic Area (EEA). Finally, on February 10, 2022, the French data protection authority, Commission Nationale de l’Informatique et des Libertés, reached a similar decision when it ruled that GA data transfers to the U.S. “are illegal” under the GDPR.

Please check out our recent client alert for a more detailed analysis of the DSB’s decision and GDPR compliance insights.

  1. DSB (Austria) – 2021-0.586.257 (D155.027).
  2. These legacy SCCs were adopted by the European Commission in 2010, but have since been replaced by the current SCCs effective June 27, 2021. Companies who entered into data processing agreements before the latest SCCs came into effect have until December 27, 2022 to transition to the new SCCs.