Melanie Ludolph is an associate at the Hamburg law firm Fieldfisher and focuses on privacy, security and information. In this interview, she talks about what website operators can now expect following the Austrian data protection authority’s decision on the use of Google Analytics, and how companies can obtain practicable, legally secure, and sustainable solutions for international data sharing.
What does the decision of the Austrian data protection authority mean for the EU, and how will the other data protection authorities now react?
The decision of the Austrian data protection authority (the “Datenschutzbehörde” or “DSB”) is the first decision issued as a result of the 101 complaints from noyb, the NGO founded by Max Schrems, among others. In August 2020, shortly after the decision to invalidate the EU-US Privacy Shield (“Schrems II”), noyb had filed complaints in 30 EU and EEA Member States against companies who, among other activities, had used the Google Analytics service on their websites. In response, the European Data Protection Board (EDPB) has set up a Task Force to ensure that complaints are dealt with quickly and uniformly throughout Europe.
Further similar decisions can therefore be expected – for example, the Dutch regulator has also announced a decision on two of these complaints for 2022. More developments are also being closely monitored in Norway: the authority intends to look at what trends are emerging in the EU in this regard.
However, for the time being, the DSB’s decision only affects the parties involved in the proceedings and is not generally applicable. This would be different, for example, in the case of a supreme court ruling. Additionally, the decision is not yet legally binding and, since the website in question has since been transferred to a company based in Munich, the DSB no longer has jurisdiction. It has accordingly submitted a request to the Bavarian State Commissioner for Data Protection, who now has to decide whether the disputed website must be shut down. Ultimately, the decision was based on the facts of 2020 – meanwhile, Google has, inter alia, other terms of use, meaning that the contractual partner is no longer Google LLC based in the USA, but Google Ireland Limited. To what extent this circumstance might have changed anything about the authority’s decision is currently not clear.
What must the numerous website operators who use analysis tools now expect?
Due to the shortage of personnel at the supervisory authorities, proactive company inspections are unlikely to be carried out, although this possibility exists in principle. Since the topic is currently very prominent in the media, it could be that website users in particular take a closer look at which tools are used and, if necessary, contact the companies directly. Here, website operators should ensure that they have a process in place for dealing with complaints from affected parties. However, it is also a fact that there is currently no prohibition order for the use of Google Analytics, and no penalty has been imposed on the respondents. In view of the complex and uncertain legal situation, penalties in particular are currently rather unlikely.
A new data protection shield that would allow data sharing between the EU and the US is currently not foreseeable. What measures are companies to take now and how can they obtain practicable, legally secure, and sustainable solutions for international data sharing?
An agreement similar to the Privacy Shield or a “no-spy” agreement would be solutions that would actually provide legal certainty. Otherwise, it remains the case that companies need to check the tools on their websites to see whether their use is really mandatory. If so, attention should be paid to the specific configurations. With Google Analytics, there are several configuration options: for example, IP masking (“anonymizeIP”) when implementing the tracking code provided by Google; restricting the sharing of data with Google (otherwise Google uses the data for the purpose of product improvement); deactivating the transfer of data to Google for advertising purposes; or reducing the storage period of cookies (to a maximum of 14 months). However, if data transfers to the USA cannot be ruled out, risk minimization is strongly recommended. The GDPR (and also the new standard data protection clauses) explicitly allow such a risk-based approach. In this context, it is important for companies to carefully examine each individual case and conduct a proportionality test for this individual case, weighing up the risks and security measures. This assessment has to be documented so that it can also be presented to a supervisory authority in case of doubt. If a company data protection officer has been appointed, he or she must of course be involved in the assessment.
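The configuration options listed in the answer above map onto parameters of Google's gtag.js tracking snippet. The following is an added example written for this page, not code from the interview, from Fieldfisher or from Google: it places the library defaults next to a data-minimising configuration and provides a small audit function that reports which settings deviate from that posture. The parameter names (anonymize_ip, allow_google_signals, allow_ad_personalization_signals, cookie_expires) are real gtag.js parameters; the measurement ID is a placeholder, the 30-day month used to convert 14 months into seconds is an approximation, and the audit thresholds are our own assumptions. Restricting data sharing with Google is an account-level setting in the Analytics admin console and has no tracking-code equivalent, so it is deliberately absent here.

```javascript
// Added example (not from the interview or from Google): gtag.js configuration for
// Google Analytics with the defaults next to a hardened variant, plus an audit
// helper. Measurement ID is a placeholder; month length and the 14-month ceiling
// are assumptions made for this example.

const SECONDS_PER_MONTH = 30 * 24 * 60 * 60;                  // 30-day month (approximation)
const MAX_COOKIE_MONTHS = 14;
const MAX_COOKIE_SECONDS = MAX_COOKIE_MONTHS * SECONDS_PER_MONTH; // 36288000 s

// What gtag.js applies when a site sets nothing: no IP masking, advertising
// features enabled, cookies kept for two years (63072000 s).
const defaultConfig = {
  anonymize_ip: false,
  allow_google_signals: true,
  allow_ad_personalization_signals: true,
  cookie_expires: 63072000,
};

// Data-minimising configuration. "Restrict data sharing with Google" is an
// admin-console account setting and cannot be expressed in the tracking code.
const hardenedConfig = {
  anonymize_ip: true,                      // IP masking ("anonymizeIP")
  allow_google_signals: false,             // no data for Google advertising features
  allow_ad_personalization_signals: false, // no ad-personalisation signals
  cookie_expires: MAX_COOKIE_SECONDS,      // cookie lifetime capped at 14 months
};

// Returns the list of settings in cfg that deviate from the hardened posture.
function auditGaConfig(cfg) {
  const findings = [];
  if (cfg.anonymize_ip !== true) {
    findings.push('anonymize_ip: IP masking is off');
  }
  if (cfg.allow_google_signals !== false) {
    findings.push('allow_google_signals: advertising features share data with Google');
  }
  if (cfg.allow_ad_personalization_signals !== false) {
    findings.push('allow_ad_personalization_signals: ad personalisation is on');
  }
  if (!Number.isFinite(cfg.cookie_expires) || cfg.cookie_expires > MAX_COOKIE_SECONDS) {
    findings.push(`cookie_expires: ${cfg.cookie_expires} s exceeds ${MAX_COOKIE_MONTHS} months`);
  }
  return findings;
}

// Emits the two gtag() calls a page makes; gtag is passed in so the call sequence
// can be captured offline (in a browser, pass window.gtag).
function configureAnalytics(gtag, measurementId, cfg) {
  gtag('js', new Date());
  gtag('config', measurementId, cfg);
}

// Offline demonstration with a recording stand-in for window.gtag.
function demo() {
  const calls = [];
  const recorder = (...args) => calls.push(args);
  configureAnalytics(recorder, 'UA-XXXXXXX-Y', hardenedConfig); // placeholder measurement ID
  return {
    calls,
    defaultFindings: auditGaConfig(defaultConfig),   // four findings
    hardenedFindings: auditGaConfig(hardenedConfig), // no findings
  };
}
```

In a browser the same `configureAnalytics(window.gtag, id, hardenedConfig)` call replaces the inline `gtag('config', ...)` line of the standard snippet; the audit function is also usable on configuration objects extracted from a site's pages during a review, which gives the documented assessment the answer mentions something concrete to refer to.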