Austria data authority rules, Google Analytics website's use, violates GDPR

Austria data authority rules, Google Analytics website's use, violates GDPR

Austrian authorities ruled Thursday that a website provider's continuous use of Google Analytics and the transfer of personal data by the website provider to Google violated the General Data Protection Regulation (GDPR) of the European Union (EU).

As a response to the Austrian privacy advocacy group noyb's series of representations to the DPA based on the European Court of Justice's (CJEU) Schrems II decision, the DPA made the following decisions. According to the Schemes II ruling, the transfer of personal data to US companies from non-profit organizations falls under 50 USC § 1881a and Executive Order 12333, which violates international data transfer standards prescribed in Chapter V of GDPR.

Noyb's complaint asserted that using the Shrems II decision, both Google (the data importer) and website provider (the data exporter) violated Article 44 of the GDPR by transferring personal data to Google, which is cited as an "electronic communication service provider" under 50 USC § 1881(b)(4), thereby enabling it to participate in intelligence functions on behalf of the US government. In its most recent response to the GDPR, Google asserted that the data transferred did not constitute "personal data" under Article 4(1) and that Chapter V of the Regulation only applied to the data exporter.

All of noyb's arguments were affirmed in the DPA decision, but Google was found to be correct in its allegation that Chapter V of GDPR does not apply to data importers. Consequently, the DPA had determined that sole responsibility for GDPR breaches lay with the data exporter. As a result, it was found that Google's data transfer to the company, as well as user identifiers, IP addresses and browser parameters, constituted personal data under Article 4(1) and thus dismissed Google's claims that the data transfer was non-personal. It was determined that no fine or penalty would be imposed upon Google or the website provider.

As a result of the European Data Protection Supervisor's decision on 11 January in which the European Parliament was sanctioned for violating Schrems II and Chapter V of GDPR by allowing data transfers through Google Analytics and another US-based company called Stripe.