The Austrian Data Protection Authority issued a second ruling, finding that Google’s IP anonymization is insufficient for data transfers between the EU and the US.
Background
Following the Schrems II decision, The European Center for Digital Rights (NOYB) filed complaints in the European Economic Area over corporations allegedly transferring personal data to Google and Facebook in violation of the GDPR.
The Austrian Data Protection Authority initiated a cross-border inquiry into Google and Facebook’s data transfer procedures in response to these allegations.
The Austrian DPA published its decision based on one of those complaints on January 13, 2022. The complaint was aimed at an operator of an Austrian website (Website Operator) which used the Google Analytics tracking and analytics tool on its website and google LLC as the provider of this tool in the U.S., to whom data was transferred through the tool. The Austrian DPA stated that the Website Operator had neither; properly activated the option to “anonymize” website users’ IP Addresses, which is normally accessible for Google Analytics; or requested consent from its website users for data transfers to Google LLC.
Austrian DPAs second ruling
The two reasons for this second ruling from the Austrian DPA are as follows:
- Google’s IP anonymization only applies to IP addresses, whilst other data such as online IDs set for cookies or device data are transferred unencrypted. Also, IP anonymization occurs only after the data has been transferred to Google.
- The Authority also rejected Google’s argument in the proceedings on a “risk-based strategy.” The Authority emphasized that the GDPR does not recognize a risk-based approach for data transfers to unsafe third countries, such as the United States.
On the other hand, both the Spanish and Luxembourg DPAs have closed their case because the website provider uninstalled Google Analytics from the site following NOYB complaint, without commenting on the improper usage of Google Analytics.
