Earlier this year, Austria handled a complaint filed by NOYB, which ultimately ended in an adverse verdict against the site in question. Following this, the analytics community engaged in a rather spirited discussion of the verdict, and I took a look at what server-side handling may look like in the context of the decision, and considered the consent angle.
Now we have more to go on: a new decision published by the Austrian DPA and made available via NOYB gives us more context on the things to be aware of. This should settle some debates, and likely cause others.
Let’s look at some of the major points worth calling out.
The DPA does not care about the economic impact
More specifically, they are not allowed to care.
In his last statement of 9 February 2022, the second respondent summarized that a decision granting the appeal would have serious consequences for the economy.
In this regard, it should be noted that the data protection authority is not permitted to take economic or political considerations into account and that these are only to be taken into account selectively within the framework of the interpretation of the GDPR – for example, within the framework of a balancing of interests pursuant to Art. 6 para. 1 lit. f leg. cit.
Rather, the data protection authority has the obligation to take a decision in the context of data protection complaints pursuant to primary law Art. 8(3) EU-GRC and secondary law Art. 58(1)(f) GDPR, taking into account the position of the ECJ in the judgment of 16 July 2020, Case C 311/18, with regard to the legal situation of the USA.
In its ruling of 16 July 2020, the ECJ explicitly stated that the relevant legal situation in the USA – see below – is not compatible with the fundamental right to data protection pursuant to Article 8 of the EU Directive, which is why the EU-US adequacy decision (“Privacy Shield”) was declared invalid.
An economic or political agreement for ensuring data transfers between Europe and the USA is to be achieved by other bodies – but not by supervisory authorities. The arguments of the second respondent regarding the “serious and far-reaching practical significance” of the decision in question as well as the cited economic studies must therefore remain undecided.
So Google’s claim that this would be bad for the economy, while potentially valid, isn’t a factor in the DPA’s decision.
Google Analytics identifiers are personal data
Starting on page 24 of the decision is a discussion of the use of identifiers such as the client id or user id, contained in the _ga and _gid cookies. Here the DPA references a quote from the European Data Protection Supervisor, which stated the following:
“Tracking cookies such as the Stripe and Google Analytics cookies are considered personal data, even if the traditional identity parameters of the tracked users are unknown or have been deleted by the tracker after collection. All data sets that contain identifiers that can be used to single out users are considered personal data under the Regulation and must be treated and protected as such”
The DPA believes that the above quote, while used in a different context, can easily be applied to this case, and thus these identification numbers qualify as personal data pursuant to Article 4(1) of the GDPR.
The IP Address issue
Much of the discussion online following the decision centered around the collection of the user’s IP Address and the thoughts around the use of the “Anonymization function of the IP Address” which can be leveraged by Universal Analytics.
The respondents’ arguments about the “anonymisation function of the IP address” can be left aside, since the complete IP address is processed for a certain – albeit very short – period of time on the Google LLC server. This short data processing period is sufficient for the facts of Article 4(2) of the GDPR to be fulfilled. According to the case law of the Federal Administrative Court, it cannot be derived from Article 4(2) in conjunction with Article 6 of the GDPR that a certain “minimum processing period” is to be assumed (cf. the decision of the Federal Administrative Court of 3 September 2019, no. W214 2219944-1).
As will be explained later, this complete IP address can be accessed by US intelligence services – even if in the specific case it was processed on European servers of the second respondent as claimed.
This is important. The DPA does not accept that the anonymization of the IP Address is valid, because Google has to process the full address in order to redact it. It further believes that even if the redaction happens in Europe, this would not address the concern, due to Google being subject to Section 702 of FISA, as explained below:
The “anonymisation function of the IP address” is not effective, since the data – as explained in more detail above – is processed by the second respondent for at least a certain period of time. Even assuming that the IP address was only processed in servers in the EEA within the period of time, it should be noted that the second respondent can nevertheless be obliged by US intelligence services to hand over the IP address under the relevant law of the USA (cf. EDPB-EDPS Joint Response to the LIBE Committee on the impact of the US Cloud Act on the European legal framework for personal data protection [annex] of 10 July 2019, p. 1 f; cf. the already mentioned legal opinion of 15 November 2021 by Vladeck, question 8 ff, according to which FISA 702 can also be applied extraterritorially).
Apart from that, the IP address is anyway only one of many “puzzle pieces” of the complainant’s digital footprint.
Ultimately, this is bad news, as it would likely mean that the new Google Analytics 4 redaction of the IP Address on EU servers suffers the same flaw. The US Government could demand access to the IP Address prior to its processing for redaction, due to FISA 702. Thus the automatic anonymization of the IP Address is likely insufficient in the context of this decision.
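To make the two points above concrete, here is a small added example (my own code, not from the decision or from Google). It models the IP truncation that the “anonymization function” performs (zeroing the last IPv4 octet or the last 80 bits of an IPv6 address, which is how Google documents it) and shows, over constructed log lines, that the redaction step must first receive the full address and that the _ga client id alone still singles out the same browser across requests, truncated IP or not. The cookie layout GA1.&lt;n&gt;.&lt;random&gt;.&lt;timestamp&gt; and the sample addresses and ids are assumptions for the demo.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not from the page): client IP, then the
# Cookie header a browser sends along with a Google Analytics hit.
SAMPLE_LOGS = [
    "203.0.113.45 cookie=_ga=GA1.2.1846123456.1648000000; _gid=GA1.2.99887766.1649900000",
    "203.0.113.45 cookie=_ga=GA1.2.1846123456.1648000000; _gid=GA1.2.99887766.1649900000",
    "203.0.113.77 cookie=_ga=GA1.2.5550001234.1647000000; _gid=GA1.2.11223344.1649900000",
    "2001:db8:85a3::8a2e:370:7334 cookie=_ga=GA1.2.1846123456.1648000000",
]

# Assumed cookie layout: GA1.<n>.<random>.<timestamp>; the last two fields
# form the client id that Google Analytics uses to recognise a browser.
COOKIE_RE = re.compile(r"(_ga|_gid)=GA1\.\d+\.(\d+\.\d+)")


def anonymize_ip(ip: str) -> str:
    """Model of GA's IP anonymization: keep /24 for IPv4 (last octet zeroed)
    or /48 for IPv6 (last 80 bits zeroed). The full address is the input,
    so whoever runs this step has processed it, however briefly."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def client_ids(cookie_header: str) -> dict:
    """Extract the _ga / _gid client ids from a Cookie header."""
    return {name: cid for name, cid in COOKIE_RE.findall(cookie_header)}


def single_out(log_lines):
    """Group requests by _ga client id. The truncated IP is only recorded as
    one more 'puzzle piece'; it is not needed to link the requests."""
    seen = defaultdict(list)
    for line in log_lines:
        ip, _, cookies = line.partition(" cookie=")
        ids = client_ids(cookies)
        if "_ga" in ids:
            seen[ids["_ga"]].append(anonymize_ip(ip))
    return dict(seen)
```

Running `single_out(SAMPLE_LOGS)` yields two groups, one of which links three requests from two different networks purely through the shared _ga value.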
Risk Based Decision Making
Google argues that the risk to the user is low, and that the DPA should apply a risk-based assessment when deciding whether something should be declared unlawful.
The DPA counters with the following:
Chapter V GDPR does not recognise a risk-based approach
The second respondent subsequently argues – in summary – that the risk of the data transfer to the USA had to be taken into account and that the prosecuting authority applied too strict a standard. These statements are not to be followed:
Such a “risk-based approach” cannot be derived from the wording of Art. 44 GDPR…
The DPA goes on to explain the decision over the next several pages, but ultimately concludes that a risk-based approach to determining the lawfulness of data transfers under Chapter V does not apply in this case, and is not a valid defense for Google.