Is Google Analytics Illegal in the EU?
NOYB’s latest Google complaint is a true test of the Schrems II data transfer principles
Max Schrems and Co. (NOYB) have brought a complaint against Google to the Austrian DPA. This case is a seriously big deal.
If Schrems wins, Google’s transfers of personal data will be deemed unlawful and the company could face a large fine (up to €6 billion).
More importantly, the complaint will tell us a lot about cross-border data transfers — and whether a company like Google can actually lawfully operate at all in the post-Schrems II EU.
What is Google allegedly doing wrong?
The complaint alleges that Google is transferring personal data to the U.S. without adequately protecting it from access by the authorities.
Google relies on Standard Contractual Clauses (SCCs) for its data transfers. According to the CJEU’s decision in Schrems II, transfers made via SCCs must only take place following the implementation of any necessary “supplementary measures” to protect personal data.
So does Google not take any supplementary measures?
Google argues, at length, that it does take supplementary measures to protect EU data subjects’ personal data from interference.
Google’s measures mostly involve encryption of the data.
NOYB counters that Google “has probably at no point seriously attempted to evaluate the actual protective effect” of these supposed supplementary measures.
Isn’t encryption enough?
Encryption can be a sufficient data transfer safeguard in some circumstances.
However, according to the European Data Protection Board (EDPB)’s recommendations on data transfers, published last November in the wake of Schrems II, encryption will not be sufficient where personal data is transferred to a processor:
- That requires access to data “in the clear” (unencrypted)
- That is legally obliged to grant access to personal data beyond what is necessary in a democratic society
Both of these conditions apply to Google, which is a communications service provider under U.S. law, and which needs to be able to unencrypt personal data to carry out its analytics services.
So, what supplementary measures could Google take?
The answer appears to be “none”.
If Google has encrypted data and it has the encryption keys, it can be compelled under U.S. law to provide the intelligence services access to such data.
Indeed, NOYB points out that Google complied with more than 201,000 access requests under the U.S. surveillance law “FISA 702” in 2019 alone.
There’s no way to protect Europeans’ personal data from such requests. The EDPB says it is “incapable of envisioning an effective technical measure” that would provide an adequate safeguard in this situation.
What about data localisation? Moving Google data centres to the EU?
I’m not sure data localisation would cut it, either.
In the Doctolib decision, France’s Conseil d’Etat considered whether it would be possible to safeguard personal data from access by US authorities when using AWS Sarl, an Amazon subsidiary based in Luxembourg.
While the Conseil d’Etat decided that Doctolib’s use of AWS was lawful, much of the decision hinged on the supplementary measures taken to protect the personal data.
So in the Doctolib case, the encryption of data was deemed sufficient — but mostly because the keys were kept with a third party. AWS did not have access to the keys and so could not comply with any access request even if compelled to do so.
This wouldn’t work with Google Analytics, as Google requires access to the unencrypted data in order to carry out its analytics services.
So… No more Google Analytics in the EU?
If the Austrian DPA finds that Google’s transfers of personal data do not comply with EU law, and it suspends transfers of personal data to Google LLC’s U.S. servers, that would indeed mean that use of Google Analytics was no longer lawful in the EU.
This would affect… a lot of businesses. And it would set a very significant precedent for other U.S. tech companies operating in the EU.
Is that very likely?
It’s difficult to envision the EU actually declaring Google Analytics unlawful.
But this case isn’t that different from recent complaints involving Mailchimp and Cloudfare.
In both of those cases, data transfers to the U.S. were not protected by supplementary measures. In both cases, transfers to these companies were suspended by the DPA.
It could happen to Google, too…
Get my newsletter at data-protection.news
