Case Study

Austrian DPA Rules Google Analytics Illegal Under GDPR

by Berner Setterwall
January 13, 2022
The Austrian Data Protection Authority (DSB) has ruled that the use of Google Analytics on an Austrian website violates the GDPR, because the personal data it sends to Google LLC in the US is not adequately protected against access by US authorities. Other EU supervisory authorities soon reached the same conclusion in parallel cases.

Background

On January 13, 2022, the Austrian Data Protection Authority (Datenschutzbehörde, DSB) published a decision finding that an Austrian website operator's continued use of Google Analytics violated the GDPR. The case was one of 101 model complaints that noyb, the privacy advocacy organization founded by Max Schrems, filed against EU websites using Google Analytics and Facebook Connect after the Court of Justice of the European Union (CJEU) handed down its "Schrems II" judgment in July 2020.

The Complaint and Decision

The complaint concerned a visitor who opened a health website that embedded Google Analytics while logged into their Google account. noyb filed the complaint with the DSB on the visitor's behalf, arguing that both the website operator (as data exporter) and Google LLC (as data importer) violated the GDPR by transferring the visitor's data, including cookie identifiers and IP address, to the US without adequate protection.

The DSB's decision, officially dated December 22, 2021 (case number 2021-0.586.257), concluded that:

  1. Personal Data Classification: The identifiers set by Google Analytics (cookie values and the Client ID), together with the visitor's IP address and browser data, are personal data under the GDPR, because they single out an individual visitor even if they do not name that person. Enabling the IP address anonymization option did not change this conclusion.
  2. Transfer to US Jurisdiction: The data was transmitted to Google LLC in the US, where US intelligence agencies can compel access to it under laws such as Section 702 of FISA.
  3. Insufficient Safeguards: The Standard Contractual Clauses (SCCs) and the additional measures Google described (such as encryption in transit and at rest and its policy for handling government requests) were found insufficient. As long as Google LLC itself can read the data in plaintext, these measures do not prevent it from being compelled to hand the data over.

Technical Issues Identified

The DSB's analysis raised several technical concerns about Google Analytics implementation:

  1. Ineffective IP Anonymization: The IP anonymization function offered by Google Analytics was not considered an effective safeguard, because the full IP address is received by Google's servers and only truncated there. The IP address is also only one piece of the puzzle; the cookie identifiers alone suffice to single out a visitor.
  2. Persistent Identifiers: The "_ga" cookie stores a Client ID ("cid") that is sent with every hit. It is a unique, long-lived identifier that, combined with browser and device data and the IP address, allows a visitor to be singled out and recognized across visits.
  3. Data Combination Risk: Because the visitor was logged into a Google account at the time, Google could combine the analytics data with the account data it already holds, making identification of the natural person possible.

Legal Framework and Implications

This decision applies the Schrems II judgment, which invalidated the EU-US Privacy Shield framework and held that SCCs can be relied on only where the law of the importing country does not undermine them, or where effective supplementary measures close the gap. Key legal implications include:

  1. No Valid Transfer Tool: With Privacy Shield invalidated and SCCs alone insufficient in the face of US surveillance law, there was no valid basis under Chapter V of the GDPR for the transfer.
  2. Supplementary Measures Required: Contractual and organizational measures cannot bind US authorities. Only technical measures that deny the importer plaintext access, for example encryption with keys held solely in the EU, can make up for the legal gap.
  3. EU-Wide Impact: This decision was the first of its kind, but it was followed in 2022 by similar rulings from other EU data protection authorities, including France's CNIL and Italy's Garante (GPDP), working from the same batch of noyb complaints.

Server-Side Tracking with EU Hosting as a Solution

In light of this decision, server-side tracking with specific technical safeguards is a practical route for organizations that need analytics while staying within the GDPR. The underlying principle is simple: the data must not leave EU jurisdiction, and it must not be readable in plaintext by anyone who can be served with a US disclosure order.

  1. EU-Based Server Infrastructure:

    • Processing data exclusively on servers physically located within the EU
    • Ensuring that all data collection, processing, and storage remains under EU jurisdiction; physical location alone is not enough if the hosting provider is itself subject to US disclosure orders, so the provider's corporate jurisdiction matters as much as the data center's
    • Eliminating the need for transatlantic data transfers entirely
  2. Data Pseudonymization Techniques:

    • Truncating IP addresses and then hashing them with a keyed hash (HMAC) before any further processing; a plain salted hash of an IPv4 address can be reversed by enumerating the 2^32 possible inputs once the salt is known, so the key must be a secret held only on the EU-side servers
    • Using a key unique to each organization, so that the same visitor yields different tokens on different sites and cross-site tracking is prevented
    • Rotating keys periodically and discarding old ones, which bounds how long a token remains linkable
    • Treating the result as pseudonymous data, which is still personal data under the GDPR, rather than as anonymous data
  3. Data Minimization and Filtering:

    • Stripping personally identifiable information (PII) at the server level before any analytics processing
    • Configuring granular filtering rules to remove sensitive data elements
    • Implementing aggregate-only reporting for certain data categories
  4. Data Sovereignty Controls:

    • Creating explicit contractual guarantees with EU-based providers
    • Implementing technical measures to prevent unauthorized data access or transfers
    • Establishing audit trails for all data processing activities

Implementation Guidelines for Compliant Analytics

Organizations seeking to implement compliant analytics solutions should consider these specific approaches:

  1. Full EU-Based Analytics Stack:

    • Self-host analytics platforms on EU servers or use EU-based analytics providers
    • Implement server-side container solutions that keep all data processing within EU boundaries
    • Create technical barriers that prevent even accidental data transfers outside the EU
  2. Technical Pseudonymization Protocol:

    • Truncate and hash the IP address immediately on receipt, before it is written anywhere, including web server and load balancer access logs, which commonly retain full addresses by default
    • Apply truncation to any geographical data to reduce precision (for example region or city level rather than coordinates)
    • Create technical separation between analytics systems and user identification systems, so that analytics tokens cannot be joined to account records
  3. Comprehensive Consent Management:

    • Implement server-side verification of consent status before any processing
    • Maintain complete audit trails of consent changes and corresponding processing decisions
    • Provide transparent options for users to view and manage what data is being collected
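The following is an added example for this article and is not code from the DSB decision, Google, or any analytics vendor. It ties together the pseudonymization techniques described in the "Server-Side Tracking" section and the implementation guidelines above: a server-side collector running on EU-hosted infrastructure that checks consent from a server-side store before doing anything, strips PII from the page URL, truncates and keyed-hashes the visitor's IP address with a key that rotates daily, and keeps only the referrer host. The names ORG_SECRET, CONSENT_STORE, PII_QUERY_PARAMS and the sample events are all constructed for the example; a real deployment would load the secret from a vault and the consent record from its own consent database.

```python
"""Server-side analytics ingestion on EU-hosted infrastructure: consent check,
PII filtering, and rotating keyed IP pseudonymization.

Added example for this article; not code from the DSB decision, Google, or any
vendor. ORG_SECRET, CONSENT_STORE and all sample events are constructed here.
"""
import hashlib
import hmac
import ipaddress
import re
from datetime import date
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed placeholder: in production load a random 32-byte secret from a
# vault on the EU-hosted server; it must never be sent to the client.
ORG_SECRET = b"replace-with-a-random-32-byte-secret-from-a-vault"

# Constructed server-side consent store, keyed by a server session id. The
# collector trusts this record, never a consent flag sent by the browser.
CONSENT_STORE = {"sess-A": {"analytics": True}, "sess-B": {"analytics": False}}

# Query parameters that routinely carry PII or credentials; dropped before storage.
PII_QUERY_PARAMS = {"email", "e", "name", "phone", "token", "session", "sid", "uid", "user_id"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def has_analytics_consent(session_id: str) -> bool:
    """Server-side consent lookup; unknown sessions default to no consent."""
    return CONSENT_STORE.get(session_id, {}).get("analytics", False)


def period_key(secret: bytes, day: date) -> bytes:
    """Derive the hashing key for one rotation period (one calendar day here).
    Tokens from different periods cannot be joined without the keys. Anyone holding
    ORG_SECRET can re-derive past keys, so to make old periods unlinkable even to
    the operator, rotate ORG_SECRET itself and discard the old value."""
    label = b"analytics-ip-pseudonym/" + day.isoformat().encode()
    return hmac.new(secret, label, hashlib.sha256).digest()


def pseudonymize_ip(ip: str, day: date, secret: bytes = ORG_SECRET) -> str:
    """Keyed hash (HMAC-SHA256) of a truncated IP address.

    Truncation (/24 for IPv4, /48 for IPv6) happens first, so the full address is
    never hashed or stored. A keyed hash is used instead of a plain salted hash:
    the IPv4 space (2^32 addresses) is small enough to enumerate, so anyone who
    learns a salt can reverse an unkeyed hash, but not an HMAC without the key.
    The output is pseudonymous, not anonymous, and must be treated as personal data.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    mac = hmac.new(period_key(secret, day), str(net.network_address).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def scrub_url(url: str) -> str:
    """Drop PII-bearing query parameters, redact e-mail addresses in the path,
    and discard the fragment before the URL is stored."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in PII_QUERY_PARAMS and not EMAIL_RE.search(v)]
    path = EMAIL_RE.sub("[redacted]", parts.path)
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(kept), ""))


def process_event(raw: dict, today: date) -> Optional[dict]:
    """Collector logic for one page-view event: consent first, then minimize,
    then pseudonymize. Returns the record to store, or None to discard the event."""
    if not has_analytics_consent(raw.get("session_id", "")):
        return None
    return {
        "day": today.isoformat(),
        "page": scrub_url(raw["url"]),
        "visitor": pseudonymize_ip(raw["ip"], today),
        # Keep only the referrer host, never the full referrer URL.
        "referrer_host": urlsplit(raw.get("referrer", "")).hostname or "",
    }


if __name__ == "__main__":
    # Constructed sample events.
    d = date(2022, 1, 13)
    consented = {"session_id": "sess-A", "ip": "203.0.113.77",
                 "referrer": "https://www.example.net/search?q=flu",
                 "url": "https://example.org/symptoms?q=flu&email=jane@example.com#top"}
    refused = dict(consented, session_id="sess-B")
    print(process_event(consented, d))  # scrubbed page URL, 32-hex visitor token, referrer host only
    print(process_event(refused, d))    # None: no consent, nothing is processed or stored
    print(pseudonymize_ip("203.0.113.77", d) == pseudonymize_ip("203.0.113.9", d))  # True: same /24
    print(pseudonymize_ip("203.0.113.77", d) == pseudonymize_ip("203.0.113.77", date(2022, 1, 14)))  # False: rotated
```

Two design points are worth noting. The consent check runs before any other function touches the event, so a refused visitor's IP address is never hashed, let alone stored; and the IP is truncated before it is keyed-hashed, so even an operator holding the key cannot recover more than the /24 or /48 prefix. The period key derived here gives daily unlinkability against an outsider; unlinkability against the operator itself requires rotating and discarding ORG_SECRET, as the comment on period_key says.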

Conclusion

The Austrian DSB's ruling represents a pivotal moment in data protection enforcement, with far-reaching implications for how organizations approach analytics. The decision makes clear that merely relying on contractual measures like SCCs is insufficient for GDPR compliance when transferring data to the US.

Server-side tracking with EU hosting, combined with keyed pseudonymization of identifiers and server-side filtering of PII, offers a viable path forward. By keeping data within EU jurisdiction, out of the reach of US disclosure orders, and reducing what is collected to the minimum the analytics actually needs, organizations can continue to gain useful insights while respecting users' privacy rights and meeting increasingly strict regulatory requirements.

As Max Schrems noted following the decision: "Companies can't use US cloud services in Europe anymore" without significant changes to their approach. This case demonstrates that properly implemented, EU-hosted server-side tracking is no longer just a best practice; it is becoming a legal necessity for organizations that want to continue using web analytics while maintaining GDPR compliance.