(01.02.2022)
Unfortunately, using services from US providers is still complicated in Europe. Particularly, if you operate a website with the Google Analytics tracking service you could be facing new trouble.
In Austria, the data protection supervisory authority has ruled that Google Analytics does not comply with data protection regulations and that its use is therefore illegal.
This decision only applies to one specific, individual Austrian case and has not yet been confirmed by a court ruling. But it is possible that German supervisory authorities make a similar decision (a corresponding case is pending; fox-on will inform you if there is news).
The reason is that Google processes personal data in the USA. This includes not only unique online identifiers and IP addresses, but also information about the computer used and other data. This means that even if the IP address is anonymised, the reference to the device and thus a person can be established.
Google justifies the data transfer with the new EU Standard Contractual Clauses. However, these alone are no longer sufficient (we reported on the so-called Schrems II ruling in July 2021). Since then, in addition to the standard contractual clauses, “additional measures” must be taken to protect personal data outside the EU. By the way, this applies to transfers to all third countries, not only to the USA.
You should therefore be aware of this:
In the case of data transfers to the USA and other third countries, one must check and document with which additional protective measures the data is protected.
In this specific case, Google agreed to a number of protective measures (for example, to carefully examine every request from US security authorities, to inform the EU citizens affected by it, and to encrypt data). However, the Austrian supervisory authority stated: in its view, this is not sufficient. U.S. authorities would still have the right to access the data and could demand a breach of encryption.
If other supervisory authorities and, in particular, courts follow this line of argument, legal data transfer to the U.S. would hardly be possible anymore. In this respect, this topic unfortunately remains exciting.
Summary:
Additional safeguards must be reviewed and documented for data transfers out of the EU. If you use Google Analytics: Be prepared to possibly discontinue its use or replace it with another service. fox-on is keeping an eye on the issue and will provide information on any new framework conditions.