Austria: Website in breach of GDPR by transferring Google Analytics data to the US
The clash between EU GDPR rights and US surveillance law has culminated in a series of complaints, of which the first decision comes from Austria. By Laura Linkomies.
Austria’s Data Protection Authority has decided that an Austrian website using the free version of Google Analytics is in breach of the GDPR data transfer rules and Schrems II, as personal data may become exposed to US intelligence agencies.
The decision by Austria’s DPA(1) on 22 December 2021 says the dilemma lies with Google Analytics data transfers to the US, and whether the efforts made with using Standard Contractual Clauses and the Supplementary Measures are sufficient.
This case, brought by the campaigning group nyob against an Austrian website netdoktor.at involved Google Analytics as it provided the statistical analysis of visitors to the website. The regulator said that the IP anonymization function was not properly implemented thus allowing analytics data, sent to the US, to be personally identified. The DPA therefore found that the website operator was in breach of GDPR A 44 which prohibits the transfer of personal data beyond EU/EEA, unless the recipient country has adequate protection.
International Report subscribers please login to access the full article.
If you wish to subscribe please see our subscription information.