Austrian DPA: EU-US data transfers to Google Analytics are illegal
Enforcement of Schrems II
It was recently announced that the Austrian Data Protection Authority (DSB) has enforced “Schrems II”, the CJEU legislation ruling that cloud services hosted in the US cannot comply with EU data laws. This is because no guarantees can be made about how and where data would be used, as US authorities – such as the NSA – technically have unrestricted access. The enforcement entails a fine for companies failing to protect the data of EU citizens by storing it in the United States.
As part of this ruling, it was decided that:
- IP addresses are classed as personal data so their transfer falls under EU data protection law.
- US intelligence services use IP addresses as a starting point for the surveillance of individuals and Google Analytics, and by extension other US analytics providers, has not done enough to block US intelligence services from accessing the data.
- Because EU citizen data is therefore not protected (according to GDPR) when it is stored in the US, it should remain in the EU.
- In this event, the party penalized for breaking EU data law is primarily the customer of the analytics provider, or ‘data controller’. As a ‘data processor’ Google Analytics, and similar analytics companies, hold less liability.
Why does this matter?
Essentially, there’s now a fundamental mismatch between EU data privacy law and US surveillance law, which is unlikely to be resolved anytime soon. To comply with GDPR, Austrian companies must ensure that the data they collect remains in the EU. In effect, this means that Austrian companies using Google Analytics or any other analytics provider that stores data in the US, must ensure that all IP addresses held by the platform are anonymized or obfuscated in some way.
Many Austrian organizations are now rapidly assessing GDPR-compliant alternatives to Google Analytics, and other public SaaS solutions, as there is no grace period for this ruling to apply to other companies.
This being just the first enforcement of an EU-wide ruling, every company storing EU data in the US must now be prepared to take action and consider the switch to data collection entirely hosted in their own private cloud.
How to learn more
With Snowplow BDP, all your data is processed and stored in your private cloud account. Our technology gives you complete ownership over your data, from what you collect to who has access to it and what they can do with it. No third-party, including Snowplow, has access to the data you collect, helping you to future-proof compliance with data privacy regulations.
If you’d like to learn more about Snowplow and how we can help you navigate this situation, please book in a slot with a member of our team.