The Austrian Data Protection Authority (DPA) has issued a detailed partial decision dated 22 December 2021 concerning a complaint by (more precisely: represented by) NOYB, the NGO of Max Schrems. The complaint was directed against a publisher and against Google LLC (USA).
NOYB had argued that the use of Google Analytics on the publisher’s website violates the GDPR because it results in the disclosure of personal data to Google in the USA without the GDPR’s requirements for the disclosure of personal data to third countries being met.
As a result of the decision, Google felt prompted to issue an explanation of Google Analytics (January 22, 2022). The decision could be appealed within a period of four weeks; whether it is legally binding in the meantime is not known (to us).
The obvious point: transmission to the USA
The use of Google Analytics results in the transfer of personal data from Austria to the USA. Although the standard contractual clauses were concluded with Google (still the old clauses), these are, as is well known, not sufficient on their own (tel quel).
In Google’s case, it is now clear that Google is a “provider of electronic communication services” within the meaning of FISA 702 and is subject to this law. In accordance with the Schrems II judgment, the transfer to Google could therefore not be based solely on the standard clauses.
The open question was whether “additional protective measures” within the meaning of the EDPB guidelines could remedy this. From the DSB’s point of view, this was – not surprisingly – not the case:
- A transparency report about requests from authorities is not an effective measure.
- The protection of communications between Google services, protection of data in transit between data centers, protection of communications between users and websites, or “on-site security” also do not prevent or limit the ability of U.S. intelligence agencies to access data based on U.S. law.
- “Data at rest” encryption in the data centers is also not enough: if the data importer is subject to FISA 702, it may have to grant access to data, and possibly also to the key.
- The fact that the data in question are pseudonymized is also not enough. The DSB refers here to the “Guidance from the supervisory authorities for telemedia providers” of the German Data Protection Conference. According to this, the identification of users by means of an ID is not a pseudonymization measure within the meaning of the GDPR because IDs are used “to make the individual distinguishable and addressable. Consequently, a protective effect does not arise.” The DSB is content with this reference without commenting on this issue itself, in particular on the question of why pseudonymization should fail as long as individuals are still “distinguishable”. In substance, this corresponds to the singularization approach, which the DSB equates with identification; see below.
The DSB is probably correct in classifying Google as an “electronic communication services provider” within the meaning of FISA 702 (although one may wonder whether this is also the case in connection with Google Analytics). The question would be, however, whether the publisher has reason to believe that “the […] laws and practices in the third country of destination, including requirements to disclose personal data or measures allowing public authorities access to such data, prevent the data importer from fulfilling its obligations under these clauses” (clause 14(a) of the new standard contractual clauses; similarly, though less clearly, the EDPB guidelines “on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”).
However, the DSB does not examine this question, but proceeds directly from the case law of the ECJ (Schrems II). Therefore, the probability that a theoretical possibility of access by American authorities actually materializes is not taken into account. This absolute approach, which can still be seen in the Schrems II ruling, should actually have been overcome in light of the EDPB guidelines and especially the new standard contractual clauses. At the same time, it would be presumptuous to hope that other European supervisory authorities will endorse a probability-based approach across the board.
In addition, Art. 44 GDPR (General Principles of Data Transfer) grants the data subjects a subjective right:
Against the background of the wording of Art. 77 (1) GDPR as well as the cited case law of the ECJ and the Administrative Court, it can be stated as an interim result that the provisions in Chapter V and, in particular, the obligation for controllers and processors to ensure the level of protection for natural persons guaranteed by the Regulation, as standardized in Art. 44 GDPR, can conversely also be asserted as a subjective right before the competent supervisory authority pursuant to Art. 77 (1) GDPR.
Perhaps the more sensitive issue in the long term: the notion of personal data
The DSB concludes that personal data is processed when Google Analytics is used. In doing so, it makes a number of sensitive findings:
Maybe: Singularization
When Google Analytics is used, unique online identifiers (“unique identifiers”) are transmitted that identify both the complainant’s browser or device and the publisher (through the Google Analytics account ID of the publisher as website operator); furthermore, information on the website visited, information on the browser and operating system, etc., and the IP address of the complainant’s device are transmitted.
In qualifying these data, the DSB tends – but not unambiguously – to proceed from the notion of singularization. It is sufficient if measures are taken, such as the assignment of identification numbers in this case, to individualize website visitors in this way:
A standard of “identifiability” to the effect that it must be immediately possible to associate such identification numbers with a particular “face” of a natural person – i.e. in particular with the name of the complainant – is not required […].
The DSB justifies this with the view of the then Article 29 Group, which had indeed mentioned the concept of singularization (Opinion 4/2007 on the concept of personal data, June 20, 2007):
At this point, it should be noted that, while identification through the name is the most common occurrence in practice, a name may itself not be necessary in all cases to identify an individual. This may happen when other “identifiers” are used to single someone out. Indeed, computerised files registering personal data usually assign a unique identifier to the persons registered, in order to avoid confusion between two persons in the file. Also on the Web, web traffic surveillance tools make it easy to identify the behavior of a machine and, behind the machine, that of its user. Thus, the individual’s personality is pieced together in order to attribute certain decisions to him or her. Without even enquiring about the name and address of the individual it is possible to categorise this person on the basis of socio-economic, psychological, philosophical or other criteria and attribute certain decisions to him or her since the individual’s contact point (a computer) no longer necessarily requires the disclosure of his or her identity in the narrow sense. In other words, the possibility of identifying an individual no longer necessarily means the ability to find out his or her name. The definition of personal data reflects this fact.
The DSB also refers to Recital 26 of the GDPR:
Such an interpretation is supported by Recital 26 of the GDPR, according to which the question of whether a natural person is identifiable “[…] shall take account of any means reasonably likely to be used by the controller or by any other person to identify the natural person, directly or indirectly, such as Aussondern” (English language version of the regulation: “singling out”). The term “Aussondern” is to be understood as “picking out from a set” (cf. https://www.duden.de/rechtschreibung/aussondern, retrieved December 22, 2021), which is in line with the above considerations regarding the individualization of website visitors.
One cannot therefore accuse the DSB of having drawn its conclusions out of thin air. At the same time, it remains open whether the DSB intended the concept of personal data to be interpreted so broadly in general, or whether its considerations are limited to online identifiers, or even to the case in which – as here – a combination with further elements is possible in addition to singling out, which is supported by the following statement:
In the literature it is likewise expressly argued that even a “digital footprint”, which allows devices – and subsequently the concrete user – to be clearly individualized, constitutes personal data […]. This consideration can be transferred to the present case due to the uniqueness of the identification numbers, especially since – as will be discussed in more detail below – these identification numbers can also be combined with other elements.
Whether the concept of singularization has thus already been kissed awake from its slumber cannot therefore be conclusively determined. However, the decision of the DSB has the potential to steer in this direction in the longer term, perhaps as part of a broader development. If this were the case, i.e. if singularization were to prevail, it would also have to follow that a disclosure of pseudonyms to third parties without the possibility of attribution would be considered a disclosure of personal data, which is not the case today.
At least, the DSB explicitly leaves open whether
- the “anonymization function of the IP address” (IP Anonymization) would lead to a different result, because this function was not implemented correctly;
- an IP address considered in isolation is personal data, because it was combined here with further elements (in particular the Google Analytics identification number).
Not: objective approach to the determination of the reference to the person
The DSB further states that the complainant in the specific case was even identifiable by name. Its remarks here at first appear to advocate the objective approach to personal reference:
Indeed, it is not necessary that the respondents can in each case alone establish a personal reference, i.e. that all the information required for identification is with them […]. Rather, it is sufficient that anyone – with legally permissible means and reasonable effort – can establish this personal reference […].
The objective approach does not mean setting the filter of identification lower (i.e., not seriously considering the required possibilities of identification), but drawing the circle of relevant persons with the corresponding possibilities widely; in extreme cases, it would be sufficient if anyone at all can infer the identity of the person concerned.
However, the DSB does not say that here, on the contrary:
It is not overlooked that, according to Recital 26 of the GDPR, it is also necessary to take into account with what “probability” anyone uses means to identify natural persons directly or indirectly. In fact, according to the data protection authority, the term “anyone” – and thus the scope of application of Art. 4(1) GDPR – is not to be interpreted so broadly that any unknown actor could theoretically have specialized knowledge to establish a personal reference; this would in fact lead to almost any information falling within the scope of the GDPR, and differentiation from non-personal data would become difficult or even impossible. Rather, the decisive factor is whether identifiability can be established with justifiable and reasonable effort […]. In the present case, however, there are certain players who have special knowledge which makes it possible to establish a reference to the complainant in the sense of the above statements and therefore to identify him.
Google was in a position to identify the user: the complainant was logged into his Google account when he visited the website. Google therefore at least knew that the user of the relevant Google account had visited the website. In this case, the settings in the Google account were important. However, if the identifiability depends only on this, then from a technical point of view all possibilities for identifiability are available – that is enough.
Finally, the DSB in effect also advocates a reversal of the burden of proof:
Likewise, explicit reference must be made to the accountability, under the GDPR, of the first respondent – as controller, see below – to implement appropriate technical and organizational measures in accordance with Article 5(2) in conjunction with Article 24(1) in conjunction with Article 28(1) of the GDPR in order to ensure and provide evidence that the processing (with the help of a processor) is carried out in accordance with the Regulation. It is therefore a matter of a debt to be discharged. This also includes the proof that a processing operation is not subject to the Regulation. Despite several opportunities to do so, this was not provided.
Moreover, even U.S. intelligence agencies might be able to make an identification:
As the complainant has also correctly pointed out, intelligence services in the U.S. take certain online identifiers (such as the IP address or unique identification numbers) as a starting point for monitoring individuals. In particular, it cannot be ruled out that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant.
Assessment
Here, the DSB tends to advocate the concept of singularization. From the point of view of discrimination law, this is understandable prima vista, because an individualization of persons not known by name can be sufficient to treat this person differently from others. However, unequal treatment in this case is not based on information that is actually personal, because the identifiers used to differentiate would only be personal in the proper sense if they were used generally – also by third parties – for identification (as is especially the case with the name of a person); on this, see already Rosenthal.
If, on the other hand, they serve as an identifier for only one party, they cannot be linked to data of third parties or by third parties, and in this case one cannot speak of “identification”. The scope of protection of data protection law does not go so far that it can become a general right to protection against discrimination, especially not in Switzerland, where fundamental rights have a merely indirect protective effect between private individuals. For this reason, even fundamental rights-based European regulations should not be taken over unquestioningly.
In any case, one has to ask why the DSB makes these remarks at all. It would have been sufficient to establish the clear identification by Google – here via the login to the complainant’s Google account. Ultimately, the statements on singularization are thus obiter dicta. At the same time, it must not be assumed that the DSB has overlooked the implications of its statements; its statement cannot be dismissed as an operational accident, but must be read as a deliberate positioning.
Distribution of roles
When examining the allocation of roles under data protection law, the DSB initially assumes that the publisher is the controller because it uses Google Analytics. Google, on the other hand, is a processor for Google Analytics, which is surprising, but basically correct – depending on the configuration of Google Analytics – and also corresponds to Google’s own position:
As regards the data processing in connection with the Google Analytics tool, it should be noted that [Google] merely provides it and also has no influence on whether and to what extent the first respondent makes use of the tool functions and which specific settings it selects. Insofar as [Google] therefore only provides Google Analytics (as a service), it has no influence on the “purposes and means” of the data processing and is therefore, in accordance with Article 4(8) of the GDPR, to be qualified as a processor in this specific case.
This applies without prejudice to Google’s role under data protection law with regard to possible further data processing.