- The Austrian data protection authority classifies Google Analytics IDs as personal; the singularization alone is sufficient for an infringement of the fundamental right to data protection.
- The DPA rejects a risk-based approach to third country transfers; gaps in the recipient’s legal protection must not be accepted.
- Compliance measures can mitigate sanctions, but do not change the assessment of the permissibility of the specific international transfer.
From Schrems II to Google Analytics I…
On December 22, 2021, the Austrian Data Protection Authority (DPA) ruled, following a complaint by noyb, that the use of Google Analytics violates the GDPR because personal data is thereby transferred to the USA, because – according to the DPA – the standard contractual clauses do not provide adequate protection here, and because the protective measures taken by Google are not sufficient.
The decision has significance far beyond Google Analytics, among other things because it assumes that a personal reference of data does not require identification, but only singling out (singularization); we have reported on this. However, some statements were not entirely clear, and one could quietly hope that the DPA did not really mean singularization, and perhaps even hope for the survival of the “risk-based approach” to the question of whether a deficient foreign legal system precludes a transfer abroad.
… to Google Analytics II
This hope was short-lived. The DPA has followed up on Google Analytics. In a further decision of April 22, 2022 (available at noyb), issued in a proceeding parallel to Google Analytics I, it has answered the outstanding questions, in line with the fundamental rights conception of data protection. noyb has published a media release on the decision.
Yes, a singularization is sufficient (at least here)
First, unique Google Analytics identifiers are personal data in the DPA’s view because they can be used to distinguish website visitors. What was not completely clear in the Google Analytics I decision is clear now: for the DPA, singularization is sufficient – at least in the online sector:
In the opinion of the data protection authority, there is an interference with the fundamental right to data protection […] if certain bodies take measures – in this case the assignment of such identification numbers – to individualize website visitors in this way. A standard of “identifiability” in the sense that it must be immediately possible to connect such identification numbers with a certain “face” of a natural person – thus in particular with the name of the complainant – is not required […].
It is certainly no coincidence that the DPA explicitly refers to the English version of the GDPR, to the phrase “singling out” (recital 26). It obviously wanted to dispel any doubt that singularization is really meant.
As in the Google Analytics I decision, the DPA could have left this question open, even though it answered it decisively, because in the present case identification in the proper sense was possible according to the findings of fact.
The “risk-based” approach does not apply to data transfers
The DPA first assumes that the standard contractual clauses do not in themselves support a transfer to the U.S. because the Schrems II case law is relevant (since Google operates as an “electronic communications service provider” within the meaning of U.S. law). What would be required, therefore, would be “additional measures” in the sense of the Schrems II decision and the relevant guidelines of the EDSA.
The DPA does not ask here about the probability that problematic U.S. law is actually applied. The fact that local authorities are not bound by the standard contractual clauses and can make use of problematic access rights is sufficient. With this, the DPA rejects the so-called “risk-based approach.” This becomes even clearer when examining the additional measures. In the present case, no measures are evident that would close the legal protection gaps – i.e., the access and surveillance capabilities of U.S. intelligence agencies.
For example, it was not evident
to what extent protection of communications between Google services, protection of data in transit between data centers, protection of communications between users and websites, or “on-site security” actually prevents or restricts the ability of U.S. intelligence agencies to access data on the basis of U.S. law.
And further:
As long as [Google] itself has the possibility of accessing data in plain text, the technical measures put forward cannot be regarded as effective in the sense of the above considerations.
For the DPA, this means that the “risk-based approach” does not apply to transfers to third countries. Gaps in legal protection in local law must therefore not be accepted. It is not enough that the application of such loopholes is sufficiently unlikely or that the risk they pose to the persons concerned is sufficiently low.
More points
It is worth mentioning that, according to the DPA, the language of a website does not establish an orientation toward all states in which that language is spoken. This question played a role in the examination of the DPA’s competence:
The theoretical possibility that German-speaking persons from a Member State other than Austria can access www.___at is not sufficient to justify the “effects on data subjects in more than one Member State” under Article 4(23)(b) of the GDPR.
According to this reasoning, an English-language version of a website accessible under a .ch domain, for example, cannot justify the applicability of the GDPR. This is correct; at most, a general international orientation can be inferred from this, not an orientation toward a specific EEA state.
Notes
The DPA’s decision is not surprising. It does not only follow from “Google Analytics I”. The then Art. 29 Data Protection Working Party, today’s EDSA, stated in 2014 with regard to the risk-based approach:
It is important to note that – even with the adoption of a risk-based approach – there is no question of the rights of individuals being weakened in respect of their personal data. Those rights must be just as strong even if the processing in question is relatively ‘low risk’. Rather, the scalability of legal obligations based on risk addresses compliance mechanisms. This means that a data controller whose processing is relatively low risk may not have to do as much to comply with its legal obligations as a data controller whose processing is high-risk.
[…] 1/ Protection of personal data is a fundamental right […].
2/ Rights granted to the data subject by EU law should be respected regardless of the level of the risks which the latter incur […].
[…] 4/ Fundamental principles applicable to the controllers (i.e. legitimacy, data minimization, purpose limitation, transparency, data integrity, data accuracy) should remain the same whatever the processing and the risks for the data subjects. […]
This does not mean that the GDPR does not recognize a risk-based approach. It only means that organizational compliance measures must be aligned with the risks for data subjects, which the Article 29 Working Party expresses as follows:
3/ There can be different levels of accountability obligations depending on the risk posed by the processing in question. However controllers should always be accountable for compliance with data protection obligations […] whatever […] the risks for data subjects are.
[…] 5/ Implementation of controllers’ obligations through accountability tools and measures (e.g. impact assessment, data protection by design, data breach notification, security measures, certifications) can and should be varied according to the type of processing and the privacy risks for data subjects. There should be recognition that not every accountability obligation is necessary in every case – for example where processing is small-scale, simple and low-risk.
Compliance measures may therefore be aligned with the risks. In the case of concrete data processing, it must nevertheless be ensured that a violation does not occur. To put it another way: if a breach occurs, the company cannot argue that it has taken compliance measures. A violation that has occurred is therefore not cured by the fact that risk-oriented compliance measures have been taken.
This is consistent because the GDPR largely lacks a flexible justification concept; corresponding considerations can only be incorporated into permissive acts. As a result, a risk-based approach applies
- in the abstract examination of a company’s compliance,
- but not in the specific examination of a violation.
In connection with disclosure abroad, this means that at the factual level – the unauthorized transfer – it must be examined whether every contact with problematic law is to be avoided or only an increased corresponding risk. In contrast, it is not decisive whether the company has taken compliance measures prospectively, e.g. an appropriate process for risk assessments for foreign transfers (“TIAs”).
The DPA assumes that the facts of the transfer do not bear any residual risk that problematic law could be applied, which is why it could not come to any other conclusion. One can reject this basic assumption for good reasons. However, it would be better not to speak of the risk-based approach, because what is concerned is a concrete act and not a compliance measure. More correct would be the expression “individually and concretely appropriate level of protection”, which is to be examined with reference to an individual transmission and, where applicable, is conveyed by the standard clauses; this in distinction to the general-abstract appropriate level in the case of an adequacy decision. This distinction would make it clearer that it is not so much a question of accepting a residual risk out of pure pragmatism, but rather of the concrete and very legitimate question of whether the exporter has a serious reason to fear that certain concretely transferred data are exposed to the effect of problematic law.
Compliance measures nevertheless remain significant even in the event of a violation, not at the level of the violation itself, but at that of the legal consequences. Here they can have a sanction-reducing effect. Antitrust law, for example, also recognizes the “compliance defense”; this can be seen in the German Act against Restraints of Competition (GWB) as amended in January 2021: among other things, “reasonable and effective precautions taken prior to the infringement to prevent and detect infringements” are taken into account when assessing sanctions (in Switzerland, a corresponding provision was deliberately omitted).
In Switzerland there is another point to consider. Because the conception of data protection law is primarily one of personality rights, only an unlawful data protection violation is prohibited.
In general personality rights, this is reflected in a double test. On the one hand, the behavior must exceed the threshold of the socially adequate, i.e., reach a certain level of severity, and on the other hand, a violation can be justified. In this respect, data protection law creates upstream protection: it replaces the first test threshold with the fiction of a violation of personality rights in the event of a violation of a processing principle. In this respect, it is stricter than the general right of personality.
Justification, however, remains open. Accordingly, the violation of a subjective data protection right is not unlawful if it is justified, for example, by overriding interests. In the weighing of interests, however, all circumstances must be taken into account and weighted – this includes the effort required to avoid the violation as well as its severity. In this respect, and at least within this framework, Swiss law therefore certainly recognizes a risk-based approach, even at the factual or unlawfulness level.