There are Many Reasons to Worry About Data Transfers, but the Austrian DPA Second Google Analytics Decision Should not be one of Them

noyb’s posting that the “risk-based approach” to data transfers has been rejected is disingenuous.  Moreover, the Austrian Data Protection Authority’s second Google Analytics decision is poorly reasoned and is based on two outdated “facts.”  For these three reasons, the decision should not apply more broadly to today’s transfers of personal data:

(1) The Austrian DPA’s conclusion that the risk-based approach is provided for in Article 24(1) and other enumerated provisions of the GDPR but not in Article 44 (or other articles in Chapter V) and therefore that “Chapter V of the GDPR does not recognise a risk-based approach” is flawed reasoning.  Article 44, which sets forth the general principles for transfers, does not stand alone; rather, Article 44 expressly says that it is “subject to the other provisions” of the GDPR.  Therefore, Article 44 is subject to Article 24(1) which requires the controller to identify the risks to the rights and freedoms of natural persons and to take into account the likelihood and severity of those risks in relation to the nature, scope, circumstances and purposes of the processing for each data processing operation.  Thus, Article 24(1) sets forth the fundamental obligations of the controller and makes assessing risk part of the accountability principle set forth in Article 5(2).  Since, pursuant to Article 24(1), the controller must assess the risk to natural persons of any data transfer, it is incorrect for the Austrian DPA to have concluded that Chapter V is not risk-based.           

(2) The Austrian DPA found that the standard contractual clauses (SCCs) used by Google at the time of the 2020 transfer were the 2010 Standard Contractual Clauses (2010 SCCs).  This is significant because Clause 14 of the 2021 Standard Contractual Clauses (2021 SCCs) requires the parties to take into account “the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards.”  Footnote 12 to this provision requires the transfer impact assessment which assesses the risk of such a transfer.  Footnote 12 provides in part: “As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment.  Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame.”

Thus, the 2021 SCCs require that the parties conduct a type of risk-based analysis.  Furthermore, on 18 June 2021, the EDPB published the Final Recommendations on Supplementary Measures for International Transfers (EDPB’s Final Recommendations) which also allow the transfer of data to proceed if there is no reason to believe the legislation will be interpreted and/or applied in practice so as to cover the transferred data and importer.  In order to make this determination, a form of risk-based analysis must be conducted.

The Austrian DPA found that the words “risk-based” are not used in Chapter V of the GDPR. In addition to the faulty legal reasoning discussed above, the facts and the law have changed since the 2020 data transfer.  Since the 2021 SCCs and the EDPB’s Final Recommendations were not at issue in the Austrian DPA’s second Google Analytics decision, that decision should be limited strictly to its facts and should not be read to apply to today’s data transfers more broadly.

(3) The DPA also found that Google could be required by U.S. intelligence services to hand over complete IP addresses.  This conclusion was based on a review of Google documents published online and entered into between Google and the user of Google Analytics.  In particular, the DPA focused on the two steps of the IP address anonymization function: the full address of a website visitor is first transmitted to Google, and the IP address is masked in a second step after it has been received by the Analytics data collection network.  In so finding, the DPA quoted a query of Google’s German website made on 18 March 2022.

An English translation of the German query also states: “IPs are anonymized or masked as soon as the data is received by Google Analytics and before it is stored or processed.”  Google’s U.S. website on 3 May 2022 described IP Anonymization as follows:

    A technical explanation of how Universal Analytics anonymizes IP addresses.  In Google Analytics 4, IP anonymization is not necessary since IP addresses are not logged or stored.

    At a glance

    When a customer of Universal Analytics requests IP-address anonymization, Analytics anonymizes the address as soon as technically feasible.  The IP-anonymization feature in Universal Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly before being sent to Google Analytics.  The full IP address is never written to disk in this case.

Since Google Analytics does not store full IP addresses, today it cannot be required to hand them over to U.S. intelligence services.  Additionally, this IP Anonymization process demonstrates two things.  Under the assessment required by Footnote 12 of the 2021 SCCs, Google would not be prevented from complying with the SCCs.  Under the assessment required by the third step of the EDPB’s Final Recommendations, there is no reason to believe legislation will be interpreted and/or applied in practice so as to cover Google, because it does not have the IP addresses to transfer.  Again, the Austrian DPA’s second Google Analytics decision should be limited to its facts and should not be read to apply to today’s data transfers more broadly.
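To make the masking rule quoted above concrete, here is an added Python example (it is not Google’s code and not part of the original post) that zeroes the last IPv4 octet or the last 80 IPv6 bits and then audits constructed log lines for any address that was stored unmasked, which is the check a controller verifying the “never written to disk” claim would want.  The log format and the function names are assumptions.

```python
import ipaddress

# Bits that survive masking, per the quoted description:
# IPv4 keeps 32 - 8 = 24 bits, IPv6 keeps 128 - 80 = 48 bits.
KEEP_BITS = {4: 24, 6: 48}


def anonymize_ip(addr: str) -> str:
    """Return addr with the low-order bits zeroed as Universal Analytics describes."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{ip}/{KEEP_BITS[ip.version]}", strict=False)
    return str(net.network_address)


def is_anonymized(addr: str) -> bool:
    """True when the address already has its masked bits set to zero."""
    return anonymize_ip(addr) == str(ipaddress.ip_address(addr))


# Constructed sample log (documentation-range addresses); the "ip=" field
# layout is an assumption, not a real Google Analytics export format.
SAMPLE_LOG = """\
2022-03-18T10:00:00Z page=/home ip=203.0.113.0
2022-03-18T10:00:01Z page=/pricing ip=203.0.113.57
2022-03-18T10:00:02Z page=/home ip=2001:db8:abcd::
2022-03-18T10:00:03Z page=/docs ip=2001:db8:abcd:1234::1
"""


def unmasked_addresses(lines):
    """Audit: list every stored address that still carries a full (unmasked) value."""
    found = []
    for line in lines:
        for token in line.split():
            if token.startswith("ip=") and not is_anonymized(token[3:]):
                found.append(token[3:])
    return found


if __name__ == "__main__":
    print(anonymize_ip("203.0.113.57"))                      # 203.0.113.0
    print(anonymize_ip("2001:db8:abcd:1234:5678:9abc:def0:1"))  # 2001:db8:abcd::
    print(unmasked_addresses(SAMPLE_LOG.splitlines()))
```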

Every time data is processed, much less transferred, there is some level of risk to one or more stakeholders.  That is why organizations do risk assessments.  Organizational risk assessments define the likelihood of varying risks and the magnitude of the impact of those risks.  By its very nature, the entire GDPR is risk-based, not just certain articles.  If the warranties made by the parties to the 2021 SCCs are fulfilled and the assessments required by 2021 SCCs are conducted with competency and integrity, the Austrian DPA’s second Google Analytics decision should not hinder today’s data transfers.