A portrayal of the consequences that the Austrian & French Data Protection Authorities´ decisions will have on transatlantic data transfers.
Edoardo Picciotto & Matteo Martini*
1. Does Google Analytics violate the GDPR?
About one-and-a-half years after the Schrems II decision, National Data Protection Authorities (henceforth: DPA) are finding themselves in the headlines of newspapers. The Austrian DPA (Datenschutzbehörde) was the first to declare that Google Analytics violates art. 44 of the GDPR as interpreted by the CJEU.[1] The attention became even more significant when the French DPA (CNIL) went one step further recommending to cease the use of Google Analytics if its functions were not altered.[2] Subsequently, many observers proclaimed the end of the Internet as we know it, considering that the NGO NOYB (None Of Your Business), co-founded by Schrems, issued similar complaints in 30 member states of the EEA.[3]
2. Possible Solutions & Challenges
Next, we analyse whether these decisions will really mark the doomsday for entire tech industry. Hence, we would like to depict how companies like Google could comply with the DPAs´ decisions and what challenges they may face in doing so.
2.1 Standard Contractual Clauses (SCC)
In June 2021, the European Commission issued a modernised version of SCCs that, if respected, would make data transfers valid under the GDPR.[4] Could these updated SSCs be an adequate solution for a transatlantic data transfer?
According to art. 46 of the GDPR, this would be the case, provided that the contractual clauses ensure appropriate data protection safeguards.
Still, the contractual nature of SCCs renders them binding only for the private actors involved in the data transfer. On the contrary, public authorities located in third countries would not be affected by them at all.
Therefore, the CJEU stated that a case-by-case assessment must be conducted by the data controller to ensure that the country of destination provides an adequate level of protection.[5]
In the case at hand, it was found that the U.S. legal system, mainly because of section 702 of the FISA, does not provide enough guarantees to the safety of European personal data. According to the CJEU, in fact, the U.S. system allows public authorities to access electronic communications in a generalised disproportionate manner and does not foresee sufficient legal remedies or means of opposition for the individuals involved.[6]
To conclude, even though the updated SCCs are an entirely market based and economically attractive solution, they can only be applied when the transfer is made to third countries that do not foresee disproportionate access to foreign personal data by their public authorities. Unfortunately, as the CJEU stated in Schrems II, this will be the case in the U.S. as long as the current monitoring system of the FISA remains in place[7].
2.2 Anonymisation and pseudonymisation of personal data
Another possible solution to the problems connected to the transfer of personal data to third countries could be the anonymisation of said data. In fact, recital 26 GDPR excludes anonymised data from the GDPR`s scope.
On the contrary, merely pseudonymised data is still subject to the GDPR and its standards on foreign data transfers.
To better understand this, an introductory distinction between proper anonymisation and so-called pseudonymisation of data is indispensable.
Anonymisation, has been defined as a “process by which personal data is altered in such a way that a data subject can no longer be identified directly or indirectly, either by the data controller alone or in collaboration with any other party”[8].
This implies that the personal data, once altered, cannot be attributed anymore to the individual they belonged to, i.e., a re-identification becomes impossible. According to some scholars[9], anonymisation is hardly feasible. These scholars argue that the steady increase in computing power and the availability of huge amounts of additional data outside the original dataset at issue enabled the re-identification of data subjects even when only little information is provided[10].
But, even in case anonymisation became feasible through innovative technologies, there would still be an issue of economic nature. In the data economy, in fact, the value of data lies in the possibility to profile customers to then target them with personalised advertisement. This is especially true for big tech companies like Google.
But a complete anonymisation would make it impossible to obtain any valuable information from the dataset, making it practically worthless. So, anonymisation seems to be no solution.
On the other hand, pseudonymisation, according to art. 4 (5) of the GDPR consists in a procedure that renders personal data no longer attributable to a specific data subject unless additional information is provided, i.e., a key is needed to re-identify a person. Such pseudonymisation can be carried out through a multitude of encrypting techniques[11] which satisfy the level of protection required by the GDPR.
Still, we must bear in mind that this system is by definition not infallible, as there will always be a key that renders the data re-identifiable.
In the case at hand, the Austrian DPA found that the identifiers collected via Google Analytics like browser data or IP addresses made a re-identification of data subjects probable with reasonable means.[12] Therefore, it held that the pseudonymisation implemented by Google did not comply with the GDPR.[13]
But even if the data were pseudonymised in a way generally compliant with the GDPR, there would still be the insurmountable obstacle represented by Section 702 of the FISA.
In fact, in the U.S., “data importers are under a direct obligation to grant access to or turn over imported personal data that are in their possession, custody or control. This may extend to any cryptographic keys necessary to render the data intelligible”[14].
Therefore, even though pseudonymisation would be a suitable solution, when properly implemented by private actors, it once again risks being rendered ineffective by American law.
2.3 Consent
As a third option to ensure a legal transatlantic data transfer tech companies could rely on the data subject´s expressly articulated consent, as stated by art. 49 (1) (a) GDPR.
However, this solution would entail many obstacles. Besides the unclear legal nature of art. 49 GDPR, it might also be challenging to fulfil the requirements laid out in said article.
Currently it is discussed, whether art. 49 GDPR is subsidiary to art. 45 and 46 GDPR.[15] Furthermore, it is debated if it can only be used in exceptional cases that are limited in number, or whether tech companies could rely on it as a general rule.[16] The EDPD, relying on recital 111 GDPR, interprets art. 49 (1) (a) GDPR in the former way.[17] The Austrian DPA did not comment on this issue as in the case at hand the data subject did not provide consent regarding the transfer of his data.
Consequently, companies that choose to rely on the data subject´s consent risk to suffer from legal uncertainty, which might even be amplified in case the data subject was to withdraw her/his consent after the transfer was exercised.
Furthermore, such companies would face the problem that the law requires the consent to be informed and explicit. Consequently, in practice, the data transfer consent may have to be requested separately from the cookie setting consent. Additionally, to be informative in nature the data transfer notification might be required to contain language declaring that in the U.S. personal data may be accessible under circumstances that would be deemed illegal in Europe.[18] Such (inevitably) strong wording might be unattractive from an economic perspective as it might have a deterrent effect on users of tools like Google Analytics.
In conclusion, neither economic nor legal arguments favour this solution.
2.4 Processing European Data in Europe
Contrary to the before-mentioned solutions a system renouncing to transfer data to the U.S. would avoid all issues discussed, hence being perfectly in line with the GDPR.
For instance, big tech companies like Google could expand their server capacities in Europe processing all European personal data solely within the continent´s borders. The replacement of Google LLC by Google Ireland Ltd as the contractual partner for European users could be interpreted as a first step in this direction. But at second glance section 10.1 of Google´s Ads Data Processing Terms[19] states that Google may choose to process data in every country it operates. Moreover, it does not seem likely that tech companies, in particular start-ups, will shoulder the implementation costs of building up two separate systems for data processing, while simultaneously erasing all positive externalities arising from the connection of European and American data. Hence, although this solution would be perfectly in line with the GDPR it does not seem likely to be carried out.
2.5 Privacy Shield II
The proposed solutions up to this point either are legally not admissible at all, lack legal certainty, or face economical backlashes. So, could a Privacy Shield II, in the end, be the best solution to fix the practical implications arising out of Schrems II?
Statements by Google´s Chief Legal Officer give the impression that the industry would favour such a solution, as it would combine legal certainty with the possibility of benefitting from the already established business infrastructure.[20]
At the same time, legislators also seem to prefer said solution. Talks about a new “enhanced” Privacy Shield already started in August 2020[21] and were “intensified” in March 2021.[22] Nonetheless, the talks seem to progress slowly as almost one year later there is still no proposal on how such an agreement should look like in detail. Despite this, a summit is expected to take place in May this year,[23] and the recent decisions of European DPAs fuel the hopes that the discussion will become more dynamic. The European Parliament also seems to become more interested in the status of the negotiations.[24] And on the other side of the Atlantic, the U.S. indicated its willingness to make concessions, as the U.S. Commerce Secretary Gina Raimondo pointed out that a new Privacy Shield would address EU concerns.[25]
This being said, the hurdles to reach an agreement still seem to be high. Although the Biden administration signalled to adopt new executive and administrative orders, these may not be sufficient to overcome the main concerns raised in Schrems II. [26] In said ruling, the CJEU pointed out that first, section 702 of the FISA would not comply with the requirement of proportionality, as it would fail to effectively limit the authority of the surveillance agencies.[27] Secondly, U.S. law would provide no actionable rights to European data subjects.[28] Unless the new agreement between the U.S. and Europe expressly tackles these issues it might risk being invalidated again by the CJEU.
Recapitulating the before mentioned, a Privacy Shield II would be a solution that could benefit the data-driven industry, while concurrently providing a high level of protection for European personal data. Nonetheless, it is too soon to foresee if or when such an agreement will be finally reached.
3. Concluding remarks
In the light of the above, a system that renounces to transfer data to the U.S would be the safest in terms of respect for the requirements of the GDPR. But this solution would be economically challenging for the American and European data-driven economies.
Consequently, we are convinced that a Privacy Shield II would be the most convenient solution in the long run. However, caution must be taken to draft it in a way that guarantees compliance with the GDPR and the jurisprudence of the CJEU.
* Edoardo Picciotto is a law graduate from Università Commerciale Luigi Bocconi, Milan. Matteo Martini is a law graduate from Rheinische Friedrich-Wilhelms-University Bonn. Both are currently attending the postgraduate LL.M. in Law of Internet Technologies at Università Commerciale Luigi Bocconi.
[1] Austrian Datenschutzbehörde, Teilbescheid, 22.12.2021 – D155.027 GA.
[2] CNIL, Use of Google Analytics and data transfers to the United States: the CNIL orders a website manager/operator to comply, 10.02.2022.
[3] Compare the overview of all complaints published on NOYB´s website.
[4] Compare EU Commission, Standard Contractual Clauses (SCC), 04.06.2021.
[5] C. Gentile, La saga Schrems e la tutela dei diritti fondamentali, Federalismi.it, 13.01.2021, pp. 35-56 (44).
[6] CJEU, Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd/Schrems, 16.07.2020, ECLI:EU:C:2020:559, p. 43.
[7] Gentile Chiara, La saga Schrems e la tutela dei diritti fondamentali, Federalismi.it, 13.01.2021, pp. 35-56 (35ff).
[8] ISO 25237:2017, Health Informatics—Pseudonymisation, ISO, 2017, p. 7.
[9] I. S. Rubinstein, Woodrow Hartzog, Anonymisation and Risk, New York University School of Law, 09.2015.
[10] Compare A. Narayanan, V. Shmatikov, Robust De-anonymisation of Large Sparse Dataset, The University of Texas at Austin, where it was proved that with almost futile information, like lists of anonymous movie ratings made by individuals, it was still possible to re-identify the original data subjects.
[11] Data Protection Working Party, Opinion 05/2014 on Anonymisation Techniques, 04.2014.
[12] Austrian Datenschutzbehörde, Teilbescheid, 22.12.2021 – D155.027 GA, p. 29.
[13] Ibid.
[14] European Data Protection Board, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, version 2.0, 06.2021, p. 29.
[15] S. Kremer – J. Christmann-Thoma – K. Kamm – M. Matejek, Nadine Schneider, Datentransfer nach Art. 49 DSGVO: Was geht, wenn sonst nichts geht?, in Computer und Recht (CR), 12.2021, pp. 784-796 (785).
[16] Ivi, pp. 785-787.
[17] European Data Protection Board, Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, 25.05.2018.
[18] S. Kremer – J. Christmann-Thoma – K. Kamm – M. Matejek, Nadine Schneider, Datentransfer nach Art. 49 DSGVO: Was geht, wenn sonst nichts geht?, cit.
[19] See Google Ads Data Processing Terms, 03.03.2022.
[20] Compare the statement published by Google´s President of Global Affairs and Chief Legal Officer Mr. Kent Walker on 19.01.2022.
[21] European Commission, Joint Press Statement by European Commissioner for Justice Didier Reynders and U.S. Secretary of Commerce Wilbur Ross, 10.08.2020.
[22] European Commission, Intensifying Negotiations on transatlantic Data Privacy Flows: A Joint Press Statement by Didier Reynders and U.S. Secretary of Commerce Gina Raimondo.
[23] T. Kaiser – B. Fuest, Meta threatens EU boycott; The US group fears for its advertising business because of strict EU data protection laws and warns: Facebook and Instagram could soon be shut down in the EU, in Die Welt, No. 27, 08.02.2022, p. 9 (9).
[24] A. Kanko, Question for a written answer to the Commission E-000629/2022, 10.02.2022.
[25] F. Y. Chee, EU aims to tighten curbs on data transfers to non-EU governments – EU documents, in Reuters, 03.03.2022.
[26] Congressional Research Service, U.S.-EU Privacy Shield and Transatlantic Data Flows, 22.09.2022, p. 17.
[27] CJEU, Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd/Schrems, 16.07.2020, ECLI:EU:C:2020:559, recitals 178-180.
[28] CJEU, Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd/Schrems, 16.07.2020, ECLI:EU:C:2020:559, recital 181.