No Risk Base for you; No Google Analytics for you; No transfers for you: DSB Austria on GA

New Google Analytics decision from DSB Austria sends us to #cryandpray and throw the keyboard away.

TL:DR:

• Information collected by GA is personal data and it is transferred to or accessible by the NSA.
• The GDPR does not know of any "risk based approach" in Chapter V. This can only be found in certain articles of the GDPR, such as Art. 32.
• That US intelligence services have no interest in the data processed in this case - for example, by stating that the information on the "screen resolution is an industry standard" - it must be countered that it is not a question of a possible interest of US intelligence services, but of their access possibilities. And also there is the issue that it could be combined with other data.
• The Google Analytics tool (at least in the version of 14 August 2020) can therefore not be used in accordance with the provisions of Chapter V of the GDPR

Deeper Dive:

Personal Data:

• Unique GA identifiers are personal data because the controller and Google can use them to distinguish among website visitors.
• To be identifiable - you don't need to be able to associate an identification number with a specific face. Singling out - i.e. picking out from a crowd, is sufficient.
• "Digital footprint", which makes it possible to clearly individualize devices - and subsequently the specific user - constitutes personal data
• "segregation" by marking a terminal device is to be considered personal data (quoting the EDPS case on GA).
• When you combine unique identification numbers and the other information listed above, such as browser data or IP address - it is all the more likely that the complainant can be identified.
• Google has not proven that IP is anonymized before the transfer to the US, and even if it were - under FISA the NSA can access personal data residing in the EU as well.
• The Anonymize IP function doesn't help because since the complete IP address is processed for a certain - albeit very short - period of time on the Google LLC server. This short data processing period is sufficient for the facts of Article 4(2) of the GDPR to be fulfilled. This complete IP address can be accessed by US intelligence services - even if it was processed on Google's European servers.
• According to the case law of the ECJ, IP address can constitute personal data and it does not lose its characteristic as a personal data merely because the means of identification lie with a third party.
• For identifiability - the decisive factor is whether an identifiability can be established with a justifiable and reasonable effort according to which personal data are not - or no longer - available if the controller or a third party can only establish a personal reference with a disproportionate effort). In the present case, however, both Google US and US authorities possess special knowledge which makes it possible to establish a connection to the complainant in the sense of the above and therefore to identify him.

1. For Google: To the extent that the Google Analytics tool is implemented on a website, Google has the technical possibility to obtain the information that a certain Google Account user has visited this website (on which Google Analytics is implemented), provided that this Google Account user is logged into the Google Account during the visit
2. For the NSA: It cannot be ruled out that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant. the information relevant here constitutes personal data of the person most likely to have used the terminal device.

• The unambiguous wording of Article 4(1) of the GDPR are that it is linked to the ability ("can be identified") and not to whether an identification is ultimately carried out.

Roles :

• The complaint against Google US for a breach of the general principles of data transfers pursuant to Art. 44 GDPR is dismissed and Google US' role is not decided because it is not relevant to the case).
• Executing a DPA with SCCs even though you think this is "belt and suspenders" and there really isn't personal data being transferred - No soup for you. The DSB regards this as evidence of a transfer....

Cross Border:

• A more detailed analysis of the legal situation of the USA (as a third country) can be omitted here, as the ECJ has already dealt with this in the cited judgment of 16 July 2020. In doing so, it came to the conclusion that the EU-US adequacy decision is not justified on the basis of the relevant law of the USA.
• The data protection authority has no doubts that Google US as a provider of electronic communications services is therefore subject to surveillance by U.S. intelligence agencies pursuant to FISA 702.
• The data transfer in question cannot therefore be based solely on the standard data protection clauses concluded between the respondents

Supplemental Measures:

• With regard to the contractual and organizational measures: it is not clear to what extent a notification of the data subject about data requests (should this be permissible at all in individual cases), the publication of a transparency report or a "policy for dealing with government requests" are effective.
• Similarly, it is unclear to what extent the "careful examination of any data access request" is an effective measure.
• As far as the technical measures are concerned, it is also not recognizable - and was also not explained comprehensibly on the part of the respondents - to what extent the protection of communication between Google services, the protection of data in transit between data centres, the protection of communication between users and websites or an "on-site security" actually prevent or restrict the access possibilities of US intelligence services on the basis of US law.
• Pseudonymization: unlike in cases where data is pseudonymized in order to disguise or delete the identifying data so that the data subjects can no longer be addressed, here IDs or identifiers are used to make the individuals distinguishable and addressable. Consequently, there is no protective effect.
• As long as the second respondent himself has the possibility to access data in plain text, the technical measures invoked cannot be considered effective

Risk Based:

• The GDPR does not know of any "risk based approach" in Chapter V. This can only be found in certain articles of the GDPR, such as Art. 32.
• The success of a complaint of a violation of Art. 44 GDPR does not depend on whether a certain "minimum risk" is present or whether US intelligence services have actually accessed data. According to the wording of this provision, a violation of Art. 44 GDPR already exists if personal data are transferred to a third country without an adequate level of protection.
• When Google US complies with an NSA request, it is making a decision to process personal data beyond the specific order of the EU controller and this makes Google US its own controller and therefore required to comply with the provisions of Art. 5 GDPR (echoing Datatilsynet DK cloud guidance on this point). A secret transfer of data to US intelligence services in accordance with US law is undoubtedly not compatible with Art. 5(1)(f) of the GDPR, Art. 5(1)(a) of the GDPR and Art. 6 of the GDPR. [no analysis provided]
• The US intelligence agencies have never issued a FISA 702 order with respect to the type of Google Analytics data at issue doesn't matter. [stated that this is not compatible with Austrian procedural law and no analysis]
• There is no need to rule on the request to impose an immediate ban on the data transfers to the second respondent against the first respondent (as data controller), has removed the Google Analytics tool from its website in the meantime
• In its analysis of the legal situation in the US and the validity of the EU-US adequacy decision, the ECJ did not take a risk-based approach in Chapter V of the GDPR. In fact, such a risk-based approach is not mentioned in the aforementioned judgment
• The ECJ explicitly did not take into account that the obligations to which a Privacy Shield certified company from the US is subject may be appropriate in individual cases (e.g. because the certified company only receives non-sensitive or non-criminal personal data)

Art 49- wasn't argued.