Europe’s Move Against Google Analytics Is Just the Beginning

Austria’s data regulator has found that the use of Google Analytics is a breach of GDPR. In the absence of a new EU-US data deal, other countries may follow.
[Illustration: A viewfinder points at the Google logo. Credit: Elena Lacey]

The Austrian website of medical news company NetDoktor works like millions of others. Load it up and a cookie from Google Analytics is placed on your device and tracks what you do during your visit. This tracking can include the pages you read, how long you are on the website, and information about your device—with Google also assigning an identification number to your browser that can be linked to other data.

NetDoktor can use this analytics data to see how many readers it has and what they’re interested in—the website picks what it collects. But by using Google Analytics, the tech giant’s traffic monitoring service, all this data passes through Google’s servers and ends up in the United States. For data regulators in Europe, the shipping of personal data across the Atlantic remains problematic. And now a small Austrian medical website finds itself at the center of an almighty tussle between US laws and Europe’s powerful privacy regulations.

On December 22, the Austrian data regulator, Datenschutzbehörde, said the use of Google Analytics on NetDoktor breached the European Union’s General Data Protection Regulation (GDPR). The data being sent to the US wasn’t being properly protected against potential access by US intelligence agencies, the regulator said in a decision that was published last week. Days earlier it was revealed that European Parliament’s Covid-19 testing website had also breached GDPR by using cookies from Google Analytics and Stripe, according to a decision from the European Data Protection Supervisor (EDPS).

The two cases are the first decisions following a July 2020 ruling that Privacy Shield, the mechanism used by thousands of companies to move data from the EU to the US, was illegal. These landmark cases will likely pile pressure on negotiators in the US and Europe who are trying to replace Privacy Shield with a new way for data to flow between the two. If an agreement takes too long, then similar cases across Europe could have a domino effect, with cloud services from Amazon, Facebook, Google, and Microsoft all potentially being ruled incompatible, one country at a time. “This is an issue that touches all aspects of the economy, all aspects of social life,” says Gabriela Zanfir-Fortuna, vice president of global privacy at Future of Privacy Forum, a nonprofit think tank.

NetDoktor isn’t unique—but it is the clearest hint yet that European regulators still don’t like the way US tech companies send data across the Atlantic. Current US surveillance laws, including Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, don’t protect data held on people living outside the US as well as they do those living inside it. In short: It’s theoretically possible for US surveillance agencies to collect huge amounts of data that’s moved to the country.

“What they do right now would be a violation of the Fourth Amendment if it's for US citizens,” claims Max Schrems, honorary chair of legal nonprofit organization noyb, who launched the legal cases that brought down Privacy Shield in 2020 and its predecessor Safe Harbor in October 2015. “Just because people are foreigners it's not a violation of the US Constitution.” One outcome of the 2020 Privacy Shield ruling is that companies moving data from the EU to the US must make sure there are extra measures in place to protect that information. Now the Austrian Data Protection Authority has determined that the technical measures put in place by Google Analytics—including limiting access to data centers and encrypting data as it moves around the world—don’t do enough to stop it potentially being scooped up by US intelligence agencies.

Because Google could access data in plain text, the data wasn’t protected from potential surveillance, the body’s decision says. “This transfer was found to be unlawful because there was no adequate level of protection for the personal data transferred,” says Matthias Schmidl, the deputy head of the Austrian data regulator. He adds that website operators cannot use Google Analytics and be in line with GDPR.

At the moment, the decision applies only in Austria and isn’t final. Websites across Europe aren’t suddenly going to stop using Google Analytics. NetDoktor didn’t respond to a request for comment. “While this decision directly affects only one particular publisher and its specific circumstances, it may portend broader challenges,” says Kent Walker, Google’s senior vice president for global affairs and chief legal officer. In a blog post published on January 19, Walker says that the company believes the technical measures it has put in place protect people’s data, and that this kind of decision could impact how data flows across the “entire European and American business ecosystem.”

And this is just the beginning. When noyb filed the complaint against NetDoktor in August 2020, it also filed 100 other cases with other data protection authorities across Europe. “It's not specific to Google Analytics. It's basically about outsourcing to US providers in general,” Schrems says.

Regulators in 30 European countries are currently investigating the other cases, which cover both the use of Google Analytics and Facebook Connect, the company’s tool to link your account to other sites. Country-specific websites belonging to Airbnb, Sky, Ikea, and The Huffington Post are also subject to complaints. “The majority of these decisions will have the same or similar outcomes,” says Zanfir-Fortuna. This is likely, she says, as noyb used the same legal arguments for all of its cases, and in response data protection regulators formed a task force to discuss the legal issues. “We expect that this is going to mobilize country by country, wherever it drops,” Schrems says.

The Dutch data protection authority, Autoriteit Persoonsgegevens, says it is finalizing its investigation and hasn’t ruled out the possibility that the use of Google Analytics in its current form will be banned. In Germany, where data issues are regulated by region, Hamburg’s data protection authority received two complaints from noyb and says in one case the website has removed Google Analytics, so it “does not plan to issue any orders or a fine” in this case. It is still investigating the other case.

Despite coordination by data regulators, there may be some differences of opinion, says Simon McGarr, director of data compliance for Europe at McGarr Solicitors. “The Austrian position is probably at one end of a spectrum of opinion—and it would probably represent the most radical end,” he says, adding that other data bodies will either endorse, amend, or reject that line of reasoning. Disagreement across the EU’s 27 GDPR enforcers is not uncommon: Last year an Irish Data Protection Authority fine against WhatsApp was increased by €175 million after other regulators disagreed with the decision. McGarr says it’s possible other EU regulators looking at the noyb cases may come to different conclusions based on the facts of each case.

A spokesperson for the EDPS says its view is that personal data moving to the US needs to be protected by “effective supplementary measures.” The body is also currently investigating how official EU organizations use Amazon Web Services and Microsoft Office 365.

So what happens next? The Austrian decision—and other similar cases currently being considered—highlight the tensions between Europe’s strong privacy laws and what happens to data once it leaves the bloc. Some are optimistic that it could reduce Europe’s reliance on major US technology companies, while others say it highlights the importance of making sure negotiators from both sides strike a new deal that allows data sharing before data flows and economies are disrupted.

Companies are likely to look at the decision by the Austrian authority and potentially consider alternatives while they wait for further rulings from other national data bodies, says Guillaume Champeau, director of public affairs at cloud architecture platform Clever Cloud. “It could really help change the business landscape to make competition fairer in Europe,” he adds. Champeau argues there are plenty of European cloud-based analytics businesses that don’t get as much attention as Google Analytics, which is estimated to be used by 28 million websites worldwide.

Schrems says that if similar decisions keep dropping in the next year, he expects that some large companies, such as banks, may start to question who should be responsible for their GDPR problems. “If people invest millions of euros into some cloud solution that then turns out to be illegal, there's going to be huge questions about who pays the bills in the end,” he says. The Austrian regulator did not say if it had fined NetDoktor, but the case is yet to be fully finalized.

Wider than this, Schrems says he does not expect Silicon Valley companies to change their technology or attitudes yet. “There is simply no willingness by Silicon Valley to adapt to these rules,” he claims. Internal Facebook documents seen by Politico show that the company thinks there aren’t any problems with shipping EU data to the US, and that the company’s lawyers think US laws protect data from the EU as well as if it were staying in the bloc. A Google spokesperson says the company has “no plans to share,” when asked if it intends to change where European data is processed.

It’s more likely that EU and US negotiators will broker a new data sharing deal before major technology firms radically change their approach. The EU and US have been discussing what should replace Privacy Shield since it was struck down in July 2020. But these discussions are yet to result in many concrete proposals. Officials have floated greater oversight of US security agencies, including judges who decide whether the collection of EU data is legal. “The easiest way would be to say there needs to be some judicial approval of surveillance, and so on, as it is for American citizens,” Schrems says.

Negotiations have intensified in recent months and are a priority for both sides, says a European Commission spokesperson. There are red lines though: It is unlikely the commission would want a Privacy Shield successor to be defeated in court again. “Only an arrangement that is fully compliant with the requirements set by the EU court can deliver the stability and legal certainty stakeholders expect on both sides of the Atlantic,” the commission spokesperson says. US representatives had not replied to a request for comment at the time of publication.

Zanfir-Fortuna says the Austrian decision is likely to put more pressure on negotiators but adds it is unlikely there will be any legislative changes in the US. A federal US privacy law appears to be some way off and there may not be much appetite for entirely reforming surveillance laws. Instead, Zanfir-Fortuna says, changes that allow for Privacy Shield to be replaced may come from executive orders that can be passed with less political debate.

That position is something Google largely agrees with. Minutes of meetings between Google and the European Commission, released under freedom of information laws, show the company hoped any Privacy Shield successor “would not require Congressional action.” In his blog post, Walker urged EU and US negotiators to “quickly finalize” a successor to Privacy Shield. “The stakes are too high—and international trade between Europe and the US too important to the livelihoods of millions of people—to fail at finding a prompt solution to this imminent problem,” he claims.

Ultimately the ongoing legal wranglings and political negotiations may open up Privacy Shield’s replacement to more legal scrutiny—the cycle of agreements being struck down could continue if European organizations don’t consider data moving to the US to be properly protected from surveillance. “It's very possible that we will see a replacement of the Privacy Shield in the next couple of months,” Zanfir-Fortuna says. “The question then is for how long will a new Privacy Shield ensure certainty for transfers in the absence of reforms in the US?”
