GDPR & transfers / Google Analytics enforcement - purpose of this webpage

My paper of 24 Jan 2022, summarising post-Schrems II enforcement of the GDPR "transfers" restriction, covered the Austrian supervisory authority DSB's enforcement decision on using Google Analytics, the Google Fonts decision, the Cookiebot decision and the EDPS decision against the European Parliament on Analytics and Stripe, among others. But there's been a flood of other EU data protection authority decisions, court rulings or announcements on Google Analytics or other transfers issues since then.

As I haven't had time to update my paper yet, on 1 Mar 2022 I created the list below of key links to such decisions etc. that I found out about after my paper was uploaded (in reverse chronological order). Some pre-dated 24 Jan, but I hadn't picked them up at the date of uploading. I will aim to keep this webpage updated. Please let me know of any other links to add. NB. I'm only covering transfers and data localization issues, not other aspects of GDPR.

- also included below: more links reflecting the trend towards data localization and "data sovereignty" (an emotive and political phrase with no clear legal meaning, in my view!).

Links - GDPR & transfers/Google Analytics enforcement

(All translations to English were made using... 🥁Google's free online translation service! Emphasis added to some of the statements below.)
  • 25 May 2022 - European Commission's FAQs / Q&A on the 2021 SCCs published. No time for comments yet, but many of the issues raised in my article on practical problems with the 2021 EU SCCs don't seem to have been addressed...
  • 15 May 2022 - UK Information Commissioner John Edwards' speech mentioned international data flows as a key area for "collective application":
    • "This is an area crowded with expensive proxies, which impose significant cost on industry and governments, but which provide dubious benefits to those they are intended to protect. By proxies, I mean standard contractual clauses, binding corporate rules, individualised adequacy determinations, accreditation programmes like APEC’s CBPRs.
      They are proxies for the recognition of some of the most fundamental duties any state owes its citizens, the duty to protect them. And a recognition that in order to discharge that duty, organs of the state, being its security and intelligence arms from time to time need lawful, proportionate access to personal information... Until then [international progress] we need to keep working on the least bad options, and to that end I welcome the work of the DCMS International Data Transfer Expert Council" - of which I'm fortunate enough to be a member.
    • I hope this means he read my 2017 book on transfers and data localization particularly in cloud, where I argued that countries' data transfers restrictions were proxies for control of access to intelligible personal data! (or at least read Chris Reed's seminal book Making Laws for Cyberspace, which introduced the notion of certain laws being proxies for the real legislative objectives, notably copyright laws regulating acts of copying as proxies for the true underlying concern, use).
  • 18 May 2022 - blog by Microsoft's Brad Smith, "Microsoft responds to European Cloud Provider feedback with new programs and principles", including more data localisation and deglobalisation:
    • "We have completed or are now constructing 17 datacenter regions in Europe and are rapidly expanding our footprint across the continent"
      • But what about remote support or software maintenance from outside the EEA, will all that be localised too?
    • For EEA government/public sector bodies' "sovereign needs", partnerships with "trusted local cloud technology company" in Italy (Leonardo), France (Capgemini & Orange), Spain (Telefónica Tech), Germany (SAP & Arvato Systems)
      • Details of the model are not clear, but could it include some licensing of Microsoft software as suggested by CNIL in France? (see my GDPR transfers enforcement post-Schrems paper on CNIL's suggestion, and also on Microsoft's previous partnership with Deutsche Telekom after Schrems I, which model was terminated in mid-2018).
      • It seems some of these partnerships will extend to cloud services like Azure PaaS/IaaS and SaaS like Office365.
      • Again, what about remote support/maintenance from outside the EEA?
  • 16 May 2022 - EU Data Governance Act approved by Council, to enter into force 20 days after publication in the Official Journal, with a 15-month grace period before the new rules apply - not GDPR, but extending restrictions on transfers of non-personal data:
    • "The DGA creates safeguards for public-sector data, data intermediation services and data altruism organisations against unlawful international transfer of or governmental access to non-personal data. For personal data, the EU already has similar safeguards under the GDPR.
      In particular, the Commission – through secondary legislation – may adopt adequacy decisions declaring that specific non-EU countries provide appropriate safeguards for the use of non-personal data transferred from the EU. These decisions would be similar to adequacy decisions relating to personal data under the GDPR. Such safeguards should be considered to exist when the country in question has equivalent measures in place that ensure a level of protection similar to that provided by EU or member state law.
      The Commission may also adopt model contractual clauses to support public-sector bodies and re-users in the case of transfers of non-personal data covered by the DGA to third countries."
  • 16 May 2022 - EDPB news on Icelandic SA's fine (about €36k) imposed in early May 2022 on Reykjavík municipality for using the Seesaw educational system, including (but not only) for transfers to the USA without appropriate safeguards
    • The actual decision mentioned a "high risk" of transfer to the United States without appropriate safeguards, even though SCCs had been signed. "In this respect, appropriate protection measures would need to include the encryption of the data or something similar to ensure adequate protection of the information."
    • It does not appear that a transfer impact assessment was conducted.
  • 22 Apr 2022 - via NOYB 2 May 2022, a further Austrian SA decision (English translation), rejecting any risk-based approach to transfers and noting that IP address anonymisation only occurred after Google LLC had received the address, even if the anonymisation was conducted in the EEA.
  • 9 Mar 2022 - France's computer security agency ANSSI updated its cloud certification framework SecNumCloud (English translation)
    • The press release stated that this update is Schrems II compliant:
      “The "Schrems II" judgment of the Court of Justice of the European Union recalled the requirement to guarantee protection equivalent to that offered by the General Data Protection Regulation (GDPR) when personal data of European citizens are transferred outside the European Union (EU). Furthermore, and independently of the existence of transfers, certain extraterritorial legislations which do not offer a level of protection substantially equivalent to that guaranteed by the GDPR may apply to data stored by cloud providers within the territory of the EU. In this respect, SecNumCloud 3.2 provides strong guarantees in terms of protection against non-European legislation with extraterritorial scope.
      “While the CJEU's decision calls for a case-by-case analysis which can be complex, the SecNumCloud 3.2 repository provides an answer which is compliant by design with the Court's requirements for data protection in the cloud. The CNIL recommends the use of this standard for data controllers who want to guarantee a high level of protection of personal data” indicates Marie-Laure Denis, President of the National Commission for Computing and Liberties (CNIL). 
    • Key changes in SecNumCloud v3.2 relevant to transfers / data localisation (toned down a little from the 2021 draft that was more drastic regarding data localization, e.g. in effectively requiring support (9.7.d) and maintenance (12.13.a) only from EU-located persons):
      • Provider TIA 5.3:
        • "d) The service provider must list, in a specific document, the residual risks linked to the existence of extra-European laws aimed at collecting data or metadata from sponsors without their prior consent. e) The service provider must make available to the commissioning entity, at the request of the latter, the risk assessment elements related to the submission of the data of the sponsor to the law of a state that is not a member of the European Union."
      • Remote support 9.7.d: "In the context of technical support, if the actions necessary for the diagnosis and resolution of a problem encountered by a sponsor require access to the sponsor's data, then the service provider must:... in the case of an intervention carried out remotely by a person located outside the European Union, implement a secure gateway (bounce station) through which the person must connect and allowing supervision (authorization or prohibition of actions, requests for explanations, etc.) in real time, by a person who has himself satisfied the verifications of requirement 7.1.b [stronger background checks for those with admin rights]. The secure gateway must meet the security objectives specified in [G_EXT] adapted to the context of the technical support actions;"
      • Roots of trust 10.6.1: "On the technical infrastructure, the service provider must exclusively use key certificates issued by a certification authority of a Member State of the European Union (the master key generation ceremonies must take place in a member country of the European Union and in the presence of the service provider)."
      • Data localization 19.2.d: "The service provider must store and process technical data (identities of technical infrastructure beneficiaries and administrators, data handled by Software Defined Network, technical infrastructure logs, directory, certificates, access configuration, etc.) within the European Union".
      • Protection against extra-European law 19.6: "a) The registered office, central administration and [or?] main establishment of the service provider must be established within a Member State of the European Union" (19.6.a, which doesn't seem to preclude using an EU-established subsidiary of a US provider). I won't quote the rest of 19.6 here, which is long - see 19.6 translation, but there are new requirements regarding non-EU entities' control of shares/voting rights in the provider, any non-EU subproviders used can't have technical access to data, non-EU subproviders must "guarantee" certain service assurances, the provider's service must comply with legislation on fundamental rights and values (consider if it has links with a foreign government/public body), and the provider must give notice within 1 month of changes that may affect its compliance with 19.6.
      • Not new
        • The service agreement must specify the "location of the service" [whatever that means?], and (when from outside the EU) the location of support (19.1.b), and the provider must offer a service agreement specifying the law of an EU Member State (19.1.c);
        • Data localization 19.2: "a) The service provider must document and communicate to the commissioning entity the location of the storage and of the latter's data processing. b) The service provider must store and process the data of the sponsor within the European Union. c) The administration and supervision of the service must be carried out from the European Union. d) The service provider must store and process technical data (identities of beneficiaries and technical infrastructure administrators, data handled by Software Defined Network, technical infrastructure logs, directory, certificates, access configuration, etc.) within the European Union. e) The service provider may carry out support operations for sponsors from a State outside the European Union. He must document the list of operations that can be performed by the support to the sponsor from a State outside the European Union, and the mechanisms ensuring access control and supervision from the European Union."
      • (See also 12.10 on updates and code audits, new 19.1.b: "The service agreement must indicate that the collection, handling, storage, and more generally the processing of data made in the context of pre-sales, implementation, maintenance and termination of the service are carried out in accordance with the requirements laid down by the legislation in force", and 19.4.a provider must give 21 days' notice of deletion post-termination)
  • 9 Mar 2022 - Denmark's SA Datatilsynet - news item on cloud generally (rather than analytics specifically): Guidance on the use of cloud, in English, with Q&A (Danish). Comments are welcomed. Some translated extracts from the Q&A (emphasis added):
    • "Should I comply with the rules on third country transfers if a cloud provider offers a solution where the information is only stored in the EU and by IP filtering is cut off from being accessed from third countries?
      Maybe. If the cloud provider - either through additional services or as a service or support of its own infrastructure - can access the information from a third country, you must continue to observe the rules on third country transfers."
    • "Can I legally transfer personal information in clear text to the United States?
      If your data importer and / or the information you wish to transfer is covered by e.g. FISA 702, it is very difficult to transfer information in plain text to the United States, ie. without taking additional measures. If you can objectively prove that the problematic legislation, including eg FISA 702, will not be applied in practice to the information to be transferred, it may be possible. In addition, in certain cases and in special situations you can make exceptions to the rules on third country transfers."
    • "If the information is not transferred to the US, can one use a US cloud provider?
      Yes, you can. Even if a provider is covered by US law that may result in disclosure of information (eg US CLOUD Act), you can - if it is agreed and you are assured that the provider will comply with applicable EU law - make good use of the supplier in question."
  • 3 Mar 2022 - Liechtenstein's SA DSS - current topics: "...[especially post-Schrems II] the DSS no longer saw any legal basis to justify the personal data transfer to the USA associated with Google Analytics. Even if the often cited anonymization of the IP addresses is implemented by the website operator, further personal data is transmitted to Google... The findings of this [EDPB 101 taskforce] task force now serve as the basis for the judgments of the data protection authorities...
    Further decisions on the 101 complaints are expected from other European data protection authorities in the near future. Due to the coordinated approach, it can be assumed that the decisions will also be against the use of Google Analytics. So far, the data protection authorities have refrained from fines. However, this could change rapidly in the future.
    The DSS therefore calls on those responsible to design websites in compliance with data protection and to use alternative, data protection-compliant solutions instead of Google Analytics. Even if the DSS is not currently conducting official investigations in relation to Google Analytics, there have already been a number of complaints in Liechtenstein that could be resolved amicably by the website operators immediately deactivating Google Analytics."
      • Note on 101 taskforce: the EDPB decided in its 37th meeting, 2 Sept 2020, to create a taskforce to look into complaints filed in the aftermath of the CJEU Schrems II judgement - 101 identical complaints lodged with EEA SAs against several EEA controllers regarding their use of Google / Facebook services which involve the transfer of personal data. This task force held its first meeting before the EDPB's 38th meeting, 14 Sept 2020, aiming to achieve a consistent approach to the complaints. MEPs' complaints with NOYB were noted in the 45th meeting, 2 Feb 2021 (presumably the complaint against the European Parliament covered in my SSRN paper). In the 57th meeting, 18 Nov 2021, the outcome of the 101 taskforce's work was noted: "The outcome of the work will be used as a resource on which SAs can rely when making their own assessment in the context of the national procedures. The importance of the work carried out by the 101 Taskforce to promote consistency was highlighted." Hence the increasing number of SA decisions being issued on these complaints since Nov 2021.
  • 23 Feb 2022 - European Commission's news item about the proposed EU Data Act which includes Art.27, International access and transfer:
    • "1.  Providers of data processing services shall take all reasonable technical, legal and organisational measures, including contractual arrangements, in order to prevent international transfer or governmental access to non-personal data held in the Union where such transfer or access would create a conflict with Union law or the national law of the relevant Member State, without prejudice to paragraph 2 or 3 [court judgments, administrative decisions etc - if MLATs or no MLATs] ...", plus notice of administrative requests (see also Recital 77).
  • 10 Feb 2022 - France's SA CNIL - news item, and full text of decision (translation) taking a similar approach to Austria's SA on transfers to the US of website visitors' IP addresses, online identifiers, browser data etc. through the website's use of Google Analytics and Google's SCCs, and rejecting the sufficiency of Google's supplementary measures. The draft decision went through the Art.60 cooperation procedure in Jan 2022 without any objections, no doubt because of the 101 task force's work.
    • This decision was anonymised but no doubt the company was one of the six with .fr domains that were named in NOYB's 101 list.
  • 2 Feb 2022 - Belgian's SA APD - decision on IAB's TCF, including on transfers (see IAB Europe's statement 2 Feb, and its intention to appeal 11 Feb; on what are TC Strings and CMPs, see IAB Europe's FAQs):
    "386. Finally, when the CMPs determine the list of recipients in accordance with the publishers' instructions, the Litigation Chamber finds that the publishers bear the main responsibility for the transfer of personal data to adtech vendors, without prejudice to IAB Europe’s responsibility, without which the global list of participating adtech vendors would not exist in the first place...
    ...490. With regard to the allegation by the plaintiffs that IAB Europe also violates Articles 44 to 49 GDPR, the Litigation Chamber acknowledges, in view of the scope of the Framework — which involves a large number of participating organisations — that it is evident that personal data captured in the TC Strings will be transferred outside the EEA at some point by CMPs, and that the defendant is acting as data controller in this regard (see para. 356-357). However, the Litigation Chamber notes that the Inspection Service did not include an assessment of a concrete international data transfer in its report. For this reason, the Litigation Chamber concludes that there is an infringement of the GDPR, but in view of the lacking evidence of a systematic international transfer, as well as the scope and nature thereof, the Litigation Chamber finds it is not in a position to sanction the defendant for a violation of articles 44 to 49 GDPR. Notwithstanding the previous, the Litigation Chamber also finds that these international transfers of personal data, where applicable, must be assessed primarily by the publishers and CMPs implementing the TCF. The Litigation Chamber finds that the publishers are responsible and accountable for taking the necessary measures to prevent personal data collected through their website and/or application from being transferred outside the EEA without adequate international transfer mechanisms.
    491. This being said, the Litigation Chamber also finds that the defendant should facilitate the due diligence incumbent on the publishers and CMPs, e.g. by requiring adtech vendors to indicate clearly whether they are located outside the EEA or whether they intend to transfer personal data outside the EEA through their data processors. Furthermore, the Litigation Chamber notes that, contrary to its obligation under the principles of accountability and of data protection by design and by default, IAB Europe did not foresee any mechanism to ensure that participating publishers and CMPs have put in place adequate mechanisms for potential international transfers of the TC String, as foreseen under Articles 44 to 49 GDPR, both at the time of its creation and when transmitting the TC String to participating adtech vendors. The preamble of the TCF Policies merely indicates that the TCF “is not intended nor has it been designed to facilitate […] more strictly regulated processing activities, such as transferring personal data outside of the EU”. The Litigation Chamber finds that this does not meet the requirements of Articles 24 and 25 GDPR..."
    • Note: the IAB's initial response stated that "it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct. Today’s decision would appear to clear the way for work on that to begin." While the IAB didn't indicate any intention to adapt TCF as a GDPR code of conduct for transfers, on 22 Feb 2022 the EDPB finalised its guidelines 04/2021 on codes of conduct as tools for transfers, so it would no doubt behove the IAB to consider those guidelines too.
  • 26 Jan 2022 - Norway's SA - news item: "The Norwegian Data Protection Authority (EDPS) has also made a similar decision. The Norwegian Data Protection Authority is also currently dealing with one case concerning the use of Google Analytics.
    - Although we have not concluded in these cases, we will look at European practice in case processing, Judin says.
    We know that there will also be more decisions about Google Analytics from other European data regulators. Therefore, we now recommend everyone to explore alternatives to Google Analytics."
  • 21 Jan 2022 - Guernsey's data protection authority, ODPA - news item (not EEA, but...): "Because we were using it [Google Analytics] in such a limited way, and in light of the January 2022 judgment by the Austrian Data Protection Authority on its use within the EU, we decided to remove it from our website."
  • 20 Jan 2022 - Germany, LG Munich court decision, awarded a website user €100 because the website used Google Fonts, thus transmitting the user's dynamic IP address to Google in the US: "It must also be taken into account that the IP address was undisputedly transmitted to a Google server in the USA, although an appropriate level of data protection is not guaranteed there (cf. ECJ, judgment of 16.7.2020 - C-311/18 (Facebook Ireland and Schrems), NJW 2020, 2613) and the liability from Art. 82 Para. 1 DS-GVO is intended to prevent further violations and to create an incentive for security measures."
  • 19 Jan 2022 - Google's blog - emphasising that "...Google has offered Analytics-related services to global businesses for more than 15 years and in all that time has never once received the type of demand the [Austrian] DPA speculated about. And we don't expect to receive one because such a demand would be unlikely to fall within the narrow scope of the relevant law." (pre-24 Jan, but I didn't specifically note that point in my paper).
  • 19 Jan 2022 - Denmark's SA, Datatilsynet - news item: "In Denmark, the Danish Data Protection Agency will read the decision closely and - on the basis of several forthcoming decisions from other countries - provide further guidance on this to Danish companies and authorities."
  • (date unclear but after 7 and on or before 13 Jan 2022, based on the Internet Archive) - Netherland's SA, AP - cookies webpage (under Questions, Show more Q&A):
    "Please note: use of Google Analytics may soon not be allowed
    The Austrian privacy regulator completed an investigation into the use of Google Analytics by an Austrian website in January 2022. According to the Austrian supervisory authority, Google Analytics does not appear to comply with the GDPR in this investigated case.
    The AP is currently investigating two complaints about the use of Google Analytics in the Netherlands. Upon completion of that investigation, in early 2022, the AP will be able to say whether Google Analytics is now allowed or not."


Further links to relevant matters not mentioned in my paper:

  • 17 Nov 2021 - Denmark's SA, Datatilsynet - news item: "in this connection, Næstved Municipality has supplemented by the fact that Amazon Web Service (AWS) Frankfurt is the sub-processor for Siteimprove, which is also stated in the data processor agreement between Næstved Municipality and Siteimprove. The agreement ensures that personal data is only stored in the EU. In this connection, AWS Frankfurt has in the agreements and publicly given guarantees that this restriction will be maintained and that there will be no transfer to countries outside the EU - including the USA. It is Næstved Municipality's opinion that there is no real risk that information will be transferred to the USA in violation of these guarantees in connection with online support or the like...
    Finally, the Danish Data Protection Agency has emphasized that AWS, which is used as a sub-data processor for the processing of personal data for statistical purposes, has by agreement and publicly guaranteed that there is no transfer of data to countries outside the EU, and that the processing therefore takes place under Siteimprove's controlled framework.
    Against this background, the Danish Data Protection Agency assesses that Næstved Municipality's processing of personal data about website visitors on www.naestved.dk has taken place as part of the municipality's exercise of authority and thus within the framework of the Data Protection Ordinance, Article 6 (1). 1, letter e."
  • 28 Sept 2021 - Microsoft's first post in a four-part series on the NOBELIUM nation-state cyberattack including SolarWinds.
  • 31 Aug 2021 - the European Data Protection Supervisor (EDPS) temporarily authorised the use of ad hoc clauses for transfers through using Cisco Webex.
  • 14 Apr 2021 - University of Surrey - news item on academic study showing 100 per cent rise in nation-state attacks in the last three years: summary; report.