GDPR & transfers / Google Analytics enforcement - purpose of this webpage

My paper of 24 Jan 2022, summarising post-Schrems II enforcement of the GDPR "transfers" restriction, covered the Austrian supervisory authority DSB's enforcement decision on using Google Analytics, the Google Fonts decision, the Cookiebot decision and the EDPS decision against the European Parliament on Analytics and Stripe, among others. But there's been a flood of other EU data protection authority decisions, court rulings or announcements on Google Analytics or other transfers issues since then.

As I haven't had time to update my paper yet, on 1 Mar 2022 I created the list below of key links to such decisions etc. that I found out about after my paper was uploaded (in reverse chronological order). Some pre-dated 24 Jan, but I hadn't picked them up at the date of uploading. I will aim to keep this webpage updated (with developments on items just under the original items themselves rather than separately flagged). I also reorganised this on 22 July 2022 to add a new section for non-enforcement or non-UK/EU related matters:

This webpage was last updated on: 25 Sept 2022 - Added: Danish SA's news release against use of Google Analytics, and detailed FAQs

Please let me know of any other links to add? NB. I'm only covering transfers and data localization issues, not other aspects of GDPR. If you find this list of links/summaries useful, please credit me by linking to this webpage. I only ask for attribution not even coffee! 😊

(All translations to English were made using... 🥁Google's free online translation service! Emphasis added to some of the statements below.)
  • 21 Sept 2022 - Denmark, news release: Danish SA Datatilsynet says that, after investigating Google Analytics, its settings and tools, Google Analytics can't be used legally without implementing a number of additional measures beyond the settings provided by Google, reiterating that this is the pan-European view of SAs. This is despite Google having made additional settings available, since the Austrian decision, controlling what information can be collected via GA. The SA's detailed FAQs on Google Analytics are worth a read; here's my summary:
    1. Can transfers to the US be prevented? The SA thinks GA can't be configured to avoid transfers to the US, but says to check with Google whether GA can be used without any transfers of personal data to the USA!
    2. Can GA be set up to not collect personal data? GA assigns visitors unique identifiers and collects info about website interactions, time, approx. location, browser, operating system etc. It's possible to disable/not activate sharing data with Google for product development or Google Signals targeted marketing, and from Jan 2022 GA (at least GA4) can be configured to avoid collecting much more info, e.g. browser, OS. But even with the lowest sharing/collection settings, identifiers, website interactions and time/location are still collected and are still personal data.
    3. Is use of GA banned? No. But controllers must be able to demonstrate compliance with data protection rules. If you believe your setup and use of GA differs from the conditions the SA reviewed, document this and be able to demonstrate how the issues the SA identified aren't relevant to your use of GA. If your setup is the same, you're taking legal risk. However, ultimately the legal decision is for the courts.
    4. Isn't GA data pseudonymised? 
      • An IP address can be associated with an individual. Google said IP addresses aren't written to disk but hasn't clarified whether its zeroing of the address's last octet (last 80 bits for IPv6) occurs before transfer to the US; seemingly this occurs in the nearest regional data center, which probably means European servers for those visiting a Danish organisation's website - however, visitors from e.g. Asia are connected directly to US servers if those are closest, so their IP addresses can be transferred to the US before anonymization.
      • GA4 uses IP address to determine approx. location, then discards the address. But, as with the current Universal Analytics, this could happen on US servers.
      • What's the problem with US servers? Google's firewall logs record incoming traffic; Google could link log info with GA info to derive IP addresses etc. Third country authorities could obtain info about the individuals linked to those IP addresses through legal channels such as agreements on mutual legal assistance (MLATs). So, the information isn't pseudonymized, as third country authorities could obtain additional information to attribute GA information to individuals.
    5. What about technical measures? 
      • Encryption is effective here only if the keys are controlled exclusively by the data exporter or a third party within the EU/EEA or in a secure third country. Google's encryption isn't good enough, as Google can access plaintext data.
    6. Pseudonymisation? Datatilsynet follows CNIL: a reverse proxy server for Internet traffic from website visitors could enable organizations to control which information is collected and which information is then sent to the servers used to deliver the web analytics tool, e.g. Google's servers, but the proxy must be configured to meet the conditions for effective pseudonymisation, i.e. public authorities in the importing country must not be able to attribute the pseudonymised information to an identifiable person, alone or in combination with additional information. See CNIL's reverse proxy guidance.
    7. What about a risk-based approach to the likelihood of authorities' requests for access? No. If it's possible (not just probable) that third country authorities can access personal data under laws/practices that can't ensure essentially equivalent protection to European standards, technical measures are necessary to make access impossible or ineffective.
    8. What about consent? Derogations like consent must be understood narrowly so as not to become the rule. Therefore consent isn't compatible with the usual use of GA involving general transfers to the US.
    9. But Google says it's never received US authority access requests for GA info in 15 years? The assessment of whether "problematic" legislation in a third country actually applies to the specific information concerned can't be based solely on the importer's statements, they must be supported by objective, reliable and accessible information.
    10. Any grace period? No. On the contrary, CJEU judgments are retroactive (!). But the SA will take account of the extent to which an organisation actively takes steps to bring its processing into compliance, whether the transfers were previously based on Privacy Shield, and how soon after Schrems II the process to legalise the position began. So organisations must assess their continued use of GA and legalise their use or stop using it - see CNIL's overview of other analytics tools. And it's organisations' own responsibility to demonstrate compliant use of GA.
    11. What about the new EU-US Trans-Atlantic Data Privacy Framework? It's not in place yet. Datatilsynet and the EDPB are ready to help assess its sufficiency. But the precise timing remains unknown.
  • 7 Sept 2022 - Germany, news report: the Karlsruhe Higher Regional Court (news release), in its ruling Az. 15 Verg 8/22, overturned the 13 Jul 2022 Baden-Württemberg Public Procurement Chamber decision (judgment text):
    • The court held that German public authorities, in this case two municipally-owned hospital companies, could use EU subsidiaries of US cloud providers relying on the provider's contractual commitments that data will be processed only in Germany and not transferred to any third country, and that the authority had to gather further information and verify whether the contractual assurances could be met only if specific factual indications raised doubts.
    • Note: as the judgment referred to a Luxembourg subsidiary, the cloud company concerned must be Amazon Web Services, because of the main US cloud companies only AWS uses a Luxembourg subsidiary for contracting with European customers.
  • 5 Sept 2022 - Germany, news report: Freie Universität (FU) Berlin has reportedly been ordered by Berlin's SA to stop using Cisco Webex video conferencing (Webex Events, Webex Training and Webex Teams) by the end of Sept 2022, but is resisting
    • Students had previously complained about its use, including transfers to the US
    • The EDPS had previously temporarily authorised contractual clauses for the use of Webex by the Court of Justice of the EU in Aug 2021, see Further links below
  • 29 Aug 2022 - Austria, news report: Austrian lawyer Marcus Hohenecker sent website operators letters claiming data protection violations and demanding €190 compensation, because they were said to use Google Fonts (see the 20 Jan 2022 case in Germany). Apparently over 10,000 such letters were sent. Another lawyer, Peter Harlander, who represents over 100 affected organisations, has reported him to the Lower Austrian Bar for disciplinary proceedings and made a fraud/extortion complaint to the public prosecutor's office, as it seems the websites might have been targeted by automated means without human access.
    • Shades of the copyright infringement claim letters that have been sent out in the UK for years, including allegedly for pornographic videos, with accusations of copyright trolling, scamming and extortion against the law firms involved.
    • Light relief : one such letter was apparently addressed to 12th century abbess, composer and poet Hildegard von Bingen, as there's a website dedicated to her - which seemingly uses Google Fonts!
  • As at 23 July 2022 - the Netherlands' SA, AP - cookies webpage (under Questions, Show more Q&A) now states:
    "In 2022, several European privacy regulators completed investigations into the use of Google Analytics by websites in various EU Member States. The AP has now completed the investigation into two such websites of Dutch providers. A report has been drawn up of the findings. A legal procedure still has to be completed by the Enforcement Department of the AP. The AP expects to be able to say in the course of 2022 whether the use of Google Analytics is allowed or not."
  • 14 July 2022 - Denmark's SA Datatilsynet press release and decision (in Danish) & EDPB's 19 Jul 2022 news item (called Elsinore in translation) on Helsingør Municipality's use of Google's Chromebooks and Google Workspace (formerly G-Suite for Education) for schools (i.e. including children's data), criticising the Municipality's previously-ordered risk assessment and ordering it to suspend transfers to the USA (and delete already-transferred data) and stop using Workspace until an adequate impact assessment had been conducted and the processing was brought into compliance with GDPR. In short: another decision effectively ignoring the likelihood of actual access; even the theoretical risk of US government access again seemed enough, and possible access to personal data purely for support purposes constituted a transfer. Again, encryption is not a sufficient technical measure if the importer can access  intelligible data.
    • Google Cloud EMEA Ltd (incorporated in Ireland) was the Municipality's contracted processor.
    • Via Google Workspace for Education settings, the Municipality ensured personal data was only stored in data centers located within the EU/EEA.
    • The Municipality had conducted a TIA, concluding that the probability of the risk eventuating was low.
    • However, personal data could be transferred to third countries under the SCCs for support purposes, available to Google LLC in plain text.
    • The SA considered that Google LLC - when providing the service (support etc.) that gives rise to the transfer of personal data to it - must be considered an "electronic communications service provider" and thus may be subject to directives from law enforcement authorities under FISA 702. It also noted that contractual and organizational supplementary measures will generally not address access to or collection of personal data by US law enforcement authorities for surveillance purposes. It will therefore be necessary to take additional technical measures.
    • Encryption can be an effective supplementary measure that is suitable to supplement the EU Commission's standard contract and, overall, bring the level of protection in a third country up to the required European level. However, despite the personal data being encrypted in transit and at rest, Google LLC had access to the plaintext, so the SA found that here encryption was not suitable to address the conditions in the USA preventing the SCCs from being a sufficient means of ensuring effective protection of transferred personal data, and that the Municipality of Helsingør had not taken the necessary supplementary measures to bring the level of protection up to the level required in the EU/EEA.
    • So the transfer of personal data that Helsingør Municipality had instructed Google Cloud EMEA Limited to carry out did not comply with the GDPR's transfers restrictions.
    • Note: since upheld in a full decision of 18 Aug 2022 (press release, including "the Data Protection Authority encourages other municipalities with similar circumstances to look at the same areas as in this case - especially in relation to unauthorized disclosure and transfer to unsafe third countries"), selected quotes:
      • ...In this context, the Data Protection Authority has in particular emphasized that the Helsingør Municipality's instructions to Google to only process "Customer Personal Data" for the municipality's purposes do not include all the personal data that is processed when the municipality's students use Google Chromebooks and Workspace, and that there are a number of personal data in the form of "Service Data", which is collected and passed on to Google for use for Google's own purposes.
      • ...It is thus not sufficient that Helsingør Municipality has only dealt with the risks to the rights and freedoms of the data subjects in Google Workspace – and not in the entire technology stack, including e.g. The Chrome browser and Google OS...
      • ..In addition, the data controller must assess whether there are risk scenarios that could imply illegal processing of personal data. In such risk scenarios, the Danish Data Protection Authority understands possible situations that may arise unintentionally and which involve a deviation from the intended, legal processing activity. It may, for example, be unintentional processing of personal data that the data controller is not authorized to process. It can also be an accidental collection of more information than is necessary in light of the purpose or an accidental failure to delete information when the data controller no longer needs the information. Likewise, it may be unintentional transfers to third countries or the use of data processors who cannot provide the necessary guarantees for compliance with the data protection regulation...
      • ...The previously announced ban of 14 July 2022 is therefore maintained, but amended so that the Data Protection Authority notifies Helsingør Municipality of a ban on processing personal data using Google Chromebooks and Workspace for Education. The ban applies until Helsingør Municipality has brought the processing activity in line with the data protection regulation as stated in the decision of 14 July 2022 and has complied with the regulation's Article 35(1) and (7) and Article 36(1)...[DPIA]
  • 13 July 2022 - Germany, Baden-Württemberg Public Procurement Chamber decision Az. 1 VK 23/22. Complaints were raised on several grounds, but only the transfers issues are covered below.
    • A public procurement chamber/tribunal ruled on the applicant's claims contesting a public authority's award under an open tender to a company whose subcontractor X (for server/hosting services) was based in an EU country and had servers physically located in Germany - but X was a subsidiary of a US company.
    • The chamber said use of X for hosting services was a "transfer". The personal data can be accessed from a third country, regardless of actual access, and the server's EU location is irrelevant. There is a latent risk of illegal transfers.
    • So, using X, a European company whose parent company is US-based X. Inc., is an inadmissible data transfer to a third country.
    • X's Data Processing Addendum allows transfers from the selected region where necessary to provide the service or to comply with a legal or valid order of a governmental authority. X also undertakes contractually to challenge any excessive or unreasonable request from a state authority, including requests that conflict with the law of the EU or the applicable law of the member states. But the latent risk of access by public authorities under these clauses is sufficient for the transfer to be inadmissible under data protection law; the obligation to challenge excessive requests does not eliminate this latent risk.
      • Note: this seems to follow the increasingly-taken approach that even a theoretical risk of third country public authority access is enough - i.e. no transfers are permissible unless there is a zero risk of access. Zero risk of access is impossible in real life even with personal data hosted in the EEA by all-EEA-only companies, as that data could theoretically be accessed by hackers. Zero risk of access doesn't exist even in that situation, so are they saying that personal data can never be stored electronically anywhere unless air gapped?! Indeed, even air-gapped systems aren't 100% secure; think Stuxnet and malware-infected USB drives. Or should personal data never be stored at all, even in paper form, because the risk of theft of paper files is non-zero? I say again, there really needs to be greater emphasis on data security (wherever data is hosted, whoever hosts it), rather than on theoretical risks under transfers.
      • Note: overturned by Karlsruhe court on 7 Sept 2022, see above.
    • Standard data protection clauses cannot legitimise transfers per se; rather, a case-by-case examination is required. As explained above, this leads to the assumption of inadmissibility under data protection law. There is also no derogation under Art. 49 GDPR here.
      • Note: it seems no transfer impact assessment was conducted here ("case by case examination"), which however is not surprising given the subcontractor was an EU company hosting the data in Germany. So the "no risk-based" approach is now being extended even to EU subsidiaries of US companies - contrary to the French decision discussed in my Jan 2022 paper on transfers enforcement, which noted that the CJEU did not discuss such subsidiaries in its ruling.
    • Note: This decision is being reviewed by the Karlsruhe Higher Regional Court so is not yet final. On 15 Aug 2022 the Baden-Württemberg SA criticised the decision (can any German speaker shed further light?):
      • It seems the chamber had not successfully accessed the relevant contractual clauses, the term prohibiting transfers was not sufficiently examined, but most of all the chamber's equating of access risk and transfer (as processing) was legally questionable. Completely rejecting a risk-based approach is unconvincing and ignores technical-organisational measures to address and possibly exclude the access risk. But the chamber did not consider the encryption tech used here for reasons of public procurement law. The best way to implement GDPR is still individual case by case examinations, not blanket transfer bans.
  • 12 July 2022 - EDPB's statement on transfers to the Russian Federation
    • This statement seems very bland and non-committal, particularly in light of an EDPB-commissioned report on government access to data in third countries (specifically China, India & Russia), Nov 2021, concluding that:
      "Russian data protection law is a complex matter. Although the formal legislative framework seems comprehensive, the enforcement and the application of the legislation has serious drawbacks. In addition, Russia has a striking record of violating the European Convention of Human Rights (ECHR) related to other related rights and freedoms, such as the freedom of expression. Especially in relation to the interests of national security, the right to data protection and privacy is limited. This was also stated by the European Court of Human Rights (ECtHR) in the Roman Zakharov v. Russia case. Considering the close correlation between the ECHR and the EU-Charter, careful consideration should be given to personal data transfers to Russia. Further, when it comes to state surveillance and data protection, some scholars argue, that digitalisation has led to new types of surveillance and possibilities of censorship and information controls. This reflects one of the major findings of this report, that authorities tend to use data protection laws as a means of enforcing political aspirations, maintaining control of the internet, and protecting the interests of the government. Finally, compared to the EU, Russian authorities take a significantly more negative approach to balancing fundamental rights in the digital sphere, putting protection of the State ahead of the interests and rights of data subjects."
  • 23 June 2022 - Italy's SA Garante press release and decision (in Italian), prohibiting websites' use of Google Analytics, with reprimand for one website and 90 days to comply
    • From the same hymnsheet as previous decisions in France, Austria - i.e., Google's measures aren't considered enough
    • EDPB summary 30 June 2022
  • 7 June 2022 - France's SA CNIL's Q&A on its notices (see item dated 10 Feb 2022, below) to several organisations re use of Google Analytics (notice text)
    • Google Analytics use (which Google confirmed always involves transfer to/hosting in the USA) is illegal
    • CNIL's view reflects SAs' coordinated position, e.g. Austria (see my Jan 2022 paper)
    • SCCs with Google aren't enough to legitimise its use; Google's additional legal, organisational and technical measures aren't enough to protect personal data against US intelligence services' access
    • Third country authorities may oblige companies subject to non-European jurisdiction to disclose personal data hosted on EU-located servers - but we knew that! (My data localization book argues that the focus of transfers restrictions should not be physical data hosting location, but effective jurisdiction over those who can access intelligible data.) Art.48 only helps when there's an appropriate international agreement with the requesting third country
    • Google's anonymisation function doesn't apply to all transfers and it's unclear if anonymisation happens before or after transfers to the US. It pseudonymises, but unique identifiers allow tracking, sometimes cross-device; pseudonymisation is an acceptable supplementary measure only if the transferred data doesn't allow reidentification even with authorities' substantial resources. Tracking risk can be amplified when using Analytics with other Google services, allowing browsing history tracking via IP address.
    • Encryption by Google LLC is insufficient, because it has the keys and can access intelligible data. Encryption is an acceptable supplementary measure only if keys are exclusively controlled by the data exporter/others established in "adequate" countries
    • How to lawfully use Google Analytics/other audience measurement tools? 
      • Use a proxy server to avoid any direct contact between the Internet user's terminal and the servers of Google/other measurement tool (and transfer only pseudonymised data outside the EU), provided the proxy server meets the criteria under the EDPB's supplementary measures recommendations (but, the recommendations don't actually cover configuration of proxy servers as such!)
      • Or, correctly configure and use analytics tools previously approved by CNIL - but, if the tool involves transfers, you must conduct a Schrems II assessment (transfer impact assessment) or proxify as above
    • Explicit consent under Art.49 can legitimise transfers, but only for non-systematic transfers, so not a long-term solution (EDPB guidelines on derogations)
    • A risk-based approach, taking into account the likelihood of data access, is not possible (& see the 22 Apr 2022 Austrian decision below). If public authorities' access, going beyond what's necessary and proportionate in a democratic society, is possible (not just probable) and the rules on data access requests do not make it possible to guarantee a level of data protection essentially equivalent to that in the EU, additional "technical measures" must be taken to make this access impossible or ineffective.
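    • Added example, not code from this page, CNIL or Datatilsynet: the Python below sketches what the reverse proxy described in CNIL's "how to lawfully use" bullets above (and in item 6 of the Datatilsynet FAQ summary near the top of this page) has to do to each analytics hit before forwarding it, so that the vendor's servers never receive the visitor's IP address, a stable client identifier they can attribute to a person, or fingerprinting material such as the user agent. The field names, the geo table, the tracking-parameter list and the sample hit are all constructed for illustration; the IP-masking granularity (last octet of IPv4, last 80 bits of IPv6) is the one described on this page, but it is applied here on the EU-side proxy rather than by the vendor. Whether such a setup actually meets the SAs' pseudonymisation conditions is the controller's own assessment to document.

```python
"""Proxy-side pseudonymisation of a web-analytics hit (added example).

Assumed setup: an EU-hosted reverse proxy receives the visitor's request,
rebuilds a reduced hit and sends it to the analytics vendor from the proxy's
own egress IP.  The pseudonymisation key never leaves the exporter.
"""
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a geo database kept on the proxy (documentation
# address ranges only); a real proxy would use a locally held IP-to-region DB.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "DK",
    ipaddress.ip_network("2001:db8::/32"): "DE",
}

# URL parameters that commonly carry campaign or user identifiers (assumed list).
TRACKING_PARAMS = ("utm_", "gclid", "fbclid", "dclid", "mc_eid")


def truncate_ip(ip: str) -> str:
    """Zero the last octet (IPv4) or the last 80 bits (IPv6) of an address."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def coarse_region(ip: str) -> str:
    """Derive a coarse region from the truncated address on the proxy.

    Only the region string is forwarded; neither the full nor the truncated
    address leaves the EU side.
    """
    truncated = ipaddress.ip_address(truncate_ip(ip))
    for net, region in GEO_TABLE.items():
        if truncated in net:
            return region
    return "UNKNOWN"


def pseudonymise_id(client_id: str, key: bytes) -> str:
    """Replace the vendor's client identifier with a keyed HMAC.

    The vendor cannot reverse this without the exporter-held key; rotating
    the key bounds how long hits from one visitor remain linkable.
    """
    return hmac.new(key, client_id.encode(), hashlib.sha256).hexdigest()[:32]


def strip_tracking_params(url: str) -> str:
    """Drop tracking parameters and the fragment from the collected page URL."""
    parts = urlsplit(url)
    kept = [kv for kv in parts.query.split("&")
            if kv and not kv.lower().startswith(TRACKING_PARAMS)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "&".join(kept), ""))


def same_site_referrer(referrer: str, site_host: str) -> str:
    """Keep only the path of referrers from our own site; external referrers are dropped."""
    parts = urlsplit(referrer)
    if parts.netloc.lower() == site_host.lower():
        return parts.path or "/"
    return ""


def sanitise_hit(hit: dict, key: bytes, site_host: str) -> dict:
    """Build the reduced payload the proxy forwards to the analytics vendor.

    user_agent, screen size, language and the client IP are deliberately not
    forwarded: they are fingerprinting material, and the vendor sees the
    proxy's egress address instead of the visitor's.
    """
    return {
        "cid": pseudonymise_id(hit["client_id"], key),
        "page": strip_tracking_params(hit["url"]),
        "referrer": same_site_referrer(hit.get("referrer", ""), site_host),
        "region": coarse_region(hit["client_ip"]),
        "event": hit.get("event", "pageview"),
        "ts": hit["timestamp"],
    }


# Constructed sample hit, as the proxy would see it before forwarding.
SAMPLE_HIT = {
    "client_ip": "203.0.113.77",
    "client_id": "GA1.2.1234567890.1660000000",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/104.0",
    "url": "https://www.example.dk/produkt?id=42&utm_source=newsletter&gclid=XYZ",
    "referrer": "https://www.google.com/",
    "timestamp": 1663790400,
    "event": "pageview",
}
SECRET_KEY = b"placeholder-key-rotate-regularly"  # held by the exporter only

if __name__ == "__main__":
    print(sanitise_hit(SAMPLE_HIT, SECRET_KEY, "www.example.dk"))
```

    Two practical points follow from the page's own reasoning: the proxy's outbound connection must be made from an EU-side address (otherwise the vendor's firewall logs still record the visitor's IP, the problem Datatilsynet raises above), and the HMAC key is what makes the identifier pseudonymous rather than merely hashed, so it has to stay with the exporter and be rotated, because a vendor that could reproduce the mapping would be back in the position the SAs object to.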
  • 16 May 2022 - EDPB news on Icelandic SA's fine (about €36k) imposed in early May 2022 on Reykjavík municipality for using the Seesaw educational system, including (but not only) for transfers to the USA without appropriate safeguards
    • The actual decision mentioned a "high risk" of transfer to the United States without appropriate safeguards, even though SCCs had been signed. "In this respect, appropriate protection measures would need to include the encryption of the data or something similar to ensure adequate protection of the information."
    • It does not appear that a transfer impact assessment was conducted.
  • 22 Apr 2022 - via NOYB 2 May 2022, a further Austrian SA decision (English translation), rejecting any risk-based approach to transfers and noting that IP address anonymisation only occurred after Google LLC had received the address, even if the anonymisation was conducted in the EEA.
  • 3 Mar 2022 - Liechtenstein's SA DSS - current topics: "...[especially post-Schrems II] the DSS no longer saw any legal basis to justify the personal data transfer to the USA associated with Google Analytics. Even if the often cited anonymization of the IP addresses is implemented by the website operator, further personal data is transmitted to Google... The findings of this [EDPB 101 taskforce] task force now serve as the basis for the judgments of the data protection authorities...
    Further decisions on the 101 complaints are expected from other European data protection authorities in the near future. Due to the coordinated approach, it can be assumed that the decisions will also be against the use of Google Analytics. So far, the data protection authorities have refrained from fines. However, this could change rapidly in the future.
    The DSS therefore calls on those responsible to design websites in compliance with data protection and to use alternative, data protection-compliant solutions instead of Google Analytics. Even if the DSS is not currently conducting official investigations in relation to Google Analytics, there have already been a number of complaints in Liechtenstein that could be resolved amicably by the website operators immediately deactivating Google Analytics."
      • Note on 101 taskforce: the EDPB decided in its 37th meeting, 2 Sept 2020, to create a taskforce to look into complaints filed in the aftermath of the CJEU Schrems II judgement - 101 identical complaints lodged with EEA SAs against several EEA controllers regarding their use of Google / Facebook services which involve the transfer of personal data. This task force held its first meeting before the EDPB's 38th meeting, 14 Sept 2020, aiming to achieve a consistent approach to the complaints. MEPs' complaints with NOYB were noted in the 45th meeting, 2 Feb 2021 (presumably the complaint against the European Parliament covered in my SSRN paper). In the 57th meeting, 18 Nov 2021, the outcome of the 101 taskforce's work was noted: "The outcome of the work will be used as a resource on which SAs can rely when making their own assessment in the context of the national procedures. The importance of the work carried out by the 101 Taskforce to promote consistency was highlighted." Hence the increasing number of SA decisions being issued on these complaints since Nov 2021.
  • 10 Feb 2022 - France's SA CNIL - news item, and full text of decision (translation) taking a similar approach to Austria's SA on transfers to the US of website visitors' IP addresses, online identifiers, browser data etc. through the website's use of Google Analytics and Google's SCCs, and rejecting the sufficiency of Google's supplementary measures. The draft decision went through the Art.60 cooperation procedure in Jan 2022 without any objections, no doubt because of the 101 task force's work.
    • This decision was anonymised but no doubt the company was one of the six with .fr domains that were named in NOYB's 101 list.
    • Added 19 Aug 2022: in English, from the EDPB's website, related Art.60 OSS decision on a distance selling company, summary;  a similar Art.60 decision of 2 Mar 2022 regarding a retailer of perfumery and beauty products in specialized stores, and another similar 2 Mar 2022 decision on a retailer of sports articles in specialised stores.
  • 2 Feb 2022 - Belgium's SA APD - decision on IAB's TCF, including on transfers (see IAB Europe's statement 2 Feb, and its intention to appeal 11 Feb; on what TC Strings and CMPs are, see IAB Europe's FAQs):
    "386. Finally, when the CMPs determine the list of recipients in accordance with the publishers' instructions, the Litigation Chamber finds that the publishers bear the main responsibility for the transfer of personal data to adtech vendors, without prejudice to IAB Europe’s responsibility, without which the global list of participating adtech vendors would not exist in the first place...
    ...490. With regard to the allegation by the plaintiffs that IAB Europe also violates Articles 44 to 49 GDPR, the Litigation Chamber acknowledges, in view of the scope of the Framework — which involves a large number of participating organisations — that it is evident that personal data captured in the TC Strings will be transferred outside the EEA at some point by CMPs, and that the defendant is acting as data controller in this regard (see para. 356-357). However, the Litigation Chamber notes that the Inspection Service did not include an assessment of a concrete international data transfer in its report. For this reason, the Litigation Chamber concludes that there is an infringement of the GDPR, but in view of the lacking evidence of a systematic international transfer, as well as the scope and nature thereof, the Litigation Chamber finds it is not in a position to sanction the defendant for a violation of articles 44 to 49 GDPR. Notwithstanding the previous, the Litigation Chamber also finds that these international transfers of personal data, where applicable, must be assessed primarily by the publishers and CMPs implementing the TCF. The Litigation Chamber finds that the publishers are responsible and accountable for taking the necessary measures to prevent personal data collected through their website and/or application from being transferred outside the EEA without adequate international transfer mechanisms.
    491. This being said, the Litigation Chamber also finds that the defendant should facilitate the due diligence incumbent on the publishers and CMPs, e.g. by requiring adtech vendors to indicate clearly whether they are located outside the EEA or whether they intend to transfer personal data outside the EEA through their data processors. Furthermore, the Litigation Chamber notes that, contrary to its obligation under the principles of accountability and of data protection by design and by default, IAB Europe did not foresee any mechanism to ensure that participating publishers and CMPs have put in place adequate mechanisms for potential international transfers of the TC String, as foreseen under Articles 44 to 49 GDPR, both at the time of its creation and when transmitting the TC String to participating adtech vendors. The preamble of the TCF Policies merely indicates that the TCF “is not intended nor has it been designed to facilitate […] more strictly regulated processing activities, such as transferring personal data outside of the EU”. The Litigation Chamber finds that this does not meet the requirements of Articles 24 and 25 GDPR..."
    • Note: the IAB's initial response stated that "it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct. Today’s decision would appear to clear the way for work on that to begin." While the IAB didn't indicate any intention to adapt TCF as a GDPR code of conduct for transfers, on 22 Feb 2022 the EDPB finalised its guidelines 04/2021 on codes of conduct as tools for transfers, so it would no doubt behove the IAB to consider those guidelines too.
  • 26 Jan 2022 - Norway's SA - news item: "The Norwegian Data Protection Authority (EDPS) has also made a similar decision. The Norwegian Data Protection Authority is also currently dealing with one case concerning the use of Google Analytics.
    - Although we have not concluded in these cases, we will look at European practice in case processing, Judin says.
    We know that there will also be more decisions about Google Analytics from other European data regulators. Therefore, we now recommend everyone to explore alternatives to Google Analytics."
  • 20 Jan 2022 - Germany, LG Munich court decision, awarded a website user €100 because the website used Google Fonts, thus transmitting the user's dynamic IP address to Google in the US: "It must also be taken into account that the IP address was undisputedly transmitted to a Google server in the USA, although an appropriate level of data protection is not guaranteed there (cf. ECJ, judgment of 16.7.2020 - C-311/18 (Facebook Ireland and Schrems), NJW 2020, 2613) and the liability from Art. 82 Para. 1 DS-GVO is intended to prevent further violations and to create an incentive for security measures."
  • 19 Jan 2022 - Denmark's SA, Datatilsynet - news item: "In Denmark, the Danish Data Protection Agency will read the decision closely and - on the basis of several forthcoming decisions from other countries - provide further guidance on this to Danish companies and authorities."
  • (date unclear but after 7 and on or before 13 Jan 2022, based on the Internet Archive) - Netherlands' SA, AP - cookies webpage (under Questions, Show more Q&A):
    "Please note: use of Google Analytics may soon not be allowed
    The Austrian privacy regulator completed an investigation into the use of Google Analytics by an Austrian website in January 2022. According to the Austrian supervisory authority, Google Analytics does not appear to comply with the GDPR in this investigated case.
    The AP is currently investigating two complaints about the use of Google Analytics in the Netherlands. Upon completion of that investigation, in early 2022, the AP will be able to say whether Google Analytics is now allowed or not."

Other 2022 transfers-related matters (e.g. transfers enforcement/guidance/issues but not UK/EU, or UK/EU-related transfers issues other than GDPR enforcement)

  • 10 Aug 2022 - TheCityUK's press release and report on Digital trade: a commercially viable approach
  • 18 July 2022 - Google's blog post on the Global Cross Border Privacy Rules Forum (FAQ), to establish an international certification system based on the APEC CBPR and PRP Systems, but independently administered and separate from the APEC Systems
  • 12 July 2022 - Russia's regulator Roskomnadzor - news item: fines for data localization law infringement - Apple Inc. 2m rubles, Zoom Video Communications Inc. 1m rubles, Ookla LLC 1m rubles
  • 28 June 2022 - Russia's regulator Roskomnadzor - news item: fines for data localization law infringement - Twitch Interactive, Inc., Pinterest, Inc. and Airbnb Inc. each fined 2m rubles, United Parcel Service, Inc. (UPS) fined 1m rubles
  • 23 June 2022 - Google calls for more transparency around government data access demands, no doubt influenced by Schrems II and the increasing enforcement action against transfers & Google Analytics
  • 21 June 2022 - Guernsey's regulator ODPA - news item: guidance on data transfers: Guidance on international transfers, Guidance and self-assessment tool for Transfer Impact Assessments, The Bailiwick of Guernsey Addendum for the EU Commission's Standard Contractual Clauses (SCCs)
  • 16 June 2022 - Russia's regulator Roskomnadzor - news item: fines for data localization law infringement - Google LLC 15m rubles, Likeme Pte. Ltd 1.5m rubles
  • 13 June 2022 - Swiss regulator FDPIC's press release. It's Switzerland not EEA/UK, but I've added it anyway
    • FDPIC advised Suva to reconsider its outsourcing of personal data processing to a cloud service of US company Microsoft, albeit using "a data centre operated on Swiss territory". FDPIC reserved the right to take supervisory action. The detailed documents are in German and scanned so no Google Translate - can anyone shed any further light, is this definitely transfers-related?
  • 13 June 2022 - the Datasphere Initiative's paper Sandboxes for data: creating spaces for agile solutions across borders (press release) mentions that privacy enhancing technologies (PETs) "can be used to change the traditional model of cross-border transfers which assumes data leaving one jurisdiction where it has certain protections and requirements, and entering another where these are lessened", mentioning homomorphic encryption (but unfortunately not my pet subject of confidential computing/TEEs/enclaves).
  • 8 June 2022 - Denmark's SA Datatilsynet's press release and guidance on the concept of data exporter (nothing on analytics, but added for completeness)
    • EEA controller -> EEA processor -> non-EEA subprocessor: both controller and processor are responsible for compliance re transfers, security; the processor can use SCCs P2P module. No surprises there.
    • The SA also updated its general transfers guidance to v4. I believe this guidance already stated that, with cloud services, "transfer" includes personal data physically leaving the EU/EEA i.e. hosted outside; cloud provider access to personal data from outside the EU/EEA for maintenance or debugging/error correction purposes; also chats/customer service comms for support purposes where the comms are hosted outside the EU/EEA.
  • 27 May 2022 - Russia's regulator Roskomnadzor - news item: preliminary action on data localization law infringements against Airbnb, Pinterest, Likeme, Twitch, Apple, United Parcel Service, Google
  • 25 May 2022 - European Commission's FAQs / Q&A on the 2021 SCCs published. No time for comments yet, but many of the issues raised in my article on practical problems with the 2021 EU SCCs don't seem to have been addressed...
  • 18 May 2022 - blog by Microsoft's Brad Smith, "Microsoft responds to European Cloud Provider feedback with new programs and principles", including more data localisation and deglobalisation:
    • "We have completed or are now constructing 17 datacenter regions in Europe and are rapidly expanding our footprint across the continent"
      • But what about remote support or software maintenance from outside the EEA, will all that be localised too?
    • For EEA government/public sector bodies' "sovereign needs", partnerships with "trusted local cloud technology company" in Italy (Leonardo), France (Capgemini & Orange), Spain (Telefónica Tech), Germany (SAP & Arvato Systems)
      • Details of the model are not clear, but could it include some licensing of Microsoft software as suggested by CNIL in France? (see my GDPR transfers enforcement post-Schrems paper on CNIL's suggestion, and also on Microsoft's previous partnership with Deutsche Telekom after Schrems I, which model was terminated in mid-2018).
      • It seems some of these partnerships will extend to cloud services like Azure PaaS/IaaS and SaaS like Office365.
      • Again, what about remote support/maintenance from outside the EEA?
  • 16 May 2022 - EU Data Governance Act approved by Council, to enter into force 20 days after publication in the Official Journal, with a 15-month grace period before the new rules apply - not GDPR, but extending restrictions on transfers of non-personal data:
    • "The DGA creates safeguards for public-sector data, data intermediation services and data altruism organisations against unlawful international transfer of or governmental access to non-personal data. For personal data, the EU already has similar safeguards under the GDPR.
      In particular, the Commission – through secondary legislation – may adopt adequacy decisions declaring that specific non-EU countries provide appropriate safeguards for the use of non-personal data transferred from the EU. These decisions would be similar to adequacy decisions relating to personal data under the GDPR. Such safeguards should be considered to exist when the country in question has equivalent measures in place that ensure a level of protection similar to that provided by EU or member state law.
      The Commission may also adopt model contractual clauses to support public-sector bodies and re-users in the case of transfers of non-personal data covered by the DGA to third countries."
  • 15 May 2022 - UK Information Commissioner John Edwards' speech mentioned international data flows as a key area for "collective application":
    • "This is an area crowded with expensive proxies, which impose significant cost on industry and governments, but which provide dubious benefits to those they are intended to protect. By proxies, I mean standard contractual clauses, binding corporate rules, individualised adequacy determinations, accreditation programmes like APEC’s CBPRs.
      They are proxies for the recognition of some of the most fundamental duties any state owes its citizens, the duty to protect them. And a recognition that in order to discharge that duty, organs of the state, being its security and intelligence arms from time to time need lawful, proportionate access to personal information... Until then [international progress] we need to keep working on the least bad options, and to that end I welcome the work of the DCMS International Data Transfer Expert Council" - of which I'm fortunate enough to be a member.
    • I hope this means he read my 2017 book on transfers and data localization particularly in cloud, where I argued that countries' data transfers restrictions were proxies for control of access to intelligible personal data! (or at least read Chris Reed's seminal book Making Laws for Cyberspace, which introduced the notion of certain laws being proxies for the real legislative objectives, notably copyright laws regulating acts of copying as proxies for the true underlying concern, use).
  • 25 Mar 2022 - the UK's International data transfer addendum to the European Commission’s standard contractual clauses (Addendum) and International data transfer agreement (IDTA) became effective, having been laid before Parliament on 2 Feb 2022. Guidance on these was due to be published "soon" but as at 25 July 2022 is still not available.
  • 9 Mar 2022 - Denmark's SA Datatilsynet - news item on cloud generally (rather than analytics specifically): Guidance on the use of cloud, in English, with Q&A (Danish). Comments are welcomed. Some translated extracts from the Q&A (emphasis added):
    • "Should I comply with the rules on third country transfers if a cloud provider offers a solution where the information is only stored in the EU and by IP filtering is cut off from being accessed from third countries?
      Maybe. If the cloud provider - either through additional services or as a service or support of its own infrastructure - can access the information from a third country, you must continue to observe the rules on third country transfers."
    • "Can I legally transfer personal information in clear text to the United States?
      If your data importer and / or the information you wish to transfer is covered by e.g. FISA 702, it is very difficult to transfer information in plain text to the United States, ie. without taking additional measures. If you can objectively prove that the problematic legislation, including eg FISA 702, will not be applied in practice to the information to be transferred, it may be possible. In addition, in certain cases and in special situations you can make exceptions to the rules on third country transfers."
    • "If the information is not transferred to the US, can one use a US cloud provider?
      Yes, you can. Even if a provider is covered by US law that may result in disclosure of information (eg US CLOUD Act), you can - if it is agreed and you are assured that the provider will comply with applicable EU law - make good use of the person in question. supplier."
  • 9 Mar 2022 - France's computer security agency ANSSI updated its cloud certification framework SecNumCloud (English translation)
    • The press release stated that this update is Schrems II compliant:
      “The "Schrems II" judgment of the Court of Justice of the European Union recalled the requirement to guarantee protection equivalent to that offered by the General Data Protection Regulation (GDPR) when personal data of European citizens are transferred outside the European Union (EU). Furthermore, and independently of the existence of transfers, certain extraterritorial legislations which do not offer a level of protection substantially equivalent to that guaranteed by the GDPR may apply to data stored by cloud providers within the territory of the EU. In this respect, SecNumCloud 3.2 provides strong guarantees in terms of protection against non-European legislation with extraterritorial scope.
      “While the CJEU's decision calls for a case-by-case analysis which can be complex, the SecNumCloud 3.2 repository provides an answer which is compliant by design with the Court's requirements for data protection in the cloud. The CNIL recommends the use of this standard for data controllers who want to guarantee a high level of protection of personal data” indicates Marie-Laure Denis, President of the National Commission for Computing and Liberties (CNIL). 
    • Key changes in SecNumCloud v3.2 relevant to transfers / data localisation (toned down a little from the 2021 draft that was more drastic regarding data localization, e.g. in effectively requiring support (9.7.d) and maintenance (12.13.a) only from EU-located persons):
      • Provider TIA 5.3:
        • "d) The service provider must list, in a specific document, the residual risks linked to the existence of extra-European laws aimed at collecting data or metadata from sponsors without their prior consent. e) The service provider must make available to the commissioning entity, at the request of the latter, the risk assessment elements related to the submission of the data of the sponsor to the law of a state that is not a member of the European Union."
      • Remote support 9.7.d: "In the context of technical support, if the actions necessary for the diagnosis and resolution of a problem encountered by a sponsor require access to the sponsor's data, then the service provider must:... in the case of an intervention carried out remotely by a person located outside the European Union, implement a secure gateway (bounce station) through which the person must connect and allowing supervision (authorization or prohibition of actions, requests for explanations, etc.) in real time, by a person who has himself satisfied the verifications of requirement 7.1.b [stronger background checks for those with admin rights]. The secure gateway must meet the security objectives specified in [G_EXT] adapted to the context of the technical support actions;"
      • Roots of trust 10.6.1: "On the technical infrastructure, the service provider must exclusively use key certificates issued by a certification authority of a Member State of the European Union (the master key generation ceremonies must take place in a member country of the European Union and in the presence of the service provider)."
      • Data localization 19.2.d: "The service provider must store and process technical data (identities of technical infrastructure beneficiaries and administrators, data handled by Software Defined Network, technical infrastructure logs, directory, certificates, access configuration, etc.) within the European Union".
      • Protection against extra-European law 19.6: "a) The registered office, central administration and [or?] main establishment of the service provider must be established within a Member State of the European Union" (19.6.a, which doesn't seem to preclude using an EU-established subsidiary of a US provider). I won't quote the rest of 19.6 here, which is long - see 19.6 translation, but there are new requirements regarding non-EU entities' control of shares/voting rights in the provider, any non-EU subproviders used can't have technical access to data, non-EU subproviders must "guarantee" certain service assurances, the provider's service must comply with legislation on fundamental rights and values (consider if it has links with a foreign government/public body), and the provider must give notice within 1 month of changes that may affect its compliance with 19.6.
      • Not new
        • The service agreement must specify the "location of the service" [whatever that means?], and (when from outside the EU) the location of support (19.1.b), and the provider must offer a service agreement specifying the law of an EU Member State (19.1.c);
        • Data localization 19.2: "a) The service provider must document and communicate to the commissioning entity the location of the storage and of the latter's data processing. b) The service provider must store and process the data of the sponsor within the European Union. c) The administration and supervision of the service must be carried out from the European Union. d) The service provider must store and process technical data (identities of beneficiaries and technical infrastructure administrators, data handled by Software Defined Network, technical infrastructure logs, directory, certificates, access configuration, etc.) within the European Union. e) The service provider may carry out support operations for sponsors from a State outside the European Union. He must document the list of operations that can be performed by the support to the sponsor from a State outside the European Union, and the mechanisms ensuring access control and supervision from the European Union."
      • (See also 12.10 on updates and code audits, new 19.1.b: "The service agreement must indicate that the collection, handling, storage, and more generally the processing of data made in the context of pre-sales, implementation, maintenance and termination of the service are carried out in accordance with the requirements laid down by the legislation in force", and 19.4.a provider must give 21 days' notice of deletion post-termination)
  • 23 Feb 2022 - European Commission's news item about the proposed EU Data Act which includes Art.27, International access and transfer:
    • "1.  Providers of data processing services shall take all reasonable technical, legal and organisational measures, including contractual arrangements, in order to prevent international transfer or governmental access to non-personal data held in the Union where such transfer or access would create a conflict with Union law or the national law of the relevant Member State, without prejudice to paragraph 2 or 3 [court judgments, administrative decisions etc - if MLATs or no MLATs] ...", plus notice of administrative requests (see also Recital 77).
  • 21 Jan 2022 - Guernsey's data protection authority, ODPA - news item (not EEA, but...): "Because we were using it [Google Analytics] in such a limited way, and in light of the January 2022 judgment by the Austrian Data Protection Authority on its use within the EU, we decided to remove it from our website."
  • 19 Jan 2022 - Google's blog - emphasising that "...Google has offered Analytics-related services to global businesses for more than 15 years and in all that time has never once received the type of demand the [Austrian] DPA speculated about. And we don't expect to receive one because such a demand would be unlikely to fall within the narrow scope of the relevant law." (pre-24 Jan, but I didn't specifically note that point in my paper).

Further links to relevant matters not mentioned in my Jan 2022 paper although pre-dating it:

  • 17 Nov 2021 - Denmark's SA, Datatilsynet - news item: "in this connection, Næstved Municipality has supplemented by the fact that Amazon Web Service (AWS) Frankfurt is the sub-processor for Siteimprove, which is also stated in the data processor agreement between Næstved Municipality and Siteimprove. The agreement ensures that personal data is only stored in the EU. In this connection, AWS Frankfurt has in the agreements and publicly given guarantees that this restriction will be maintained and that there will be no transfer to countries outside the EU - including the USA. It is Næstved Municipality's opinion that there is no real risk that information will be transferred to the USA in violation of these guarantees in connection with online support or the like...
    Finally, the Danish Data Protection Agency has emphasized that AWS, which is used as a sub-data processor for the processing of personal data for statistical purposes, has by agreement and publicly guaranteed that there is no transfer of data to countries outside the EU, and that the processing therefore takes place under Siteimprove's controlled framework.
    Against this background, the Danish Data Protection Agency assesses that Næstved Municipality's processing of personal data about website visitors on has taken place as part of the municipality's exercise of authority and thus within the framework of the Data Protection Ordinance, Article 6 (1). 1, letter e."
  • 28 Sept 2021 - Microsoft's first post in a four-part series on the NOBELIUM nation-state cyberattack including SolarWinds.
  • 31 Aug 2021 - the European Data Protection Supervisor (EDPS) temporarily authorised the use of ad hoc clauses for transfers through using Cisco Webex, between the Court of Justice of the EU and Cisco.
  • 14 Apr 2021 - University of Surrey - news item on academic study showing 100 per cent rise in nation-state attacks in the last three years: summary; report.