Two of the decisions referred to herein were issued by the Austrian Data Protection Authority (“DSB”) and the French Data Protection Authority (“CNIL”).
Both decisions come following complaints submitted by noyb, a non-governmental organization that filed 101 complaints with various data protection authorities within the EEA concerning companies that incorporated services such as Google Analytics or Facebook Connect into their websites. We will see what the future holds for the rest of the complaints although similar decisions should not come as a surprise.
Ultimately, the decisions tackle the transfer of personal data to the United States (US), which has long been a sensitive topic. The recent, rather political, statements concerning mutually agreed solutions are just that: political statements. In the meantime, the lessons learned from the above decisions and the Schrems case law will have to be observed.
The above referred decisions were issued after the “Schrems II” decision of the European Court of Justice (Case C-311/18). For the record, the ECJ decision
- invalidated the “Privacy Shield” adequacy decision and
- held that (our emphasis) “Article 46(1) and Article 46(2)(c) of the GDPR must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter. To that end, the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation.” thus, imposing the obligation to perform a so-called transfer impact assessment (“TIA”).
We also recall that, following the “Schrems II” decision, the European Data Protection Board issued Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (version 2.0), confirming the TIA obligation and addressing how to perform such an analysis and what measures may be suited to ensure or enhance “the level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter”.
2. DSB and CNIL decisions
DSB issued its decision on December 22, 2021, while CNIL issued its decision on February 10, 2022. In both cases, the analysis assessed the conditions under which personal data collected through the use of Google Analytics on certain websites were transferred to the US based on standard contractual clauses (SCC) and the consequential risks incurred by data subjects (basically, the servers where the data are stored were located in the US and the SCC were concluded with the US-based entity). Both the website owners and Google argued that certain technical and organizational measures had been adopted in order to safeguard the transfer of personal data. However, DSB and CNIL held that such measures were not sufficient.
The measures implemented by data exporters (website owners) included inter alia:
- notification of data subjects about data processing (i.e., transfer)
- publication of a transparency report or of a “guideline for handling government inquiries”
- “careful examination of every data access request”
- encryption of “data at rest” in the data centres
DSB held that it was not proven that the protection of communication between Google services, the protection of data in transit between data centres, the protection of communication between users and websites and the “on-site security” actually prevent or restrict access by US intelligence services based on US law. Therefore, the “additional measures” in question are not effective, as they do not close the legal protection gaps identified in the “Schrems II” decision, i.e., the access and monitoring options of US intelligence services.
In particular, with respect to encryption of “data at rest” in data centres, the authority maintained that the obligation to hand over to the US intelligence services imported data that is in the data importer’s possession, custody or control also applies to the cryptographic key.
The CNIL decision follows a similar line of argumentation. In addition, CNIL stated that the “Optional Technical Measure” feature offered by Google Analytics as an IP address anonymisation function is, first of all, optional (as the name indicates) and does not apply to all transfers. CNIL could not clearly determine from Google's response whether the anonymisation takes place before the transfer or whether the entire IP address is transmitted to the US and only shortened after the transfer. Therefore, CNIL held that, from a technical point of view, there is potential access to the entire IP address before it is shortened.
3. EDPS Decision
As mentioned above, there is another decision which, although not issued in response to a complaint by noyb, follows the same line of argumentation. The EDPS decision was issued on January 5, 2022, and was made available by noyb, which filed the complaint along with several EP members.
4. Conclusions and developments
Other DPAs have also expressed opinions on the use of Google Analytics and transfers of personal data to the US; they seem to share the opinions of the DSB, the CNIL and the EDPS.
Apparently mindful of this, Google/Alphabet recently announced the release of Google Analytics 4, which is said to have several advantages compared to Universal Analytics, such as being “Privacy-focused and durable for the future; Intelligent, using machine learning to unearth insights about the customer journey across platforms and devices; Enhanced, seamless integrations with Google's advertising platforms to optimize campaign performance and drive greater marketing ROI”.
Interestingly enough, Google products were questioned in other circumstances as well. In that respect, we note a court decision issued by the Regional Court of Munich. The decision does not focus on the transfer of personal data outside the EEA but on the lawfulness of the legal grounds for processing the personal data of a website's users following the use of Google Fonts. The court ruled that a website (owner) using Google Fonts violated the General Data Protection Regulation by allowing personally identifiable information (e.g., IP address) to be processed by a third party without consent or a legitimate interest in doing so. Moreover, website owners can host the Google Fonts that they use locally on their website, or they can have them hosted externally on a Google server, where they will be (automatically) remotely accessed by the browser of their website visitors when first landing on their web pages; by means of that request, the IP address of the web visitor is also transferred to Google (as in this case). Hence, the court considered that such a transfer of personal data was also unnecessary and all the more in breach of the General Data Protection Regulation.
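The mechanism the Munich court relied on is visible in the page markup itself: any reference to a Google Fonts host makes the visitor's browser connect to Google and thereby disclose the visitor's IP address, while font files served from the site's own origin do not. As an added example (not code from the article or from Google), the following Python check reports such references in an HTML template; the host names are assumed and the sample page is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve Google Fonts CSS and font files (assumed for this check).
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
_IMPORT_RE = re.compile(r"""@import\s+(?:url\()?["']?([^"')\s]+)""")

class _RefCollector(HTMLParser):
    """Collect (kind, url) pairs for every resource the browser would fetch."""
    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):     # stylesheet, preconnect, preload
            self.refs.append(("link", a["href"]))
        elif tag == "script" and a.get("src"):
            self.refs.append(("script", a["src"]))
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                      # @import inside inline CSS
            self.refs.extend(("import", u) for u in _IMPORT_RE.findall(data))

def find_external_font_refs(html):
    """Return (kind, url) pairs that make the browser contact Google Fonts hosts;
    relative URLs have no host and are treated as self-hosted (no transfer)."""
    parser = _RefCollector()
    parser.feed(html)
    return [(kind, url) for kind, url in parser.refs
            if (urlparse(url).hostname or "").lower() in GOOGLE_FONT_HOSTS]

# Constructed sample: one self-hosted stylesheet, two Google-hosted references,
# and a preconnect hint that already makes the browser contact Google.
SAMPLE_HTML = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="/static/fonts/roboto.css">
<style>@import url("//fonts.googleapis.com/css?family=Lato");</style>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, url in find_external_font_refs(SAMPLE_HTML):
        print(f"external font reference ({kind}): {url}")
```

Replacing each reported reference with a stylesheet and font files served from the site's own origin removes the request to Google entirely, which is the local-hosting option the court referred to.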
Also, the CNIL decision of January 6, 2022, is noteworthy. CNIL imposed fines of EUR 150 million on Google (EUR 90 million on Google LLC and EUR 60 million on Google Ireland Ltd) and EUR 60 million on Facebook Ireland Limited for breaches of cookie rules. In the three proceedings, CNIL disapproved of the complicated manner of rejecting cookies compared to the one-click system for allowing them. Thus, CNIL analysed the extent to which the requirement under Article 7 para. (3) of the GDPR, which imposes that the rejection of cookies must be as easy for users as their acceptance, was observed. More specifically, the CNIL’s investigation revealed that the companies used a button allowing users to immediately accept cookies, but did not provide an equivalent option allowing users to easily refuse the cookies through a single click; instead, several clicks were necessary to reject all cookies (3 for Facebook and 5 for Google).
CNIL also sanctioned the “nudge” effect that such practices have on users; that is, in Google’s case, the refusal mechanism encourages acceptance of cookies, while in Facebook’s case, the information presented to users via the cookies banner is inconsistent.
Further on, on February 2, 2022, the Belgian DPA fined IAB Europe for various infringements in relation to the IAB Transparency and Consent Framework (TCF). Among others, the DPA found that
- TCF fails to secure a lawful legal basis for data processing, e.g. for the purpose of behavioural marketing.
The DPA concluded that for receiving cookies consent and cookies preferences, the relevant controller could not rely on its legitimate interest (i.e. the interest to remember users’ cookies preferences to comply with their accountability obligations); while the purpose of the processing was legitimate and the processing was necessary, the DPA argued that the rights and freedoms of data subjects still outweighed those of the data controller.
- the information provided by the TCF to users/data subjects is not transparent enough as regards the purposes of the processing and the recipients of personal data;
- IAB Europe had not carried out a data processing impact assessment with respect to the TCF. The DPA considered that such an analysis was necessary since the TCF was developed for RTB, which is used to systematically and automatically monitor, record and influence user behaviour, including for advertising purposes.
We also note that the Belgian DPA recently released another decision on cookies, primarily dealing with consent for cookies and cookie walls. Some of the shortcomings identified by the DPA referred to
On a separate note, we should mention the DPA’s reasoning according to which a “cookie wall” policy for cookies that are essential/strictly necessary is valid.
Finally, mention should be made that on January 28, 2022, the French Council of State upheld the fine of EUR 100 million issued by the CNIL against Google LLC and Google Ireland Limited in December 2020.
We recall that in December 2020, CNIL sanctioned Google LLC and Google Ireland Limited, in particular for
- automatically placing advertising cookies on the computers of users of the google.fr search engine (hence, before consent was provided by the users);
By Monica Iancu, Partner, and Alexandru Daniliuc, Associate, Bondoc si Asociatii