Austrian Regulator Says Google Analytics Contravenes GDPR

A new ruling from the Austrian Data Protection Authority (DPA) traps EU/U.S. data transfers between a rock and hard place. The rock is GDPR. The hard place is FISA. And the two are fundamentally incompatible.
The purpose of GDPR is to protect the personal information of European citizens and residents. The purpose of FISA Section 702 (supported by EO 12333) is to ensure that U.S. intelligence agencies can collect data on foreign citizens for national security and cybersecurity purposes. GDPR is a consequence of the latter – a response to Edward Snowden’s revelations on the NSA’s global surveillance programs. Neither side will easily abandon its current position.

The Schrems II ruling in 2020 annulled the Privacy Shield agreement between the US government and the EC. This had been used to ‘legalize’ data transfers between the two trade blocs. The primary reason for the annulment was FISA 702, a statute that authorizes the collection of communications content stored by U.S. service providers such as Google, Facebook and Microsoft. U.S. telecom providers can be compelled to assist.

The Schrems II ruling effectively declares that so long as FISA 702 exists, EU personal data cannot be sent to the U.S. It does not rule out the use of standard contractual clauses to protect and legalize transfers, but insists that those clauses must solve the 702 issue. This is not possible.

Facebook has been relying on a version of SCCs for its data transfers, and has had some support from the Irish Data Processing Controller (DPC) – but it is thought the Irish ruling will not survive complaints from other European regulators. The result of this is still awaited. 

The latest ruling, from the Austrian regulator, concerns data from a European company transferred to Google in the U.S. via Google Analytics. The decision states the standard clauses used by the EU company to transfer the data are inadequate because Google “is subject to surveillance by U.S. intelligence agencies pursuant to 50 U.S. Code §1881a (“FISA 702”); and… they do not eliminate the possibilities of surveillance and access by US intelligence services.”

Privacy activist Max Schrems, chairperson of the European None of Your Business (NOYB) organization, commented, “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options.”

Facebook changed its terms of use into a contract for use. That contract allows the company free rein in its use of personal information. Google’s approach has been to use ‘technical and organizational measures’ (TOMs) to claim protection of EU data. These include having ‘fences’ around data centers, reviewing requests and using baseline encryption. The Austrian DPA is not convinced of the “extent [the measure] would actually prevent or limit access by U.S. intelligence agencies considering U.S. law.”

Schrems commented on the ruling, “This is a very detailed and sound decision. The bottom line is: Companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”

For the moment, this is a ruling against EU companies that use Google Analytics rather than against Google itself – although that may be considered later. In a blog on the issue, Schrems wrote that it will affect almost all EU websites. “Google Analytics is the most common statistics program. While there are many alternatives that are hosted in Europe or can be self-hosted, many websites rely on Google and thereby forward their user data to the US multinational. The fact that data protection authorities may now gradually declare US services illegal, puts additional pressure on EU companies and US providers to move towards safe and legal options, like hosting outside of the US.”

Interestingly, the European data protection supervisor (EDPS) came to a similar conclusion when it reprimanded the European Parliament on January 11, 2022. The Parliament had been using Google Analytics on a COVID-related website. Among its reasons for reprimanding the Parliament, the EDPS wrote that it had infringed, “Article 46 and Article 48(2)(b) of the Regulation, due to its reliance on the Standard Contractual Clauses in the absence of a demonstration that data subjects’ personal data transferred to the US were provided an essential equivalent level of protection.”

Very slowly, Schrems is tightening the noose around the misuse of European data as defined by GDPR. The Austrian decision is just the first ruling in 101 cases his organization has brought across Europe. “In the long run,” he said, “we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in Europe.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high-tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.