The finding by the Austrian Data Protection Agency spells trouble for European websites using services such as Google Analytics.
Austria’s data protection watchdog has upheld a complaint against a website relating to its use of Google Analytics. The decision could have wide ranging ramifications for US cloud services in Europe.
The Austrian DPA’s ruling jeopardizes the use of tools that require transferring Europeans’ personal data to the US for processing. The privacy watchdog determined that IP address and identifiers in cookie data are the personal data of site visitors. This means that those data transfers fall under the purview of EU data protection law.
In this specific case, the website did not properly implement an IP address “anonymization” function. But despite that technicality, the regulator said that IP address data is personal data. This is because it has the potential to combine with other digital data to identify a visitor.
The Austrian DPA found that the website netdoktor.at had violated Chapter V of the EU’s General Data Protection Regulation (GDPR). That is the section that deals with data transfers out of the bloc. The site had been using Google Analytics, and thus was exporting visitors’ data to the US for processing.
The main concern of the DPA is the U.S. intelligence services
“US intelligence services use certain online identifiers (such as the IP address or unique identification numbers) as a starting point for the surveillance of individuals,” the regulator noted. “In particular, it cannot be excluded that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant.”
The Austrian regulator assessed the various measures Google said it had implemented to protect the data in the US. These include encryption at rest in its data centers. They also assessed Google’s claim that the data “must be considered as pseudonymous”.
But the DPA did not find that sufficient safeguards were in place to effectively block US intelligence services from accessing the data. Such safeguarding is a critical requirement to meet the GDPR’s standard.
“As long as the second respondent himself [i.e. Google] has the possibility to access data in plain text, the technical measures invoked cannot be considered effective in the sense of the above considerations,” it said. The regulator thus determined that type of encryption as providing inadequate protection.