Austria: Ruling on the illegality of data transfers through Google Analytics

The Austrian Data Protection Authority (DSB) has ruled that the transfer of personal data by the EU to the US through the implementation of the "Google Analytics" service by an Austrian health topics website is unlawful. In particular, the DSB held that: the website had transferred data that can be considered personal because various data points can be combined to identify a data subject; the Standard Contract Clauses stipulated between the website and Google, containing "Technical and Organizational Measures", have no effect in limiting access to the personal data by U.S. intelligence agencies. Therefore, in this case, Standard Contract Clauses and Technical and Organizational Measures are not judged to provide adequate protection for the EU personal data transferred to the US. Finally, the DSB ruled that the GPPR only imposes legal duties on the data exporter (the website) but not on the data recipient (Google). Therefore, the DSB dismisses the complaint against Google but will conduct a separate investigation to assess whether Google violated the GDPR for providing personal data to the US authorities without receiving an explicit order from the Austrian website (the EU data exporter).