Austria: Ruling refuting IP anonymisation as safeguard for and "risk based approach" to data transfers

On 2 May 2022, the Austrian Data Protection Authority issued a ruling refuting IP anonymisation as a safeguard for data transfers from the EU to the United States. The authority rejected arguments by Google that websites using its tools, such as Google Analytics, could activate IP anonymisation as a protection measure for data transfers. The authority argued that the anonymisation occurs after Google receives the data and that other identifiers, such as cookies, are not anonymised. In addition, the authority rejected the "risk-based approach" to data transfers. The approach aimed to argue that additional safeguards should only be necessary for data transfers including substantial risk to data subject rights, while standard contractual clauses should be sufficient for other data transfers, e.g. those concerning IP addresses. The authority rejected this approach.