By David Deusner and Matt L. Rotert
Propriety of New Standard Contractual Clauses Are Put In Jeopardy
Following the Schrems II ruling in July 2020, Standard Contractual Clauses (“SCCs”) were cautiously heralded as one of the few remaining mechanisms to transfer personal data from the European Union (“EU”) to third countries without an adequacy decision (including the United States). Doing so, however, required parties to enter into a contract supported by SCCs and adopt supplemental measures that adequately addressed the additional privacy risks created by transferring personal data to that third country. In the aftermath of the Schrems II ruling, the EU Data Protection Commission noted that, while the Court of Justice of the European Union (the “CJEU”) “ruled that the SCCs transfer mechanism used to transfer data to countries worldwide is, in principle, valid, [] it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.”[1]
RECENT DEVELOPMENTS
In a decision regarding the use of Google Analytics by an EU-based website operator, the Austrian Data Protection Authority (the “DSB”) confirmed this suspicion. Specifically, the DSB found that the website operator’s transfer of personal data to Google – pursuant to an SCC – constituted an unlawful transfer because the SCC did not account for the U.S. government’s ability to access the data.
While the DSB did not close the door to all transfer of personal data based on SCCs, the decision made it clear the standard for doing so is extremely high. First, while the website operator handled healthcare information, the type of “personal” information in question did not include health related information, financial information, or other sensitive information. Rather, the transfer was limited to IP addresses, the creation of unique identifiers, and other metrics related to the user’s browser (i.e., language, screen size/resolution). Second, the parties had SCCs in place. Third, Google identified supplemental measures intended to provide the requisite level of data protection, including encryption and pseudonymization.
The DSB found, however, that these supplemental measures could not account for the U.S. Government’s ability to access the data – even encrypted data. As a result, the DSB determined that adequate steps were not taken to provide the level of data protection required for transfers of personal data to a third country – even though SCCs were in place and supplemental measures were taken.
Google was, of course, quick to respond to the decision.[2] On its blog, Google In Europe, Russell Ketchum, Director of Product Management for Google Analytics, used the response as an opportunity to educate organizations facing “questions about whether an analytics service can be compatible with user privacy and the rules for international transfers of personal data.” Google’s position is summarized in six statements:
- Google Analytics is a service used by organizations to understand how their sites and apps are used, so that they can make them work better. It does not track people or profile people across the internet.
- Organizations control the data they collect using Google Analytics.
- Google Analytics helps customers with compliance by providing them with a range of controls and resources.
- Google Analytics helps put users in control of their data.
- Google Analytics cannot be used to show advertisements to people based on sensitive information like health, ethnicity, sexual orientation, etc.
- An organization’s Google Analytics data can only be transferred when specific and rigorous privacy conditions are met.
FUTURE IMPLICATIONS
It should be noted that the DSB’s decision currently has limited reach because it is not yet considered final (responses and appeals are still pending), and the scope is limited to transfers originating in Austria. Even so, it is likely the small window of using SCCs as a valid mechanism to support the transfer of personal data to the U.S. may soon be closed.
[1] Jul. 16, 2022, DPC State on CJEU decision (https://www.dataprotection.ie/en/news-media/press-releases/dpc-statement-cjeu-decision-0)
[2] Google Analytics Blog Post, Jan. 13, 2022 (https://blog.google/around-the-globe/google-europe/google-analytics-facts/)