By Robert Bateman
Austrian authorities are investigating allegations that Google is illegally transferring data from the EU to the U.S. — and some experts told Digital Privacy News that the investigation presented a fundamental problem for the company’s business model.
In a May 5 letter to Austria’s data-protection authority, the European Center for Digital Rights (None of Your Business — NOYB), headed by Austrian lawyer and activist Max Schrems, alleged that Google violated strict EU rules designed to protect Europeans’ data from interference by U.S. intelligence services.
“The Google case is far-reaching,” said Magnus Westerlund, principal lecturer of information technology at Arcada University of Applied Sciences in Finland.
“If the courts find that Google does not comply with the GDPR (the EU’s General Data Protection Regulation) and the human right to privacy, it essentially defines the end to the platform model as we know it.”
Google did not respond to a request for comment from Digital Privacy News. The company denied the allegations in an April 10 letter responding to questions from the Austrian authority.
“Europe must step up the strategic leadership significantly and drive home a digital-sovereignty strategy if we are to have laws that challenge the status quo this clearly,” Westerlund told Digital Privacy News.
Targeting Google Analytics
The complaint takes aim at Google Analytics, a service used by more than 28 million websites according to BuiltWith, which tracks software used on the internet.
NOYB’s claims follow last July’s landmark “Schrems II” decision, in which the Court of Justice of the European Union (CJEU) invalidated “Privacy Shield,” a mechanism enabling Google and other companies to freely transfer personal information from the EU to the U.S.
The court said the scheme failed to prevent U.S. authorities from snooping on EU citizens under such laws as the Foreign Intelligence Surveillance Act (FISA).
Following the ruling, Google turned to another data-transfer mechanism known as “standard contractual clauses,” which remained lawful — as long as exported data also was protected by any “supplementary measures” necessary to prevent intelligence agencies from accessing it.
‘Technical, Legal’ Measures
In its response to the Austrian complaint, Google says it takes “technical, legal and operational” supplementary measures to protect Google Analytics data.
However, NOYB’s Schrems told Digital Privacy News that, because of Google’s U.S. legal obligations and the nature of its services, no mechanism could enable Google to lawfully transfer personal data from the EU to the U.S.
“In short: We do not know of any ‘supplementary measure’ that would help here,” he said.
Schrems pointed to the European Data Protection Board (EDPB)’s recommendations on data transfers, drawn up last November in the aftermath of the Schrems II judgment.
The EDPB suggested that certain companies could rely on standard contractual clauses to facilitate data transfers — either because they were not covered by state surveillance laws or because they could take supplementary measures to protect the data.
But the board also noted that no suitable supplementary measures were available for certain non-EU companies whose services involved processing unencrypted data, which Schrems said included Google.
“For FISA companies, I do not know of any solution that works for ‘live’ data,” he told Digital Privacy News. “Supplementary measures are a very exceptional situation.”
A ruling against Google could result in a fine of up to $7.3 billion — 4% of company revenues — and it would have profound implications for many other U.S. companies operating in Europe.
“Consider what this means for mobile phones,” Arcada University’s Westerlund said. “Google’s Android and Apple’s iPhone are based on collecting data about users and storing this as processable data in any of their data centers.”
Ian Brown, visiting professor at FGV Law School in Rio de Janeiro, proffered two potential solutions to the problem of EU-U.S. data transfers.
In the long term, Brown said democracies should agree on human-rights-compliant standards for access to personal data by intelligence services.
Discussions are underway between the U.S. and EU to find an alternative to the invalidated Privacy Shield framework, according to a joint statement in March from the European Commission.
But the more immediate solution for Google, Brown suggested, could be creating “EU-only data centers” and providing “guarantees that it will not process EU data outside the EU or give access to its American owner.”
Brown called it “ludicrous” to suggest that localizing data-processing operations in Europe would be operationally impossible for Big Tech firms like Google.
“The EU is the richest single market in the world, with some of the world’s most-valuable companies,” he told Digital Privacy News. “I don’t think it’s nearly as difficult as they make out.”
Robert Bateman is a writer in Brighton, U.K.
- NOYB (None of Your Business): Austrian DPA has option to fine Google up to €6 billion Google continues to send data
- Built With: Google Analytics Usage Statistics
- Alphabet Inc.: Alphabet Announces Fourth Quarter and Fiscal Year 2020 Results
- European Commission: Press corner | European Commission