Schrems II comes home - Austrian SA takes action on EU-US data transfers

January 19, 2022

A recent decision by the Austrian Supervisory Authority (SA) has found a website operator to have violated its post-Schrems II data transfer obligations, and potentially marks the beginning of similar enforcement action across Europe.  

In December 2021, the Austrian SA found that a website which used the free version of Google Analytics was in breach of the GDPR's data transfer rules. Specifically, it found that Google's use of Standard Contractual Clauses and supplementary measures did not ensure that personal data transferred from Europe to the US was provided with an adequate level of protection. Consequently, the website operator, as data exporter, was found to have violated its data transfer obligations under the GDPR. 

This decision was followed by similar actions in Brussels and in the Netherlands. Earlier this month, the EDPS issued a reprimand to the European Parliament regarding the illegal transfer of data stemming from its use of cookies (including Google Analytics), and the Dutch SA announced that the use of Google Analytics may soon be illegal, pending the outcome of a current investigation due to be announced early this year. Other SAs across Europe have not (yet) commented on the matter. In the UK, the ICO has not formally announced where it stands on this issue, although notably the ICO website itself utilises Google Analytics cookies.

This has potentially significant implications for organisations. According to the Austrian decision, the website owner, as data exporter, remains responsible for complying with data transfer obligations. Such obligations present a potentially high bar for compliance.

In this case, the website operator had used a service that implemented numerous supplementary measures (including encryption, anonymisation and pseudonymisation, and "careful examination(s) of every data access request" received by the US authorities) and was still found to have provided an insufficient level of protection over personal data.

The question remains as to what measures will then be deemed to be adequate to close the gap between the website operator and Schrems II compliance.