Technical and organizational measures (TOMs), which Google had cited as data protection options, have been classified by the Austrian data protection authority as useless when it comes to the potential access of the US authorities to the personal data records. The notification states accordingly:
If the technical measures are affected, it is also not recognizable – and the respondents did not explain it in a comprehensible manner – to what extent the protection of communication between Google services, the protection of data in transit between data centers, the protection of communication between users and websites or “On-Site-Security” actually prevent or limit the access options of US intelligence services on the basis of US law.
After the announcement of this decision, the integration of Google Analytics, as it has been done almost everywhere so far, could be on the brink. Most companies and the self-employed rely on the statistics program from Google. Noby explains:
Although there are many alternatives that are hosted or can be hosted in Europe, many websites rely on Google and use it to transmit their user data to the US multi. Many other US services that allow access by US intelligence agencies are also used. The fact that the authorities could now gradually declare US services illegal is increasing the pressure on EU companies and US providers to opt for safe and legal options. Processing without actual access by US companies is particularly important here.
If large companies such as Google and Meta, Microsoft and Apple do not adapt their data protection guidelines to EU law, authorities and courts could gradually declare their services in the EU to be illegally usable.
Actually, all US services are affected
Under the leadership of Max Schrems, the Noyb association had submitted numerous complaints to various authorities in the EU in the context of disregard of the Schrems II judgment. Schrems now explains:
We expect that similar decisions will now be made gradually in most of the EU Member States. We filed 101 complaints in almost all Member States and the authorities coordinated the decisions. The European Data Protection Supervisor made a similar decision last week.
In the notification of the Austrian data protection authority, a complaint against Google LLC in the USA was not allowed. Accordingly, the European subsidiaries such as Google Ireland Limited are responsible. However, the DSB also stated that the proceedings against Google LLC with regard to possible violations of Articles 5, 28 and 29 GDPR are ongoing.
What in this specific case, using the example of Google, could lead to major upheavals in the digital industry, will probably not be limited to the Alphabet subsidiary. Because the data protection regulations of the EU apply to all US providers, which is why services from Microsoft, Meta and Co. could lose their legal status when integrated on websites after closer legal consideration and corresponding judgments. In 2022 and in the following years, it will now depend on how the authorities and courts interpret the GDPR and the ePrivacy Regulation and whether they punish the previously neglected treatment of data protection when transferring personal data between the EU and the USA by US companies . Google itself had the current case simply explained compared to the standard:
These organizations, not Google, control which data is collected with our tools and how it is evaluated.
However, this attitude is hardly compatible with current data protection law. The battle of strength between the US mega-corporations and European data protection organizations will therefore continue. However, companies, marketers and co. Should keep an eye on the decisions. The entire decision from Austria you can read it here.