+49 228 2861 140 60 info@sicoda.de

Google Analytics violates the GDPR (in Austria)

Google Analytics violates the GDPR (in Austria)

We would like to inform you about current media reports (e.g. Heise) on the possibility of using Google Analytics:

According to the Data Protection Authority of the Republic of Austria, the use of Google Analytics violates the GDPR.

Although the Austrian authority considers the use of Google Analytics to be illegal, no German authority has adopted this view yet.

Even if this view should also become firmly established in Germany, Google Analytics would still be possible with legally compliant user consent.

Our evaluation of the news:

According to the currently published decision of the Data Protection Authority of the Republic of Austria, the use of Google Analytics on websites violates Article 44 of the GDPR.

One of the reasons given for this decision is that the personal data processed by Google Analytics (e.g. unique user identification numbers, IP address and browser parameters) are processed in the USA and are therefore subject to monitoring by US intelligence services.

In its further justification for its decision, the Austrian authority argues that monitoring by U.S. intelligence agencies cannot be ruled out by contractual arrangements between a website operator and Google Therefore, the level of protection required by Article 44 of the GDPR cannot be maintained in the case of processing outside the EU, meaning that the processing of personal data by Google Analytics violates the GDPR.

In addition to the data protection authority of the Republic of Austria, a decision concerning the permissibility of using Google Analytics for personal data on websites or apps is also expected from the Dutch authority.

In Germany, the Bavarian State Commissioner for Data Protection is currently dealing with an identical examination of the compatibility of the use of Google Analytics. A decision on this is not yet available.

Without statement by a German authority or court, the Austrian decision has no legal effect for data processing in Germany.

Following the previous statements of the German supervisory authorities on the processing of personal data outside the EU and in particular in the USA, it must be expected that the German supervisory authorities will also speak out against the permissibility of using Google Analytics without the consent of the users.

Outlook: :  should such a decision be made in Germany in the future, the use of Google Analytics will still permissible with the consent of the website visitors. .  You would then only have to expand the Google Analytics notice in the privacy policy to include a passage on the possible processing of this data in the USA by secret services. There are no binding requirements or guidance on this from the German supervisory authorities. If you already want to take precautionary measures, you can of course contact us at any time for text and implementation suggestions.

We keep a close eye on developments and will inform you immediately in the event of new German statements or rulings.

Managing directors are personally liable for damages resulting from data protection violations (OLG Dresden)

Managing directors are personally liable for damages resulting from data protection violations (OLG Dresden)

Managing Director's liability

Managing directors are “responsible people” in the sense of the GDPR and are personally liable for data protection violations towards the injured parties.

In a rather unremarkable ruling, the Dresden Higher Regional Court (OLG) made an extremely relevant and disturbing decision for managing directors of corporations. The ruling involved the CEO of a hospital who instructed unlawful data processing. The plaintiff patient directed the action against both the hospital company (defendant 1)) and the management (defendant 2)).

The reasons for the verdict were as follows:

Both the defendant to 1) as the defendedant to 2) are responsible within the context of Art. 4 No. 7 of the GDPR, because of being the starting point for a claim arising from Art. 82 par. 1 GDPR is first of all “responsibility”, which is to be affirmed whenever a natural or legal person alone or jointly with others can and does decide on the purposes and means of the processing of personal data (Gola, ed. Gola, DS-GVO-Kommentar, 2nd ed. 2018, Art. 4 para. 48; Ambrock ZD 2020, p. 429 – according to beck-online). This means that, as a rule, employees who are bound by instructions or other employees are no longer responsible, but this does not apply to the managing director, as it was the case with the second defendant at the time the intervener was commissioned.

OLG Dresden, Urteil vom 30.11.2021 - 4 U 1158/21 Abs. II Nr. 1


Instruction-bound employees

According to the clarification of the ruling, employees bound by instructions are generally not liable for data protection violations under Art. 82 of the GDPR.

The OLG Dresden derives the liability of the management from the fact that the management can can decide on the processing of data. Up to now, the legal literature has assumed that managing directors are liable for legal violations against the company within the scope of their tax group status. In this case, however, the scope of liability is extended in such a way that the managing director can be held personally liable for infringements of the law by the injured parties. An “exemption” by the shareholders, the management board or the supervisory board is thus no longer possible in the future, at least for claims for compensation by injured parties.

Privacy Shield successor in sight

Privacy Shield successor in sight

The successor to the EU-US Privacy Shield agreement seems to be within reach. In a corresponding declaration, the EU Commission and the U.S. government have set out the cornerstones for international data exchange in a Trans-Atlantic Data Privacy Framework.

Background history:

In the past, both partners had already tried to reach an agreement under the terms of “Safe Harbor Agreement” and “Privacy Shield”. An agreement, that would enable European citizens to handle personal data fairly and in compliance with the law. Both agreements were declared illegal by the ECJ and were therefore invalid.

One of the key points that the ECJ criticized about the agreements was that the access to personal data of European citizens by U.S. security agencies, especially on the basis of FISA Sec. 702, was nearly unrestricted and without significant legal recourse.

In future:

Access should now only be possible within fixed limits.

EU citizens will have the opportunity to file complaints with a “Data Protection Review Court,” a kind of arbitration body, which would then be neutrally reviewed.

The already from the two previous attempts known certification mechanisms for companies, that have to adapt their own internal data protection principles to the European level, have been retained.

Current state:

Currently, all European companies that use U.S. cloud providers find themselves in a legal uncertainty. Increasingly, regulators are reviewing and sanctioning the use of such services. The Gaia X project, which seeks to provide an open European alternative, can not yet offer companies the same service as the one of established U.S. providers.

The Federal Commissioner for Data Protection and Freedom of Information provides a detailed description of the effects and necessary measures: LINK

When using U.S. cloud providers, a transfer impact assessment must always be conducted to evaluate the risks for those affected.

Transfer Impact Assessment

We have ready-to-use TIAs for the well-known American cloud providers such as Atlassian, Microsoft, AWS, Salesforce and others, which only need to be slightly adapted to the specific company use.

Outlook for the economy

The announcement creates the hope that legal certainty will emerge in the data transfer with the USA and the still unrivaled American cloud providers.