A decision by Austria’s data protection watchdog upholding a complaint against a website related to its use of Google Analytics does not bode well for use of US cloud services in Europe.
The decision raises a big red flag over routine use of tools that require transferring Europeans’ personal data to the US for processing — with the watchdog finding that IP address and identifiers in cookie data are the personal data of site visitors, meaning these transfers fall under the purview of EU data protection law.
In this specific case, an IP address “anonymization” function had not been properly implemented on the website. But, regardless of that technical wrinkle, the regulator found IP address data to be personal data given the potential for it to be combined — like a “puzzle piece” — with other digital data to identify a visitor.
Consequently the Austrian DPA found that the website in question — a health focused site called netdoktor.at, which had been exporting visitors’ data to the US as a result of implementing Google Analytics — had violated Chapter V of the EU’s General Data Protection Regulation (GDPR), which deals with data transfers out of the bloc.
“US intelligence services use certain online identifiers (such as the IP address or unique identification numbers) as a starting point for the surveillance of individuals,” the regulator notes in the decision [via a machine translation of the German language text], adding: “In particular, it cannot be excluded that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant.”
In reaching its conclusion, the regulator assessed…