Proofpoint uses Google Analytics for its public-facing website in encrypted form and with other privacy controls in place. Google Analytics is neither relevant to Proofpoint products nor the platform on which such products reside. Despite some uncertainty globally, recent decisions from Austria and France have addressed the legality of Google Analytics given the invalidation of Privacy Shield and the European Court of Justice’s Schrems II ruling regarding personal data transfers to the United States. Based on these decisions, the transfer of European Internet Protocol (IP) addresses processed by Google Analytics to the United States is not illegal in absolute terms; however, these decisions reinforce the need for adequate protections.
The Austrian and French decisions are the first decisions released following a total of 101 complaints filed by Max Schrems, an Austrian attorney who founded the privacy community called “NOYB” (my privacy is “None of Your Business”). The complaints were filed in all 30 European Union (EU) and European Economic Area (EEA) member states against 101 European companies that forward data about each visitor to Google and Facebook.1
In the first Austrian decision, an Austrian company was using Google Analytics on its website and a user visited the company’s website while being logged into his Google account which then resulted in user identification numbers (user IDs, IP address and browser parameters) passing through Google’s servers and transferring to Google in the United States. The transfer was deemed in breach of the General Data Protection Regulation (“GDPR”) because the Austrian company did not have proper protections in place, especially against U.S. intelligence agencies. Google is classified as an electronic communication service (“ECS”) whereas Proofpoint is a remote computing service. This distinction is important because under the CLOUD Act2 , U.S. authorities can demand personal data from ECS’s even when they are operating outside of the U.S. The Austrian Data Protection Authority has since released a second decision in which it stated Google’s IP anonymization function is an insufficient protection. In the French decision, the CNIL (the French data protection watchdog) ruled that an unnamed website should not be allowed to use Google Analytics without appropriate guarantees being in place. In other news, jurisdictions such as Spain and Germany have closed the complaints without rendering a decision on the legality of Google Analytics.
The Austrian and French decisions do not ban the use of Google Analytics but reinforce the strong need for adequate protections to be in effect to ensure compliance with the GDPR. Additionally, these decisions highlight the need for an appropriate framework for data processing and the transmission of data between the U.S. and the EU. Proofpoint and other U.S. companies will be eagerly awaiting as the transAtlantic data privacy framework, agreed to in principle and announced on March 25, 2022, is translated into legal documents.
© 2022. All rights reserved. The content on this site is intended for informational purposes only.
Last updated May 31, 2022.