After Austria, the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), has now also passed judgement against Google Analytics. The transfer of personal data to the USA is currently not sufficiently regulated. In the absence of an adequacy decision for transfers to the USA, the transfer of data can only take place if adequate safeguards are provided, in particular for this data flow.
According to the CNIL, the measures taken by Google Analytics are not sufficient to protect personal data from the US intelligence services.
The Austrian and Facebook user Mr Schrems was of the opinion, due to the revelations of Edward Snowden at the time, that the USA did not offer sufficient protection of his transmitted personal data from surveillance activities of the authorities there. Facebook’s Irish subsidiary transferred the personal data collected in the EU countries to servers in the USA and processed it there. Mr Schrems filed a complaint with the Irish supervisory authority on the basis of his concerns, which it rejected on the basis of the European Commission’s “Safe Harbour Regulation” of 26 July 2000. This contained a set of principles on the protection of personal data to which American companies could voluntarily submit.
The European Court of Justice (ECJ) declared the “safe harbour rule” invalid in the Schrems – I ruling. It only applies to American companies, but not to the authorities of the United States. The requirements of national security, public interest and the implementation of United States laws take precedence over the safe harbour rule. The US authorities can access the personal data and process them in a way that is incompatible with the purposes of their transfer. Furthermore, it would be impossible for data subjects to access their transferred data, i.e. to question the lawfulness for legitimate processing or to obtain its deletion.
The ECJ invalidates the European Commission’s Privacy Shield Decision 2016/1250 of 12 July 2016.
The access by US authorities to personal data transferred from the EU does not comply with the requirements of Union law, as the US law-based surveillance programmes are not limited to what is strictly necessary. The access is not equivalent to the principle of proportionality applicable in the Union.
Furthermore, according to the ECJ ruling, the ombudsman mechanism set out in the Privacy Shield does not provide data subjects with the possibilities envisaged by Union law, i.e. the independence of the ombudsman and the power of the ombudsman to issue binding decisions vis-à-vis the US intelligence services.
Many companies in the EU use software from US providers. The decisions concern those software that process personal data. We recommend keeping cool and waiting to see what agreements are reached on this.
