On January 13, 2022, the Austrian data protection authority published its decision on the compliance of the client-side standard implementation of Google Analytics. IP addresses and other personal data were transmitted to Google servers based on Google’s standard SCCs.
Even with the alleged “IP anonymization,” the measures in place were not sufficient to protect personal data from possible access by U.S. intelligence agencies.
According to the notice, the authority found “a violation of the general principles of data transfer pursuant to Art. 44 GDPR.” Article 44 regulates the transfer of personal data to a third country or to an international organization. In the specific case, at least “a unique user ID number, IP address and browser parameters” had been transferred to Google. This means that a unique profile of the user can be created.
The “standard protection clauses” concluded with Google do not provide an “adequate level of protection,” for example to eliminate “surveillance and access possibilities by U.S. intelligence services,” the authority writes in its justification. Google had previously argued that it had implemented various technical and organizational measures to protect the data of European citizens from access by U.S. authorities.