Rattled Google urges haste in replacing Privacy Shield

Shipping data to the US is getting harder for companies like Google

Image:
Shipping data to the US is getting harder for companies like Google

Ruling by Austria that Google Analytics breaks GDPR means finding a successor is urgent, company says

Recent moves by two European data protection agencies concerning Google Analytics appear to have rattled the search and adtech giant, which has published a blog urging the US and EU authorities to get a move on in finalising a replacement for Privacy Shield, which was struck down in the July 2020 Schrems II ruling.

The blog, by Kent Walker, president global affairs and chief legal officer at Google and Alphabet, comes after the Austrian DPA judged that Google Analytics, which provides website metrics for millions of sites around the world, contravenes GDPR because the information transferred to the US by Google could be used by the country's intelligence agencies to identify individuals.

Following that ruling, the Dutch DPA Autoriteit Persoonsgegevens (AP) said it is also investigating Google Analytics for possible breaches of the rules.

"According to the Austrian regulator, in this investigated case Google Analytics was found not to comply with the General Data Protection Regulation," it said (PDF, translation). "The AP is currently investigating two complaints about the use of Google Analytics in the Netherlands. Upon completion of that investigation, in early 2022, the AP will be able to say whether Google Analytics is now permitted or not."

In his blog post, Google's Walker says the Austrian ruling "may portend broader challenges".

"If a theoretical risk of data access were enough to block data flows, that would pose a risk for many publishers and small businesses who use the web, and highlight the lack of legal stability for international data flows facing the entire European and American business ecosystem," he writes, urging the two camps to come to a workable agreement on data transfer rules.

"Businesses in both Europe and the US are looking to the European Commission and the US Department of Commerce to quickly finalise a successor agreement to the Privacy Shield that will resolve these issues."

Negotiations between the EU and US on replacing Privacy Shield have been going on for the last 18 months.

Walker says that both companies and civil society are looking for "evidence-based" reforms, and adds: "The stakes are too high — and international trade between Europe and the US too important to the livelihoods of millions of people — to fail at finding a prompt solution to this imminent problem."

So far, the warnings about Analytics come from DPAs in just two countries, rather than the EU as a whole, but there's no doubting the direction of travel given other noises from the bloc.

Sebastian Kaus, data governance lead at European energy company Vattenfall, told Computing that regulations are top of mind when it comes to picking tech partners: "I think most of Europe will follow [the Austrian lead]. Google Analytics is having a hard time," he said.

2021 saw record GDPR fines levied against tech companies, including Amazon and WhatsApp (now Meta). Overall, the fines (totalling nearly £1 billion), were seven times those imposed in 2020.