
Is the Austrian DPA's latest Google Analytics decision a cause for pause on international data transfers?

Lynn Goldstein, Senior Foundation Strategist at the Information Accountability Foundation, thinks not.

Max Schrems' "None Of Your Business" organisation (NOYB) recently reported on the Austrian DPA's second ruling on the legality of Google Analytics' data transfers to third countries. This comes as part of 101 claims brought by NOYB over Google's collection of individuals' data (IP address and cookies at a minimum) while they browse websites that use Google Analytics' services, data which could be linked back to the individual through their Google account.

Data protection authorities across the EU have been considering the legality of transfers of such personal data to the US, and it's safe to say that Google has been taking a hit, with the decisions generally finding against it. However, there has been some speculation amongst data privacy lawyers that a risk-based approach to international data transfers may be the antidote to the potential these rulings have to grind international businesses' data-sharing practices to a complete halt - particularly in the context of Schrems II invalidating the EU-US Privacy Shield (which was arguably NOYB's most impactful achievement to date).

The Austrian DPA's ruling considers whether the EU GDPR allows for a risk-based approach to international data transfers (i.e. under Article 44), whereby a Controller might balance the risk to the rights and freedoms of the individuals against the likelihood and severity of those risks and the nature and purpose of the processing taking place. It has found that Article 44 does not allow for this, but Lynn Goldstein considers this to be an erroneous decision, and her reasoning is compelling.

It will be interesting to see how other data protection authorities tackle this question, and the approach the UK decides to take as its own data privacy regime starts to diverge from the EU model.

By its very nature, the entire GDPR is risk-based, not just certain articles. If the warranties made by the parties to the 2021 SCCs are fulfilled and the assessments required by 2021 SCCs are conducted with competency and integrity, the Austrian DPA’s second Google Analytics decision should not hinder today’s data transfers.

