Recent decisions by the European Union (EU) have focused on common cookies used on e-commerce and other websites visited by consumers and employees, and on transfers of personal data collected through those cookies to the United States. EU Data Protection Authorities (DPAs) have found that the use of widely used website technologies (i.e. cookies and JavaScript) to automatically collect user device identifiers, or their use of internet protocols (e.g. IP addresses), resulted in the collection of personal data. Data protection authorities further found that the onward transfer of this data to Google servers located in the United States violated EU requirements for cross-border data transfer, as there were no adequate safeguards under the Schrems II decision invalidating the EU-US Privacy Shield. A notable impact of the decisions is to reject the adequacy of encryption technologies where the service provider (such as Google) has access to the cryptographic key and may be compelled to surrender it in order for the data to be decrypted and read by security authorities. Consideration of the impact of these decisions is of crucial importance for e-commerce and other websites operating in the EU, as well as more generally for organizations that transfer the personal data of consumers and employees to the United States.
In another decision, as of December 22, 2021, the Austrian Data Protection Authority has also concluded that Google Analytics cookies transmit personal data as defined by the General Data Protection Regulation (GDPR). The Austrian DPA explained that cookies, which collect unique user identification numbers, IP address and browser settings, contain information to differentiate visitors to the website and to draw conclusions about the browser used, browser settings, language selection, website visited, screen resolution and other information about the website visitor. The Austrian DPA concluded that this “digital fingerprint” meets the definition of personal data, which under Article 4 of the GDPR includes “any information relating to an identified or identifiable natural person”. The DPA further concluded that the standard contractual clauses offered an insufficient level of protection here because the data stored by Google was subject to surveillance by US intelligence agencies. The DPA found that the encryption technologies controlled by Google are insufficient because Google “is subject to 50 USC § 1881a (“FISA 702”) [and] has a direct obligation with respect to the imported data which [its] possession, custody or control to permit access or release. This obligation may expressly also apply to the cryptographic key without which the data cannot be read.” The DPA concluded: “In the opinion of the data protection authority, the Google Analytics tool (at least in the version dated August 14, 2020) cannot be used with the requirement of Chapter V of the GDPR”.
Shortly after the decisions of the EDPS and the Austrian DPA, the French Data Protection Authority, the CNIL, followed suit on February 10, 2022 by issuing a declaration warning that transfers to the United States of unique identifiers collected via Google Analytics cookies are not sufficiently supervised, and indicated that the CNIL was initiating formal notice procedures for site managers using Google Analytics. The CNIL has indicated that it considers these transfers to be illegal because there are not sufficient measures to exclude the possibility of access by the American intelligence services to this data. The CNIL declaration requires the manager of a French website to comply with the GDPR, and, if necessary, to no longer use this tool under current conditions.
 Discussions of the Austrian DPA decision and CNIL statement are based on machine translations of these documents.
©2022 Epstein Becker & Green, PC. All rights reserved. National Law Review, Volume XII, Number 59