After the Schrems II decision, the non-profit noyb (European Center for Digital Rights), founded by Max Schrems, filed 101 complaints against various companies that transferred the data of EU citizens to US companies. One such complaint was against netdoktor.at, a health website that used Google Analytics to track website visitors.
Like many companies, netdoktor continued to use Google Analytics despite the decision of the European Court of Justice.
Google and other US-based companies (Amazon, Facebook, Microsoft, etc.) have relied on Standard Contractual Clauses (SCCs) and Technical and Organizational Measures (TOMs) to help convince EU partners that their physical and digital protection measures (fences around data centers, data encryption, pseudonymous data, etc.) were enough to protect their data.
But in the netdoktor case, the Austrian Data Protection Authority ("Datenschutzbehörde" or "DSB") has decided that this is not enough: Google Analytics violates the GDPR. They explain:
"With regard to the contractual and organizational measures outlined, it is not apparent, to what extent [the measure] are effective in the sense of the above considerations."
"Insofar as the technical measures are concerned, it is also not recognizable (...) to what extent [the measure] would actually prevent or limit access by U.S. intelligence agencies considering U.S. law."
Based on this decision, many experts believe that this is just the beginning. There are still many complaints waiting to get their day in court, and it is expected that similar decisions will be made by other EU member countries.
The DSB also stated in their decision that they will further investigate Google with regard to the rules on data transfers to the US government without the explicit consent of the EU data exporter.
No penalties have been imposed in this case yet, but if the court does decide to impose them, they could be as high as 4% of a company’s global turnover.