Österreichischen Datenschutzbehörde (Austrian data protection authority) – Court Ruling (Austria, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
An Austrian court ruled that an Austrian website's use of Google Analytics led to illegal data transfers to the US. The court found that Google's measures weren't enough to protect personal data from US intelligence access. This decision highlights the importance of ensuring data protection when transferring data internationally.
What happened
An Austrian court found that an Austrian website's data transfers to Google in the US were unlawful.
Who was affected
Visitors to the Austrian website whose data was transferred to Google in the US.
What the authority found
The court ruled that the data transfer was unlawful because Google's measures didn't adequately protect personal data from US intelligence access.
Why this matters
This case emphasizes the need for companies to ensure robust data protection measures when transferring data outside the EU. It reinforces the importance of complying with GDPR requirements for international data transfers.
GDPR Articles Cited
This case concerns a judicial review against a 2021 decision of the Austrian DPA (Datenschützbehörde - DSB). The decision originally stemmed from a complaint filed by the NGO noyb, following the CJEU judgement in case [https://curia.europa.eu/juris/liste.jsf?num=C-311/18 C-311/18] ("Schrems II"). The Austrian DPA found that the use of Google Analytics by an Austrian website led to the transfer of personal data to the US in violation of Chapter V of the GDPR. At the same time, the supervisory authority ruled that Chapter V of the GDPR sets out obligation only for the data exporter - in the present case, the Austrian website - and not the data importer - Google LLC. Google LLC appealed the decision. Google stated that transfers were lawful as they relied on Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR. It also claimed to have adopted a "risk-based approach" to the transfers, by implementing technical and organisational measures aiming at mitigating the risks to Europeans' data protection rights. The data subject also appealed the decision, arguing that Chapter V of the GDPR applies to data importers, too. In addressing the controller's appeal, the court confirmed that the data transfer to Google LLC was unlawful. Referring to the CJEU judgement in case [https://curia.europa.eu/juris/liste.jsf?num=C-311/18 C-311/18], the court held that SCCs can be considered effective only as long as - on their own or in combination with additional technical and organisational measures - they are able to compensate for the risks taken by a data exporter when transferring data to third countries. If the data exporter is not able to meet these requirements, data transfers are unlawful and shall not take place. With regard to the present case, the court found that even though Google had implemented certain organisational and technical measures, these were not sufficient to prevent US intelligence agencies from accessing Europeans' personal data. As
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Österreichischen Datenschutzbehörde (Austrian data protection authority) in AT
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Österreichischen Datenschutzbehörde (Austrian data protection authority) - Austria (2023). Retrieved from cookiefines.eu
Last updated: