Following NOYB's filing of 101 complaints over continued EU-U.S. data transfers by website operators in the European Economic Area (EEA) in the post-Schrems II era, the Spanish Data Protection Agency (AEPD) issued its first decision on the subject at the end of 2022 (which we analyzed in a previous entry) without taking a clear stand.
Now, one year later, the AEPD has re-examined the issue in the context of a complaint and sanctioning decision PS/00349/2022 against the online travel brand eDreams (the Decision). The Decision addresses several interesting topics: the nature of information as personal data due to its ability to single out individuals, the treatment of unique identifiers as personal data and, most importantly, international data transfers to the U.S. in the context of Google Analytics before the establishment of the EU-U.S. Data Privacy Framework.
The online travel agency operator eDreams collected personal data through HTML code embedded in its website and transferred that data to the U.S. by using the Google Analytics and Google Ads services. According to the complainant, represented by the non-governmental organization NOYB, such activity breached the international data transfer rules in the post-Schrems II environment.
The Decision examines to what extent the implementation of Google Analytics on a website enables the website administrator and Google to make a data subject (a visitor to the website in question) identifiable. Apart from (re)confirming that IP addresses are personal data, the AEPD clarifies that when several elements are combined (IP addresses plus other unique identifiers created to differentiate between and single out individuals, metadata, time logs, etc.), they allow for the individual identification of visitors to the website by singling them out. Following recital 26 of the GDPR, it is not necessary to know the actual name or physical address of the visitor. The fact that the providers of analytics cookies have no intention of identifying individuals is irrelevant to the determination that these pieces of information are personal data.
By way of introduction, it should be recalled that the NOYB complaint was filed immediately after the Schrems II judgment. The CJEU declared the European Commission's EU-U.S. Privacy Shield Decision invalid and, while it upheld the use of Standard Contractual Clauses ("SCCs"), it also stated that agreeing to SCCs alone is likely not enough to enable international data transfers.
In 2020, when the AEPD received the complaint, it analyzed the safeguards adopted by eDreams for the international transfer of data and found that eDreams had signed the SCCs (in force at the time) with Google LLC (not Google Ireland). Although those SCCs also included some complementary measures adopted by the U.S. tech company, the AEPD concluded that these were not effective because they did not prevent potential access by U.S. intelligence services or render such access ineffective.
Although the AEPD recognizes that:
the AEPD appears to conclude that the international transfer of data to the U.S. (even with the SCCs and safeguards adopted in 2020 directly with the U.S.-based company) did not comply with the requirements of Chapter V of the GDPR. In particular, the AEPD found that the SCCs were not sufficient to cover the transfer, for the following reasons:
Interestingly, as we further analyze in the following section, the AEPD briefly states (in a short paragraph which responds to a subsidiary argument brought by the defendant) that eDreams remains liable for the breach, even following the implementation of the new SCCs (i.e. where the data exporter would not be eDreams, but Google Ireland).
As mentioned earlier, eDreams asserts the absence of the subjective element in the commission of the infringement. According to eDreams, it transfers data to a processor (Google Ireland) located within the EU (specifically, Ireland), and therefore, it does not engage in international transfers nor hold the status of an exporter. This stance is reinforced by the fact that, subsequent to the adoption of the new Standard Contractual Clauses (SCCs) by the European Commission, Google Ireland and Google LLC entered into Module 3 (processor-to-processor) of the new SCCs in September 2021.
Addressing this argument, the AEPD concludes that, even if the current SCCs contemplate Google Ireland as the data exporter, eDreams, as data controller, assumes, along with the other terms and conditions of the contract with Google LLC, the agreements relating to data processing and the SCCs that allow the data to be transferred to Google LLC, based in the United States. Therefore, eDreams is responsible for the international transfer of data that occurs as a result of the service provided by Google LLC.
In its reasoning, the AEPD relies on the EDPB Guidelines 05/2021 which state that: “Considering that the transfer is a processing activity carried out on behalf of the controller, the controller is also responsible and could be liable under Chapter V, and also has to ensure that the processor provides for sufficient guarantees under Article 28.”
The question is: would the AEPD have understood that eDreams is responsible for the international transfer of data to the U.S. if it had not been an exporter in the first place and reasonably aware of such transfers and the contractual arrangements surrounding them? Or would it simply be liable due to a lack of due diligence? What does the EDPB mean when it uses the term 'could' to imply potential liability instead of assigning it directly? Unfortunately, the decision does not clarify these questions.
Additionally, it is questionable whether the criterion of holding controllers liable for all breaches regarding international transfers by their processors, acting as exporters, is universally shared by all the DPAs in Europe. Interestingly, the UK DPA, the ICO, in its Guide to international transfers establishes that a data processor making a restricted transfer to a sub-processor located outside of the UK must comply with the transfer rules, and that the data controller is not responsible for complying with the transfer rules (regardless of any other obligations it may have).
While, in our opinion, the Decision still leaves some interesting questions unanswered, the AEPD concludes that eDreams carried out an international data transfer without implementing the appropriate safeguards and thus infringed article 44 of the GDPR. This constitutes a very serious breach under the Spanish Data Protection Act. Surprisingly, the AEPD has not imposed any monetary sanction on the entity (nor did the AEPD impose a sanction in the NOYB vs. RAE case).
Instead, it has instructed the entity to align the data processing activity of the Google Analytics service to the provisions of article 44 of the GDPR, in particular by ceasing the international transfer of data until it is established that the Google Analytics service complies with the aforementioned provisions of the GDPR.
It should be noted that the AEPD has analyzed data processing carried out in 2020, considering the context prevailing at that time. Today, following the adoption of the EU-U.S. Data Privacy Framework, the classification of the processing of personal data underlying the activity would probably be different. In fact, the AEPD itself clarifies that "(…) although it is true that a new adequacy decision has been adopted by the European Commission, this was not in force on the date of the opening of the present sanctioning procedure". The AEPD also emphasizes that such an adequacy decision does not preclude data protection authorities from assessing the existence of an infringement for transfers made to the U.S. prior to the Commission's new decision of 10/07/2023.
Authored by Joanna Rozanska, Santiago de Ampuero and Clara Lázaro.