Europe’s tough General Data Protection Regulation (GDPR) has mainly been seen as a problem for Big Tech, over the nearly four years in which it has been in effect. Now it’s becoming a real problem for European customers of U.S. cloud services, from retailers to governments.
On Thursday, European privacy campaigners claimed partial victory in an Austrian case involving someone who visited a health-related website that uses Google Analytics, the world’s most widely deployed toolkit for website owners to track how people use their site.
According to the Austrian Data Protection Authority, the website’s operators violated the GDPR by transferring the user’s personal data to Google in the U.S. As established in a bombshell 2020 ruling by the EU’s top court, sending personal data to a company in the U.S. is illegal if that company can’t guarantee the data’s safety from U.S. intelligence services. And thanks to the U.S.’s Foreign Intelligence Surveillance Act (FISA), no American company can provide that guarantee.
The implications could prove wide-reaching. While this complaint involved one website publisher, it was one of 101 complaints lodged at the same time, a year and a half ago, by Big Tech gadfly Max Schrems and his NOYB (“None of your business”) privacy-advocacy group. That mass offensive prompted the EU’s data protection authorities to coordinate their responses, so there is a strong likelihood that as many as 100 similar decisions are incoming.
If so, the upshot would be that websites operating in Europe have a strong incentive to stop using Google Analytics and other U.S.-based cloud services.
“We have filed 101 complaints in basically every [EU] member state,” Schrems told Fortune on Thursday. “They formed a task force, so we expect the other [data protection authorities] to now come forward with similar decisions. This may be dominoes falling country by country now.”
The ruling did not go entirely in NOYB’s favor, because while the Austrian regulator decided against the unnamed website publisher—which Fortune understands is now owned by a German media house—it dismissed the part of the complaint targeting Google itself, reasoning that the relevant part of the GDPR placed legal obligations only on the company exporting the data.
It is also still unclear whether the website publisher received a fine or any other sanctions; the full decision has not yet been published.
While the Austrian decision is the first to address one of those 101 complaints, it follows a similar decision released earlier this week by the European Data Protection Supervisor (EDPS), which specifically has jurisdiction over top EU institutions. The watchdog sanctioned the European Parliament for using Google Analytics and the payments service Stripe on an internal website for arranging COVID-19 PCR tests.
Google said in a statement that the companies and organizations using Google Analytics “control what data is collected with these tools, and how it is used.”
“Google helps by providing a range of safeguards, controls and resources for compliance,” it said, adding that the toolkit does not identify individuals or track them across the web.
As for what European companies and organizations should do now, there are a few potential solutions. One is to stop using U.S. cloud services. Another would be for the U.S. to pass meaningful surveillance reforms that allow American cloud providers to guarantee the safety of foreigners’ personal data—there is little sign of this happening anytime soon.
The other option would be for U.S. cloud providers to set up ring-fenced European data centers in partnership with local companies that then control access to the personal data held on the servers. As it happens, Google recently announced such a service for enterprise customers in Germany, with local IT giant T-Systems as its partner.