Cookies Resulting in Cross Border Transfers of Personal Data to the United States Draw Scrutiny from European Data Privacy Regulators
Recent decisions from the European Union (EU) have placed renewed focus on the use of common cookies used on ecommerce and other websites used by consumers and employees and transfers of personal data collected through cookies to the United States. The EU Data Protection Authorities (DPAs) found that the use of widely used website technologies (i.e., cookies and java script) to automatically collect identifiers from the users’ devices or through their use of internet protocols (e.g., IP addresses) resulted in the collection of personal data. The DPAs further found that the subsequent transfer of this data to Google servers located in the United States violated EU cross-border data transfer requirements because there were inadequate safeguards under the Schrems II decision invalidating the EU-US Privacy Shield. One notable impact of the decisions is to dismiss the adequacy of encryption technologies where the service provider (such as Google) has access to the cryptographic key and can be compelled to surrender it in order for the data to be decrypted and read by U.S. surveillance authorities. Consideration of the impact of these decisions is critically important for ecommerce and other websites operating in the EU, as well as more generally for organizations that transfer personal data of consumers and employees to the U.S.
In another decision dated December 22, 2021, the Austrian Data Protection Authority similarly concluded that Google Analytics cookies transmit personal data as defined by the General Data Protection Regulation. The Austrian DPA explained that cookies, which collect unique user identification numbers, IP address and browser parameters contain information making it possible to differentiate between website visitors and draw conclusions about the browser used, browser settings, language selection, website visited, screen resolution and other information related to the website visitor. The Austrian DPA concluded that this “digital footprint” satisfied the definition of personal data, which, under Article 4 of the GDPR, includes “any information that relates to an identified or identifiable natural person.” The DPA further concluded that Standard Contract Clauses offered an insufficient level of protection here because the data stored by Google was subject to surveillance by U.S. intelligence agencies. The DPA found that encryption technologies controlled by Google are insufficient because Google “is subject to 50 U.S.C. § 1881a (“FISA 702) [and] has a direct obligation with regard to the imported data that is in [its] possession, custody or control to grant access to or release them. This obligation can expressly also apply to the cryptographic key without which the data cannot be read.” The DPA concluded, “In the opinion of the data protection authority, the Google Analytics tool (at least in the version dated August 14, 2020) cannot be used with the requirement of Chapter V of the GDPR.”
Not long after the EDPS and Austrian DPA decisions, the French Data Protection Authority, CNIL, on February 10, 2022, followed suit, issuing a statement cautioning that transfers to the United States of unique identifiers collected through Google Analytics cookies are not sufficiently supervised, and indicated that CNIL was initiating formal notice procedures for website managers using Google Analytics. The CNIL stated that it considers these transfers to be illegal because there are insufficient measures to exclude the possibility of access by American intelligence services to this data. The CNIL statement requires a manager of a French website to comply with the GDPR, and, if necessary, to no longer use this tool under the current conditions.
 Discussions herein of the Austrian DPA decision and CNIL statement rely on machine translations of these documents.