Little Austria Throws a Giant Wrench Into Transatlantic Data Flows

February 8, 2022

Europe’s standoff with America over digital privacy may be coming to a head — sparked by a little-noticed court decision in Austria.

Photo: Karl Nehammer, Austrian Federal Chancellor at the European Council in Brussels. Credit: European Council.

It’s been a year and a half since the European Court of Justice ruled illegal the Privacy Shield which allowed the transatlantic transfer of personal data. Since then, data has continued to flow, with companies falling back on standard contractual clauses.

But this workaround now looks in jeopardy. Austria’s data protection agency Datenschutzbehörde recently ruled the use of Google Analytics on an obscure local medical site called NetDoktor breached European privacy rules. Following the European Court of Justice ruling, the agency said NetDoktor’s data sent to the US wasn’t protected against potential access by US intelligence agencies. Almost simultaneously, the Dutch data protection agency let it be known that it would draw a similar conclusion.

The rulings, some of the first following the European Court Privacy Shield judgment, represent a giant challenge for both American and European companies. In a blog post, Google’s President for Global Affairs Kent Walker criticized the decision, saying that US regulators never had requested such data in the fifteen years since the company began offering Analytics tools.

The Google Analytics data in question is of little practical interest to US intelligence agencies. Like almost all websites, NetDoktor places a small snippet of code — a cookie — on computers connecting to it and tracks how long your computer stays on the website and what interests you. Yet because the data transits through Google’s US data centers, the Austrian Court said it breaks Europe’s GDPR privacy rules.

“While this decision directly affects only one particular publisher and its specific circumstances, it may portend broader challenges. If a theoretical risk of data access were enough to block data flow, that would pose a risk for many publishers and small businesses who use the web,” Walker wrote. “The stakes are too high — and international trade between Europe and the United States too important to the livelihoods of millions — to fail at finding a prompt solution to this imminent problem.”

Although US and European negotiators continue to hint that they are close to solving the transatlantic data flows conundrum, they reportedly remain stuck on one issue: the countermeasures Europeans could take if the US government demands access to their data. The US is not prepared to change the rules that allow its National Security Agency to access data flows “in transit” through the US. The European Commission must find an agreement that its European Court of Justice will uphold.

Time is running out. While the Americans and Europeans remain stuck in a legal impasse, authoritarian countries led by China are moving fast. At the beginning of this year, China adopted new privacy rules which allow data packages to be categorized, priced, and traded like any raw material. Shanghai’s newly created Data Exchange is of course is under the control of the Communist Party.

While the Chinese system remains an internal matter (at least for now), it could become the standard setter. Already, it threatens to give carte blanche to autocracies to create new standards for data management.

Joe Biden’s White House is concerned. The Chinese data threat has motivated the US to attempt to build a Democratic Internet Alliance. Data flows have become a key topic of the Trade and Technology Council (TTC) between the EU and the US.

In the meantime, expect continued turbulence. Regulators in 30 European countries are reportedly investigating the other cases, which cover both the use of Google Analytics and Facebook Connect. In addition to questioning the data practices of the largest US tech companies, cases are being opened against a broad array of both American and European companies, ranging from Airbnb to Ikea to the Huffington Post. Analysts expect regulators and European courts to come to a similar conclusion as in Austria — all data shared with any US company violates Europe’s GDPR privacy rules.

If Brussels and Washington thought they could just forget the data flow conundrum, and see it fade away, they seem to be mistaken. Europe’s highest court cannot be ignored. The only solution is for US and European negotiators to come up with a new Privacy Shield that can pass legal muster and allow the crucial, unimpeded flow of data across the Atlantic Ocean.

Otto Lanzavecchia is an Italian journalist currently writing for Formiche.net and Decode39. A City, University of London alumnus, he focuses on international affairs, technology, and the ecological transition.