Four GDPR Data Transfer Lessons from the EDPB’s 101 Task Force Report

The European Data Protection Board (EDPB) has published a report on the work of its 101 Task Force. The report provides insights into how European data protection authorities (DPAs) are approaching complaints about one of the GDPR’s toughest problems: international data transfers.

This article will explain the background of the EDPB’s 101 Task Force and draw out four key lessons from the report—to help you understand why using certain US-based software products could be illegal under the GDPR.

What Is the 101 Task Force?

The EDPB’s 101 Task Force was established to deal with 101 complaints submitted in several EU countries by the privacy campaign group noyb (“None of Your Business”).

The complaints came shortly after noyb’s founder, Austrian activist Max Schrems, won a Court of Justice of the European Union (CJEU) case against Facebook (now Meta).

The case, now known as “Schrems II”, concerned the GDPR’s rules on international data transfers—sharing personal data with organisations based outside of the European Economic Area (EEA).

Under the GDPR, international data transfers must be covered by a “transfer safeguard”. In Schrems II, the CJEU overturned an international data transfer scheme called Privacy Shield, used by thousands of US-based businesses to safeguard data transfers from the EEA.

Standard Contractual Clauses (SCCs)

As well as invalidating Privacy Shield, the CJEU questioned the validity of another commonly-used transfer mechanism known as “standard contractual clauses” (SCCs). 

SCCs are provisions that can be entered into an agreement between a “data importer” (based in a “third country”, such as the US) and a “data exporter” (based in the EEA), binding the data importer to uphold a strong standard of data protection.

The CJEU noted that SCCs alone do not prevent foreign intelligence services—specifically those in the US—from accessing personal data. 

The court found that EEA-based data exporters must also implement technical measures to effectively eliminate the risk of unauthorised access to personal data.

Google and Meta

Noyb’s 101 complaints each concerned EEA-based companies using two popular online tracking tools: Google Analytics and the Meta Pixel (previously the “Facebook Pixel”).

The group alleged that companies using these tools were breaking the law because they had not implemented safeguards that would prevent access to personal data by US intelligence services.

However, note that Google Analytics and the Meta Pixel are not unique in the way that they transfer personal data to US-based companies. The lessons from the 101 Task Force’s report could apply to many other software tools.

Four Lessons from the 101 Task Force Report

By now, you should understand the background and the meaning of important terms such as “SCCs” and “international data transfer”. So let’s look at four lessons on data transfers from the 101 Task Force report.

1. Data transfers aren’t the only consideration when using Google and Meta’s tools

From the outset, the EDPB notes that data transfers are just one consideration for EEA-based companies wishing to use Google Analytics or the Meta Pixel.

“…if a certain tool is being used for collection of personal data on a website without a legal basis within the meaning of Article 6(1) GDPR, the data processing is unlawful, even if there were no issues with the requirements of Chapter V GDPR.”

Article 6(1) of the GDPR requires that all processing of personal data is “lawful, fair, and transparent”. Chapter V of the GDPR covers the rules on international data transfers.

While the 101 Task Force focuses exclusively on data transfers, it’s important to remember that there might be other legal issues with using products such as Google Analytics and the Meta Pixel.

For example, processing personal data under the GDPR requires a “legal basis”. Organisations running analytics and advertising tools that employ cookies should normally get consent, which means configuring tools so they do not activate without a website visitor’s permission.

Noyb’s 101 complaints focused on data transfers—but this is just one piece of the GDPR compliance puzzle. Google and Meta products collect a lot of personal data, and there could be broader GDPR compliance issues to consider before using these tools.

2. Encryption doesn’t always protect personal data

The 101 Task Force agreed that Google and Meta’s tools transfer personal data to the US, and don’t employ the sorts of technical safeguards that meet the GDPR’s data transfer requirements.

As noted above, SCCs can be a valid data transfer tool. But in the Schrems II decision, the CJEU found that companies using SCCs might also need to supplement the protection provided by SCCs via additional technical safeguards.

Encryption can be one such technical safeguard. But the 101 Task Force notes that encryption is not always enough.

EEA-based companies can lawfully transfer personal data to US-based companies if the following three conditions are met:

  1. SCCs are in place, and
  2. The personal data is encrypted, and
  3. The US-based company does not have the decryption keys.

Google Analytics and the Meta Pixel meet the first two conditions—but not the third.

Google Analytics and the Meta Pixel are used in part to analyse individuals’ behaviour on websites. As such, Google and Meta need to “see” the personal data that their tools collect.

Google and Meta both state that they encrypt personal data “in transit” to the US, which should prevent any unauthorised third party from intercepting personal data. 

However, Google and Meta control the encryption keys, allowing the companies to decrypt and analyse the personal data and share the results of this analysis with website operators. The personal data is thus accessible to these companies in unencrypted form.

Due to the nature of US national security law, US intelligence services can order US companies to hand over both encrypted personal data and the encryption keys required to decrypt it. This creates an unacceptable risk of unauthorised access and renders the transfer unlawful.

3. European organisations are liable for unlawful data transfers

European companies—not Google and Meta—are accountable for any GDPR violations caused by using tools such as Google Analytics and the Meta Pixel.

Although Noyb’s 101 complaints focused on these two products, Google and Meta were not the respondents. Noyb’s complaints were directed at EEA-based websites acting as “data controllers” by implementing Google Analytics or the Meta Pixel on their websites.

Under the GDPR, a data controller “determines the purposes and means” of the processing of personal data. 

The starting point in assessing each of the 101 complaints was that a website operator using Google Analytics or the Meta Pixel is a data controller, because it:

  • Decides (determines) to install the tool on its website.
  • Has a reason (purpose) for using the tool (e.g. to drive sales through behavioural advertising).
  • Chooses the method (means) of processing personal data (e.g. using the Meta Pixel to collect personal data about its users and display relevant ads).

Website operators using Google Analytics and Meta Pixel transfer personal data about their website visitors to US-based servers owned by Google and Meta (respectively). These website operators are responsible for implementing data transfer safeguards—not Google or Meta.

4. European regulators are taking a consistent approach

In early 2022, EU DPAs began concluding some of the 101 complaints. For example, DPAs in several countries, including Finland, Austria, France, Italy, and Denmark, have all decided complaints about companies that use Google Analytics.

In each case, the DPAs came to the same conclusion: Google Analytics, when implemented in any of the standard configurations provided by Google, cannot be used without violating the GDPR.

Each DPA made the same decision: the website operator must remove Google Analytics.

There’s a reason for this consistent approach. EEA regulators have mechanisms to help them resolve any disagreements and ensure they are applying the law consistently.

This means that all of the outstanding 101 complaints are likely to be decided in the same way—together with any further complaints that arise regarding Google Analytics, the Meta Pixel, or any other tools that transfer personal data to the US without sufficient safeguards.

We hope this guide was helpful. Thank you for reading and we wish you the best of luck with improving your company’s privacy practices! Stay tuned for more helpful articles and tips about growing your business and earning trust through data-protection compliance.