What happened?
The online travel agency operator eDreams collected personal data through HTML code embedded in its website and transferred the same to the U.S. by using Google Analytics and Google Ads services. According to the complainant, represented by non-governmental organization NOYB, such activity breached international data transfers rules in the post-Schrems II environment.
Data processing arising from the use of Google services
The Decision examines to what extent the implementation of Google Analytics on a website enables the website administrator and Google to make a data subject (a visitor to the website in question) identifiable. Apart from (re)confirming that IP addresses are personal data, the AEPD clarifies that when several elements are combined (IP addresses plus other unique identifiers created to differentiate between and single out individuals, metadata, time log, etc.), they allow for the individual identification of visitors to the website by singling them out. It is not necessary to know the actual name or physical address of the visitor following recital 26 of the GDPR. The fact that analytic cookie editors have no intention of identifying individuals is not relevant for the determination that the pieces of information are personal data.
International data transfer in breach of the GDPR
By way of introduction, it should be recalled that the NYOB complaint was filed immediately after the Schrems II judgment. The CJEU declared the European Commission's EU-U.S. Privacy Shield Decision invalid, and, while it upheld the use of Standard Contractual Clauses (“SCCs”), it also stated that the agreement of SCCs, alone, is likely not to be enough to enable international data transfers.
In 2020, when the AEPD received the complaint, it analyzed the safeguards adopted by eDreams for the international transfer of data, and found that eDreams subscribed the SCCs (in force at the time) with Google LLC (not Google Ireland). Although such SCCs also included some complementary measures adopted by the U.S. tech company, the AEPD concluded that these were not effective because they did not prevent the potential access by U.S. intelligence services or render such access ineffective.
Although the AEPD recognizes that:
- such initial SCCs were later modified, and replaced, by the new SCCs that impose different obligations on the parties according to their role in the transfer (either data importer or data exporter) regardless of their status as data processor or data controller (i.e. therefore considering Google Ireland as the exporter instead than eDreams); and
- there is currently a new adequacy decision that could potentially cover international transfers of personal data to U.S. (i.e. the EU-U.S. Data Privacy Framework),
the AEPD appears to conclude that the international transfer of data to the U.S. (even with the SCC and safeguards adopted in 2020 directly with the U.S.-based company) did not comply with the requirements of Chapter V of the GDPR. In particular, the AEPD found that the SCCs were not sufficient to cover the transfer, for the following reasons:
- Google LLC is a provider of electronic communications services within the meaning of 50 U.S.C. § 1881(4)(a) and is subject to surveillance by the U.S. Secret Service pursuant to 50 U.S.C. § 1881(a); and
- the additional measures taken by Google LLC in addition to SCCs do not protect the personal data of the complainant (and of all other users who visited the eDreams website) from access by the U.S. secret services.
Interestingly, as we further analyze in the following section, the AEPD briefly states (in a short paragraph which responds to a subsidiary argument brought by the defendant) that eDreams remains liable for the breach, even following the implementation of the new SCCs (i.e. where the data exporter would not be eDreams, but Google Ireland).
Subsidiary allegations submitted by eDreams – lack of the subjective element of the infringement
As mentioned earlier, eDreams asserts the absence of the subjective element in the commission of the infringement. According to eDreams, it transfers data to a processor (Google Ireland) located within the EU (specifically, Ireland), and therefore, it does not engage in international transfers nor hold the status of an exporter. This stance is reinforced by the fact that, subsequent to the adoption of the new Standard Contractual Clauses (SCCs) by the European Commission, Google Ireland and Google LLC entered into Module 3 (processor-to-processor) of the new SCCs in September 2021.
Addressing this argument, the AEPD concludes that, even if the current SCCs contemplate Google Ireland as the data exporter, eDreams, as data controller, assumes, along with the other terms and conditions of the contract with Google LLC, the agreements relating to data processing and the SCCs that allow the data to be transferred to Google LLC, based in the United States. Therefore, eDreams is responsible for the international transfer of data that occurs as a result of the service provided by Google LLC.
In its reasoning, the AEPD relies on the EDPB Guidelines 05/2021 which state that: “Considering that the transfer is a processing activity carried out on behalf of the controller, the controller is also responsible and could be liable under Chapter V, and also has to ensure that the processor provides for sufficient guarantees under Article 28.”
The question is: would the AEPD have understood that eDreams is responsible for the international transfer of data to the U.S. if it had not been an exporter in the first place and reasonably aware of such transfers and the contractual arrangements surrounding them? Or would it simply be liable due to a lack of due diligence? What does the EDPB mean when it uses the term 'could' to imply potential liability instead of assigning it directly? Unfortunately, the decision does not clarify these questions.
Additionally, it is questionable whether the criteria of considering controllers liable for all breaches regarding international transfers by their processors, acting as exporters, is universally shared by all the DPAs in Europe. Interestingly, the British DPA, ICO, in its Guide to international transfers establishes that a data processor making a restricted transfer to a sub-processor located outside of the UK, must comply with the transfer rules and that the data controller is not responsible for complying with the transfer rules (regardless of any other obligations it may have).
Consequences of the infringement
While, in our opinion the decision still leaves some interesting questions unanswered, the AEPD concludes that eDreams carried out an international data transfer without implementing the appropriate safeguards and, thus, infringed article 44 of the GDPR. This constitutes a very serious breach under the Spanish Data Protection Act. Surprisingly, the AEPD has not imposed any monetary sanction on the entity (neither did the AEPD impose a sanction in the NOYB vs. RAE case).
Instead, it has instructed the entity to align the data processing activity of the Google Analytics service to the provisions of article 44 of the GDPR, in particular by ceasing the international transfer of data until it is established that the Google Analytics service complies with the aforementioned provisions of the GDPR.
Next steps
It should be noted that the AEPD has analyzed a data processing carried out in 2020, considering the context prevailing at that time. Today, following the adoption of the EU-U.S. Data Privacy Framework, the classification of the processing of personal data underlying the activity would probably be different. In fact, the AEPD itself clarifies that "(…) although it is true that a new adequacy decision has been adopted by the European Commission, this was not in force on the date of the opening of the present sanctioning procedure". The AEPD also emphasizes that such adequacy decision does not preclude data protection authorities from assessing the existence of an infringement for transfers made to the U.S. prior to the Commission's new decision on 10/07/2023.
