In late December, the Austrian Data Protection Authority (“DPA”) ruled that a local Austrian website’s use of Google Analytics—specifically, the sharing of personal data with the U.S.-based provider—violated the privacy protections set forth in the General Data Protection Regulation (“GDPR”) as clarified in the Schrems II decision.
In order to transfer data from a location within the E.U. to a location outside of the E.U., an entity must either (1) be sending the personal data to a country that the E.U. Commission has determined provides “adequate” safeguards equivalent to those in the E.U.; or (2) making the transfer subject to appropriate safeguards. Those safeguards can take the form of the Standard Contractual Clauses (“SCCs”), binding corporate rules, or additional contractual safeguards.