
DSB Austria: The DPA Behind Schrems I & II — What NOYB Cases Mean for Your Data Transfers

Austria's DSB is the home DPA of NOYB (422 complaints handled in 2022-2024). This post covers the Google Analytics ruling, the Schrems III risk, the 78% of DSB cases that target data transfers, and the technical compliance requirements that follow from them.

March 7, 2026 (8 min read)
Tags: Austria DSB, NOYB, Schrems, GDPR data transfers, EU-US privacy

Austria's Datenschutzbehörde (DSB) is the lead supervisory authority for cases filed by NOYB (None of Your Business), the privacy advocacy organization founded by Max Schrems. NOYB has filed over 1,000 strategic GDPR complaints since 2018, and the DSB handled 422 of them in 2022-2024. Understanding DSB enforcement therefore means understanding the strategic litigation that has reshaped EU data transfer law twice.

NOYB and the DSB: A Strategic Enforcement Pattern

Schrems I (2015): Max Schrems' complaint about Facebook's EU-US data transfers ultimately invalidated the Safe Harbor framework used by 4,000+ companies.

Schrems II (2020): Schrems' follow-up challenge invalidated the EU-US Privacy Shield, affecting 5,000+ companies and triggering an emergency renegotiation resulting in the current EU-US Data Privacy Framework (2023).

Anticipated Schrems III (2025-2026): NOYB has filed challenges to the DPF adequacy decision, arguing that FISA Section 702 remains incompatible with GDPR. A CJEU referral is anticipated.

78% of DSB enforcement cases involve data transfers or third-party integrations — this transfer-centric focus is the defining characteristic of Austrian enforcement.

The DSB's Google Analytics Decision

The DSB's January 2022 Google Analytics decision established the pattern for all subsequent transfer enforcement:

  1. IP addresses are personal data. Truncating the IP does not change this when it is transferred together with persistent cookie identifiers (the Google Analytics client ID) and session data that single out the same visitor across visits; the DSB treated those identifiers as personal data in their own right.
  2. US vendor access = transfer. When US staff can access EU user data (for support, maintenance, or under legal compulsion), that access constitutes a data transfer under GDPR, regardless of where the servers are located.
  3. SCCs without an adequate TIA = violation. Standard Contractual Clauses are insufficient on their own: the exporter must also carry out a Transfer Impact Assessment showing that US surveillance law (FISA Section 702, EO 12333) does not undermine the protection the clauses promise, and adopt supplementary measures where it does.

The DSB found the Austrian website operator — not Google — was the data controller responsible for the illegal transfer. This principle affects every EU business that embeds third-party scripts.

Supplementary Technical Measures: What Actually Works

Post-Schrems II, the EDPB issued Recommendations 01/2020 on supplementary measures required when SCCs alone are insufficient. The DSB enforces this guidance, and its use cases draw a sharp line between measures that work and measures that do not:

Encryption with EU-held keys: If EU personal data is encrypted before transfer with state-of-the-art encryption, and the decryption keys are held exclusively by EU-based key holders whom the importer cannot reach, the EDPB treats the transfer as adequately protected (its Use Case 1, storage or backup). The data remains personal data, but US authorities cannot compel the importer to hand over something it cannot read. The condition is strict: the US vendor must never hold, escrow, or be able to request the key, which means this measure fits storage and backup, not services that must process the plaintext.

Pseudonymization before transfer: If the transferred data contains only pseudonymous identifiers, and the additional information needed to re-identify individuals (the key or lookup table) is held exclusively in the EU, the EDPB accepts this as an effective measure (its Use Case 2). Pseudonymized data is still personal data under Art. 4(5) GDPR; the measure works because the importer cannot single out individuals, and that holds only if the pseudonyms cannot be reversed by brute force or linked back through other fields (IP ranges, user agents, timestamps) that are transferred alongside them.

Local processing: Data that never leaves EU-hosted infrastructure, with no US-based administrative or support access, avoids transfer requirements entirely. Only aggregate, genuinely anonymized statistics are transferred.

The DSB has found that organizations using US SaaS vendors for EU personal data processing must either implement these measures or demonstrate the data is genuinely anonymized.
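To make the pseudonymization point concrete, here is an added example (not code from the original post, and not a DSB or EDPB artifact) in Python. It works through the three variants of "anonymizing" an analytics event that the text contrasts: vendor-style IP truncation, which leaves the persistent client ID intact; an unkeyed SHA-256 of the IP, which an importer can reverse by enumerating the IPv4 space (the example brute-forces within a /16 to keep it fast); and keyed HMAC pseudonymization where the key and the re-identification table stay with the EU controller. The event fields, the `EuPseudonymizer` class, and the check `leaks_raw_identifier` are constructed for illustration. Encryption with EU-held keys follows the same key-custody principle but is not shown, since the standard library carries no AEAD cipher.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Dict, Optional

# Constructed sample: the fields a web-analytics tag typically collects before
# the event is forwarded to a US-hosted vendor. All values are made up.
SAMPLE_EVENT: Dict[str, str] = {
    "client_id": "GA1.2.1234567890.1700000000",  # persistent first-party cookie id
    "ip": "203.0.113.77",                         # RFC 5737 documentation address
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/120.0",
    "page": "/pricing",
    "event": "page_view",
}


def truncate_ip(ip: str) -> str:
    """Vendor-style 'IP anonymization': keep only the /24 (IPv4) or /48 (IPv6) prefix."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def unkeyed_hash(value: str) -> str:
    """What many sites do instead of pseudonymization: a plain SHA-256 of the address."""
    return hashlib.sha256(value.encode()).hexdigest()


def recover_ipv4_from_hash(digest: str, first_two_octets: str) -> Optional[str]:
    """Brute-force an unkeyed SHA-256 IPv4 digest within a /16 (65,536 guesses).

    The whole IPv4 space is only 2^32 values, so the importer (or anyone who obtains
    the data) can reverse an unkeyed hash offline; hashing alone is not pseudonymization.
    """
    for c in range(256):
        for d in range(256):
            candidate = f"{first_two_octets}.{c}.{d}"
            if hashlib.sha256(candidate.encode()).hexdigest() == digest:
                return candidate
    return None


def coarse_user_agent(ua: str) -> str:
    """Reduce the full UA string (a quasi-identifier) to a coarse browser family."""
    for family in ("Firefox", "Chrome", "Safari"):
        if family in ua:
            return family
    return "other"


class EuPseudonymizer:
    """Keyed pseudonymization; the HMAC key and the re-identification table stay in the EU.

    The exporter (EU controller) holds the key and the tag->value map; the importer
    receives only tags it cannot reverse. Rotating the key breaks linkage across periods.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reident: Dict[str, str] = {}  # tag -> original value; never transferred

    def pseudonymize(self, field: str, value: str) -> str:
        # Domain-separate by field name so equal values in different fields get different tags.
        tag = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:32]
        self._reident[tag] = value
        return tag

    def reidentify(self, tag: str) -> Optional[str]:
        return self._reident.get(tag)

    def prepare_for_transfer(self, event: Dict[str, str]) -> Dict[str, str]:
        """Return the event as it may leave the EU: direct identifiers replaced, quasi-identifiers coarsened."""
        out = dict(event)
        out["client_id"] = self.pseudonymize("client_id", event["client_id"])
        out["ip"] = self.pseudonymize("ip", event["ip"])
        out["user_agent"] = coarse_user_agent(event["user_agent"])
        return out


def leaks_raw_identifier(transferred: Dict[str, str], original: Dict[str, str]) -> bool:
    """Exporter-side guard: no original direct identifier may appear in the outbound event."""
    return any(transferred.get(f) == original[f] for f in ("client_id", "ip"))


if __name__ == "__main__":
    # 1. Truncation alone: the cookie id still singles out the visitor across sessions.
    print("truncated ip:", truncate_ip(SAMPLE_EVENT["ip"]), "| client_id still raw:", SAMPLE_EVENT["client_id"])
    # 2. Unkeyed hash: reversible by enumeration.
    print("recovered from unkeyed hash:", recover_ipv4_from_hash(unkeyed_hash(SAMPLE_EVENT["ip"]), "203.0"))
    # 3. Keyed pseudonymization with EU-held key and lookup table.
    p = EuPseudonymizer()
    outbound = p.prepare_for_transfer(SAMPLE_EVENT)
    print("outbound event:", outbound)
    print("re-identified in the EU:", p.reidentify(outbound["client_id"]))
```

The guard `leaks_raw_identifier` is the kind of check worth running in the tag pipeline before anything reaches the vendor endpoint: it catches a misconfigured field mapping that would ship the raw client ID or IP alongside the pseudonyms and collapse the measure. Note that keyed pseudonymization only helps if the key is generated and stored on EU-controlled infrastructure; generating it inside the vendor's SDK would put it in the importer's hands.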

The Schrems III Risk for Organizations Using US Vendors

Organizations relying solely on the EU-US Data Privacy Framework (DPF) for US data transfers face a specific risk: if NOYB's CJEU challenge succeeds — as happened with Safe Harbor (2015) and Privacy Shield (2020) — organizations must immediately scramble for alternative transfer mechanisms.

Organizations using supplementary technical measures (encryption with EU-held keys, pseudonymization with the re-identification key held in the EU, or genuine anonymization before transfer) are insulated from DPF invalidation risk. The lawfulness of their transfers does not hinge on the adequacy decision, because the US vendor never receives personal data it can read or link to an individual.

For Austrian operations specifically: website analytics using US tools (Google Analytics, Mixpanel, Amplitude), CRM systems with US parent companies (Salesforce, HubSpot), and cloud infrastructure with US-accessible admin access all create DSB enforcement exposure. The mitigation is to ensure that personal data in these systems is either anonymized or pseudonymized before it reaches the vendor's systems, with any re-identification key held exclusively by the EU controller, or encrypted with keys the vendor cannot access. The caveat is that the last option only covers storage: a vendor that must process the data in clear (analytics on raw events, CRM records its staff work with) cannot be served by EU-held-key encryption, which is why the EDPB lists such processing as a case with no effective supplementary measure. For those services the choice is EU-hosted processing with no US access, or minimizing what is sent to pseudonymous and aggregate data.
