Google Gets In Trouble w/ CNIL

It's funny the things that we remember about our childhood. In the summer of 1983, I was seven years old, and although I don't recall a lot about that year, two things are forever seared into my memory. First, "Every Breath You Take" by The Police was the number one hit of the year. It was on a heavy rotation and appealed to music fans of all ages.

The other memory I have from that summer was that a gang of 9-year-old girls thought it would be funny to dunk my head in the water at the community pool to prove that they were stronger than me (which is still easy to do). Around the 20th dunk, I became convinced that the end was nigh. Our adult supervision was busy enjoying cocktails and grilling hotdogs while I quietly resigned to the irony that Sting might be crooning about breath while I could not catch one.

Fast forward many years (including an arguably lousy couple of decades for pop music), and I'm proud to report that I survived that trauma, although I can no longer stand The Police. But now, as Google repeatedly gets its proverbial head dunked in the waters of data privacy enforcement actions again in less than a month, I think I can imagine how Google's legal & compliance team must feel each time they come up for a breath. The French DPA (CNIL) and NYOB, in a true "hold my beer" moment, piled on to Austria's finding that a website’s use of Google Analytics violates the GDPR and that Google Analytics is effectively illegal in France as well.

What does this mean for Google and the broader MarTech ecosystem?

NYOB has a strong opinion on the topic: "In the long run, there seem to be two options: Either the US adapts baseline protections for foreigners to support their tech industry, or US providers will have to host foreign data outside of the United States."

Unfortunately, building infrastructure outside of the United States may not be sufficient. If a US company hosts data outside of the US, but that data is still subject to long-arm jurisdiction of US surveillance, will it still be a potential violation of the GDPR? We at Osano and the rest of the privacy community wait with bated breath to see whether the EU regulators and data protection authorities will provide more clarity and whether real progress can be made while the US surveillance laws and federal privacy protections remain unchanged.

The recent slew of rulings against big tech do raise a big question: Is GDPR, with all of its good intent driving us towards a set of nationalized Internets where the EEA has an entirely separate infrastructure and ecosystem in the same way that China has effectuated its network (albeit through less altruistic intents in the eyes of the West)?

Robert Bateman from GRC World Forums put together an excellent long-form piece on the current situation and shared his opinions on the potential impact.

There is a lot that is uncertain right now. Rest easy though, friends; one thing is for sure, as we all hold our collective breath waiting to see how this drama plays out, Sting is still richer than all of us and probably more tired of that song than I am. If I were a betting man, I'd wager that you'll have an earworm soon.

Until next week,
-Arlo

Top privacy stories of the week

CNIL rules Google Analytics violates GDPR.

On the heels of the Austrian Data Protection Authority’s ruling that Google Analytics violates the EU GDPR, France’s data protection authority, the Commission Nationale de l'informatique et des libertés (CNIL), reached a similar decision. Similar investigations are pending with other EU data protection authorities while companies and privacy practitioners are waiting for Google to address the issue in a meaningful way. Check Out the Story

U.S. state privacy bills making progress.

Bipartisan support at the state level is high as privacy bills in at least 16 states have been proposed and are making their way through the process. While plenty of hurdles remain before these bills become law, the growing number of proposed bills signal the trend of states taking action as the US waits for federal privacy law. The proposed bills share commonalities, such as the consumer right to access. Read the Latest

The EDPB publishes guidelines on DSARs.

The European Data Protection Board (EDPB) published guidelines on Data Subject Access Requests (DSARs) to clarify how an individual’s right to access has to be implemented in different situations. The right of access includes all personal data on the individual, whether the individual provided the data or not, including data inferred from other data. Get the Guidelines

India privacy law is getting close.

As it gets closer, we have our eye on the long-awaited Indian privacy law. Following a 2017 ruling that the right to privacy is fundamental, India’s Personal Data Protection Bill seeks to balance economic growth and protect citizens' data. It includes some provisions we’ve seen before and some that are unique (and controversial), like the inclusion of non-personal data. Follow Along