There are no doubt some important conversations happening inside board rooms today after the decision by Austria's data protection authority that a website's use of Google Analytics is illegal under the GDPR.
The regulator said that a health-focused website in the country, which was transferring IP address data to the U.S. via Google Analytics, violated the law.
Google Analytics is a widely used tool to help organizations understand how visitors use their sites and apps. Google says the tool is never used to track people across sites or apps and that customers are prohibited from uploading information that could be used to identify a person. But the Austrian DPA said IP addresses, combined with other data, could ostensibly identify a person and therefore is personal data.
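The regulator's reasoning turns on two steps: an IP address on its own points at a host, and an IP address combined with other fields (browser, time, pages visited) can single out a person. The Python below is an added illustration, not code from the article, from Google or from the Austrian DPA. It applies the pseudonymization step many analytics deployments use, zeroing the host part of the address before it is stored or forwarded, and then counts how many visitors in a constructed sample remain unique under three keys: the raw address, the truncated address, and the truncated address plus the user agent. The truncation widths (last 8 bits of IPv4, last 80 bits of IPv6) are the ones Google's analytics IP-anonymization option is documented to use; whether any such step satisfies the regulator is not something the article says, and it is assumed here only that your own tool behaves the same way.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of visits (documentation-range addresses, not real data):
# (client IP, user agent)
SAMPLE_VISITS = [
    ("203.0.113.17", "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"),
    ("203.0.113.42", "Mozilla/5.0 (Windows NT 10.0) Chrome/97.0"),
    ("203.0.113.99", "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"),
    ("198.51.100.7", "Mozilla/5.0 (Macintosh) Safari/605.1"),
    ("2001:db8:85a3:8d3:1319:8a2e:370:7348", "Mozilla/5.0 (iPhone) Safari/605.1"),
    ("2001:db8:85a3:8d3:ffff:ffff:ffff:ffff", "Mozilla/5.0 (iPhone) Safari/605.1"),
]


def truncate_ip(ip: str) -> str:
    """Zero the host part of an address before it leaves the server.

    IPv4 keeps a /24 (last octet dropped); IPv6 keeps a /48 (last 80 bits
    dropped). These widths are assumed to match the analytics tool in use.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def bucket_sizes(visits, key):
    """Group raw addresses by key(ip, user_agent); return bucket -> #distinct IPs."""
    buckets = defaultdict(set)
    for ip, ua in visits:
        buckets[key(ip, ua)].add(ip)
    return {k: len(v) for k, v in buckets.items()}


def singled_out(visits, key) -> int:
    """Number of buckets that hold exactly one raw address.

    A bucket of size 1 means the stored record still corresponds to one
    specific host, i.e. the visitor has not been hidden in a crowd.
    """
    return sum(1 for n in bucket_sizes(visits, key).values() if n == 1)


if __name__ == "__main__":
    keys = {
        "raw IP": lambda ip, ua: ip,
        "truncated IP": lambda ip, ua: truncate_ip(ip),
        "truncated IP + user agent": lambda ip, ua: (truncate_ip(ip), ua),
    }
    for name, key in keys.items():
        print(f"{name:28s} visitors still unique: {singled_out(SAMPLE_VISITS, key)}")
```

On the constructed sample, keying on the raw address leaves all six visitors unique; truncation alone collapses that to one; adding the user agent back brings it up to two. That last step is the "combined with other data" point in the decision: every extra field stored alongside a truncated address narrows the crowd again, so a pseudonymization review has to look at the whole record, not the IP field by itself.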
A little context: Europe is very worried about U.S. authorities' access to EU citizens' data. That's the reason, in general, that the EU government shut down the Safe Harbor Framework in 2015 and then did the same to its successor, Privacy Shield.
The drama began when Max Schrems, a Facebook user, sent an inquiry to the company asking about his personal data. Dissatisfied with the company's practices, he asked the Irish Data Protection Commission to investigate the case. This happened after the Snowden revelations, and Schrems was concerned that U.S. intelligence agencies could access his personal data. That's because there are U.S. laws that allow law enforcement to access information it otherwise wouldn't have access to in the name of fighting crimes.
The case that resulted in Safe Harbor's demise is known as Schrems I. With Schrems II, Privacy Shield dissolved.
Both cases were hugely problematic for U.S. companies using the frameworks to export data out of the EU legally.
This decision by Austria's regulator follows the same European concerns: that data stored in the U.S. doesn't protect EU citizens the way the GDPR does. That's a big problem because if you've ever been to a Congressional hearing on Section 702 of the FISA Act, the provision that allows law enforcement such access, the FBI and the NSA aren't interested in giving up that power. They say it's essential in thwarting crimes. Much of law enforcement's work under 702 is classified, however, so it's never exactly clear how impactful having broad access to data has been in solving crimes.
The implications of this Austrian case aren't yet clear. I asked Twitter what people are thinking and what kind of conversations organizations using Google Analytics are having. This response was pretty good, I thought:
For its part, Google released a statement explaining analytics and saying, in part, that it applies numerous safety measures to protect data transferred outside of the EU. "Our infrastructure and encryption is designed to protect data and safeguard it from any government access."
What's a company to do? I don't know yet. But as this story plays out, I'll keep you updated. I promise!
For now, enjoy a round-up of this week's major privacy news, and I'll see you next week!
This week's top privacy news
Austrian data protection authority rules site's use of Google Analytics violates GDPR
Austria’s data protection authority has found that a website using Google Analytics (and thus exporting its visitors’ data to the U.S.) violated the EU’s GDPR. The regulator said the IP addresses are considered personal data. Despite Google’s assertion that it implemented protections for data, such as encryption-at-rest in its data centers, the Austrian regulator said it did not find “sufficient safeguards had been put in place to effectively block U.S. intelligence services from accessing the data, as required to meet the GDPR’s standard,” TechCrunch reports.
FTC threatens to enforce against organizations that neglect to patch Log4j
On Dec. 9, a vulnerability in Log4j disrupted organizations around the globe. A vulnerability in the widely used logging tool for the popular Java programming language allowed attackers to remotely gain control of a device or system using the utility. It’s been over a month, but “the crisis shows no sign of abating,” Brookings Institution reports. Because the U.S. doesn’t have broad rules on how to handle the risk, the Federal Trade Commission has told companies they have a legal duty to take “reasonable steps to mitigate.” It also threatened to come down on companies that fail to do so, citing its $700 million settlement with Equifax in 2017 when it failed to patch a known security risk.
German telecom law contains new rules on tracking cookies
On Dec. 1, 2021, Germany passed the Telecommunications-Telemedia Data Protection Act. The law regulates services like email and messaging services and codifies into national law that organizations deploying tracking technologies must gain consent – regardless of whether the data is processed. Here’s what you need to know about how the rule applies to cookies.
US lawmakers introduce TLDR Act
The Washington Post reports that a bipartisan group of lawmakers has introduced legislation that would require websites to make their terms of service agreements easy for users to digest. There’s plenty of data suggesting users don’t read a website’s terms before agreeing to them. They’re long and filled with legalese. But the TLDR Act would require sites to display a “summary statement” that not only discloses their terms in an “easy to understand” manner but also whether they’ve had a data breach recently and what sensitive personal data they collect.
VR headsets are fun, but could help your employer spy ... so
The Washington Post reports on virtual reality headsets, which pundits say will become part of everyday working life within the next few years. But a headset can collect more data about the person wearing it than the average computer screen can, which gives “companies more opportunities to take and share that data for profiling and advertising.” The Washington Post reports that it could provide both employers and the government the ability to monitor behavior.
Upcoming webinar: How to build a privacy program
It can be a daunting task to be assigned "privacy" at your organization. Depending on the resources and budget your company is willing to spend, there's not a one-size-fits-all checklist to follow. But there are steps you can take – whether you're an office of one or at a later stage on the privacy maturity spectrum – toward building a sophisticated and agile privacy program. This free webinar features three privacy experts who've built their own programs to give you some concrete strategies and action items you can take whether you're a beginner or advanced.
Register for Webinar