Tryptophan Won’t Put the Privacy World to Sleep
Hello all, and thanks for reading today.
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Updated: February 17, 2022
Published: January 14, 2022
There are no doubt some important conversations happening inside board rooms today after the decision by Austria's data protection authority that a website's use of Google Analytics is illegal under the GDPR.
The regulator said that a heath-focused website in the country, which was transferring IP address data to the U.S. via Google Analytics, violated the law.
Google Analytics is a widely used tool to help organizations understand how visitors use their sites and apps. Google says the tool is never used to track people across sites or apps and that customers are prohibited from uploading information that could be used to identify a person. But the Austrian DPA said IP addresses, combined with other data, could ostensibly identify a person and therefore is personal data.
A little context: Europe is very worried about U.S. authorities' access to EU citizens' data. That's the reason, in general, that the EU government shut down the Safe Harbor Framework in 2015 and then did the same to its successor, Privacy Shield.
The drama began when Max Schrems, a Facebook user, sent an inquiry to the company asking about his personal data. Dissatisfied by the company's practices, he asked the Irish Data Protection Commission to investigate the case. This happened after the Snowden revelations, and Schrems was concerned that U.S. intelligence agencies could access his personal data. That's because there are U.S. laws that allow law enforcement to access information it otherwise wouldn't have access to in the name of fighting crimes.
We call Schrems I the case that resulted in Safe Harbor's demise. With Schrems II, Privacy Shield dissolved.
Both cases were hugely problematic from U.S. companies using the frameworks to export data out of the EU legally.
This decision by Austria's regulator follows the same European concerns: that data stored in the U.S. doesn't protect EU citizens the way the GDPR does. That's a big problem because if you've ever been to a Congressional hearing on Section 702 of the FISA Act, the provision that allows law enforcement such access, the FBI and the NSA aren't interested in giving up that power. They say it's essential in thwarting crimes. Much of law enforcement's work under 702 is classified, however, so it's never exactly clear how impactful having broad access to data has been in solving crimes.
The implications of this Austrian case aren't yet clear. I asked Twitter what people are thinking and what kind of conversations organizations using Google Analytics are having. This response was pretty good, I thought:
"Has anyone been in touch with IT yet?"
— Christopher Schmidt (@PiracyByDesign) January 14, 2022
"Where is our DPO when we need it?"
"How do you install that weird @matomo_org thing again?" pic.twitter.com/GvxZxrEMdd
For its part, Google released a statement explaining analytics and saying, in part, that it applies numerous safety measures to protect data transferred outside of the EU. "Our infrastructure and encryption is designed to protect data and safeguard it from any government access."
What's a company to do? I don't know yet. But as this story plays out, I'll keep you updated. I promise!
For now, enjoy a round-up of this week's major privacy news, and I'll see you next week!
Austrian data protection authority rules site's use of Google Analytics violates GDPR
Austria’s data protection authority has found that a website using Google Analytics (and thus exporting its visitors’ data to the U.S.) violated the EU’s GDPR. The regulator said the IP addresses are considered personal data. Despite Google’s assertion that it implemented protections for data, such as such as encryption-at-rest in its data centers, the Austrian regulator said he did not find “sufficient safeguards had been put in place to effectively block U.S. intelligence services from accessing the data, as required to meet the GDPR’s standard,” TechCrunch reports.
Read Story
FTC threatens to enforce again organizations that neglect to patch Log4j
On Dec. 9, a vulnerability in Log4j disrupted organizations around the globe. A vulnerability in the widely used logging tool for the popular Java programing language allowed attackers to remotely gain control of a device or system using the utility. It’s been over a month, but “the crisis shows no sign of abating,” Brookings Institution reports. Because the U.S. doesn’t have broad rules on how to handle the risk, the Federal Trade Commission has told companies they have a legal duty to take “reasonable steps to mitigate.” It also threatened to come down on companies that fail to do so, citing its $700 million settlement with Equifax in 2017 when it failed to patch a known security risk.
Read Story
German telecom law contains new rules on tracking cookies
On Dec. 1, 2021, Germany passed the Telecommunications-Telemedia Data Protection Act. The law regulates services like email and messaging services and codifies into national law that organizations deploying tracking technologies must gain consent – regardless of whether the data is processed. Here’s what you need to know about how the rule applies to cookies.
Read Story
US lawmakers introduce TLDR Act
The Washington Post reports that a bipartisan group of lawmakers has introduced legislation that would require websites to make their terms of service agreements easy for users to digest. There’s plenty of data suggesting users don’t read a website’s terms before agreeing to them. They’re long and filled with legalese. But the TLDR Act would require sites to display a “summary statement” that not only discloses their terms in an “easy to understand” manner but also whether they’ve had a data breach recently and what sensitive personal data they collect.”
Read Story
VR headsets are fun, but could help your employer spy ... so
The Washington Post reports on virtual reality headsets, which pundits say will become part of everyday working life within the next few years. But a headset can collect more data about the person wearing it than the average computer screen can, which gives “companies more opportunities to take and share that data for profiling and advertising.” The Washington Post reports that it could provide both employers and the government the ability to monitor behavior.
Read Story
Upcoming webinar: How to build a privacy program
It can be a daunting task to be assigned "privacy" at your organization. Depending on the resources and budget your company is willing to spend, there's not a one-size-fits-all checklist to follow. But there are steps you can take – whether you're an office of one or at a later stage on the privacy maturity spectrum – toward building a sophisticated and agile privacy program. This free webinar features three privacy experts who've built their own programs to give you some concrete strategies and actions items you can take whether you're a beginner or advanced.
Register for Webinar
Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.
Download Now
Osano Staff is pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.