The news following last week's ruling by the Austrian Data Protection Authority, and now a decision by the European Data Protection Supervisor, continues to worry companies exporting data from the EU via Google Analytics or similar tools. The rulings indicate that EU companies using Google Analytics are breaching the GDPR by sending the data to the U.S., where Google is based.
The question is: I use Google Analytics in the EU. Am I safe? And the answer is: No one knows yet. But the Future of Privacy Forum's Gabriela Zanfir-Fortuna wrote a super helpful analysis of the decisions by both the European Data Protection Supervisor and the Austrian Data Protection Authority that should help you understand this. She's way smarter on all things EU, so I'm sharing some of her work below and the link to her full post, "Understanding why the first piece fell in the transatlantic transfer domino."
The big takeaways, as Zanfir-Fortuna notes, are:
Personal data is being "processed" through cookies once they're deployed, even if users aren't identified and the cookies are thought to be "inactive."
The rulings indicate that data transfers to the U.S. made by cookies that U.S.-based companies place on EU websites need "additional safeguards" beyond standard contractual clauses. The Austrian ruling said the supplemental measures companies take to protect data going to the U.S. must "eliminate the possibility of surveillance and access by U.S. intelligence agencies." And good luck with that one, y'all.
The rulings also indicate regulators view cookie identification numbers as personal data on their own, and that combining cookie identification numbers with other elements yields further personal data.
In addition, because activist Max Schrems' group, noyb, launched these complaints, it's possible we'll see more regulators consider similar complaints and side with their colleagues. As Zanfir-Fortuna notes below, "The implications are so big, they are difficult to quantify." Noyb launched 101 complaints, and seven data protection authorities are involved in investigating them.
Does this only concern an obscure EP website for scheduling covid tests and an Austrian website using Google Analytics cookies? No. Not at all. The implications are so big, they are difficult to quantify.— Dr. Gabriela Zanfir-Fortuna (@gabrielazanfir) January 27, 2022
Give it a read; it's long, but I think it's worth it.
To read Zanfir-Fortuna's full analysis, go here. And for more context, see my blog post from last week on why EU authorities are so worried about EU citizens' data being transferred into the U.S. The CliffsNotes version: U.S. intelligence and law enforcement agencies have broad access to data stored in the U.S., and there's no comprehensive U.S. privacy law, or even a cross-border data transfer agreement between the U.S. and the EU, to protect it.
In the meantime, enjoy this round-up of the big privacy news, and I'll see you next week!
This week's big privacy news
Norway joins Austria in ruling against Google Analytics
The Austrian Data Protection Authority recently concluded that a local health website's use of Google Analytics violates the GDPR because it transfers personal data to the U.S. This week, the Norwegian Data Protection Authority reached a similar conclusion. The implications could be serious for any company using tools that send personal data to the U.S. unless specific measures are implemented to protect it. This IAPP report rounds up the latest in the case.
How to comply with the CPRA: Two ways
Recently, Osano assembled three privacy attorneys with extensive experience working on California's latest privacy law, the California Privacy Rights Act (CPRA). They talked about the CPRA's new rules around targeted advertising, the new requirements for companies and their third-party contractors, and the new data minimization and retention rules. If you missed the program, you can watch the recording here. If you prefer to read rather than watch your news, here's an abbreviated transcript of the highlights.
Google celebrates Data Privacy Day by releasing differential privacy tool
To mark Data Privacy Day on Jan. 28, Google released a new differential privacy tool that it says allows companies to better "tune the parameters used to produce differentially private information." An example use would be reporting a website's most visited pages on a per-country basis in aggregate, with calibrated noise added to the counts so that no individual visitor's activity can be inferred from the published figures.
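To make the "tune the parameters" point concrete, here is an added example (written for this post, not code from the page or from Google's library) of the simplest epsilon-differentially-private release of that per-country page report: the Laplace mechanism. The sample page views are constructed, the list of pages and countries is assumed to be public (the site's own URL list), and each user is counted at most once so that adding or removing one user changes the histogram by at most 1. The privacy budget epsilon is the parameter you tune: the noise scale is sensitivity divided by epsilon, so smaller epsilon means stronger privacy and noisier counts.

```python
"""Added example: epsilon-DP "most visited pages per country" via the Laplace mechanism.
Not the page's or Google's code. Sample data is constructed; page/country lists are
assumed public so that the set of keys in the output reveals nothing about visitors."""
import math
import random
from collections import Counter

# Constructed sample: one (user_id, country, page) row per page view.
SAMPLE_VIEWS = [
    ("u1", "AT", "/pricing"), ("u1", "AT", "/pricing"), ("u2", "AT", "/pricing"),
    ("u3", "AT", "/blog"),    ("u4", "AT", "/blog"),    ("u5", "AT", "/contact"),
    ("u6", "NO", "/blog"),    ("u7", "NO", "/blog"),    ("u8", "NO", "/pricing"),
    ("u9", "NO", "/contact"), ("u9", "NO", "/blog"),
]
# Assumed public domain of the report (the site's own URL list and reported countries).
PUBLIC_PAGES = ["/pricing", "/blog", "/contact", "/careers"]
PUBLIC_COUNTRIES = ["AT", "NO"]


def laplace_scale(sensitivity, epsilon):
    """Noise scale b = sensitivity / epsilon. Smaller epsilon -> larger noise."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def laplace_sample(rng, scale):
    """Draw from Laplace(0, scale) by inverse CDF so a seeded random.Random is reproducible."""
    if scale == 0:
        return 0.0
    u = rng.random() - 0.5
    while u == -0.5:  # random() returned exactly 0.0; avoid log(0)
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def bounded_counts(views):
    """Histogram of (country, page), counting each user once (their first record only).
    Bounding contributions this way gives the whole histogram L1 sensitivity 1."""
    seen = set()
    counts = Counter()
    for user, country, page in views:
        if user in seen:
            continue
        seen.add(user)
        counts[(country, page)] += 1
    return counts


def dp_release(views, epsilon, seed=None, pages=PUBLIC_PAGES, countries=PUBLIC_COUNTRIES):
    """Release noisy counts for every cell of the public (country, page) grid.
    Cells absent from the data still get a noisy value, so presence is not leaked.
    Rounding and clamping to >= 0 is post-processing and keeps the epsilon guarantee."""
    rng = random.Random(seed)
    scale = laplace_scale(1, epsilon)
    true = bounded_counts(views)
    release = {}
    for country in countries:
        release[country] = {}
        for page in pages:
            noisy = true.get((country, page), 0) + laplace_sample(rng, scale)
            release[country][page] = max(0, round(noisy))
    return release


def top_pages(release, country, k=2):
    """Most visited pages for a country from the released (noisy) counts."""
    ranked = sorted(release[country].items(), key=lambda kv: (-kv[1], kv[0]))
    return [page for page, _ in ranked[:k]]


def mean_abs_noise(scale, n, seed=0):
    """Empirical mean |noise| for a given scale; for Laplace(0, b) it is b in expectation."""
    rng = random.Random(seed)
    return sum(abs(laplace_sample(rng, scale)) for _ in range(n)) / n


if __name__ == "__main__":
    for eps in (0.1, 1.0, 10.0):
        print(f"epsilon={eps:<4} scale={laplace_scale(1, eps):<5}", dp_release(SAMPLE_VIEWS, eps, seed=42))
```

Running the block shows the trade-off directly: at epsilon 10 the released counts almost always match the true ones, at epsilon 0.1 single-digit cells are swamped by noise. Two design choices matter more than the arithmetic. First, the report is computed over a fixed public grid rather than over whatever keys appear in the data, because releasing the set of observed keys is itself a query on the data. Second, each user's contribution is bounded before counting; without that bound the sensitivity, and hence the noise, must grow with the maximum number of records one person can contribute.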
Suicide help line shares conversations with for-profit spin-off
Crisis Text Line is one of the world's most prominent mental health support lines. But the non-profit shares data from its online text conversations with its for-profit spin-off, Loris.ai, Politico reports. Loris.ai uses the data to build and market customer service software. Crisis Text Line says the data is completely anonymized before it is shared with Loris.ai, but critics say that's insufficient.
NIST releases machine-readable privacy and security assessment tools
The National Institute of Standards and Technology (NIST) has finalized assessment procedures (SP 800-53A Rev. 5) that correspond with its updated security and privacy controls. In September 2020, NIST released the updated controls (SP 800-53 Rev. 5), which added privacy and supply-chain risk management controls to help organizations manage cyber risk. This most recent publication provides the assessment procedures in multiple data formats "so agencies can process them using automated tools and free up cybersecurity assessors for more challenging work," FedScoop reports.