Austrian watchdog rules German company's use of Google Analytics breached GDPR by sending data to US

The Austrian data protection authority has ruled that use of Google Analytics by a German company is in breach of European law in light of the Schrems II EU-US data sharing ruling. Datenschutzbehörde, or DSB, has found that a German publisher, not named in the case, was in breach of Article 44 of the General Data Protection …

  1. alain williams Silver badge

    Will this ruling apply in the UK ?

    Following brexit ?

    I hope so.

    1. Jimmy2Cows Silver badge

      Re: Will this ruling apply in the UK ?

      As do I, but I wouldn't hold my breath. It'll come down to how much Bojo wants to suck up to the US.

      1. MrDamage Silver badge

        Re: Will this ruling apply in the UK ?

        May as well rename him BlowJoe.

          1. Anonymous Coward

          Re: Will this ruling apply in the UK ?

          "May as well rename him BlowJoe."

          Ugh, that's a mental image that neither I nor, I'm sure, Mr Biden really want…!

          1. BitEagle

            Re: Will this ruling apply in the UK ?

            Fortunately, perhaps, for Mr Biden, his memory of the image will not trouble him for long...

    2. Andy The Hat Silver badge

      Re: Will this ruling apply in the UK ?

      UK has committed to follow EU data protection policies. In simple terms, that means your answer is no - we'll have a squabble with the EU over UK data sovereignty and our lovey-doveyness with the US and allowing giga-corps to suck us dry of data for free, then we'll cave in a bit until the next EU fan starts rotating.

    3. Dan 55 Silver badge

      Re: Will this ruling apply in the UK ?

      No because UK-GDPR and GDPR are different things and court rulings in the EU don't affect the UK now. Companies may wish to treat the EEA and the UK as the same thing anyway to make things easier for themselves technically (no problem, EU rulings are probably always going to be more restrictive than the UK) or they want to monetize that data as much as possible and treat the UK differently.

      Also:

      Google Analytics helps retailers, governments, NGOs and many other organizations understand how well their sites and apps are working for their visitors – but not by identifying individuals or tracking them across the web

      The Google PR guy is on trend by just outlandishly lying:

      DDG

      1. fidodogbreath

        Re: Will this ruling apply in the UK ?

        PR guy is [...] outlandishly lying

        Huh.

      2. Mike 137 Silver badge

        Re: Will this ruling apply in the UK ?

        "UK-GDPR and GDPR are different things"

        As they say in pantomime "oh no they're not" - at least in this case.

        The UK-GDPR differs from the GDPR only in respect of its territorial scope and the repeal of a small number of articles, none of which affect this issue. The UK's DPA 2018 does make some changes, but again not relevant to this issue. There are plans to change the UK legislation quite significantly, and apparently in the direction of 'liberalisation', but they're still at the discussion stage. Consequently, the ruling (if it stands) would apply to the UK as well at present.

        What is perfectly clear, however (and has been from dot), is that the data exporter has the primary duty, so it's incumbent on it to ensure that the importer meets comparable standards to those in the EU (and thus at present the UK) legislation. Currently the US doesn't, and didn't really even when Privacy Shield was accepted as it always was a non-statutory regime that could be overridden by options open to government agencies under federal law.

        1. JassMan

          Re: Will this ruling apply in the UK ?

          "oh no they're not" - at least in this case.

          Bet they soon will be though because 90% of gov.uk uses Google Anal-litics. They are hardly likely to allow themselves to be open to similar legal challenges.

        2. Dan 55 Silver badge

          Re: Will this ruling apply in the UK ?

          Consequently, the ruling (if it stands) would apply to the UK as well at present.

          Post-Brexit, I don't see how a court in the EU has jurisdiction over a UK law* and can issue rulings which immediately apply to UK-GDPR.

          The next UK data adequacy review is in 2025, maybe the UK would want to update UK-GDPR to take into account EU court rulings on GDPR before then, but until then I don't see how there are any changes.

          If the UK suddenly liberalises UK-GDPR one day then they are in danger of losing adequacy before 2025.

          * Unless it's something to do with single market access or citizens rights and even so such a ruling would kick off high level meetings or renegotiations between the EU and UK.

            1. Anonymous Coward

            Re: Will this ruling apply in the UK ?

            > Post-Brexit, I don't see how a court in the EU has jurisdiction over a UK law* and can issue rulings which immediately apply to UK-GDPR.

            The outcomes of cases started before EU Exit completed may also be included in our agreement to maintain GDPR. No idea if this case started before though.

        3. localzuk Silver badge

          Re: Will this ruling apply in the UK ?

          The EU has no jurisdiction over the UK, so this ruling would have no effect on the UK.

          The conclusions might be the same, if the same type of case was brought in a UK venue, but without a similar UK case, this doesn't affect us.

  2. Gordon 10

    Max's wishful thinking

    "The bottom line is: companies can't use US cloud services in Europe anymore. "

    No Max - that may be your wish but the ruling actually said you cannot send improperly protected PII to the US, and to Google in particular. Once they switched on IP anonymisation they were fine.

    I don't necessarily disagree with Schrems' aims but I object to the lack of nuance in his statement. I get that Max wants to attack the usual suspects like Google and Facebook - (and agree) but this avenue smacks of a sideshow.

    1. KarMann Silver badge

      Re: Max's wishful thinking

      That's somewhat how I was interpreting that at first, but then I got to this sentence in the article:

      However, the authority said in its decision that the IP address is "in any case only one of many 'puzzle pieces' of the complainant's digital footprint."

      Considering 'the authority' referred to there is not Max, but '[t]he Austrian data protection authority', I don't think your (and formerly my) interpretation stands.

      1. Valheru

        Re: Max's wishful thinking

        I think Gordon 10 is correct still.

        The vague "puzzle pieces" statement seems aimed at the likelihood that the Google Analytics platform anonymization does not provide 100% coverage of the data set. So there are example fields besides IP that can be used to poke holes but the burden is on the website folks not Google.

    2. EnviableOne

      Re: Max's wishful thinking

      Basically, the pre Brexit ruling of ECJ in Schrems II says that the section 702 FISA warrants and US CLOUD act mean the regulatory framework in the US does not allow EU citizens sufficient recourse to protect their personal information and enforce their rights under GDPR.

      IANAL but many have expressed the opinion that if a US corp is handed a CLOUD Act warrant, for access to an EU/UK citizen's data then they will basically have to choose which law to break, as they are incompatible.

      This means, in order to ensure GDPR level protection, you either need binding agreements that they will break the CLOUD Act, or can not use any server owned or operated by any undertaking part of a US-based data or communication company.

      So no MS, Google or Amazon.

      1. Anonymous Coward

        Re: Max's wishful thinking

        Such sad, how shame! 8-}

    3. Anonymous Coward

      Re: Max's wishful thinking

      Oh, there's much more. Google Fonts, for instance, don't provide accurate metrics but can confirm your visit to a site (one of the reasons we also banned the use of Adobe TypeKit, same problem).

      However, if you take a step back from the Google focus you will notice another rather large explosive whose fuse has just burned up:

      The default Jetpack plugin in Wordpress, which is also used by gazillions and actively collaborates with Google.

      That's your Earth shattering kaboom, right there.

      1. bombastic bob Silver badge

        Re: Max's wishful thinking

        oh what a tangled 'web' they've weaved...

        (one of many reasons I do not use any of that)

    4. bombastic bob Silver badge

      Re: Max's wishful thinking

      Once they switched on IP anonymisation they were fine.

      Apparently the instructions/guidelines for implementing whatever the publisher implemented are not clear enough. Wouldn't that be Google's fault? "Oh crap I forgot to add that line of code" should NEVER happen. And just why WAS that 'anonymizer' (apparently) "OFF by default"?

      But of course I would prefer that Google STOP TRACKING PERSONAL INFORMATION ALTOGETHER.

      (and do not forget flying pigs, and honest politicians, and snowballs in HELL, and other impossible things)

      1. Strahd Ivarius Silver badge

        Re: Max's wishful thinking

        why would Google stop tracking flying pigs & others?

        it wouldn't use much resources...

    5. big_D Silver badge

      Re: Max's wishful thinking

      The problem is, if the cloud service you are using has ties to the US (HQ in the US or even a branch office), you will face big problems.

      CLOUD Act gives the US authorities direct access to the data stored outside of US jurisdiction, without having to go through the "tedious" task of getting a local warrant to access the data.

      Likewise, the Patriot Act and National Security Letters (through the FISA Court) also mean that the cloud provider has to hand over the information, without even informing you of the fact.

      If you are a company and have EU employees or EU customer/supplier information stored in your cloud, you have to be very careful about informing them all, and getting their permission, to store the data on a system that is not subject to EU data protection standards.

      Cloud in Uruguay or Japan? No problem. Cloud with a footprint in the USA? Big problem.

  3. Anonymous Coward

    Give it a couple of weeks..

    .. until they find the right person to bribe in Brussels.

    I bet they're already combing through their data stores looking for the sod who organised the "legitimate interest" backdoor of EU cookie laws which rendered the whole cookie purpose selection pretty much meaningless. Bung that person a few million and provide some juicy blackmail data from their surveillance and it'll be sorted soon.

    Yes, I'm a cynic. Why?

    1. Anonymous Coward

      Re: Give it a couple of weeks..

      You may be a cynic, and still accept the reality that the EU has proven far less subservient to Big Data than its US counterparts.

    2. F. Frederick Skitty Silver badge

      Re: Give it a couple of weeks..

      Even without the UK, the European Union is a bigger economic entity than the US. So there's probably more slush fund money in the EU for a corrupt politician to grub about for, without being beholden to a US entity.

    3. anonymous boring coward Silver badge

      Re: Give it a couple of weeks..

      How's that going to work then? There's plenty of insight into EU governance, compared to UK.

  4. Pseu Donyme

    One has to wonder about Google's rationale for offering GoogleAnalytics as a free service; the obvious one, of course, would be collecting data for their own use. For a page with GoogleAnalytics Google gets the URL of the page and ip-address* of the user and there is a unique per site (first-party) id-cookie expiring in 2 years from last visit. Assuming Google uses these for its own purposes it essentially has everyone's browsing history for the pages using GoogleAnalytics; this works somewhat subtly: as long as your ip-address stays the same it is a perma-cookie in its own right, when it changes, the id-cookies can be used to re-identify an user as soon as a previously visited page with GoogleAnalytics is re-visited within 2 years of the last visit.

    * Google can always store this as is for its own purposes regardless of ip-address obfuscation
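    The tracking mechanism Pseu Donyme describes above (IP address plus the first-party id cookie), and the IP-anonymisation switch argued over under "Max's wishful thinking", as an added example that is not code from the article, from Google, or from any commenter. It assumes Google's documented IP-masking rule (IPv4: last octet zeroed; IPv6: last 80 bits zeroed) and the documented option names `anonymize_ip` (gtag.js) and `anonymizeIp` (analytics.js); the hit log is constructed sample data, not real traffic.

```javascript
// Added example, not code from The Register article or any commenter. Models the
// two "puzzle pieces" the thread discusses: the visitor's IP address and the
// first-party _ga client id that Google Analytics sets per site. Shows (a) the
// masking switches, (b) what Google's documented masking does to an address, and
// (c) why masking alone does not stop hits being chained into one browsing history.

// (a) How masking is switched on. Universal Analytics properties leave it off
// unless the site operator adds this (option names as documented by Google).
function gtagConfig(measurementId) {
  return ['config', measurementId, { anonymize_ip: true }];
}
function analyticsJsCommands(trackingId) {
  return [['create', trackingId, 'auto'], ['set', 'anonymizeIp', true], ['send', 'pageview']];
}

// (b) Documented masking: IPv4 keeps 24 bits (last octet zeroed), IPv6 keeps
// 48 bits (last 80 bits zeroed). Returns the canonical masked form.
function maskIp(ip) {
  if (ip.includes(':')) {
    const [head, tail] = ip.split('::').map(h => (h ? h.split(':') : []));
    const groups = ip.includes('::')
      ? [...head, ...Array(8 - head.length - tail.length).fill('0'), ...tail]
      : head;
    if (groups.length !== 8) throw new Error('bad IPv6 address: ' + ip);
    return groups.slice(0, 3).map(g => g.replace(/^0+(?=.)/, '').toLowerCase()).join(':') + '::';
  }
  const octets = ip.split('.');
  if (octets.length !== 4) throw new Error('bad IPv4 address: ' + ip);
  octets[3] = '0';
  return octets.join('.');
}

// (c) Constructed hit log (sample data): what the collect endpoint sees per page
// view. The _ga id is first-party, so one person carries a different id per site.
const VISITS = [
  { t: 1, ip: '203.0.113.17', ga: 'GA1.2.1111.1640000000', page: 'example.at/news' },
  { t: 2, ip: '203.0.113.17', ga: 'GA1.2.2222.1640000100', page: 'example.de/shop' }, // same IP links 2 to 1
  { t: 3, ip: '198.51.100.9', ga: 'GA1.2.1111.1640000000', page: 'example.at/news' }, // new IP, old cookie links 3 to 1
  { t: 4, ip: '198.51.100.9', ga: 'GA1.2.3333.1640000200', page: 'example.org/blog' }, // same IP links 4 to 3
  { t: 5, ip: '192.0.2.44',   ga: 'GA1.2.4444.1640000300', page: 'example.net/' },     // unrelated visitor
];

// Chain hits that share a (masked) IP or a _ga id into profiles (union-find).
// Returns each profile as its list of pages, ordered by first visit.
function browsingHistories(visits, maskFn) {
  const parent = visits.map((_, i) => i);
  const find = i => (parent[i] === i ? i : (parent[i] = find(parent[i])));
  for (const keyFn of [v => maskFn(v.ip), v => v.ga]) {
    const firstSeen = new Map();
    visits.forEach((v, i) => {
      const k = keyFn(v);
      if (firstSeen.has(k)) parent[find(i)] = find(firstSeen.get(k));
      else firstSeen.set(k, i);
    });
  }
  const groups = new Map();
  visits.forEach((v, i) => {
    const r = find(i);
    if (!groups.has(r)) groups.set(r, []);
    groups.get(r).push(v);
  });
  return [...groups.values()].sort((a, b) => a[0].t - b[0].t).map(g => g.map(v => v.page));
}

const identity = ip => ip;

if (typeof require !== 'undefined' && require.main === module) {
  console.log('raw IP   :', JSON.stringify(browsingHistories(VISITS, identity)));
  console.log('masked IP:', JSON.stringify(browsingHistories(VISITS, maskIp)));
}
```

    Run with `node`: both lines print the same two profiles, four pages for the first visitor and one for the second. Masking drops 8 bits of IPv4 (or 80 of IPv6) from the join key, but the id cookie bridges the IP change between hits 1 and 3, and the unchanged network prefix still groups the hits on either side of it, which is the "one of many puzzle pieces" point the DSB made.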

  5. UK DM

    Is this a CLEAR breach?

    While I support the principle of data ownership the GDPR is trying to legally address.

    In this case it is not clear how standard use of Google analytics puts the defendant in obvious breach of GDPR.

    This is because technically the EU data subject (the website user) provided all the personally identifiable data directly to Google themselves. In effect Google is the data controller for the data the data subject handed over to Google.

    This is because although the defendant's website may have acted as an 'introducer' it did not act as an obvious middleman relaying the data. The website user interacted directly with a Google website when it was 'invited' to do so by the website configuration. I say invited because there are numerous methods the website user could have taken to prevent that from happening if they were so concerned.

    The data subject is the party that gave Google the data.

    Understanding the actual method and act of conveyance of the data is an important part of how the GDPR law is constructed.

    I am not trying to troll with this comment, but it is important the legal system understands and clarifies such important technical facts when it is being attacked by the GDPR law.

    Now if the defending company had given Google a copy of the personally identifying data themselves, that would be in clear breach territory.

    This is equivalent to having the 3 parties in the same meeting room, having the customer recite their personally identifying data out loud. Then claiming there is a GDPR breach by the defending company, because Google wrote the information down.

    1. eldakka

      Re: Is this a CLEAR breach?

      > The data subject is the party that gave Google the data.

      No.

      The website wrote the webpage. They chose to include a library in it, the Google Analytics library. Therefore it is they, the publisher, who are the ones who are providing the data to Google by making the choice to include the Analytics library (by reference) in the webpage they created.

    2. Ben Tasker

      Re: Is this a CLEAR breach?

      > This is because technically the EU data subject (the website user) provided all the personally identifiable data directly to Google themselves. In effect Google is the data controller for the data the data subject handed over to Google.

      No, GDPR doesn't view it that way.

      That would be true if the user visited the Google analytics site in their browser, but they didn't, they went to example.at.

      The operators of example.at embedded Google Analytics into the site, and gave the user no control/means to prevent its use (it doesn't matter what the user could have installed in their browser, the calling site needs to provide a control).

      Under your interpretation, there'd be a huge loophole, because you'd just embed JS from a third party who'd do your dodgy processing for you. The relationship exists between you (site operator) and Google, and between you and the user.

      It's simpler if you view it another way: you (site operator) are using analytics, not the user. The user's data gets fed in, but it's being processed for your benefit - Google is acting on your instruction.

      > I am not trying to troll with this comment, but it is important the legal system understands and clarifies such important technical facts when it is being attacked by the GDPR law.

      It has - you're commenting on an article where an authority has made a decision on the matter. There may (and probably will) be a legal challenge to see if it's compliant with the regulations.

      > This is equivalent to having the 3 parties in the same meeting room, having the customer recite their personally identifying data out loud. Then claiming there is a GDPR breach by the defending company, because Google wrote the information down.

      Analogies are always flawed, but let's take your example anyway.

      You're in a meeting with bob, Bob voices his personal details, and Charlie (from Google) writes them down, giving rise to a complaint.

      - Why was Charlie in the meeting room with you?

      - Did you invite him or did Bob?

      If you invited him, you might be on the hook - depending on whether you could provide a good reason as to why Charlie was invited, as well as whether you met your responsibilities in terms of ensuring Charlie would handle personal data properly. For example, you could and should have exercised a control by asking Charlie to leave the room whilst personal details were dealt with.

      When you get sued, you might launch your own action against Google/Charlie, but Bob's case would be with you - it's you that he has the relationship with.

      You're right in that there is a loose equivalence, it just doesn't support the argument that you think it does.

    3. NoKangaroosInAustria

      Re: Is this a CLEAR breach?

      Disclaimer: I am not a lawyer and I am certainly not an expert, but a small part of my job entails familiarity with the GDPR.

      You wrote: "This is equivalent to having the 3 parties in the same meeting room, having the customer recite their personally identifying data out loud. Then claiming there is a GDPR breach by the defending company, because Google wrote the information down."

      Erm... no, that is not an accurate analogy of the situation and certainly not the way GDPR sees it.

      A better analogy would be: "This is equivalent to having a meeting to sign a contract between 2 parties, and one party brings their pumped up bodybuilder friend along and says to the other party, "I need you to sign here, here and by the way, if you have any questions, address them to him *gestures at bodybuilder*, he has access to your data".

      The user did not sign up with Google, but with the defending companies providing the service.

      GDPR clearly differentiates between the roles of Data Controller and Data Processor and specifies that the Data Controller cannot delegate their PII* safeguarding responsibility to the Data Processor.

      In this scenario, Google is the data processor but the defending company is the data controller and hence directly responsible according to GDPR.

      *Personally Identifiable Information

      1. W.S.Gosset

        OT

        @NoKangaroosInAustria :

        If you go to the front desk at the Vienna Hilton, you can buy a T-shirt with your username on it. With a choice of various droll images of the problem, eg an alarmed-looking kangaroo with Alps looming behind him.

        I bought mine in 1997 ; I believe they're still doing them.

        They told me it was because every 1 or 2 weeks they get an American ask Reception which way to go to see some kangaroos.

        1. DishonestQuill

          Re: OT

          Can confirm they were still available in 2018, one of my neighbours has one from his visit that year.

          1. NoKangaroosInAustria

            Re: OT

            Haha :) you both get upvotes for having personally/neighbour representedly visited Vienna ;)

    4. bombastic bob Silver badge

      Re: Is this a CLEAR breach?

      although it was not directly obvious to me from the article, my guess is that the user simply logged into the publisher's web site with a Google login, and the publisher used the appropriate scripty things to make that happen, excluding the IP address anonymization stuff that apparently has to be ADDED IN A SPECIAL WAY to comply with GDPR, but the code that was copypasta'd from Stack Overflow (ok that was snarky of me) did not include this one provision, nor properly warn that it did not comply with GDPR (so it's "not my fault" from the publisher's viewpoint). Or something like that. Heh.

  6. Winkypop Silver badge

    “Google confirmed the personal data had been deleted”

    In other NEWS, world + dog shocked that Google responded effectively to a customer request.

  7. Potemkine! Silver badge

    I love GDPR.

    At last a law protecting ordinary citizens against Megacorps. It doesn't happen that often.

    1. Anonymous Coward

      Better get ready to defend it in the UK because as soon as they get their act together the current lot of eejits (and quite probably their successors) in Westminster are going to begin dismantling it.

      Cynical? Moi?

    2. Anonymous Coward

      Yes, but the weasels are already hard at work to backdoor it. A good example of that is the "legitimate interest" lark, which now doubles the amount of selections you have to say "no" to.

      Personally I think they should mandate a one-button opt-out which leaves exactly one cookie to prevent them from harassing you with having to make that choice every subsequent visit (another trick very much in use).

      I know Marketing does have a function, but the people who come up with this crap deserve HCl enemas.

  8. localzuk Silver badge

    Impossible?

    Am I right in thinking it is currently impossible for a US company to comply with EU GDPR, as US law allows not only access to US based data without adequate safeguards, but also allows non-US subsidiaries to be accessed by the US govt as well? IIRC the CLOUD Act?

    So, separate products wouldn't make any difference if they were operated by the same company or an EU subsidiary of the US company?

    1. bombastic bob Silver badge

      Re: Impossible?

      not impossible if you simply do not collect personally identifying information.

      (pigs flying again, yeah)

      1. localzuk Silver badge

        Re: Impossible?

        But that would be impossible for products intended to do exactly that. Eg. Office 365 or Gmail. The systems can't run without login details etc...

        1. Richard 12 Silver badge

          Re: Impossible?

          GDPR allows data that is necessary to provide the service to be collected and processed in order to provide the specific service.

          So you can have a login and payment processing, store and serve up said emails and documents.

          You cannot do any data analysis or further processing on any of said login, payment details, emails and documents.

          In other words, you can sell me a service, or even show advertising at me to fund a free service, but you are not allowed to be a creepy stalker or sell or otherwise permit someone else to stalk me.
