Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
EU Google Privacy

France's Privacy Watchdog Latest To Find Google Analytics Breaches GDPR (techcrunch.com) 59

An anonymous reader quotes a report from TechCrunch: Use of Google Analytics has now been found to breach European Union privacy laws in France -- after a similar decision was reached in Austria last month. The French data protection watchdog, the CNIL, said today that an unnamed local website's use of Google Analytics is non-compliant with the bloc's General Data Protection Regulation (GDPR) -- breaching Article 44 which covers personal data transfers outside the bloc to so-called third countries which are not considered to have essentially equivalent privacy protections. The U.S. fails this critical equivalence test on account of having sweeping surveillance laws which do not provide non-U.S. citizens with any way to know whether their data is being acquired, how it's being used or to seek redress for any misuse.

France's CNIL has been investigating one of 101 complaints filed by European privacy advocacy group, noyb, back in August 2020 -- after the bloc's top court invalidated the EU-U.S. Privacy Shield agreement on data transfers. Since then (indeed, long before) the legality of transatlantic transfers of personal data have been clouded in uncertainty. While it has taken EU regulators some time to act on illegal data transfers -- despite an immediate warning from the European Data Protection Board of no grace period in the wake of the July 2020 CJEU ruling (aka 'Schrems II) -- decisions are now finally starting to flow. Including another by the European Data Protection Supervisor last month, also involving Google Analytics. In France, the CNIL has ordered the website which was the target of one of noyb's complaints to comply with the GDPR -- and "if necessary, to stop using this service under the current conditions" -- giving it a deadline of one month to comply.

"[A]lthough Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services," the CNIL writes in a press release announcing the decision. "There is therefore a risk for French website users who use this service and whose data is exported." The CNIL does leave open the door to continued use of Google Analytics -- but only with substantial changes that would ensure only "anonymous statistical data" gets transferred. The French regulator is also very emphatic that under "current conditions" use of Google Analytics is non-compliant -- and may therefore need to cease in order for the site in question to comply with the GDPR. The CNIL also suggests use of an alternative analytics tool which does not involve a transfer outside the EU to end the breach. Additionally, it says it's launched an evaluation program to determine which website audience measurement and analysis services may be exempt from the need to obtain user consent (i.e. because they only produce anonymous statistical data which can be exported legally under GDPR). Which suggests the CNIL could issue guidance in future that recommends GDPR compliant alternatives to Google Analytics.

This discussion has been archived. No new comments can be posted.

France's Privacy Watchdog Latest To Find Google Analytics Breaches GDPR

Comments Filter:
  • > The U.S. fails this critical equivalence test on account of having sweeping surveillance laws which do not provide non-U.S. citizens with any way to know whether their data is being acquired, how it's being used or to seek redress for any misuse.

    To be fair, U.S. citizens aren't provided that information either, thanks to things like NSLs.

    • by Lonewolf666 ( 259450 ) on Friday February 11, 2022 @09:31AM (#62258849)

      To be fair, U.S. citizens aren't provided that information either, thanks to things like NSLs.

      That is an internal problem of the USA. We Europeans cannot force the US to give their citizens better protection from sweeping surveillance, but we don't need to adopt the US standards as normal either.
      If that leads to some difficulties for companies in Europe that are relying on US services, so be it. Globalization is sometimes overrated.

    • by gweihir ( 88907 )

      > The U.S. fails this critical equivalence test on account of having sweeping surveillance laws which do not provide non-U.S. citizens with any way to know whether their data is being acquired, how it's being used or to seek redress for any misuse.

      To be fair, U.S. citizens aren't provided that information either, thanks to things like NSLs.

      True and that sucks. However that is a problem the US population has to solve by itself. But there is no reason EU citizens should accept a degradation of their rights just because some other nations do not treat their citizens well in this regard.

      • Indeed. It was just the phraseology implied that US citizens had ways and means explicitly denied to non-US citizens.

  • by ranton ( 36917 ) on Friday February 11, 2022 @09:16AM (#62258797)

    When I was working in financial services in the US it was surprising to me how slowly and lax enforcement of regulations were. Both in the US and Europe. Laws would be passed and their effective date would pass and we wouldn't do anything (including for GDPR). Then the regulators would come and identify gaps in compliance, and they would be appeased with plans to slowly make improvements over time. Often years would pass before any meaningful changes to compliance took place, but our IT executives were very good at convincing regulators some meaningless updates were a show of good faith.

    It never again surprised me how much we spent on lobbyists and consultants who specialized in government (non)compliance. I recall numerous examples of consultants saying we don't need to focus on the wording of the law but instead on their insider information about how regulators were planning on enforcing the laws. But sure enough when the regulators came those consultants were right.

    • by gweihir ( 88907 ) on Friday February 11, 2022 @01:18PM (#62259691)

      As a (part time) IT auditor, I think I understand by now why this is so slow. The law is generally very slow and the implementation is basically broken. Regulation is a bit better but still quite slow and stuck in the past. But, and that is the kicker, many companies cannot actually move very fast either.

      I just observed how a medium-sized insurance company took more than a year to finally get a data-classification scheme that allows them to identify and decide what data needs which level of protection. And these were 3 really competent people that, after some difficulties and some help from me (I am internal audit so I can help a bit but not too much and I cannot do their work for them), managed to really work well together. If you look at the 3 people, you understand why this is so difficult: This was the IT director (Computer Scientist), the main Actuary and risk manager (Mathematician) and the director for privacy and compliance (Law Graduate). It took quite a while for them to find a common understanding and language. And then the people that need to do the data classification (the application-owners in this case) tried to delay and sabotage the whole thing because they do not want to do it.

      Now, if the regulator were to push hard for this to happen fast, they would just end up with a mess of non-compliance and cleaning that up would probably take even longer than what they are doing now. To be fair, regulators regularly also ask things in IT that are not yet in the official guidelines, because they know they will change too slowly. In the end, you really need to know what the regulator wants and in this case, hiring consultants with that knowledge and those contacts makes sense. Once things have settled down and are more stable, the official guidelines by the regulators will become useful again and eventually there will be enough comments on things like the GDPR that you do not necessarily need those consultants anymore.

      • by ranton ( 36917 )

        Now, if the regulator were to push hard for this to happen fast, they would just end up with a mess of non-compliance and cleaning that up would probably take even longer than what they are doing now.

        We had two types of audits. Ones required by partners and customers, and ones required for government compliance. Although to be fair many customer audits were to ensure we complied with regulations they were required to.

        We moved heaven and earth to rectify audit gaps identified by partners and customers. We barely acknowledged audits done by regulators. My opinion was there was only one difference between the two: financial incentive. If the fines laid down by regulators were equal to or greater than the f

  • Do your own.. (Score:5, Insightful)

    by Bert64 ( 520050 ) <.moc.eeznerif.todhsals. .ta. .treb.> on Friday February 11, 2022 @09:18AM (#62258807) Homepage

    If you want to do analytics on who accesses your site, do your own parsing of your logs. Don't rely on a third party service.
    Not only is this more accurate since your server logs will still be there even if the user blocks things like javascript, third party cookies or externally hosted files, but this also means you've not giving away information about who visits your site to an external party.

    • by gweihir ( 88907 )

      No idea why this got modded "funny". It is exactly what you should do. Yes, requires some skills ans insights (hence the "funny", I guess), but you can also buy this as a service that does keeps the data private or as a product.

      • by Bert64 ( 520050 )

        If you have the skills to set up a webserver, then getting stats should be no problem either.
        If you don't, then chances are you pay someone to host your site for you - there's no reason that they couldn't offer analytics as part of the service or as a paid extra. Some webhosts already do.

    • Or you know, you can find stats plugins for most CMSes, that do not send data to 3rd parties. If you're really GDPR conscious they are usually easy to audit, otherwise you can just add them to your website and voila, basic stats.

  • ... was designed by people who have no idea how the internet or computer networks in general work. It also defines personal data as something so vague that virtually everything is covered , even your IP address. God knows what they'll do when they find out how the IP protocol works, probably try and ban it because it can require sending a users IP address outside the EU! Quelle horreur!

    • by splutty ( 43475 )

      Uhm. No.. The 'something so vague' was completely and 100% intentional. What you call vague, is what the people designing it call "Protection against lawyers".

      And yes. An IP address is personal data, and the website you're connecting to can use that perfectly fine. The problem exists when 5 million other companies also use that because they all harvesting everyone, everywhere.

      There's my hyperbole to your hyperbole.

      • Re: (Score:3, Informative)

        by Viol8 ( 599362 )

        You do realise that they may be many routers owned by seperate companies and organisations between your PC and your destination that have to see that IP address and pass it on? Not to mention any DNS resolution first.

        Like I said, it was designed by techno illiterates living in the past.

        • by splutty ( 43475 )

          Which is neither the point, nor the problem, unless those intermediate routers are run by companies that harvest all your traffic and sell it to the highest bidder.

          • by Viol8 ( 599362 )

            The GDPR doesn't distinguish based on what the collector of the data is doing. It simply requires collectors get user permission first if any of their data goes outside the EU. Well good luck with that for basic networking.

            • by gweihir ( 88907 )

              And if that were true, it would be a problem. It is not. You have no clue what you are talking about and you certainly do not understand the requirements the GDPR places on IP addresses.

              For example, it is perfectly fine to store, use and process IP addresses while a service the user of said IP has requested is provided. It is fine to store them a bit longer for security purposes. What is not fine is to store the IP together with what the user requested and then model the user's behavior without explicit (wr

              • Yes, and the law asks for network admins to keep logs for a sometimes long time (for example if you work in a public institution, 1 year). This is legitimate use, and as such the users do not have to be "warned" that such data collection is taking place - this is considered a technical use. But if you start reusing those logs to create user profiles and try selling them stuff, then this should take place on an opt-in basis - you can't do that by default.

                • by gweihir ( 88907 )

                  Exactly. Whatever you do with personally identifying data, you need a valid business reason. If somebody used your website, you have that valid business reason to keep the logs for a while. If you want to model their behavior, you only get a valid business reason with explicit user consent. Processing or even keeping that data without that valid business reason is illegal and, if done intentional, a crime.

        • DNS resolution is a bugger, specially if, like many organizations, you set up your network to use the Google DNSes. I think this may fall in the same category as Google Analytics since Google can definitely build a user profile based on your DNS queries. Easy peasy since each DNS query originates from your IP - which is a reasonably good personal identifier in most situations.

          The same can be said for javascript files such as jquery.js hosted on Google servers. Those allow Google to do profiling too since yo

    • by gweihir ( 88907 )

      ... was designed by people who have no idea how the internet or computer networks in general work. It also defines personal data as something so vague that virtually everything is covered , even your IP address. God knows what they'll do when they find out how the IP protocol works, probably try and ban it because it can require sending a users IP address outside the EU! Quelle horreur!

      And in actual reality the GDPR is somewhat hard to read, but pretty well thought out. An IP address is only personally identifiable data if it is linked to some action by a person. Incidentally, the GDPR does not mention IP addresses (or cookies) anywhere. It does mention tracking and observation and modelling people's behavior.

      • People get upset about cookies banners but the reality is that GDPR does not require a cookie banner unless said cookies are used for tracking and profiling purposes. Technical cookies are OK! It's perfectly possible to build a GDPR compliant website that won't require a cookie banner. It takes a bit more effort than just gluing together random libraries directly linked from shady sources tho.

    • This is actually one of the key differences between European laws and American laws:

      In European laws, it is the intent of the law that matters.

      In American laws, it is the letter of the law that matters.

      • I think in the US you also have "case law" or "common law". I wrote something earlier about a law being meaningless before it is used in a trial for the first time, because lawyers and judges have to agree on how to interpret it - and the way to interpret law changes over time. This exists in the US too!

        GDPR has been crafted so that many interpretations can be made and that it can stay relevant in the face of rapidly changing technologies. I think it's a pretty clever text and I'm happy to see Google gettin

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...