France's Privacy Watchdog Latest To Find Google Analytics Breaches GDPR (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: Use of Google Analytics has now been found to breach European Union privacy laws in France -- after a similar decision was reached in Austria last month. The French data protection watchdog, the CNIL, said today that an unnamed local website's use of Google Analytics is non-compliant with the bloc's General Data Protection Regulation (GDPR) -- breaching Article 44 which covers personal data transfers outside the bloc to so-called third countries which are not considered to have essentially equivalent privacy protections. The U.S. fails this critical equivalence test on account of having sweeping surveillance laws which do not provide non-U.S. citizens with any way to know whether their data is being acquired, how it's being used or to seek redress for any misuse.
France's CNIL has been investigating one of 101 complaints filed by European privacy advocacy group, noyb, back in August 2020 -- after the bloc's top court invalidated the EU-U.S. Privacy Shield agreement on data transfers. Since then (indeed, long before) the legality of transatlantic transfers of personal data has been clouded in uncertainty. While it has taken EU regulators some time to act on illegal data transfers -- despite an immediate warning from the European Data Protection Board of no grace period in the wake of the July 2020 CJEU ruling (aka 'Schrems II') -- decisions are now finally starting to flow. Including another by the European Data Protection Supervisor last month, also involving Google Analytics. In France, the CNIL has ordered the website which was the target of one of noyb's complaints to comply with the GDPR -- and "if necessary, to stop using this service under the current conditions" -- giving it a deadline of one month to comply.
"[A]lthough Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services," the CNIL writes in a press release announcing the decision. "There is therefore a risk for French website users who use this service and whose data is exported." The CNIL does leave open the door to continued use of Google Analytics -- but only with substantial changes that would ensure only "anonymous statistical data" gets transferred. The French regulator is also very emphatic that under "current conditions" use of Google Analytics is non-compliant -- and may therefore need to cease in order for the site in question to comply with the GDPR. The CNIL also suggests use of an alternative analytics tool which does not involve a transfer outside the EU to end the breach. Additionally, it says it's launched an evaluation program to determine which website audience measurement and analysis services may be exempt from the need to obtain user consent (i.e. because they only produce anonymous statistical data which can be exported legally under GDPR). Which suggests the CNIL could issue guidance in future that recommends GDPR compliant alternatives to Google Analytics.
"Equal treatment under the law" (Score:2)
> The U.S. fails this critical equivalence test on account of having sweeping surveillance laws which do not provide non-U.S. citizens with any way to know whether their data is being acquired, how it's being used or to seek redress for any misuse.
To be fair, U.S. citizens aren't provided that information either, thanks to things like NSLs.
Re:"Equal treatment under the law" (Score:5, Insightful)
To be fair, U.S. citizens aren't provided that information either, thanks to things like NSLs.
That is an internal problem of the USA. We Europeans cannot force the US to give their citizens better protection from sweeping surveillance, but we don't need to adopt the US standards as normal either.
If that leads to some difficulties for companies in Europe that are relying on US services, so be it. Globalization is sometimes overrated.
Re: (Score:3)
> The U.S. fails this critical equivalence test on account of having sweeping surveillance laws which do not provide non-U.S. citizens with any way to know whether their data is being acquired, how it's being used or to seek redress for any misuse.
To be fair, U.S. citizens aren't provided that information either, thanks to things like NSLs.
True and that sucks. However that is a problem the US population has to solve by itself. But there is no reason EU citizens should accept a degradation of their rights just because some other nations do not treat their citizens well in this regard.
Re: (Score:1)
Indeed. It was just the phraseology implied that US citizens had ways and means explicitly denied to non-US citizens.
Re: (Score:1)
... to read USA user here telling something like "Europe is COMMUNIST" :P #ColdWarFeelingsAllOverAgain
And you're trying to make certain that happens, eh Trollerena?
Slow Moving Enforcement (Score:4, Interesting)
When I was working in financial services in the US it was surprising to me how slowly and lax enforcement of regulations were. Both in the US and Europe. Laws would be passed and their effective date would pass and we wouldn't do anything (including for GDPR). Then the regulators would come and identify gaps in compliance, and they would be appeased with plans to slowly make improvements over time. Often years would pass before any meaningful changes to compliance took place, but our IT executives were very good at convincing regulators some meaningless updates were a show of good faith.
It never again surprised me how much we spent on lobbyists and consultants who specialized in government (non)compliance. I recall numerous examples of consultants saying we don't need to focus on the wording of the law but instead on their insider information about how regulators were planning on enforcing the laws. But sure enough when the regulators came those consultants were right.
Re:Slow Moving Enforcement (Score:4, Informative)
As a (part time) IT auditor, I think I understand by now why this is so slow. The law is generally very slow and the implementation is basically broken. Regulation is a bit better but still quite slow and stuck in the past. But, and that is the kicker, many companies cannot actually move very fast either.
I just observed how a medium-sized insurance company took more than a year to finally get a data-classification scheme that allows them to identify and decide what data needs which level of protection. And these were 3 really competent people that, after some difficulties and some help from me (I am internal audit so I can help a bit but not too much and I cannot do their work for them), managed to really work well together. If you look at the 3 people, you understand why this is so difficult: This was the IT director (Computer Scientist), the main Actuary and risk manager (Mathematician) and the director for privacy and compliance (Law Graduate). It took quite a while for them to find a common understanding and language. And then the people that need to do the data classification (the application-owners in this case) tried to delay and sabotage the whole thing because they do not want to do it.
Now, if the regulator were to push hard for this to happen fast, they would just end up with a mess of non-compliance and cleaning that up would probably take even longer than what they are doing now. To be fair, regulators regularly also ask things in IT that are not yet in the official guidelines, because they know they will change too slowly. In the end, you really need to know what the regulator wants and in this case, hiring consultants with that knowledge and those contacts makes sense. Once things have settled down and are more stable, the official guidelines by the regulators will become useful again and eventually there will be enough comments on things like the GDPR that you do not necessarily need those consultants anymore.
Re: (Score:3)
Now, if the regulator were to push hard for this to happen fast, they would just end up with a mess of non-compliance and cleaning that up would probably take even longer than what they are doing now.
We had two types of audits. Ones required by partners and customers, and ones required for government compliance. Although to be fair many customer audits were to ensure we complied with regulations they were required to.
We moved heaven and earth to rectify audit gaps identified by partners and customers. We barely acknowledged audits done by regulators. My opinion was there was only one difference between the two: financial incentive. If the fines laid down by regulators were equal to or greater than the f
Do your own.. (Score:5, Insightful)
If you want to do analytics on who accesses your site, do your own parsing of your logs. Don't rely on a third party service.
Not only is this more accurate since your server logs will still be there even if the user blocks things like javascript, third party cookies or externally hosted files, but this also means you've not giving away information about who visits your site to an external party.
Re: (Score:2)
No idea why this got modded "funny". It is exactly what you should do. Yes, it requires some skills and insights (hence the "funny", I guess), but you can also buy this as a service that keeps the data private, or as a product.
Re: (Score:2)
If you have the skills to set up a webserver, then getting stats should be no problem either.
If you don't, then chances are you pay someone to host your site for you - there's no reason that they couldn't offer analytics as part of the service or as a paid extra. Some webhosts already do.
Re: (Score:2)
Or you know, you can find stats plugins for most CMSes, that do not send data to 3rd parties. If you're really GDPR conscious they are usually easy to audit, otherwise you can just add them to your website and voila, basic stats.
Re:Big Tech Always Violates GDPR (Score:4, Insightful)
The EU is greedy for money. The EU has tolerated Google and other big tech companies breaking GDPR for many years, because it was getting paid, somehow, to turn a blind eye. The ONLY reason the EU might now be complaining is, the existing bribes are not big enough. The EU is a bloated, ineffective, tyrannical bureaucracy. The EU is always greedy for money, and, in the end, it will get more and more money from Google and Facebook and those guys. Given Facebook and Google and their ilk are also evil, this is an interesting battle.
Greed or not, if you install script blockers and other computer condoms like Ghostery, you will find that Google is getting insane amounts of information about you if you allow it.
So just because the EU is greedy, are they wrong about this? I submit that they are not.
Re: (Score:2)
But why did France and EU wait so long? They turned a blind eye to the evil, that's my point.
Nope. They did not wait. This is a bureaucratic process and it is slow. Also, it sometimes needs citizens to file a complaint and Max Schrems did in this case. This is basically a result from the "Schrems II" judgement by the European court of law.
Re: (Score:2)
Yes, a law by itself does not mean much until lawyers start using it in court. After a while, the interpretation of law becomes accepted by judges, and the interpretation becomes enforceable, and others can follow in the same steps. That's exactly what's happening here.
Re: (Score:2)
Due diligence to build a solid legal case in the judicial system takes its time. And even then blunders do happen. But if you don't do your homework, a case might be easily dismissed on a technicality and then (if not a criminal case that's covered by ne bis in idem also known as double jeopardy in common law) has to start over, costing even more time and money.
Re: (Score:2)
If your judicial system is profit based then that might be a huge conflict of interest in itself for the system to always side with the party that has the deeper pockets instead of interpreting and applying the law.
Re: (Score:2)
Yes, it's a judicial system. They're not meant to create wealth. If your judicial system is profit based then that might be a huge conflict of interest in itself for the system to always side with the party that has the deeper pockets instead of interpreting and applying the law.
I think the point is that the EU, which in a competitive world, should be completely free to innovate around every thing on the internet that makes them go Reeee!
But they don't. Their uncreative outlook, and their demands to run the world through fining those who do create, leaves them as a group of people who are cranky, but completely impotent. It isn't possible for them to compete. I would love to hear the reason why the EU isn't taking over the internet with their presumably important fines. Because
Re: (Score:2)
That's a pretty pessimistic point of view.
I don't see any extortion being made by the EU here. It's just stating that GA is not privacy-compliant, due to the fact that Google does not provide any guarantees that it's not doing sh*t with the data it collects.
And this is largely due to the fact that the US government allows itself to pry upon the data collected by GAFAM for its internal purposes. This is why all the data transfer agreements that were negotiated between the US and EU were rebuked.
Also about Eu
Re: (Score:2)
If this is handled by courts the regular way, and such a lawsuit fails, the plaintiff can be left sitting on all the legal costs, with the defendant only having to pay whatever their contract with their lawyers specifies.
Details differ if this is handled on a national basis. As far as I know, in France a judge can also rule that the winning party has to cover the legal costs.
Re: (Score:2)
All very well, but such a system is just burning money. Remember, there is no wealth creation going on here. Even though I definitely see the merits of holding Big Tech to account. Big Tech is certainly a menace, and gets away with too much. This is globalism. But, the EU is also globalist. I despair for the world...
You are correct. The EU really doesn't create much. They have reached a point of just fining others. This is not sustainable.
Re: (Score:2)
Correct. You have a higher IQ than the average slashdot droid.
I see so much disjointed thinking in some of these folks.
Now we're not perfect here in the USA, but to my way of thinking, the best way of kicking Googles ass is to make a competitor that will drown it in the bathtub.
Re: (Score:2)
We create laws to stop problematic behaviors from rogue actors - whether individuals or companies.
We somehow have decided that privacy is a right, and we now have a problem of foreign companies - sorry to say that in a global world - not respecting our laws and continue their business as they used to, while our businesses have to comply with new regulations. This is unfair to us.
Fining foreign companies when they misbehave is legitimate. You actually do that in the US on a regular basis, see the Xiaomi case
Re: (Score:2)
We create laws to stop problematic behaviors from rogue actors - whether individuals or companies.
And apparently cannot make a replacement product that is superior, that tracks no one, and is 100 percent secure. Explain why they do not do that.
I like my privacy. The route I took was to wrap my computers in the equivalent of a privacy condom. No script gets run unless I specifically run it. All tracking is disabled. Google is stopped in its tracks to the extent possible.
Here is what you do - you create a digital ecosystem that conforms to whatever you want.
As an example - I have a couple websites
Re: (Score:2)
But why did France and EU wait so long? They turned a blind eye to the evil, that's my point.
They can only tackle a few of the fines they want to enact at a time.
Now all that being said, they will find themselves in the precarious position of needing the money they fine people for. This will mean they either have to find new things to fine, or make certain they allow GA to continue so they can continue fining it.
It's like the taxes on say, cigarettes. If the presumptive goal is to have everyone quit smoking, their revenue stream from ciggys dries up.
Re: (Score:2)
You sound very bitter. Has a socialist run over your dog or something?
Re: (Score:2)
You sound very bitter. Has a socialist run over your dog or something?
What we have is matters of degree. "Social" programs in and of themselves are neither good nor evil. Here in the USA, we have Social programs to an extent that would shock the souls of those who've bought into the narrative that the US is run by capitalist vampires who drink the blood of the proletariat.
Don't have much money? You can get a free cell phone. As in no cost. Free food for women and children (WIC) Free childcare programs. And of course, the items like road care, street lighting, snow removal,
Re: (Score:2)
The EU is greedy for money. The EU has tolerated Google and other big tech companies breaking GDPR for many years, because it was getting paid, somehow, to turn a blind eye. The ONLY reason the EU might now be complaining is, the existing bribes are not big enough. The EU is a bloated, ineffective, tyrannical bureaucracy. The EU is always greedy for money, and, in the end, it will get more and more money from Google and Facebook and those guys. Given Facebook and Google and their ilk are also evil, this is an interesting battle.
Greed or not, if you install script blockers and other computer condoms like Ghostery, you will find that Google is getting insane amounts of information about you if you allow it.
So just because the EU is greedy, are they wrong about this? I submit that they are not.
The EU isn't greedy, that is a myth largely propagated by anti-EU papers in the UK.
But that is besides the point. You're quite right. They're not wrong and yes ordinary people need to start taking anti tracking measures themselves for one simple reason. Laws are reactive. Enforcement only really happens after they've been broken and because of this, prevention is better than cure.
Enforcement in the EU is slow (well it's slow everywhere) for the good reason that the prosecution must develop a watertigh
Re: (Score:2)
The EU is greedy for money.
Bullshit. This is small money compared to the size of the EU economy. You have no clue how things really work.
Re: (Score:2)
Your logic is invalid because of a wrong postulate:
The EU has tolerated Google and other big tech companies breaking GDPR for many years, because it was getting paid, somehow, to turn a blind eye.
The GDPR was enacted 5 years ago. In law, this is very short term. It was decided that after enactment, we would give a surprisingly long amount of time to companies to comply. Where I live, we had almost 4 years to reach a minimal level of compliance - that means we are not expected to be fully GDPR compliant as of today, but to have started the process of being compliant.
If the GDPR control administration of my country comes for controlling my company, th
The GDPR... (Score:2)
... was designed by people who have no idea how the internet or computer networks in general work. It also defines personal data as something so vague that virtually everything is covered, even your IP address. God knows what they'll do when they find out how the IP protocol works, probably try and ban it because it can require sending a user's IP address outside the EU! Quelle horreur!
Re: (Score:2)
Uhm. No.. The 'something so vague' was completely and 100% intentional. What you call vague, is what the people designing it call "Protection against lawyers".
And yes. An IP address is personal data, and the website you're connecting to can use that perfectly fine. The problem exists when 5 million other companies also use that, because they are all harvesting everyone, everywhere.
There's my hyperbole to your hyperbole.
Re: (Score:3, Informative)
You do realise that there may be many routers owned by separate companies and organisations between your PC and your destination that have to see that IP address and pass it on? Not to mention any DNS resolution first.
Like I said, it was designed by techno illiterates living in the past.
Re: (Score:3)
Which is neither the point, nor the problem, unless those intermediate routers are run by companies that harvest all your traffic and sell it to the highest bidder.
Re: (Score:2)
The GDPR doesn't distinguish based on what the collector of the data is doing. It simply requires collectors get user permission first if any of their data goes outside the EU. Well good luck with that for basic networking.
Re: (Score:2)
And if that were true, it would be a problem. It is not. You have no clue what you are talking about and you certainly do not understand the requirements the GDPR places on IP addresses.
For example, it is perfectly fine to store, use and process IP addresses while a service the user of said IP has requested is provided. It is fine to store them a bit longer for security purposes. What is not fine is to store the IP together with what the user requested and then model the user's behavior without explicit (wr
Re: (Score:2)
Yes, and the law asks for network admins to keep logs for a sometimes long time (for example if you work in a public institution, 1 year). This is legitimate use, and as such the users do not have to be "warned" that such data collection is taking place - this is considered a technical use. But if you start reusing those logs to create user profiles and try selling them stuff, then this should take place on an opt-in basis - you can't do that by default.
Re: (Score:2)
Exactly. Whatever you do with personally identifying data, you need a valid business reason. If somebody used your website, you have that valid business reason to keep the logs for a while. If you want to model their behavior, you only get a valid business reason with explicit user consent. Processing or even keeping that data without that valid business reason is illegal and, if done intentionally, a crime.
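The "parse your own logs" suggestion from the "Do your own.." post above, combined with the point made in this subthread (raw IPs kept only briefly for security, audience figures only as aggregates), as an added example that is not part of any post here or of the CNIL decision. It assumes the Apache/Nginx "combined" access-log format, a 7-day raw-IP retention window, and a /24 (IPv4) or /48 (IPv6) truncation for the anonymised form; the log lines are constructed sample data.

```python
"""Local web analytics from the server's own access log, with no third party.

Added example (not from the Slashdot thread or the CNIL decision). Assumes the
Apache/Nginx "combined" log format; the sample log lines below are constructed.
"""
import ipaddress
import json
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" format (assumed): ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
RAW_IP_RETENTION = timedelta(days=7)  # assumed security-purposes window

# Constructed sample data (documentation/test address ranges only).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2022:10:01:12 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2022:10:01:15 +0100] "GET /blog/gdpr HTTP/1.1" 200 8000 "https://example.test/" "Mozilla/5.0"
198.51.100.23 - - [10/Feb/2022:10:05:40 +0100] "GET /blog/gdpr HTTP/1.1" 200 8000 "-" "curl/7.81"
198.51.100.23 - - [10/Feb/2022:10:05:41 +0100] "GET /admin/login HTTP/1.1" 404 300 "-" "curl/7.81"
198.51.100.23 - - [10/Feb/2022:10:05:42 +0100] "GET /backup.zip HTTP/1.1" 404 300 "-" "curl/7.81"
2001:db8::1 - - [11/Feb/2022:09:00:00 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)  # timezone-aware
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every line, silently skipping malformed ones."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def anonymize_ip(ip):
    """Truncate to /24 (IPv4) or /48 (IPv6) so the value no longer names one host."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def audience_stats(records):
    """Aggregate-only output: counts per page and per day, no per-visitor rows.

    The visitor estimate is built from (truncated IP, day) pairs and the pairs
    themselves are discarded, so the result contains no identifier at all.
    """
    page_views = Counter(r["path"] for r in records if r["status"] == 200)
    daily_hits = Counter(r["ts"].date().isoformat() for r in records)
    approx_visitors = len({(anonymize_ip(r["ip"]), r["ts"].date()) for r in records})
    return {
        "page_views": dict(page_views),
        "daily_hits": dict(daily_hits),
        "approx_visitors": approx_visitors,
    }


def security_view(records, now, retention=RAW_IP_RETENTION):
    """Raw IPs are consulted only inside the retention window, and only to
    surface clients producing repeated 4xx errors (a routine security use)."""
    cutoff = now - retention
    recent = [r for r in records if r["ts"] >= cutoff]
    errors = Counter(r["ip"] for r in recent if 400 <= r["status"] < 500)
    return {ip: n for ip, n in errors.items() if n >= 2}


def run_demo():
    """Run both views over the sample log at a fixed 'now' (12 Feb 2022)."""
    records = parse_log(SAMPLE_LOG)
    now = datetime(2022, 2, 12, tzinfo=timezone.utc)
    return {
        "records": len(records),
        "stats": audience_stats(records),
        "security_now": security_view(records, now),
        # 30 days later the raw-IP window has expired: nothing is reported.
        "security_later": security_view(records, now + timedelta(days=30)),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The split into two functions is the point: `audience_stats` is the only thing that should leave the machine or reach a dashboard, and it carries no IP, cookie or user agent; `security_view` touches raw addresses but is bounded by the retention window and never feeds the audience figures.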
Re: (Score:2)
DNS resolution is a bugger, especially if, like many organizations, you set up your network to use the Google DNSes. I think this may fall in the same category as Google Analytics since Google can definitely build a user profile based on your DNS queries. Easy peasy since each DNS query originates from your IP - which is a reasonably good personal identifier in most situations.
The same can be said for javascript files such as jquery.js hosted on Google servers. Those allow Google to do profiling too since yo
Re: (Score:2)
... was designed by people who have no idea how the internet or computer networks in general work. It also defines personal data as something so vague that virtually everything is covered, even your IP address. God knows what they'll do when they find out how the IP protocol works, probably try and ban it because it can require sending a user's IP address outside the EU! Quelle horreur!
And in actual reality the GDPR is somewhat hard to read, but pretty well thought out. An IP address is only personally identifiable data if it is linked to some action by a person. Incidentally, the GDPR does not mention IP addresses (or cookies) anywhere. It does mention tracking and observation and modelling people's behavior.
Re: (Score:3)
People get upset about cookies banners but the reality is that GDPR does not require a cookie banner unless said cookies are used for tracking and profiling purposes. Technical cookies are OK! It's perfectly possible to build a GDPR compliant website that won't require a cookie banner. It takes a bit more effort than just gluing together random libraries directly linked from shady sources tho.
Re: (Score:2)
This is actually one of the key differences between European laws and American laws:
In European laws, it is the intent of the law that matters.
In American laws, it is the letter of the law that matters.
Re: (Score:2)
I think in the US you also have "case law" or "common law". I wrote something earlier about a law being meaningless before it is used in a trial for the first time, because lawyers and judges have to agree on how to interpret it - and the way to interpret law changes over time. This exists in the US too!
GDPR has been crafted so that many interpretations can be made and that it can stay relevant in the face of rapidly changing technologies. I think it's a pretty clever text and I'm happy to see Google gettin
Re: (Score:2)
You've got too narrow a focus. There are many differences, even though in the particular area you are attending to they act the same way. (China also often uses corporate intermediates, and the US also often doesn't.)
Re: (Score:2)
Also the Chinese government can do whatever it wants, while in the US the law-breakers in the CIA and elsewhere have at least to hide what they are doing and need to lie about it. That is a significant difference.