The IT Nerd

TechCrunch reporting something that is bad news for US cloud services. An Austrian website’s use of Google Analytics has been found to breach GDPR:

A decision by Austria’s data protection watchdog upholding a complaint against a website related to its use of Google Analytics does not bode well for use of US cloud services in Europe.

The decision raises a big red flag over routine use of tools that require transferring Europeans’ personal data to the US for processing — with the watchdog finding that IP address and identifiers in cookie data are the personal data of site visitors, meaning these transfers fall under the purview of EU data protection law.

In this specific case, an IP address “anonymization” function had not been properly implemented on the website. But, regardless of that technical wrinkle, the regulator found IP address data to be personal data given the potential for it to be combined — like a “puzzle piece” — with other digital data to identify a visitor.

Consequently the Austrian DPA found that the website in question — a health focused site called netdoktor.at, which had been exporting visitors’ data to the US as a result of implementing Google Analytics — had violated Chapter V of the EU’s General Data Protection Regulation (GDPR), which deals with data transfers out of the bloc.

That’s not good and I suspect that this decision is being discussed in a lot of places as I type this. I’ve got two comments on this with the first being from Elizabeth Wharton who is the VP Operations for SCYTHE:

Legal clashes between US and foreign privacy policies have been ongoing since the Reagan era. Although we’re seeing more privacy concerns in the US, evidenced by CPRA and proposed federal legislation in 2021 among others, a consistent resolution isn’t imminent. The overlaps between security and privacy mean that more business models need to take that into consideration, especially companies who profit from user data. This is another reminder that security and privacy are not equal to compliance, and companies collecting personal information need to go beyond the bare minimum requirements.

And the second is from Chris Olson, CEO at The Media Trust:

“With the Austrian court’s ruling, we are finally seeing the concrete impact that emerging data privacy laws will have on unregulated third-party code. Under the hard interpretation of GDPR adopted in this case, a majority of organizations with online domains would be in violation, based solely on the activity of their digital partners.”

“Moving forward, CMPs, encryption-at-rest and other workarounds for data privacy laws just won’t cut it. Businesses have only one way to guarantee their visitors’ privacy and avoid costly fines: understand the code that is executing on your website, continually scan for violations, and vet your third parties for data privacy practices.”

I think that this will make a lot of companies scramble to rethink and reimplement how they handle data so that they aren’t the next headline that I’m reporting on.

This entry was posted on January 13, 2022 at 12:16 pm and is filed under Commentary with tags GDPR, Privacy. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.