Explore alternatives to Google Analytics: advice from the Norwegian DPA

With multiple European authorities ruling against the use of this service, the Norwegian DPA suggests that companies explore alternatives to Google Analytics. 

In a recent blog post, we covered why the use of Google Analytics (and Stripe) by the European Parliament was considered a violation of the Court of Justice’s (CJEU) “Schrems II” ruling on EU-US data transfers. After multiple European authorities have ruled against the use of Google Analytics and the resulting illegal transfer of data to the US, the Norwegian DPA has suggested in this report that companies seek alternatives to Google Analytics, as the pattern of companies and organisations being sanctioned over their use of the service is very likely to continue.

Personal data transferred from the EU to the US is subject to very strict conditions, and may quite likely be illegal. 

The Austrian data protection authority (DSB) recently investigated a website’s use of Google Analytics. It concluded that using Google Analytics means personal information is sent to the United States, and that the use of Google Analytics may therefore be illegal. In light of the Schrems II ruling from the European Court of Justice, the Austrian DPA came to the conclusion that this transfer was indeed illegal. Google Analytics offers an option to de-identify the IP addresses of website users; however, it is important to note that this does not solve the problems identified by the data protection authorities. The Austrian DPA has pointed out that Google Analytics also involves cookies, and it believes that if a user is already logged in to a Google account, the analytics data can be linked to that Google account.

The Norwegian DPA foresees further sanctions for the use of the service and urges organizations to explore alternatives to the use of Google Analytics. 

The Norwegian Data Protection Authority is also currently dealing with two cases involving the use of Google Analytics. Although the Authority has not yet concluded these cases, it will take European practice into account when processing them. “We know that there will also be more decisions about Google Analytics from other European data regulators. Therefore, we now recommend everyone to explore alternatives to Google Analytics,” says section chief Tobias Judin. Transferring data to the US is not inherently illegal; however, a number of measures need to be implemented in order to make such transfers lawful, and in many of these cases those measures are not in place. For this reason, the Norwegian DPA is suggesting that organisations explore alternatives to Google Analytics. It is also important to note that other website tools may send personal information to the United States as well, and some send far more data than Google Analytics does. Website owners therefore need a full overview of which tools they use and what personal information they process through them. If personal data is found to be transferred to the US through these tools, website owners may need to stop using them immediately, as serious cases may result in sanctions.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data to collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

EDPS reprimands European Parliament for use of Google Analytics

Illegal EU-US data transfers by the European Parliament lead to sanction from EDPS 

Following a complaint made approximately one year earlier, the European Parliament has been sanctioned by the EDPS over illegal EU-US data transfers, among other violations. On a COVID-19 testing site, the European Parliament’s use of Google Analytics and Stripe (both US companies) was a violation of the Court of Justice’s (CJEU) “Schrems II” ruling on EU-US data transfers. The complaint, filed in January 2021 by noyb, raised several issues, including deceptive cookie banners, vague and unclear data protection notices and, of course, the illegal transfer of data to the US. The European Parliament did not incur a fine, but was reprimanded and ordered to come into compliance and address its data protection notice and other transparency issues within a month.

Personal data transferred from the EU to the US is subject to very strict conditions, and must ensure an adequate level of protection.

Since the Schrems II ruling, data transfers to the US have been under much scrutiny, because in most cases personal data transferred from the EU to the US is not afforded adequate protection. The COVID-19 testing website provided by the European Parliament was no different. According to the EDPS, “the Parliament provided no documentation, evidence or other information regarding the contractual, technical or organisational measures in place to ensure an essentially equivalent level of protection to the personal data transferred to the US in the context of the use of cookies on the website.” The data stored included health data, for example symptoms and results of a COVID-19 test. This is considered special category personal data and is therefore particularly sensitive.

The EDPS found the European Parliament to be in violation of several articles of the GDPR and therefore issued a reprimand.

The placement of cookies by a US provider without appropriate measures in place is a violation of EU privacy law, as it leaves the site open to possible surveillance by US bodies. The complaint from noyb also highlighted that the site’s cookie banners were unclear and deceptive: the banner did not list all the cookies, and there were differences between the language versions. As a result, users were unable to give valid consent. The European Parliament removed all cookies from the website during the investigation.

The complaint filed by noyb also noted several transparency issues. It stated that the privacy policy was not clear and transparent and referred to a wrong legal basis. The privacy policy was changed during the course of the investigation; however, the changes made may have worsened the situation. The EDPS concluded that the European Parliament was violating the obligation of transparency under the GDPR. In addition, it was found that the Parliament did not adequately reply to the complainants’ access request. The EDPS found the European Parliament to be in violation of several articles of the GDPR and therefore issued a reprimand in accordance with Article 58(2)(b) of the Regulation.

Facebook loses challenge

Facebook loses challenge as court rules in favor of DPC

Facebook loses challenge as court rules in favor of DPC’s draft decision for an inquiry and suspension of Facebook’s data transfers to the US. 

Following the Schrems II judgment of last July, the Irish Data Protection Commission launched an inquiry into Facebook Ireland Ltd and suspended the company’s EU-US data flows. Facebook disagreed with the decision and decided to challenge it, asserting that the DPC’s decision and the procedures subsequently adopted were susceptible to judicial review. This long-standing legal battle over Facebook Ireland’s right to continue making data transfers to the US has now come to an end. This ruling, affirming the Irish lead regulator’s decision to suspend the company’s EU-US data flows, is likely to have major effects on Facebook’s operations.

This decision is the culmination of an eight year battle, initiated by a 2013 complaint from Mr. Max Schrems.

Facebook Ireland, a subsidiary of the US company Facebook Inc, provides the social networks Facebook and Instagram to the European region and houses its central administration and European headquarters in Dublin. In June 2013, Mr Maximilian Schrems filed a complaint with the DPC regarding the transfer of his personal data to the US by Facebook Ireland, claiming that it was unlawful under national and EU law, and in October 2013 the DPC stated that the matter would be “investigated promptly with all due diligence and speed”. In May 2016, the DPC wrote to Facebook Ireland and Mr Schrems with a draft decision that Standard Contractual Clauses could not lawfully be relied upon in respect of transfers of EU citizens’ personal data to the US. Subsequently, in July 2020, the CJEU delivered its judgment. The court ruled that, under the GDPR, EU residents whose personal data is transferred to a third country using Standard Contractual Clauses must be afforded the same level of protection guaranteed within the European Union by the GDPR. Since the authorities in the United States cannot be bound by Standard Contractual Clauses, data transferred there may not be effectively protected. As a result of last year’s judgment, the Irish DPC launched an inquiry and came to a preliminary decision to halt Facebook’s data transfers to the US, a decision that was subsequently challenged by Facebook.

Facebook challenged the draft decision by the DPC claiming that they should have awaited guidance from the EDPB. 

Facebook challenged the draft decision, as well as the inquiry, claiming that the Data Protection Commission should have waited for guidance from the European Data Protection Board before proceeding with an inquiry and ordering suspension of its data transfers. The company asserted that, as a member of the EDPB, the DPC would have received imminent guidance from the EDPB and should not have acted before receiving it. This guidance was eventually published in November 2020, and on May 14th 2021 the High Court ruled that Facebook Ireland “has not established any basis for impugning the DPC decision or the PDD or the procedures for the inquiry adopted by the DPC.” The judge rejected claims by Facebook that the DPC was in breach of its duty in how the case was handled. Mr Justice David Barniville also stated, however, that the DPC should have responded to certain questions that Facebook raised in its October 2020 correspondence.

Facebook loses challenge as High Court ruling gives the Irish DPC the right to open a second “own volition” investigation against Facebook.

This long-standing battle has now come to an end, resulting in an inevitable suspension of Facebook’s data transfers to the US. A second, “own volition” investigation has also been opened and is running simultaneously with the original complaint dating back to 2013, which led to the CJEU’s “Schrems II” decision. Regarding Facebook’s appeal of the DPC’s decision, the High Court, in the 127-page judgment setting out its judicial review of the case, rejected Facebook’s claims against the DPC. Eight years after the initial complaint, it is now certain that the DPC will have to act to stop Facebook’s EU-US data transfers. This decision is likely to heavily impact Facebook’s operations. Regardless, the company said it looked forward to defending its compliance to the Data Protection Commission.

Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing. Contact us today.

CNPD ordered Statistics Portugal to suspend all data transfers within 12 hours

CNPD ordered Statistics Portugal to suspend all data transfers to a US based processor within 12 hours earlier this week.

The Portuguese DPA, Comissão Nacional de Proteção de Dados (CNPD), ordered Statistics Portugal (INE) to suspend all data transfers relating to its census within 12 hours, due to an inadequate level of protection for international data transfers, IAPP reported. After receiving complaints about the conditions for the collection of data via the internet, the Authority carried out a quick investigation. This probe revealed that INE used Cloudflare Inc, a California-based web infrastructure and website security company, to handle census survey operations. Due to the nature of the services provided by Cloudflare, the company is directly subject to US surveillance legislation for the purposes of national security.

While the international transfers were based on SCCs, it was concluded that the data was still not adequately protected.

Even where data transfers are based on Standard Contractual Clauses, data protection authorities are obliged to suspend or prohibit them where there are no guarantees that the clauses can or will be complied with in the recipient country. US surveillance legislation imposes on certain companies a legal obligation to give US authorities unrestricted access to the personal data in their possession, without being able to inform their clients of it. With Cloudflare Inc being subject to this legislation and being in possession of large amounts of personal data on Portuguese citizens, this posed a serious risk.

CNPD ordered INE to cease data transfers within 12 hours due to the sensitive nature of the information collected.

The data collection process for the census exercise being executed by INE began on April 19th and was due to be completed by May 3rd; however, due to the complaints received by the CNPD about a week into the process, INE was ordered to cease data transfers within 12 hours. The main reason for the immediate order was, in addition to the sheer amount of data being collected and processed, the sensitive nature of the data itself, which included religious and health data on the individuals in this large data pool.

Of late, similar issues have been dealt with by various data protection authorities across the EU.

In recent times we have seen similar action taken by other EU DPAs, for example in Spain and Germany, concerning data transfers on the basis of Standard Contractual Clauses. Transfers to the US, or to any other third country that has not been recognised as providing an adequate level of data protection, present an issue when made without additional measures. This risk is particularly acute when dealing with especially sensitive data, as was the case in this instance. When making international data transfers on the basis of Standard Contractual Clauses, it is extremely important that the data is subject to a level of protection equivalent to that provided under EU law.

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.