Friday, September 30, 2022

Italy’s data watchdog latest to warn on use of Google Analytics – TechCrunch

Another strike against the use of Google Analytics in Europe: The Italian data protection authority has found that a local web publisher’s use of the popular analytics tool does not comply with EU data protection regulations, as user data was transferred to the US Going to – a country that lacks a uniform legal framework to protect information from being accessed by US spooks.

guarantee found that the web publisher’s use of Google Analytics resulted in the collection of many types of user data, including device IP address, browser information, OS, screen resolution, language selection, as well as the date and time of site visits, which were assigned to the Site. was transferred to. Without implementing adequate complementary measures to raise the level of protection to the required EU legal standard, the U.S.

The security enforced by Google was not sufficient to address the risk, it added, echoing the conclusions of several other EU DPAs, who have also found the use of Google Analytics violates the block’s data protection rules on the data export issue.

Italy’s DPA has given the publisher (a company called Caffeina Media Srl) 90 days to correct the compliance violation. But the decision has wider significance as it has also warned other local websites that are using Google Analytics to take note and check their own compliance, writing a press release. [translated from Italian with machine translation],

[T]That authority draws the attention of all Italian managers of websites, public and private, to the illegality of transfers made through GA to the United States [Google Analytics]Taking into account the numerous reports and queries the Office is receiving, and invites all data controllers to verify compliance with the methods of use of cookies and other tracking tools used on its websites, in particular From Google Analytics and other similar services, together with the law on the protection of personal data.

Earlier this month, France’s data protection regulator issued an updated guidance warning on illegal use of Google Analytics – after discovering a similar fault with the software’s local website use in February.

CNIL’s guidance suggests only very limited possibilities for EU-based site owners to use Google’s analytics tools legally – either by applying additional encryption where keys are kept under the exclusive control of the data exporter or other institutions established in the area offering an adequate level of protection; Or by using a proxy server to avoid direct contact between the user’s terminal and Google’s servers.

Austria’s DPA also upheld a similar complaint in January over the use of Google Analytics by a site.

Whereas the European Parliament found itself in hot water earlier in the year over the same basic issue.

All of these are linked to a series of strategic complaints filed in the strike against Google Analytics August 2020 By European privacy campaign group Noyb – which targeted 101 websites with regional operators, it was identified as sending data to the US via Google Analytics and/or Facebook Connect integration.

The complaints followed a landmark decision by the bloc’s top court in July 2020 – which invalidated a data transfer agreement between the EU and the US called the Privacy Shield, and made it clear that DPAs have a duty to that it moves and suspends the data flow to a third location. Countries where they suspect the information of EU citizens to be at risk.

The so-called ‘Schrems II’ ruling is named after Noyb founder and longtime European privacy campaigner, Max Schrems, who filed a complaint against Facebook’s EU-US data transfer, citing surveillance practices revealed by NSA whistleblower Edward Snowden. was registered, which ended – through legal referral – in front of the CJEU. ,The previous EU-US data transfer arrangement was annulled by the court in 2015 as a result of an earlier challenge by Schrems.)

In another recent development, a replacement for Privacy Shield is on the way: In March, the European Union and the US announced that they had reached a political settlement on this.

However the legal details of the planned data transfer framework still have to be finalized – and the proposed mechanism reviewed and adopted by EU institutions – before it can be put to any use. Which means the use of US-based cloud services is fraught with legal risk for EU customers.

The bloc’s lawmakers have suggested the replacement deal could be finalized by the end of this year – but in the meantime EU users of Google Analytics can’t access any easy legal patches.

Additionally, tThe gap between US surveillance law and EU privacy law continues to widen in some respects – and it is by no means certain that the negotiated replacement will be strong enough to avoid inevitable legal challenges.

A simple legal patch looks like a high bar for such a fundamental conflict of rights and priorities – failing to adequately reform existing laws (which neither side is tempted to introduce).

So we’ve started to see software-level responses by some of the US cloud giants – in a bid to find a way around data transfer legal risk – to give European customers more control over data flow.

Updates: A Google spokesperson sent us this statement after guarantee decision:

People want the websites they visit to be well designed, easy to use, and respect their privacy. Google Analytics helps publishers understand how well their sites and apps are working for their visitors – but not by identifying individuals or tracking them across the web. These organizations, not Google, control what data is collected from these devices, and how it is used. Google helps by providing a variety of safeguards, controls, and resources for compliance.

They also told us that Google is reviewing the Italian DPA’s decision.

In a blog post in January the company sought to redefine the narrative about Google Analytics – claiming that the tool is not used to track or profile people on the web; and arguing that it does not pose a privacy risk by suggesting customers be in control of the data collected through analytics tools; Also it indicates that it provides an IP anonymization feature.

Google’s blog post also stresses “a number of measures” it claims apply to “protecting data, and keeping it safe from any government access”.

Although many European DPAs have now come to a very different conclusion, related to Schrems II is the risk of using Google Analytics – which (in the case of Austria’s DPA) involves finding out that even if IP anonymity is enabled. has been done. The site does not determine this risk.

However – responding to this point – a Google spokesperson pointed to a recent update (Google Analytics 4) in which they said that more controls and product configurations have been introduced since versions of the software, which generate complaints to the DPA; and what he suggested could help address concerns about data export risks – such as through the ability to prevent Transfer of IP addresses (including anonymous IP addresses) outside the European Union; DDisabled Google Signal data collection at the country level; and dFine location and device data collection can be disabled at the country level.

He added that while Google is convinced that a sustainable legal framework is the only permanent solution to the recurring uncertainty surrounding US data exports from the EU, the tech giant is developing additional controls to provide its customers with further assurances about the security of user data. are doing.

This report was updated with additional responses from Google.

Nation World News Desk
Nation World News Desk
Nation World News is the fastest emerging news website covering all the latest news, world’s top stories, science news entertainment sports cricket’s latest discoveries, new technology gadgets, politics news, and more.
Latest news
Related news
- Advertisement -