Use of Google Analytics – Status update
Over the past months, European DPAs (Data Protection Authorities) have been investigating Google Analytics, as use of this online tool for measuring the effectiveness of advertising campaigns has been reported to entail the transfer of personal data, including user identifiers, IP addresses and browser parameters, to Google servers in the United States. Such transfers, since the July 2020 invalidation of the EU-US Privacy Shield program, are no longer freely allowed.
Initially, the French and Austrian DPAs ruled that use of Google Analytics did indeed constitute a violation of European privacy legislation, i.e. the GDPR. Recently, however, the French DPA (CNIL) has toned down its previous verdict in a post on its official website, in which it judges it legitimate for French sites to continue using Google Analytics on condition that an appropriately configured proxy server is deployed.
Since then, the Dutch DPA, “Autoriteit Persoonsgegevens” (AP), has also completed its investigation into the use of Google Analytics, but its conclusions are not expected to be published until later this year. Meanwhile, the Dutch AP website still contains a warning that use of Google Analytics may in the near future be against the law.
Upcoming EU fines for online platforms allowing deepfakes
In 2018, the European Commission presented its Code of Practice on Disinformation, a code of conduct that between 2018 and 2020 was ratified by multiple leading tech companies, including Facebook, Google, Twitter, TikTok and Mozilla, who, with their signature, committed to joining the cause of preventing disinformation, deepfakes and dummy accounts. Since what they are subscribing to, however, is no more than a code of intended conduct, observance of its principles cannot be enforced.
According to sources quoted by media specialist Reuters, however, the code’s status is about to change to that of an official EC guideline, making it mandatory for tech companies to prevent disinformation, with observance of the rules monitored by national DPAs and lack of active compliance subject to serious fines, up to the equivalent of 6 percent of an organisation’s annual worldwide revenue.
Cookies in the UK – From opt-in to opt-out
Currently, the UK still conforms to European privacy legislation, but ever since leaving the EU it has been working on its own implementation of the GDPR, and on June 17 it announced some of the changes it intends to make.
Another change has to do with the obligation for small businesses to appoint a DPO, which, if British authorities have their way, will no longer apply. The UK is also looking at ways to simplify the use of personal data for research purposes by eliminating the need for consent for specific studies in favour of a system of general permission.
EU Data Governance Act is now in force
On June 23, the new European Data Governance Act (DGA) officially entered into force, its aim being to create an internal marketplace for the free flow of information. The act is intended to ensure that start-ups and established businesses gain access to larger collections of data, which is thought to encourage product and service innovation, which in turn will benefit consumers. Apart from this, the DGA is intended to increase the safety and simplicity of data sharing, enhance general confidence in information exchange (by introducing regulations for online data platforms for instance) and facilitate secondary use of data from the public sector.
The new rules will apply 15 months after the act's entry into force, that is, as of September 24, 2023.
DPA reminder to French municipalities
The French Data Protection Authority (Commission nationale de l’informatique et des libertés, CNIL) has issued a reminder to 22 domestic municipalities that the clock is ticking on their GDPR-based obligation to appoint a dedicated Data Protection Officer. In fact, they have only four months left to do so. In June of 2021, the CNIL already sent notifications of the DPO requirement to cities with populations of over 20,000 citizens. Now, one year after the initial admonishment, some cities appear not to have acted on their legal obligations. Municipalities still found lacking in compliance at the end of the four-month window can expect serious sanctions in the form of significant fines.
Dutch government plans for centralised biometric database
In 2011, a government plan for the creation of a centralised biometric database in The Netherlands met with large-scale resistance from all layers of Dutch society. At the time, the plan was swiftly cancelled due to legal objections, political dispute and technical problems. Now, Dutch Secretary of Digital Affairs Mrs Alexandra van Huffelen again suggests the creation of a similar construct, consisting of one national database storing fingerprints, photographs and signatures of all Dutch citizens requesting a passport or ID card. And again, there is ample resistance among the Dutch population, as shown by an internet consultation. The Privacy First foundation, for instance, points out that the proposed database, as a prime target for cybercriminals, would constitute an unacceptable privacy risk, while objecting to mandatory fingerprinting and mass fingerprint storage, questioning the necessity and proportionality of the suggested system and mentioning the danger of “function creep”, use of the database for unforeseen purposes.