The Data Protection Authorities (DPAs) of France, Austria, and Italy found that processing European user data by Google Analytics could result in the unauthorized transfer of data outside of Europe since it takes place without the safeguards provided by the EU Regulation. The decisions were made in regards to Google Analytics 3.
In an effort to address some of the issues raised by this discussion about the use of Google Analytics, Google published Google Analytics 4. If you’d like to learn more on Google Analytics 4 see our guide, Google Analytics 4 – all you need to know.
2) Newly Published Documentation
EU Justice Commissioner Didier Reynders offered updates on the transatlantic data privacy framework after a visit to the US. He said that a legal text may surface “in the next weeks,” partially in the form of an executive order issued by the United States, which would then trigger a lengthy review process in Europe. “I’m quite confident in the fact that we have a robust solution, taking into account the specificities of the American legal system and the specificity of what is possible to do or not with the different actors,” he said during a sit-down with reporters and editors at The Washington Post last week. Reynders also mentioned that “an adequacy decision on our side will take about six months, so it will be [on track] for the end of the year, the first quarter of next year if we can exchange on the legal text before the summer.”Read the full report here →
The Advocate General Giovanni Pitruzzella (AG) of the Court of Justice of the European Union (CJEU) sets a high standard for responses to data subject access requests. AD recently issued an opinion (the Opinion) on the interpretation of an individual’s right to access their data under Article 15 GDPR (commonly referred to as a data subject access request, or DSAR/SAR). Access the official opinion here →
3) Notable Case Law
The latest decision of the Italian DPA (Garante Privacy) is the result of one of 101 complaints filed by the ‘NOYB’ regarding Google Analytics compliance. While the decision is close to that of previous rulings issued by the French and Austrian Authorities, there are some differences.
The Garante did not directly order the service to be removed but instead granted the Data Controller a 90-day period from the decision’s notification to identify suitable additional technical measures.
Furthermore, in accordance with the other Authorities, no economic sanctions were imposed on the company in question.
The GarantePrivacy issued a fine of EUR 50,000 to a telephone company. As it stands, the framework prohibits the creation of generic telephone directories that are not extracted from the DBU (Single Data Base). Telephone directories must comply with the rules on the protection of personal data. The Authority’s summary can be found here → (in Italian)
The Norwegian DPA has announced that it has fined an organization for failing to implement adequate technical and organizational measures to protect personal data under its control. Members of the organization were able to access someone else’s shopping history by registering someone else’s account number on the member profile. Reported here → (in Norwegian)
4) New and Upcoming Legislation
The bipartisan “American Data Privacy and Protection Act” was formally introduced by the US House Energy and Commerce Committee. Energy, Commerce Committee, Consumer Protection, and Commerce Subcommittee Leaders affirmed that it is “another important step in restoring people’s control over their data and strengthening our nation’s privacy and data security protections.”Access the press release here →
In Canada, the new proposed data privacy legislation included in the federal government’s Bill C-27 aims to strengthen restrictions on the collection of private data and includes a provision to limit the use of artificial intelligence in the private sector but not in law enforcement. Read more on this here →
The Irish Government published the General Scheme for the Communications (Retention of Data) (Amendment) Bill 2022 today. The general and indiscriminate retention of communications traffic and location data is only permissible on national security grounds if approved by a designated judge. Access the General scheme here →
5) Strong Impact Tech
The United Kingdom‘s plan to eliminate cookie consent boxes will make it “easier to spy” on web users, a privacy campaign group has warned. Ministers announced proposals on Friday to move to an “opt-out” model for cookie consent. Reported here →
Other key information from the past weeks
Wojciech Wiewiórowski, European Data Protection Supervisor, called for a “pan-European data protection enforcement model” in a keynote speech at the two-day conference titled “The Future of Data Protection: Effective Enforcement in the Digital World.”