WebProNews

Tag: European Center for Digital Rights

  • Privacy and Cybersecurity Challenges in 2023 – Part One

    With a new year comes new privacy and cybersecurity challenges for companies large and small, not the least of which is new regulation. The tech industry is facing new regulations in 2023, some of which will have profound impacts on day-to-day business and carry hefty penalties for non-compliance.

    Here are some of the top regulatory issues companies need to be aware of:

    Voluntary Cooperation Is Out; Regulation Is In

    One of the major changes moving forward in 2023 is an expected change in the US government’s approach to cybersecurity. In the past, the government was largely willing to allow companies to handle cybersecurity issues on a voluntary basis, but those days appear to be over.

    The White House Office of the National Cyber Director is expected to unveil major new initiatives in the first half of 2023, and many of them will be mandatory.

    “We’ve been working for about 23 years on a largely voluntary approach,” said Mark Montgomery, the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. “The way forward is going to require thinking about regulation.”

    California Consumer Privacy Act of 2018

    One of the biggest regulatory challenges businesses will face is the California Consumer Privacy Act of 2018 (CCPA), including the Proposition 24 amendments (the California Privacy Rights Act, or CPRA) that were passed in 2020 and expanded the scope of the CCPA.

    Per the California Attorney General’s office, the CCPA guarantees the following rights:

    • The right to know about the personal information a business collects about them and how it is used and shared;
    • The right to delete personal information collected from them (with some exceptions);
    • The right to opt-out of the sale or sharing of their personal information; and
    • The right to non-discrimination for exercising their CCPA rights.

    In addition, the Proposition 24 amendments add the following:

    • The right to correct inaccurate personal information that a business has about them; and
    • The right to limit the use and disclosure of sensitive personal information collected about them.

    The latter two rights, in particular, are of special note since they went into effect on January 1, 2023.

    Most important, however, is the CCPA’s private right of action: consumers can sue a business whose failure to implement and maintain reasonable security procedures results in a breach that exposes their nonencrypted, nonredacted personal information. This places a heavy burden on companies to demonstrate that reasonable measures were actually in place, both to protect the data and to limit their liability if a breach occurs.

    Increased GDPR Enforcement

    Another major hurdle many businesses will face is increased enforcement of the European Union’s GDPR. While the GDPR has been in effect for years, companies on both sides of the Atlantic have largely ignored some of its provisions.

    The EU sent a clear message in 2022, however, that companies will continue to ignore the GDPR at their own peril. For example, in January 2022, the Austrian Data Protection Authority ruled that an Austrian website’s use of Google Analytics violated the GDPR’s rules on transferring personal data to the US, a decision with consequences for countless EU-based companies and websites running the same tool.

    At the heart of the issue is the protection of EU citizens’ data when it is in the hands of US-based companies. The EU is especially concerned that US intelligence agencies could have unwarranted access to such data; that concern is why the Court of Justice of the EU struck down the EU-US Privacy Shield transfer framework in July 2020 (the Schrems II judgment). While the US and EU are working to establish a new data-sharing deal that would address such concerns, such a deal is still a ways off, leaving companies to navigate the complicated situation on their own.

    In the meantime, the EU has made it clear it will continue to go after companies that ignore its privacy and cybersecurity regulations.

    “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice,” says Max Schrems, honorary chair of The European Center for Digital Rights. “Many EU companies have followed the lead instead of switching to legal options.”

    General Issues

    In addition to the above specific concerns, there are a number of general concerns companies face. Ransomware attacks have been a growing threat in recent years, especially attacks that target vital infrastructure.

    As a result of the growing threat, cybersecurity has been a major focus of the Biden administration, with multiple executive orders, memorandums, and fact sheets addressing the issue. Some of these impose unprecedented requirements, including mandatory measures for US federal agencies and for the contractors and software vendors that supply them.

    Dealing With the Challenges

    Understanding the challenges is just the first step in properly preparing for and dealing with them. In Part Two of this series, we’ll look at some specific steps companies and organizations can take.

  • Google Analytics Is Illegal in Austria, Violates the GDPR

    In what may be the first of many such rulings, Austria has ruled that Google Analytics violates the GDPR and is therefore illegal.

    Google Analytics is the premier tool available to website operators to gauge their traffic, and better understand how they’re engaging with visitors. Unfortunately for Google, Google Analytics seems to run afoul of the GDPR, the EU’s privacy legislation.

    The issue stems from the Court of Justice of the EU’s July 2020 Schrems II judgment, which invalidated the EU-US Privacy Shield. Because US providers can be compelled under US surveillance law to hand data to US intelligence agencies, the Court held that US law does not give people in the EU protection essentially equivalent to the GDPR’s, so data on EU citizens could no longer be sent to US companies as freely as it once was. Google Analytics runs afoul of this ruling because it transmits visitors’ IP addresses and other identifiers to Google servers in the US.
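    As an added example (not code from the original article, nor from noyb or the Austrian DSB), the following Python script is the kind of static tag inventory a site operator can run over their own HTML to find out whether Google Analytics is loaded and which tracking IDs are configured, i.e. which third-party hosts every visitor’s browser will contact. The sample page, the list of loader hosts and the ID patterns are assumptions constructed for the example.

```python
"""Inventory Google Analytics loaders in a page's HTML.

Added example, not code from the original article or from noyb/the DSB:
a static check a site operator can run over their own pages to see
whether Google Analytics is loaded and which tracking IDs are in use.
The sample page and the host list below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hosts that serve the GA loaders (assumption for the example: not an
# exhaustive list; maintain it alongside your tag inventory).
GA_LOADER_HOSTS = {
    "www.google-analytics.com",
    "google-analytics.com",
    "ssl.google-analytics.com",
    "www.googletagmanager.com",
}

# Tracking IDs as they appear in loader URLs and inline snippets:
# legacy UA-xxxx-y, GA4 G-xxxx, and Tag Manager containers GTM-xxxx.
_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{4,12}|GTM-[A-Z0-9]{4,10})\b")


class _ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.inline_scripts = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.script_srcs.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            self.inline_scripts.append("".join(self._buf))


def find_google_analytics(html):
    """Return {'loaders': [...], 'ids': [...]} for GA usage in the HTML.

    'loaders' are external script URLs served from a GA host (each one
    is a request, carrying the visitor's IP address, to that host);
    'ids' are the tracking IDs found in loader URLs or inline snippets.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    loaders, ids = [], set()
    for src in parser.script_srcs:
        parts = urlparse(src)  # also handles protocol-relative //host/path
        if parts.hostname in GA_LOADER_HOSTS:
            loaders.append(src)
            for value in parse_qs(parts.query).get("id", []):
                ids.update(_ID_RE.findall(value))
    for text in parser.inline_scripts:
        ids.update(_ID_RE.findall(text))
    return {"loaders": loaders, "ids": sorted(ids)}


# Constructed sample page: a typical GA4 gtag.js install plus a first-party script.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABCD1234"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-ABCD1234', { 'anonymize_ip': true });
</script>
<script src="/static/app.js"></script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    report = find_google_analytics(SAMPLE_HTML)
    for url in report["loaders"]:
        print("GA loader:", url)
    print("tracking IDs:", ", ".join(report["ids"]) or "none")
```

    Note that the `anonymize_ip` flag in the sample does not change what this check reports: the loader request, and with it the visitor’s full IP address, still reaches Google’s servers, and any truncation happens there rather than in the browser. A tool like this only tells you that a transfer occurs; whether it is lawful is the separate, and harder, question the DSB decision addresses.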

    Unfortunately for users’ privacy, many companies — both in the US and EU — are choosing to ignore the law and continue with business as usual. The European Center for Digital Rights (noyb) has filed 101 cases against such companies, and the Austrian Data Protection Authority (“Datenschutzbehörde” or “DSB”) has ruled on one of them, concluding that Google Analytics is illegal.

    EU authorities have been cooperating on such cases, acting as a task force, making it likely that Austria’s ruling is just the first of many that will soon be handed down.

    “We expect similar decisions to now drop gradually in most EU member states,” said Max Schrems, honorary chair of noyb.eu. “We have filed 101 complaints in almost all Member States and the authorities coordinated the response. A similar decision was also issued by the European Data Protection Supervisor last week.

    “This is a very detailed and sound decision,” Schrems continued. “The bottom line is: Companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”

    Schrems also highlighted the need for the US to adopt its own data protection laws, something prominent US executives have also advocated for, lest platforms and services be splintered.

    “In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU,” Schrems noted. “I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in Europe.”