WebProNews

Tag: max schrems

  • Norway On the Verge of Banning Google Analytics

    Norway may soon join the list of EU countries banning Google Analytics following an initial conclusion that it violates the GDPR.

    Google Analytics has increasingly come under fire by EU jurisdictions, accused of violating European data protection laws, specifically the GDPR. According to Simple Analytics, the Norwegian data protection authority (Datatilsynet) has issued a preliminary decision that “the use of Google Analytics was in violation of the GDPR’s transfer rules.”

    At the heart of the issue is a 2020 EU ruling that US cloud providers are not in compliance with the GDPR. There have long been concerns regarding the transmission of EU user data to US cloud providers, especially given US cloud providers’ obligation to assist US intelligence agencies.

    When Austria became one of the first jurisdictions to issue an adverse ruling against Google Analytics, Max Schrems, honorary chair of The European Center for Digital Rights (noyb), predicted it would simply be the first of many such rulings.

    “We expect similar decisions to now drop gradually in most EU member states,” Schrems said. “We have filed 101 complaints in almost all Member States and the authorities coordinated the response. A similar decision was also issued by the European Data Protection Supervisor last week.

    “This is a very detailed and sound decision,” Schrems continued. “The bottom line is: Companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”

    As Simple Analytics points out, it is possible — although unlikely — that Norway’s final conclusion will differ from its initial conclusion. If Norway’s final decision is in line with its preliminary one, it will join Austria, Denmark, Finland, France, and Italy, all of whom have ruled against Google.

  • Privacy and Cybersecurity Challenges in 2023 – Part One

    With a new year comes new privacy and cybersecurity challenges for companies large and small, not the least of which is new regulation. The tech industry is facing new regulations in 2023, some of which will have profound impacts on day-to-day business and carry hefty penalties for non-compliance.

    Here are some of the top regulatory issues companies need to be aware of:

    Voluntary Cooperation Is Out; Regulation Is In

    One of the major changes moving forward in 2023 is an expected change in the US government’s approach to cybersecurity. In the past, the government was largely willing to allow companies to handle cybersecurity issues on a voluntary basis, but those days appear to be over.

    The White House Office of the National Cyber Director is expected to unveil major new initiatives in the first half of 2023, and many of them will be mandatory.

    “We’ve been working for about 23 years on a largely voluntary approach,” said Mark Montgomery, the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. “The way forward is going to require thinking about regulation.”

    California Consumer Privacy Act of 2018

    One of the biggest regulatory challenges businesses will face is the California Consumer Privacy Act of 2018 (CCPA), including the Proposition 24 amendments that were passed in 2020 and expanded the scope of the CCPA.

    Per the California Attorney General’s office, the CCPA guarantees the following rights:

    • The right to know about the personal information a business collects about them and how it is used and shared;
    • The right to delete personal information collected from them (with some exceptions);
    • The right to opt-out of the sale or sharing of their personal information; and
    • The right to non-discrimination for exercising their CCPA rights.

    In addition, the Proposition 24 amendments add the following:

    • The right to correct inaccurate personal information that a business has about them; and
    • The right to limit the use and disclosure of sensitive personal information collected about them.

    The latter two rights, in particular, are of special note since they went into effect on January 1, 2023.

    Most important, however, is a provision that allows customers to take legal action against companies that fail to properly protect their data and expose such data as a result of a breach. This places a tremendous responsibility on companies to ensure all possible measures are being taken to reduce their possible liability.

    Increased GDPR Enforcement

    Another major hurdle many businesses will face is increased enforcement of the European Union’s GDPR. While the GDPR has been in effect for years, companies on both sides of the Atlantic have largely ignored some of its provisions.

    The EU sent a clear message in 2022, however, that companies will continue to ignore the GDPR at their own peril. For example, in January 2022, the Austrian Data Protection Authority ruled that Google Analytics violated the GDPR and was therefore illegal, impacting countless EU-based companies and websites.

    At the heart of the issue is the protection of EU citizens’ data when it is in the hands of US-based companies. The EU is especially concerned that US intelligence agencies could have unwarranted access to such data. While the US and EU are working to establish a new data-sharing deal that would address such concerns, such a deal is still a ways off, leaving companies to navigate the complicated situation on their own.

    In the meantime, the EU has made it clear it will continue to go after companies that ignore its privacy and cybersecurity regulations.

    “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice,” says Max Schrems, honorary chair of The European Center for Digital Rights. “Many EU companies have followed the lead instead of switching to legal options.”

    General Issues

    In addition to the above specific concerns, there are a number of general concerns companies face. Ransomware attacks have been a growing threat in recent years, especially attacks that target vital infrastructure.

    As a result of the growing threat, cybersecurity has been a major focus of the Biden administration, with multiple executive orders, memorandums, and fact sheets addressing the issue. Some of these include unprecedented requirements, including mandatory measures to improve the overall cybersecurity of US businesses and agencies.

    Dealing With the Challenges

    Understanding the challenges is just the first step in properly preparing for and dealing with them. In Part Two of this series, we’ll look at some specific steps companies and organizations can take.

  • Google Analytics Is Illegal in Austria, Violates the GDPR

    In what may be the first of many such rulings, Austria has ruled that Google Analytics violates the GDPR and is therefore illegal.

    Google Analytics is the premier tool available to website operators to gauge their traffic, and better understand how they’re engaging with visitors. Unfortunately for Google, Google Analytics seems to run afoul of the GDPR, the EU’s privacy legislation.

    The issue is the result of a 2020 EU ruling that using US cloud providers violates the GDPR. Because US cloud providers are legally compelled to help US intelligence agencies, they were deemed inherently incapable of being GDPR-compliant. As a result, data on EU citizens could no longer be sent to US companies as freely as it once was. Google Analytics runs afoul of this law because it transmits user IP addresses and other identifiable information to the US.

    Unfortunately for users’ privacy, many companies — both in the US and EU — are choosing to ignore the law and continue with business as usual. The European Center for Digital Rights (noyb) has filed 101 cases against such companies, and the Austrian Data Protection Authority (“Datenschutzbehörde” or “DSB”) has ruled on one of them, concluding that Google Analytics is illegal.

    EU authorities have been cooperating on such cases, acting as a task force, making it likely that Austria’s ruling is just the first of many that will soon be handed down.

    “We expect similar decisions to now drop gradually in most EU member states,” said Max Schrems, honorary chair of noyb.eu. “We have filed 101 complaints in almost all Member States and the authorities coordinated the response. A similar decision was also issued by the European Data Protection Supervisor last week.

    “This is a very detailed and sound decision,” Schrems continued. “The bottom line is: Companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”

    Schrems also highlighted the need for the US to adopt its own data protection laws, something prominent US executives have also advocated for, lest platforms and services be splintered.

    “In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU,” Schrems noted. “I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in Europe.”

  • Court Kills EU-US Privacy Shield

    An EU court has struck down a privacy agreement that made it possible to share the data of EU citizens with the US.

    Under the EU-US Privacy Shield, companies could implement higher privacy standards to allow for the transfer of EU citizen data. This was necessary because of the EU’s stricter privacy legislation. In spite of the goals behind the Privacy Shield, privacy groups raised a number of concerns about its effectiveness.

    In particular, advocates were concerned about the privacy threat the US government poses. Thanks to the Edward Snowden leaks, the world is aware of the US government’s long history of digital spying, even on law-abiding citizens. Advocates were concerned that, even if a company met the necessary data sharing privacy requirements, there was no guarantee the US government wouldn’t snoop on any shared data.

    Max Schrems, an Austrian privacy advocate, initially filed the complaint that eventually made its way to the European Court of Justice (ECJ). After considering the case, the ECJ struck down the law.

    This will have major ramifications for many companies with customers in the EU. At the very least, companies will need to use Standard Contractual Clauses. This is a type of non-negotiable legal contract drawn up in the EU that governs data transfers. Specifically, they are used to make sure any data transfer abides by the GDPR privacy laws, especially when transferring the data to a country that does not have the same level of privacy protection.

    The ECJ’s decision is a big win for privacy advocates, and will no doubt put additional pressure on the US to adopt privacy regulation of its own.

  • Google Accused of Tracking EU Users

    Austrian privacy advocate Max Schrems has levied a complaint against Google, accusing the search giant of tracking users and passing the info to advertisers.

    Google has been mired in privacy and antitrust issues in the EU, generally considered to be the most privacy- and consumer-focused part of the world. EU regulators have repeatedly hit Google with billions of dollars in fines, in 2017, ’18 and ’19.

    Now Bloomberg is reporting that Schrems’ campaign group Noyb has accused Google of using a unique ID to track Android users without the proper opt-in consent.

    “Google does not collect valid ‘opt-in’ consent before generating the tracking ID, but seems to generate these IDs without user consent,” according to the group.

    “Android does not allow deleting the tracking ID. It only allows users to generate a new tracking ID to replace the existing tracking ID. This neither deletes the data that was collected before, nor stops tracking going forward.”

    If the claim has merit, the EU’s GDPR laws allow for fines up to “4% of a company’s global annual sales.” If Google is found guilty, the result could be one of its biggest fines yet.

  • What Will Your Facebook Timeline Look Like On Paper?

    Now that the much-ballyhooed Facebook Timeline is live and available to everyone, people have already started adopting the new feature. The new profile design permits users to tell their entire life story by including or excluding as many events as they want. Have fond memories of that beach vacation to Puerto Rico with your high school senior class? Throw it on there. Still embarrassed about the time you got caught stealing expired cookies from Big-Lots after you graduated college? Leave it out and nobody’s none the wiser. It’s up to you. Add events to your own biography like never before.

    This Timeline business is about to be an information bonanza for Facebook. But do you ever pause between Likes and consider exactly how much of your information is sitting around on Facebook’s shelves? That’s what 24-year-old Max Schrems of Vienna, Austria, wanted to find out so he asked Facebook for a copy of every single piece of information that they had collected on him.

    The result? 1,222 PDF files that “was roughly the length of Leo Tolstoy’s War and Peace.” See the accompanying video that details the startling density and depth of information that Facebook has been quietly plumbing from him:

    And to see what Schrems’ info looks like as a graphic visualization, check out the links at the bottom of this page.

    In case you weren’t creeped out enough, go watch that video again. Every log-in, every log-out, every message, every Like, every friend request accepted, every friend request ignored, every relationship status, every photo, every post, every poke, every app, every tag, every group you joined, every fan page you liked and literally everything in-between. And as if that wasn’t enough, they kept all of the material he deleted, too.

    That Facebook has such a rich trove of information on Schrems (and, presumably, all of us) isn’t exactly a complete surprise as I’m sure we all have some drunken, low-level awareness that this is happening each time we sign on to the site. What’s disturbing is actually having that fear validated. It’s hard to even conceptualize how much information we happily hand over to Facebook until a story like Schrems’ comes along and puts it into terms that we can understand. 1,222 PDF files. That’s gobsmacking. I doubt I’ve even read that many PDFs in my entire life. Moreover, if the mass of information Facebook had already collected on us was enough to rival some of the beefiest tomes ever written, how will the size of our information on Facebook balloon now with the new Timeline feature where we can freely choose to include anything in our Facebook biography? If someone were an earnest Facebook Timeliner, could their profile eventually amount to 4,000 PDF files?

    They probably don’t even have names for the types of memory size we would need to download it all. But when it is invented, it’ll probably sound like something we enjoy saying, like a Facebookbyte.