Sunday, November 27, 2022

Cookies, Google Analytics, transfers of PNR data and new guidelines on the right of access… Wrapping-up January events in data protection

The New Year brought us some interesting developments in the data protection landscape. There are a few January facts worth noting:

Fines imposed on Google and Facebook for non-compliance with the cookie rules

At the beginning of January*, the French supervisory authority, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a 150 million euro fine on Google and a 60 million euro fine on FACEBOOK IRELAND LIMITED – both for violations related to the use of cookies. According to the authority, users of websites owned by the companies (particularly, and can’t reject cookies as easily as they can accept them. Accepting cookies is possible with a single click of a button on the page, whereas the equivalent option is not available for refusing cookies. Denying consent to cookies requires more involvement on the part of the user and at least several clicks. Consequently, such a complicated refusal mechanism may act as a disincentive for users, so that they are more likely to accept cookies against their will. This in turn violates Article 82 of the French law transposing the provisions of the e-Privacy Directive. It also fails to meet the requirements of legally binding consent under the GDPR.

As a reminder, this is not the first sanction imposed by the CNIL on Google. In December 2020, the CNIL also fined Google LLC and Google Ireland Limited 100 million euro, because a large number of cookies used for advertising purposes was automatically deposited on a user’s computer, without obtaining prior consent and without providing adequate information. The Google companies filed an appeal against the decision, but the French Council of State in late January 2022 upheld the CNIL’s decision.

Use of Google Analytics not compliant with the GDPR

January was not a successful month for Google in terms of data protection. In addition to the above penalties, the Austrian Data Protection Authority found that a tool used on many websites, Google Analytics, violates the protection of EU residents’ personal data.** Why? Because the tool transfers personal data to the US, and in the US, Europeans’ personal data is not adequately protected. Previously, personal data could be transferred from the EU to the US under the EU Commission’s decision on the adequacy of the protection provided by the EU-US Privacy Shield, but since the CJEU declared that decision invalid in mid-July 2020, data controllers should base data transfers on a different legal ground (for example, on standard contractual clauses). The problem is that US law does not provide adequate protection against access to personal data by various public authorities, regardless of the legal basis on which personal data is transferred. And regardless of the fact that EU-US data transfers became illegal literally overnight, many companies continue to transfer personal data to the US, mainly using IT tools provided by US companies, just like Google Analytics or other similar technologies. The decision of the Austrian authority is therefore not surprising, but it certainly provides another confirmation that transfers of personal data to the US are legally questionable. Companies should examine their practices and consider choosing alternative European IT tool providers. But not only companies! Looks like the European Parliament should too – the European Data Protection Supervisor also issued a decision in January this year in which he questioned the legality of transfers of data collected via cookies on one of the EP’s websites.

EU rules on the collection of air passenger data are in line with the EU Charter of Fundamental Rights and the GDPR, but with some reservations

On the 27th of January, AG Pitruzzella delivered his opinion in case C-817/19 Ligue des droits humains concerning, inter alia, the interpretation of the provisions of Directive 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. AG Pitruzzella assumes that the transfer of PNR data and the pre-travel screening of air passengers by means of automated processing of such data is generally compatible with Articles 7 and 8 of the EU Charter of Fundamental Rights. However, he also pointed out that such data should only be stored when necessary in view of a serious and genuine threat to security and for a period limited to the minimum necessary.

This case deserves a wider comment and a separate blog post, so we will come back to this topic shortly, as soon as the English version of the opinion is published on the Court’s website.

Guidelines on data subject rights – right of access

Finally, at the end of January, the European Data Protection Board published new guidelines on data subjects’ rights, specifically on the right of access to data. At the moment, this is the version for public consultation. The feedback period is now open, so make your voice heard until March 11th!

* To be precise – CNIL’s decisions were issued on December 31, 2021, but the information about the fines was published on the authority’s official website in the first days of January.

** Again, the decision was issued just before Christmas, but published on January 12, 2022.


