Google Analytics is one of the most widespread services on the web: it is embedded in a very large share of websites, and even the social network Facebook (over one billion users) has relied on it. But how can it guarantee compliance with the European data protection rules?
Last year Google updated its Privacy Policy to bring it into line with the GDPR: in particular, it introduced a new tool that lets people see what data is collected and how it is used. The information is now more detailed and explicit.
The Austrian data protection authority (DSB), however, found that the use of Google Analytics does not comply with the European rules on international data transfers, considering the technical, organisational and contractual measures adopted by Google to be insufficient. The decision belongs to the follow-up to the Schrems II judgment, in which the Court of Justice of the EU invalidated the Privacy Shield agreement between Brussels and Washington.
In the same vein, the EDPS recalls that Google, as the provider of Google Analytics, acts as a "processor" within the meaning of Article 28 of the GDPR, but also stresses that this does not mean it bears every obligation in that regulation: the website operator remains the controller. A controller that has personal data processed on its behalf by a processor (in this case Google) may only use processors that provide sufficient guarantees of appropriate technical and organisational measures, and it remains responsible for the security of the processing and the related duties (Articles 32-36: security, breach notification, impact assessment and prior consultation).
In the wake of this decision, the Austrian authorities have asked Google to comply with the provisions of the General Data Protection Regulation (GDPR), applicable since 2018, so that users can exercise their rights of access, rectification, erasure and data portability.
To this end, Google had to provide a copy of all the data processed on behalf of each user concerned.
The DSB has already published a first inspection report on the subject. Its conclusions are damning for Google, which is found not to respect the European rules on data transfers. The EDPS, for its part, recalls that the Schrems II judgment declared the "Privacy Shield" agreement between the EU and the United States on transfers of personal data invalid, and therefore invites Google to make further efforts to comply with European standards.
What is the Privacy Shield and when was it abolished?
The EU-US Privacy Shield was an arrangement under which personal data could be transferred from the EU to certified companies in the United States.
It was presented as a new framework for transatlantic data flows between the EU and the US: a "shield" meant to protect personal data once it had been sent to US companies. It replaced an older framework, "Safe Harbour", which thousands of US companies had used since 2000. Safe Harbour was struck down by the Court of Justice of the EU in October 2015 (the Schrems I judgment) because it did not adequately protect the data transferred.
The Privacy Shield was designed to work differently from Safe Harbour, with stronger enforcement powers and stricter obligations on US companies handling the personal data of people in the EU, so that such data would be handled properly and used only for lawful purposes.
The Privacy Shield entered into force on 12 July 2016 but was controversial from the start. After the first annual review in September 2017, EU data protection regulators concluded that the arrangement was not strong enough to protect people's data and warned that they would push for its suspension if the outstanding concerns were not addressed by September 2018. It was ultimately invalidated by the Court of Justice of the EU in the Schrems II judgment of 16 July 2020, which is why transfers to the US now require other safeguards.
What are the risks and penalties for those who do not comply with the GDPR?
The GDPR is a big deal. The fines can be huge: for the most serious infringements, up to 4% of a company's total worldwide annual turnover for the preceding financial year or EUR 20 million, whichever is higher (a lower tier of 2% or EUR 10 million applies to other infringements). You do not want to risk violating the GDPR, which means you need to know what it says and how it applies to your business.
The General Data Protection Regulation (GDPR) is an EU regulation, directly applicable in every member state, that establishes common data protection standards for the processing of personal data of people in the European Union. It also regulates the transfer of personal data to countries outside the EU.