Monday, May 23, 2022

Austrian data regulator decision on Google Analytics raises questions

An interim decision by Austria’s data regulator against Google Analytics may affect the ability of the search engine’s tool to be used in European countries that follow the EU’s General Data Protection Regulation (GDPR).

However, a Canadian privacy lawyer says the ruling is also a warning to companies here about the consent they need before gathering tracking data of visitors to their websites.

According to Wired, the controversy involves a just-published December interim decision by Austria’s data regulator that Google Analytics breached the GDPR because website visitor data collected by a Google Analytics cookie is sent to the U.S. for processing. Under the GDPR, personally-identifiable data sent outside the EU must have data protection. But since the EU struck down the Privacy Shield agreement with the U.S. in 2020, no such legal protection exists.

According to Google, the Austrian regulator ruled that a local web publisher’s implementation of Google Analytics didn’t provide an adequate level of protection, on the grounds that U.S. national security agencies have a theoretical ability to access user data.

The EU takes privacy seriously. In fact, according to Wired, the European Data Protection Supervisor ruled the European Parliament’s Covid-19 testing website had also breached GDPR by using cookies from Google Analytics and Stripe.

This week Kent Walker, president of global affairs and chief legal officer of Google and its parent company, Alphabet, said in a blog that the U.S. and the European Union have to agree soon on a replacement for Privacy Shield.

“Google has offered Analytics-related services to global businesses for more than 15 years and in all that time has never once received the type of demand the [Austrian regulator] speculated about,” he added. “And we don’t expect to receive one because such a demand would be unlikely to fall within the narrow scope of the relevant law.”

Canadian privacy lawyers questioned by ITWorldCanada about the controversy initially saw little impact here.

“This should be a reminder to Canadian business that consent is needed to track and profile people online, including via the use of analytical tools,” said Barry Sookman of the McCarthy Tetrault law firm.

However, he added, the current federal privacy law, the Personal Information Privacy and Electronic Documents Act (PIPEDA), has yet to be determined to be equivalent to the GDPR. The EU has given countries an unspecified amount of time to bring their privacy laws close to the GDPR, or to negotiate a privacy agreement with the EU as the United States did before the Privacy Shield was struck down.

“If Canada does not update our privacy laws soon, we will lose our adequacy status and Canadian businesses may not be able to transfer data outside of the EU without getting consents,” Sookman said.

Iman Ahmad, co-head of information governance, privacy and cybersecurity at Norton Rose Fulbright Canada LLP, notes the Austrian decision can be appealed. “If held up,” he added, “it would be a major development.”

However, he also questioned the fact-finding of the Austrian regulator, which in part concluded that encryption doesn’t give enough protection of data.

Firms in Canada are in a somewhat better position since much of the concern in the Austrian case was around the transfer of personal information between the EU and the U.S. and the sufficiency of standard contractual clauses, he said. Canada benefits from an adequacy standing with PIPEDA with the EU, he said, which arguably simplifies any data transfer.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.