With the Jan 2022 “Austrian ruling” sending shockwaves around the online world, what’s actually changed in GDPR law? As a data manager, what do you need to know, and what are the implications for your data collection strategy?
What’s New in GDPR Law?
Nothing. Seriously, absolutely nothing. The European Union’s GDPR, which came into effect in May 2018, has not changed. What you are seeing are some important rulings based on that law. Essentially, any data subject in the EU (not only EU citizens) can lodge a complaint about how their data is processed with a data protection authority (Article 77 GDPR), and if there is merit in the complaint the authority has a duty to investigate it. That is what you are seeing. The organisation behind these recent complaints is NOYB (Max Schrems et al.), but there are others, such as iccl.ie.
Remember there is no Internet police force in the EU, or anywhere else I am aware of (except China). I have heard conspiracy theorists say the EU is “going after” US big tech so it can build its own alternatives and dominate/control the world in a SPECTRE type of way. I say that is nonsense.
Data Protection is About Jigsaw Puzzles…
The Austrian ruling sent shockwaves around news desks because it set a precedent: an Austrian website operator was found to have unlawfully transferred personal data of its EU visitors (their IP address together with the identifiers Google Analytics sets in its cookies; an IP address on its own already counts as personal data under EU law) to Google LLC in the US, a country whose legal protections for that data do not match the EU’s. The same reasoning applies to any country without equivalent protections, whether Russia, Turkey, China and so on. In this particular case, Google Analytics was cited as the culprit. However, it could have been any US-owned tech, and that’s the BIG problem. The numerous “Google Analytics is now illegal” headlines are misleading because they hide the much wider implication: so much web tech has historically come from the US.
Why Jigsaw Puzzles?
It’s a direct analogy because there is no longer any such thing as truly “anonymous” data. Like a jigsaw puzzle, the more pieces (data points) you hold about a person, the easier it is to identify the subject of the puzzle; it is only a matter of time. And because companies like Google continuously collect vast quantities of data, thousands of data points about individuals, it is trivial for them to do this. That is the key to understanding this problem. In fact, there is plenty of research proving it…
An early and now classic example was the AOL search data scandal of 2006. AOL deliberately released a large volume of “anonymised” search query logs, with user names replaced by numeric IDs, for research purposes. New York Times journalists (and others) were able to analyse the queries grouped under a single ID and identify the person behind it by triangulating the data points.
More recent academic studies showing how anonymous data is not so anonymous:
- nature.com/articles/s41467-019-10933-3 – 15 demographic attributes are enough to re-identify 99.98% of Americans in any dataset – Nature (Imperial College London / UCLouvain).
- www.usenix.org/system/files/soups2020-bird.pdf – 150 web histories were all it took to re-identify 80% of users – SOUPS 2020 (Mozilla).
- karelkubicek.github.io/post/floc – scientific paper showing how flawed Google’s FLoC is (LinkedIn summary) – ETH Zürich.
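To make the jigsaw concrete, here is an added example in Python (mine, not the author’s and not code from any of the studies above) on a constructed toy dataset. It takes a name-stripped “anonymised” extract, measures each record’s anonymity set (how many records share its quasi-identifiers, the k of k-anonymity) and links it to a constructed auxiliary source that carries names. The postcode, birth year, gender and browser columns and every value in them are invented for illustration. The general point it shows: each extra attribute shrinks k, and every record with k = 1 is re-identified the moment a second source with the same attributes turns up.

```python
from collections import Counter

# Constructed "anonymised" extract: names removed, quasi-identifiers kept.
# All values are invented for this illustration.
ANON = [
    {"id": 1, "postcode": "SW1A", "birth_year": 1984, "gender": "F", "browser": "Firefox"},
    {"id": 2, "postcode": "SW1A", "birth_year": 1984, "gender": "F", "browser": "Chrome"},
    {"id": 3, "postcode": "SW1A", "birth_year": 1990, "gender": "M", "browser": "Chrome"},
    {"id": 4, "postcode": "EC2A", "birth_year": 1990, "gender": "M", "browser": "Chrome"},
    {"id": 5, "postcode": "EC2A", "birth_year": 1990, "gender": "M", "browser": "Chrome"},
    {"id": 6, "postcode": "EC2A", "birth_year": 1975, "gender": "F", "browser": "Safari"},
]

# Constructed auxiliary source (think public profiles or a leaked customer
# list) carrying the same attributes next to a name: the other half of the puzzle.
AUX = [
    {"name": "Alice", "postcode": "SW1A", "birth_year": 1984, "gender": "F", "browser": "Firefox"},
    {"name": "Bea",   "postcode": "SW1A", "birth_year": 1984, "gender": "F", "browser": "Chrome"},
    {"name": "Carl",  "postcode": "SW1A", "birth_year": 1990, "gender": "M", "browser": "Chrome"},
    {"name": "Dan",   "postcode": "EC2A", "birth_year": 1990, "gender": "M", "browser": "Chrome"},
    {"name": "Ed",    "postcode": "EC2A", "birth_year": 1990, "gender": "M", "browser": "Chrome"},
    {"name": "Fay",   "postcode": "EC2A", "birth_year": 1975, "gender": "F", "browser": "Safari"},
]

QUASI_IDS = ["postcode", "birth_year", "gender", "browser"]


def key_of(record, keys):
    """The tuple of quasi-identifier values used to link records."""
    return tuple(record[k] for k in keys)


def anonymity_set_sizes(records, keys):
    """Map each record id to its k: the number of records (itself included)
    sharing its values on `keys`. k == 1 means the record is unique."""
    counts = Counter(key_of(r, keys) for r in records)
    return {r["id"]: counts[key_of(r, keys)] for r in records}


def reidentify(anon, aux, keys):
    """Join the anonymised extract to the auxiliary source on `keys` and return
    {anon id: name} for records whose key matches exactly one auxiliary record.
    Ambiguous matches (several candidate names) are deliberately left out."""
    index = {}
    for a in aux:
        index.setdefault(key_of(a, keys), []).append(a["name"])
    hits = {}
    for r in anon:
        names = index.get(key_of(r, keys), [])
        if len(names) == 1:
            hits[r["id"]] = names[0]
    return hits


def uniqueness_by_attribute_count(records, keys):
    """Fraction of records that are unique (k == 1) using the first n keys,
    for n = 1 .. len(keys): how fast anonymity collapses as pieces are added."""
    out = {}
    for n in range(1, len(keys) + 1):
        sizes = anonymity_set_sizes(records, keys[:n])
        out[n] = sum(1 for k in sizes.values() if k == 1) / len(records)
    return out


if __name__ == "__main__":
    for n, frac in uniqueness_by_attribute_count(ANON, QUASI_IDS).items():
        print(f"{n} attribute(s): {frac:.0%} of records unique")
    print("re-identified:", reidentify(ANON, AUX, QUASI_IDS))
```

On this toy data, postcode alone makes nobody unique; with all four columns four of the six records are unique and are named outright by the join. Records 4 and 5 survive only because they are indistinguishable from each other (k = 2), which is exactly what k-anonymity buys you and exactly what one more column would take away. Real datasets have far more columns than four, which is why the Nature figure above is 15 attributes, not 150.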
FISA 702 (and the “CLOUD Act”)
The problem highlighted by the Austrian ruling, and by related ones in Germany (against Cookiebot and Google Fonts) and in France (the CNIL, also concerning Google Analytics), is actually about ANY transfer of personal data to ANY entity that is not bound by the same high standard of privacy and data protection as the EU.
Note, I deliberately use the word “entity” rather than country. A US business such as Google or Facebook is subject to US FISA Section 702 (and, separately, the 2018 CLOUD Act, which reaches data a US provider holds abroad). The US government and its agencies can therefore compel access to data these companies hold, in secret, so the end users affected are unaware and have no effective means of redress. The CJEU found in Schrems II that this is fundamentally incompatible with EU law. It also means that even if Google et al. geographically ring-fenced their cloud services and data centres, e.g. within the EU, it would not solve the problem, because the US parent company can still be ordered to hand the data over.
And this is NOT LIMITED to Google Analytics. It is in the spotlight for this ruling because it is so ubiquitous and, quite frankly, riddled with personal identifiers without a clear definition of who can use the data: apart from the website collecting it, is Google itself mining the same data? Adobe Analytics faces identical issues. Also think about your CMS, CRM, email, cloud document storage, and every other third-party host your pages make visitors’ browsers connect to (fonts, CDNs, embedded players): each of those requests hands over the visitor’s IP address at the very least, which is the data point the Google Fonts decision turned on.
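As an added check (my own example, not the author’s tool and not code from the page), the following Python script does the first step of a transfer inventory: it parses a page’s HTML and lists every third-party host the browser will be made to contact on load, since each such request carries the visitor’s IP address to that host. The sample page is constructed; the hosts, paths and the “G-XXXXXXX” measurement ID in it are placeholders. The inline-script scan goes a little beyond simple tag parsing because the classic Google Analytics loader only holds its URL as a string until runtime.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs the browser fetches on page load, with no user action.
# Each fetch hands the visitor's IP address (and User-Agent) to the host.
FETCHING_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
}

# Absolute or protocol-relative URL literals inside inline JavaScript
# (loader snippets build the URL they inject as a string). Heuristic: it
# will also pick up "//" URLs inside JS comments, which is harmless noise.
URL_IN_JS = re.compile(r"""(?:https?:)?//[A-Za-z0-9.-]+\.[A-Za-z]{2,}[^\s'"`)]*""")


class FetchCollector(HTMLParser):
    """Collect (url, where-found) pairs for everything the page will load."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in FETCHING_ATTRS.get(tag, ()):
            if attrs.get(name):
                self.urls.append((attrs[name], f"<{tag} {name}>"))
        # A <script> without src has its body delivered via handle_data.
        if tag == "script" and not attrs.get("src"):
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            for m in URL_IN_JS.finditer(data):
                self.urls.append((m.group(0), "inline script"))


def host_of(url):
    """Hostname of an absolute or protocol-relative URL; None for relative
    paths and data: URLs, which stay on the first party."""
    if url.startswith("//"):
        url = "https:" + url
    host = urlsplit(url).hostname
    return host.lower() if host else None


def third_party_hosts(html, first_party):
    """Return {host: sorted list of places it is referenced} for every host
    other than `first_party` that the page makes the browser contact."""
    collector = FetchCollector()
    collector.feed(html)
    collector.close()
    found = {}
    for url, where in collector.urls:
        host = host_of(url)
        if host is None or host == first_party.lower():
            continue
        found.setdefault(host, set()).add(where)
    return {h: sorted(w) for h, w in sorted(found.items())}


# Constructed sample page; hosts, paths and the G-XXXXXXX ID are placeholders.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link href="https://fonts.googleapis.com/css?family=Roboto" rel="stylesheet">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-XXXXXXX');
</script>
<script>
  /* classic analytics.js loader: the URL is only a string until runtime */
  (function(i,s,o,g,r,a,m){ a=s.createElement(o); a.src=g; s.head.appendChild(a);
  })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
</script>
<script src="https://www.example.com/js/vendor.js"></script>
<script src="/js/app.js"></script>
</head><body>
<img src="https://cdn.example.net/logo.png" alt="">
<img src="data:image/png;base64,iVBORw0KGgo=" alt="">
<iframe src="https://player.example.org/embed/123"></iframe>
</body></html>"""

if __name__ == "__main__":
    for host, places in third_party_hosts(SAMPLE_PAGE, "www.example.com").items():
        print(f"{host:30} {', '.join(places)}")
```

Every host in the output is a recipient of your visitors’ IP addresses and belongs in your records of processing and in the transfer assessment for that vendor. Static parsing is only a starting point: tags injected later by a tag manager, or URLs assembled at runtime, are invisible to it, so the authoritative list is the set of requests a real browser actually makes when loading the page.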
Privacy and Data Protection is a Good Thing
Despite all the problems these rulings have introduced, this is a good thing, just like the principle of a free and fair democracy is a good thing. There is no point whining about its imperfections. The principle is fundamentally good for us. We just have to figure out how to work with it.
Hopefully judgements like these will force US legislators to take data privacy seriously. I find it amazing that the position we now face is a shock to Google et al. The Schrems II ruling of the Court of Justice of the EU, on which these further decisions are based, was handed down in July 2020; it invalidated the EU-US Privacy Shield and left standard contractual clauses usable only where the data importer can actually honour them, which the Austrian authority found Google could not. Asking the EU to “back off”, lower its standards of protecting citizen data, or change the GDPR is not an option, because the right to data protection is written into the EU Charter of Fundamental Rights (Article 8; think of the Charter as similar to a constitution). Rather, it is the US that needs to step up to resolve the problem that exists today!
Summary of the Latest Legal Implications
- If the data you collect is from people in the EU and you store and/or process it in the US, there is a problem at the moment. This is due to the weaker data protections a person has in the US than they would have in the EU.
- These rulings follow logically from the Schrems II ruling of 2020; there are no changes to the GDPR or any other EU law taking place.
- This is not only about whether IP addresses can be considered personal information or not – it is about triangulating data (jigsaw puzzles!).
- There is no EU Internet police force “going after” US tech companies. Rather, these are EU citizens making a complaint about how their data is processed and stored, and the EU legal system making decisions on existing law. This was entirely predictable and predicted by many.
- Although not directly related to this ruling, if you collect any data that is not strictly necessary to run your website/app, you need explicit consent from the data subject, i.e. your web visitor or app user. Although the legal obligation only covers people in the EU, I argue the privacy of all users should be equally respected. See my consent whitepaper on the best practice approach for doing this while maintaining a high opt-in rate.
- These legal rulings are not anti-US. The exact same problem exists if you store or process data in any other country outside of the EU (Russia, China, Turkey etc.). It just happens that the vast majority of web technology is designed/built/hosted in the US.
- This is not just about Google Analytics or Google. It’s ALL online tech that stores or processes data with a lower privacy protection than if it was within the EU.
- Asking the EU to “back off”, lower its standards of protecting citizen data, or change the GDPR, is not an option. It is the US that needs to step up.
BTW, if you are interested in what I am building in this space – a forensic GA data auditing tool with an emphasis on GDPR compliance – visit verified-data.com.