
What does the future look like for Google Analytics?

In this week’s issue of In Perspective, Samad Miah, Data Protection Consultant at Xcina Consulting, looks at a recent decision by the data protection authority in Austria relating to the use of Google Analytics, as well as an enforcement notice issued on the Ministry of Justice in the UK.

What do the latest developments mean for you? Our weekly review below helps you decide.

What happened

  • A recent decision by the data protection authority found a company’s use of Google Analytics to be an infringement of the data transfer rules contained within the EU GDPR.

  • The Austrian data protection authority ruled that in providing the Google Analytics service, the company in question collects and transfers personal data to the US that is potentially subject to surveillance by the US intelligence services.

  • In addition to this, the supplementary measures implemented by the company and Google (e.g. truncating IP addresses, encryption and transparency reports) were not considered effective or sufficient as they did not eliminate the possibility of US authorities accessing personal data received by Google or conducting surveillance.

Why it matters

  • The decision is the first of 101 complaints filed across the EU by advocacy group ‘My Privacy is None of Your Business’ (‘noyb’), alleging that companies using Google Analytics were not complying with the Court of Justice of the European Union’s ‘Schrems II’ decision on data transfers issued in July 2020.

  • The ‘Schrems II’ decision invalidated the use of the EU-US Privacy Shield and meant that data exporters transferring data to the US would, in most cases, need to rely on Standard Contractual Clauses (SCCs) to enable these flows of personal data.

  • However, SCCs alone cannot provide adequate protection for transferred personal data; an assessment of the level of protection in the recipient country and the use of additional supplementary measures would also be required.

What happened

  • The UK’s data protection authority (the Information Commissioner’s Office, or ‘ICO’) has issued an enforcement notice on the Ministry of Justice (MoJ) for failing to adequately respond to nearly 7,800 data subject access requests. This was found to be a contravention of the UK GDPR.

  • In its investigation, the ICO found that as of August 2021, there were 7,753 overdue data subject access requests, most of which had received only a partial response. This resulted in a total of 34 complaints being received by the ICO.

  • The MoJ stated that due to pressures resulting from the Covid-19 pandemic, only a limited subject access request service was implemented.

  • Under the notice, the MoJ is required to complete all outstanding SARs by no later than the end of the year, and must also carry out changes to its ‘internal systems, procedures and policies as are necessary’ to ensure future subject access requests are addressed in a timely manner.

Why it matters

  • Under Article 15 of the UK GDPR, individuals are afforded the right to access and receive a copy of their personal data within one calendar month (which can be extended by two calendar months if the request is considered complex).

  • The ICO took a measured approach before issuing this enforcement notice, opting to engage with the MoJ over a 12-month period from January 2019 to identify and resolve the issues facing the department.

  • However, despite this dialogue, the quantity of the backlog increased – resulting in the issuance of the enforcement notice.

  • Failure to comply with the enforcement notice may result in a fine of up to £17.5m or 4% of turnover, whichever is higher.

What happened

  • The Irish Data Protection Commission (DPC) published the final version of its guidance ‘Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing’.

  • This guidance sets out principles and recommendations for companies to adhere to when processing children’s data in Ireland, both online and offline.

  • Principles include: ‘Letting children have their say’, ‘Know your audience’ and ‘Do a DPIA’. This involves companies ensuring that children are able to exercise their data subject rights, taking steps to identify whether users of a service are children, and performing a Data Protection Impact Assessment in order to minimise risks to children.

  • As there is no grace period stated following publication of this guidance, the principles contained within it apply now.

Why it matters

  • This new guidance issued by the DPC in Ireland bears many similarities to the Age Appropriate Design Code prepared by the Information Commissioner’s Office in the UK.

  • Overlaps in respect to compliance include areas such as ensuring children are able to raise questions with the company processing their personal data, implementing appropriate age verification solutions and emphasising the need for transparency and fair processing information.

  • Companies that have already taken steps to comply with the Age Appropriate Design Code will likely find that this ensures a reasonable level of compliance with the DPC’s new guidance.

One more thing…

Since the implementation of the GDPR, the data protection authority in Gibraltar has produced a steady flow of comprehensive and detailed guidance materials addressing issues such as data protection law in the employment context, data portability and international transfers. These materials are very useful for any Data Protection Officer seeking clarification on a particular issue and are all written in English. The full list of guidance notes can be found here.

 


 

 

Samad Miah

Data Protection Consultant

Speak to me directly by email, or telephone: +44 (0)20 3745 7843

 

Samad has a strong track record in data protection, both as an industry practitioner and as a consultant, helping organisations successfully address their obligations towards the Information Commissioner’s Office and other regulatory bodies.

To discuss how the above or other data protection requirements impact your business, feel free to get in touch with our team. We provide our clients with pragmatic advice and support to help them achieve a robust and defensible position.


What happened

  • A group of data protection experts have met for the first time to help Britain seize the opportunities of better global data sharing.

  • The International Data Transfer Expert Council will provide independent advice to the government to help it achieve its mission of unlocking the benefits of free and secure cross-border data flows now the country has left the EU.

  • Household tech and industry names are represented on the council alongside international universities and organisations at the forefront of this rapidly moving policy area, such as the World Economic Forum and the Future of Privacy Forum.

Why it matters

  • International data transfers underpin our everyday life and are the foundations for our most-used technology, from GPS navigation and smart devices to online banking.

  • They are also instrumental to digital healthcare – having driven the development of treatment and vaccines during the pandemic.

  • Removing barriers to data flows will mean these services can be provided more reliably and securely.

  • Billions of pounds worth of trade goes unrealised around the world due to barriers associated with data transfers.

What happened

  • During its January plenary session, the European Data Protection Board (EDPB) adopted Guidelines on the Right of Access.

  • The Guidelines provide clarifications on the scope of the right of access, the information the controller must provide to the data subject, the format of the access request, the main modalities for providing access, and the notion of manifestly unfounded or excessive requests.

  • A stakeholder event on this topic was held in November 2019 and stakeholders’ views and opinions were taken into consideration during the drafting process.

Why it matters

  • The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data, as well as other supplementary information.

  • It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.

  • The Guidelines issued by the EDPB provide examples to support controllers in answering access requests in a GDPR-compliant manner.

  • The Guidelines will be subject to public consultation for a period of 6 weeks.

What happened

  • On 28 January 2022, the Secretary of State laid before Parliament the international data transfer agreement (IDTA), the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers (Addendum) and a document setting out transitional provisions.

  • This final step follows the consultation the Information Commissioner’s Office ran in 2021.

  • The documents are issued under Section 119A of the Data Protection Act 2018.

  • If no objections are raised, they come into force on 21 March 2022.

Why it matters

  • Exporters will be able to use the IDTA or the Addendum as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.

  • They take into account the binding judgement of the European Court of Justice, in the case commonly referred to as “Schrems II”.

  • The IDTA and Addendum form part of the wider UK package to assist international transfers.

  • This includes independently supporting the Government’s approach to adequacy assessments of third countries.

One more thing…

The UK’s newly appointed Information Commissioner, John Edwards, has announced a major listening exercise to hear directly from businesses, organisations and people about their experiences of working with the ICO.

The exercise will include a survey, as well as a series of events held across the UK.

The online survey can be found on the ICO website now. Invites to events and meetings will be sent out in February.

 
