What does the future look like for Google Analytics?

What happened

• A recent decision by the data protection authority found that a company’s use of Google Analytics to be an infringement of data transfer rules contained within the EU GDPR.
• The Austrian data protection authority ruled that in providing the Google Analytics service, the company in question collects and transfers personal data to the US that is potentially subject to surveillance by the US intelligence services.
• In addition to this, the supplementary measures implemented by the company and Google (e.g. truncating IP addresses, encryption and transparency reports) were not considered effective or sufficient as they did not eliminate the possibility of US authorities accessing personal data received by Google or conducting surveillance.

Why it matters

• The decision is the first of 101 complaints filed across the EU by advocacy group ‘My Privacy is None of Your Business’ (‘noyb’), alleging that companies using Google Analytics were not complying with the Court of Justice of the European Union’s ‘Schrems II’ decision on data transfers issued in July 2020.
• The ‘Schrems II’ decision invalidated the use of the EU-US Privacy Shield and meant that data exporters transferring data to the US would, in most cases, need to rely on Standard Contractual Clauses (SCCs) to enable these flows of personal data.
• However, SCCs alone cannot provide adequate protection for transferred personal data, an assessment of the level of protection in the recipient country and the use of additional supplementary measures would also be required.

What happened

• The UK’s data protection authority (the Information Commissioner’s Office, or ‘ICO’) has issued an enforcement notice on the Ministry of Justice (MoJ) for failing to adequately respond to nearly 7,800 data subject access requests. This was found to be a contravention of the UK GDPR.
• In its investigation, the ICO found that as of August 2021, there were 7,753 overdue data subject access requests, most of which had received only a partial response. This resulted in a total of 34 complaints being received by the ICO.
• The MoJ stated that due to pressures resulting from the Covid-19 pandemic, only a limited subject access request service was implemented.
• Under the notice, the MoJ is required to complete all outstanding SARs by no later than the end of the year, and must also carry out changes to its ’internal systems, procedures and policies as are necessary’ to ensure future subject access requests are addressed in a timely manner.

Why it matters

• Under Article 15 of the UK GDPR, individuals are afforded the right to access and receive a copy of their personal data within one calendar month (which can be extended by two calendar months if the requests is considered complex).
• The ICO took a measured approach before issuing this enforcement notice, opting to engage with the MoJ over a 12-month period from January 2019 to identify and resolve the issues facing the department.
• However, despite this dialogue, the quantity of the backlog increased – resulting in the issuance of the enforcement notice.
• Failure to comply with the enforcement notice may result in a fine of up to £17.5m or 4% turnover, whichever is higher.

What happened

• The Irish Data Protection Commission (DPC) published the final version of its guidance ‘Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing’.
  This guidance sets out principles and recommendations for companies to adhere to when processing children’s data in Ireland, both online and offline.
• Principles include: ‘Letting children have their say’, ‘Know your audience’ and ‘Do a DPIA’. This involves companies ensuring that children are able to engage their data subject rights, taking steps to identify if users of a service are children and to perform a Data Protection Impact Assessment in order to minimise risks to children.
• As there is no grace period stated following publication of this guidance, these principles contained within it apply now

Why it matters

• This new guidance issued by the DPC in Irelands bears many similarities to the Age Appropriate Design Code prepared by the Information Commissioner’s Office in the UK.
• Overlaps in respect to compliance include areas such as ensuring children are able to raise questions with the company processing their personal data, implementing appropriate age verification solutions and emphasising the need for transparency and fair processing information.
• Companies that have already taken steps to comply with the Age Appropriate Design Code will likely find that this ensures a reasonable level of compliance with the DPC’s new guidance

One more thing…

Since the implementation of the GDPR, the data protection authority in Gibraltar has produced a steady flow of comprehensive and detailed guidance materials addressing issues such as data protection law in the employment context, data portability and international transfers. These materials are very useful for any Data Protection Officer seeking clarification on a particular issue and are all written in English. The full list guidance notes can be found here.