MPC – Practical Insight Series
This past month, the month of data privacy, was marked by a landmark decision in Europe: Stripe and Google Analytics have been declared “illegal” in Europe, as they violate privacy law.
We don’t want to focus on the technology but rather on the many lessons to be learned from this judgment:
- organizations will use technologies that are advantageous for them in attracting customers
- most organizations try to conduct due diligence but some third parties do not respond, plain and simple
- some technologies are very invasive, and organizations using them have no means of turning off privacy-invasive settings or engineering privacy into their implementation of the tool
- organizations do not understand the notice-choice-consent triangle because these are abstract legal concepts that are very difficult to translate into compliance language
One thing is sure:
- GDPR Chapter V applies even to transfers of cookie data.
- The online identifiers collected by Google Analytics are personal data. They are identifiers either by themselves or when combined with other elements. Also, probabilistic identification is sufficient for the purposes of GDPR.
If there are omissions in the notice, then ordinary people will have no clue what personal information is being harvested from their visits.
Furthermore, if such transparency is not followed through with some decent choices that include less privacy-invasive options, then is that really a choice?
And then, how can consent be “freely given, specific, informed and unambiguous” when the notice is not complete and the choices do not give the data subject or individual the least privacy-invasive options?
What do Google Analytics and Stripe have in common, other than a blatant disregard for privacy law? They are both technologies where privacy was purposely not engineered or designed in. The options provided are not congruent with the wishes of individuals to not have their information harvested at the will and mercy of the technology provider.
GDPR Article 4.11. Definitions. https://gdpr.eu/article-4-definitions/
If you are unsure how privacy protective or invasive a technology is, we can assist. We can conduct a Privacy Impact Assessment and/or a Data Transfer Assessment to put your mind at ease. Contact us and benefit immediately from the extensive knowledge of certified privacy professionals with strong technology knowledge and backgrounds.