Cookies & Data Transfers: The Google Analytics decision

The Google Analytics Decision

The Google Analytics decision has recently rocked the transatlantic privacy domain. The decision turns on two main things: cookies and data transfers. Long story short: cookies are unique identifiers, which makes them personal data, which means that transferring them to the United States of America violates Article 44 of the General Data Protection Regulation.

Cookies as Personal Data

Cookies are pieces of data created by a web server while a user is browsing a website and placed on the user’s device by the web browser. Cookies are capable of containing unique identifiers. When a cookie does contain a unique identifier, the cookie itself constitutes personal data.

In the instant case, netdoktor.at transferred data to Google in the US that included cookie data containing unique identifiers, together with the IP addresses of visitors to the site. By sending cookie data and IP addresses together, a part of a story was told.

IP address xxx.xx.xxxx.xx.x (a unique data subject) visited netdoktor.at after engaging in various behaviors that were tracked by cookies. This story, told through little bits of data in cookies and a sequence of numbers in an IP address, is personal data.

International Data Transfer

Article 44 requires that any transfer of personal data abroad must comply with the provisions of Articles 45 through 49. Those articles outline the methods by which data can and cannot be transferred abroad such that the data privacy rights of EU residents are preserved.

Article 45 allows transfers when the country to which the data is being transferred is “adequate” – meaning that the country has its own data privacy laws and enforcement, comparable to what is in the GDPR.

Article 46 allows transfers when certain appropriate safeguards are put in place regarding the transfer. Possible appropriate safeguards are:

  • A legally binding and enforceable instrument between public authorities or bodies
  • Binding corporate rules
  • Standard data protection clauses
  • An approved code of conduct with binding and enforceable commitments on the controller or processor in the third country, or
  • An approved certification mechanism with binding and enforceable commitments of the controller or processor in the third country

Article 47 spells out what binding corporate rules should look like.

Article 48 clarifies that courts, tribunals, or administrative authorities in third countries cannot compel a controller or processor to transfer personal data internationally unless the compulsion is based on an international agreement between the third country and the Union or a Member State.

Article 49 specifies niche cases in which a data transfer can proceed internationally outside of the approved means listed in Articles 45 and 46. Such circumstances are:

  • The data subject consents to the transfer
  • The transfer is necessary for the performance of a contract between the data subject and the controller
  • The transfer is necessary for the performance of a contract in the interest of the data subject
  • The transfer is necessary for public policy reasons
  • The transfer is necessary for establishing, exercising, or defending legal claims
  • The transfer is necessary in order to protect vital interests of the data subject or others
  • The transfer is made from a register which under law is intended to provide information to the public and which is open to consultation

In the instant case, which was brought against netdoktor.at by the Austrian Data Protection Authority, cookie information was sent to the US (a third country), even though the US hasn’t been deemed adequate, even though none of the Article 46 appropriate safeguards were in place, and even though none of the Article 49 derogations applied.

The Telling of the Story

In the European Union, the data privacy laws limit what controllers can do with these little bits of story they collect. In the US, there are not nearly as robust protections for the individuals whose stories are told through bits of data and sequences of numbers.

So, when a controller transfers that story to the US, that is a scary thing for the data subject whom the story is about. Accordingly, the Austrian Data Protection Authority, in this case, said in effect: you can tell this story, but you can’t tell it to third countries, where recipients aren’t limited in what they can do with the story.

At Clarip, we help companies get their stories straight. With automated data mapping and website scanning, we can see where information is stored and where information flows, even if it flows from one country to another. We provide consent management so that data subjects can consent to international data transfers if they are so inclined. We also provide data subject access request fulfillment so that they can share their data however they want, but can also access, delete, correct, restrict, or opt out of the sale of their data. Call us at 1-888-252-5653 or visit us at www.clarip.com to learn more.