The European Union’s top data protection supervisor has sanctioned the European Parliament for a series of breaches of the bloc’s data protection rules.
The decision puts regional sites and services on notice that they must carry out due diligence on their flows and transfers of personal data, including proper scrutiny of any third-party providers, plugins or other embedded code, or risk costly legal sanctions. This time, the Parliament avoided a financial penalty.
The European Data Protection Supervisor (EDPS) intervention concerns a COVID-19 test booking website launched by the European Parliament in September 2020, built using a third-party provider called Ecolog.
The website attracted a number of complaints, filed last year by six MEPs with the support of the European privacy campaign group noyb, which flagged the presence of third-party trackers and misleading cookie consent banners, among many other compliance issues such as transparency and data access.
Following its investigation, the EDPS found the Parliament to have been negligent in several respects and issued a reprimand, ordering it to correct the outstanding issues within a month.
The test booking website was found to have been dropping cookies related to Google Analytics and Stripe, but the Parliament could not demonstrate that it had applied appropriate measures to ensure the associated transfers of personal data to the United States were properly protected, in light of the landmark Schrems II decision by the EU’s top court.
In July 2020, the CJEU struck down the bloc’s flagship data transfer agreement with the US (known as the EU-US Privacy Shield) and required that transfers of EU people’s personal data to any third country be assessed on a case-by-case basis.
The ruling also made clear that EU regulators must step in and suspend data flows if they believe people’s information is at risk. Hence, for certain transfers (such as EU-US data flows) to be lawful, supplementary measures are needed to raise the level of protection to the required standard of essential equivalence with EU law. The European Data Protection Board (EDPB) has since published detailed guidance on this.
In the case of the Parliament’s COVID-19 test booking site, however, the EDPS found no evidence that the Parliament or its provider had applied any such supplementary measures to protect the EU-US transfers resulting from the inclusion of the Google Analytics and Stripe cookies.
It turned out that the provider had copy-pasted the code from another website it had built for a test centre at Brussels International Airport, which is why the Parliament’s site carried a cookie from the payments company Stripe (even though tests booked through the website did not actually require payment).
The Google Analytics cookies, meanwhile, appear to have been included by the provider “for the purpose of minimizing the risk of spoofing and optimizing the website”, according to the EDPS’s findings.
Post-Schrems II, the presence of cookies designed to send data to US-based providers for processing is a liability for EU-based websites and/or their clients (in this case the EDPS found the Parliament to be the sole data controller, with Ecolog acting as data processor). Incorporating Google Analytics may therefore be the opposite of “optimizing” a site, as far as compliance with EU data protection rules is concerned.
That said, enforcement of this particular compliance issue by the bloc’s regulators has been only partial since the CJEU’s 2020 decision, with the clearest lead coming from the EDPS itself.
Meanwhile, the (very) long-running complaint about Facebook’s EU-US data transfers, filed by noyb founder Max Schrems following Snowden’s 2013 disclosures of NSA mass surveillance of social networks and internet data, has still not been finalized in a decision by its lead data protection supervisor, Ireland’s Data Protection Commission (DPC), although the latter agreed a year ago to finalize the complaint “swiftly”.
Again, that makes the EDPS’s intervention on the Parliament complaint all the more notable. tl;dr: the EU’s enforcement wheels turn slowly.
In another finding against the Parliament, the EDPS took issue with the misleading cookie consent notices shown to visitors to the test booking website. It found these provided inaccurate information, did not always offer a clear option to refuse third-party tracking, and contained deceptive design that could manipulate consent.
EU law, by contrast, makes clear that consent, when relied on as a legal basis for processing people’s data, must be informed, specific (that is, purpose-limited, not bundled) and freely given.
The Parliament was also found to have failed to respond adequately to the complainants’ requests for information, in breach of a further legal requirement which provides Europeans with a set of access rights related to their personal data.
The Parliament was embarrassed by the EDPS’s reprimand but avoided a fine: the regulator has limited powers to impose fines and stated that these were not triggered by the violations.
However, the finding of negligence by the bloc’s chief data protection supervisor draws a fresh red line around the everyday use of US-based tools such as Google Analytics (or, indeed, Facebook pages) in the wake of the Schrems II decision by the Court of Justice of the European Union.
Copy-pasting code that makes standard analytics calls may look like a quick win to website builders, but under EU law the entity responsible for protecting visitors’ information remains liable, and it cannot meet that responsibility if the associated risks have not been properly assessed.
The EDPS’s reprimand of the Parliament therefore has broader significance, as it likely foreshadows a series of coordinated decisions by EU regulators on the scores of similar complaints against websites across the bloc filed by noyb in August 2020.
“We expect more decisions on this issue next month,” noyb’s honorary chairman Max Schrems told TechCrunch. “The fact that the EDPS is in a clear position is a good sign for other DPAs.”
The EDPS’s sanction of the Parliament over misleading cookie banners also sends a strong signal about what is and is not acceptable when obtaining users’ consent to tracking, despite misleading dark patterns still being shamefully widespread across the EU.
(For a particularly ironic example, see this blog post by the analyst Forrester, which warns that regulators are going after “dark patterns” while the analyst’s own web page presents what looks like a non-compliant cookie notice: the only obvious button says “accept cookies”, and finding the option to reject tracking cookies takes multiple clicks through a submenu…)
noyb also kicked off a major effort to tackle this type of cookie non-compliance last year, suggesting it could file up to 10,000 complaints about suspect cookie banners with EU regulators.
Regional regulators clearly have plenty of work to do to clear up so many infringements, which makes coordinated, standardized enforcement by the DPAs essential to driving change at the required scale.
The EDPS decision adds a healthy dose of accelerant by sending a clear signal, from the body responsible for providing expert guidance to EU lawmakers on how to interpret and apply data protection law, that a misleading cookie banner is a non-compliant cookie banner.
Here is an illustrative excerpt from the decision, explaining some of the confusion that confronted visitors to the Parliament’s website who tried to parse its cookie notice at the time of the complaint (the tracking cookies have since been removed from the site):
“The English version only looks at the required cookies and encourages users to click the ‘Accept All’ or ‘Save’ button. The difference between the two buttons was unknown. The French version of the second tier of the cookie banner referred to both mandatory cookies and ‘external media.’ These external media cookies included cookies from Facebook, Google Maps, Instagram, OpenStreetMap, Twitter, Vimeo and Youtube. Visitors can also choose to either ‘accept all’ or ‘save’. The German version of the second tier of the cookie banner referred to only one ‘external media’ cookie (Google Maps) in addition to the required cookie.”
The EDPS concluded that the cookie banners in all three languages failed to meet the EU’s standard for consent.
In another sign of how the cookie (non-)compliance situation is developing in the region, some EU regulators are taking action. France’s CNIL, for example, delivered a big slap-down to Google and Facebook last week, fining them $170 million and $68 million respectively for choosing dark-pattern designs over a clear choice in their cookie consent flows.
The EDPB, which supports the DPAs in enforcing pan-EU regulations such as the General Data Protection Regulation, set up a task force on the cookie issue last fall, saying it would “coordinate the response to complaints concerning cookie banners” that noyb had filed with numerous regional agencies.
Schrems describes that step as a “good” development, but notes that it also slows things down.
He suggested, though, that the direction of travel is towards a standard requiring a simple yes/no for tracking. (Which, of course, given that few people like being stalked by ads, will in most cases mean a categorical “no”; see also the UK DPA’s recent warning to adtech that the end of tracking is approaching.)
“The CNIL and EDPS decisions support our view that we need to move to a fair ‘yes’ or ‘no’ option,” Schrems told us. “I hope other authorities will follow this lead.”
And what of his vintage complaint about Facebook’s EU-US data flows? Is there any sign of Ireland’s promised “swift” resolution of that particular complaint, which should have brought Facebook a DPA order to suspend the data flows years ago? So far there has only been a provisional order, dating from September 2020, for Facebook to suspend the transfers.
“They always say that each decision will come someday. I stopped following these rumors, but now there are rumors about this…” Schrems said of the DPC, signing off his text with an eye-roll emoji.
Source: “European parliament found to have broken EU rules on data transfers and cookie consents” – TechCrunch. This post appeared first on California News Times.