As for contractual terms between Google and the state, unfortunately nothing of the kind exists. Each operator handles this on its own. In my communication with the Statistical Office of the Slovak Republic (scitanie.sk), I have had it confirmed that its contract with Google (or rather with Google's Irish branch) was concluded only by accepting Google's general Terms and Conditions in their GCP account. So in reality no contract actually exists.
The terms for implementing the Google reCAPTCHA Enterprise service are available here: Service Specific Terms | Google Cloud, specifically, as of today's date, item 25 in the Service Terms section.
a. Information. reCAPTCHA Enterprise works by collecting hardware and software information, such as device and application data, and sending this data to Google for analysis. The information collected in connection with Customer’s use of the reCAPTCHA Enterprise Service will be used for providing, maintaining, and improving reCAPTCHA Enterprise and for general security purposes. It will not be used for personalized advertising by Google.
Nowhere is it defined what exactly this vague definition from the 1st sentence of this item means - “hardware and software information, such as device and application data”. From the nature of the chosen implementation, one can only state that the operator placed the script of the service (which is hosted on third-party servers and over whose content the operator has no control) directly into the web page, where citizens' data may also be present. The operator thereby gave this third party access to the entire content of the web page, and thus to all data present there, and consequently also to the set of data filled into the form that falls under PII. It is questionable what this fact means in practice in combination with this vague definition on Google's part.
b. Privacy Policy. Customer will provide and adhere to a privacy policy for its API client that clearly and accurately describes to applicable Customer End Users what user information Customer collects and how Customer uses and shares such information (including for advertising) with Google and third parties. Customer will be responsible for providing any necessary notices or consents for the collection and sharing of this data with Google. Customer and its API client(s) will comply with the EU User Consent Policy.
Here, per the 1st sentence of this item, the operator should have informed citizens what data it shares with Google, at minimum in the scope/wording of the 1st item of these terms - “hardware and software information, such as device and application data”, which again brings us to the question of what this vague definition actually means.
c. Terms. Customer agrees to explicitly inform applicable Customers End Users that Customer has implemented reCAPTCHA Enterprise on its properties and that Customer End Users’ use of reCAPTCHA Enterprise is subject to the Privacy Policy and Terms of Use. reCAPTCHA Enterprise may only be used to fight spam and abuse on Customer’s properties, and not for any other purposes, such as determining credit worthiness, employment eligibility, financial status, or insurability of a user.
And in this item, the 1st sentence says that the operator should have informed citizens about the implementation of the service on its website and what this means for the citizens themselves - that by using this service the citizen in fact accepts Google's terms and privacy policy. And no, some little box at the bottom right of the screen containing 2 links without context does not satisfy this item. In fact, it is not even clear from that box whether it is the Enterprise version or not. And I have even seen a variant where this box was almost completely covered by a floating action button (I think e-hranica had it that way at one time).
So that is about all from me on these terms. As for plan B, the question there is what would give the operator protection comparable to this service (within the operator's legitimate interest in protecting its website) and, in addition, would not bind the citizen to any further terms. For example, eID could be used nicely for this purpose, but that is not mandatory either, so there would also have to be a plan C. And we can continue like this until we finally arrive at the variant where the citizen would have to send the operator some letter/declaration by post (and it would further depend on the nature of the service whether it would have to carry a signature certified by a notary/registry office).
And as for the competent authority, I have already written about that above. I have contacted several authorities/institutions about this matter myself, but they all wash their hands of it. Reporting incorrect use directly to Google (if that is possible at all) will not be a solution either, since in practice it would be perhaps 1 report per 1 000 000 uses, which would look like a mere statistical error and nobody would deal with it further. Giving in is not a solution either - today we allow the state to use Google's services, in a year it will be something else and perhaps even worse. It is better to catch it right at the start. That is why I hoped this thread could also kick off some activity on the part of SD, which our institutions would most likely treat differently than one annoying citizen.