Making state services conditional on accepting third-party terms (e.g. Google reCAPTCHA)

omg, I just hope it works out :smiley:

Austria:


France:

1 Like

Two news items that have been long awaited:

US, EU sign data transfer deal to ease privacy concerns
https://techxplore.com/news/2022-03-eu-ease-privacy.html

Five things to know about the EU’s landmark digital act

It will be many days before both of these are put into practice. The uncertainty will last a long time.

1 Like

Exactly. If they want to screw people over, they should at least hide it on the back end; they don't have to show it off so crudely. :slight_smile:

And then I'd like to see NASES's argument for why UPVS should have an integration with, say, Google Analytics, and what exactly "flows" through it.

Or why integrations with GA are cheap and fast, while all other integrations in eGov are expensive and complicated. But now I'm starting to get snarky.

This is the debate around the "data controller" (in this example, you) and the "data processor" (the provider whose little script you use on your page). In principle you have to warn me in advance that you are going to share some data about me with someone else. That is, before you actually do it. So until you have my consent, your page must not include those 3rd party things. It would be pointless for me to say "no thanks, I'd rather leave" at a point when my IP and a few other details have already actually leaked "somewhere else".

It also follows that you can't just use any random 3rd party script. If you want to explain to me what the 3rd party collects or doesn't collect, the 3rd party first has to explain it to you. And probably also guarantee it by a contract between them and you; otherwise it can happen that you promise me something you can't keep, exposing yourself to the risk that the 3rd party cheats both you and me (they misuse the data themselves, someone steals the data from them and they don't let you know, etc.), but it's you I'll be taking to court.

Overall I understand that some webmasters may find this unnecessary and complicated. On the other hand I don't, because often it would be enough to simply put the fonts etc. on your own server/hosting (and pay a little more for storage and data transfer) and so avoid fairly non-trivial costs for lawyers.

A small update on the situation from me:

  • in November I reported the issue to NBU,
  • I asked about the status of the complaint after 3 months, and given the protocol I can't write anything about it (and even if I could, I really have nothing to write),
  • I asked about the status of the complaint after a further 3 months, but I never got a reply from NBU.
1 Like

Italy has now banned the use of GA too:

https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9782874#english


And an older bit of news from May:

Relevant part:

Google’s IP anonymisation doesn’t protect data. The Austrian DSB also rejected Google’s arguments that websites could activate IP anonymization when using tools like Google Analytics to effectively protect the transferred data from surveillance. This was rejected for two reasons: first, Google’s IP anonymisation only affects the IP address as such. Data such as online-identifiers set per cookies or device data are transferred in the clear. Second, the IP anonymization only takes place after the data have been transferred to Google.

2 Likes

Overall, using the services of an advertising company and expecting any "privacy" is, in my opinion, madness :wink:

1 Like

Summary from CNIL (the French counterpart of our UOOU):

Relevant part:

Is it possible to set the Google Analytics tool so that personal data is not transferred outside the European Union?

No. In response to the questionnaire sent by the CNIL, Google indicated that all the data collected through Google Analytics is hosted in the United States.

1 Like

I'm not sure you aren't exaggerating with that "counterpart". That office of ours seems not to exist in this respect; it probably has more important things to do

@miromr:

Personally I think that even if our UOOU were to rule on GA's non-compliance with GDPR on the basis of decisions from other EU member states, it would apply a double standard (state vs private companies), where it would just dryly state that the state has an exemption from GDPR, or that it is in the public interest for the state to keep using GA and, based on the data obtained, be able to improve services for all of us…

The Czech UOOU has fined MVCR.

https://www.uoou.cz/milionova-pokuta-za-neopravnene-shromazdovani-osobnich-udaju/d-56444

And now Denmark too:

Relevant part:

On the basis of this review, the Danish Data Protection Agency concludes that the tool cannot, without more, be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings provided by Google.

Organisations in Denmark that use Google Analytics must therefore assess whether their possible continued use of the tool takes place in compliance with data protection law. If this is not the case, the organisation must either bring its use of the tool into compliance, or, if necessary, discontinue using the tool.

4 Likes

The solution is already close → Private Access Tokens

Explanation here: Replace CAPTCHAs with Private Access Tokens - WWDC22 - Videos - Apple Developer

1 Like

Relevant part:

Does Google reCAPTCHA Require Consent?

Yes, according to the French data protection authority, Google reCAPTCHA requires consent. This is because Google reCAPTCHA cookies collect information about a user’s device and browser and transfer that information to Google.
Because this data processing is not “strictly necessary” for providing login authentication, Google reCAPTCHA cookies require consent.

Isn’t Google Responsible for reCAPTCHA?

No, Google is not responsible for how website owners use reCAPTCHA.
The CNIL found that the app or website owner using reCAPTCHA is responsible for getting consent and providing information. Google also states that reCAPTCHA users have these responsibilities.
Generally speaking, you cannot outsource your GDPR compliance obligations—you are accountable for any activities of data processors working on your behalf.

3 Likes

https://www.goodwinlaw.com/en/insights/blogs/2023/05/european-court-finds-pseudonymized-data-is-not-personal-data-in-the-hands-of-recipient-that-cant-rei

1 Like

1 Like

And does CAPTCHA even make sense today?

Bots are better at CAPTCHA than humans, researchers find

1 Like

Relevant part:

The court found that LinkedIn cannot ignore “Do Not Track” signals sent by users’ browsers. These signals allow internet users to opt-out of having their online activities tracked. Despite receiving these signals, LinkedIn still announced on its website that it engages in tracking for analysis and marketing purposes. The court said this communication is misleading, as LinkedIn is legally required to respect the Do Not Track requests.

2 Likes

I can't wait until we have GPC instead of various old standards and annoying cookie banners.
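
Added example, not written by any participant in this thread: a consent gate that keeps third-party scripts out of the page until the visitor agrees to their purpose (the point made above about not including 3rd party things before consent) and reads the browser's Global Privacy Control signal mentioned in the last post. The function names, purposes, hosts and the rule that GPC keeps tracking purposes refused are assumptions made for illustration.

```javascript
// Added example. Purposes, URLs and function names are illustrative assumptions.
// Third-party scripts are queued and only injected after consent for their purpose.
function createConsentGate({ doc, nav, firstPartyHost }) {
  const pending = [];         // { url, purpose } entries waiting for a decision
  const loaded = [];          // URLs actually injected into the page
  const granted = new Set();  // purposes the visitor has agreed to
  // Global Privacy Control: browser-level opt-out, exposed as a boolean.
  const gpc = nav.globalPrivacyControl === true;

  const isThirdParty = (url) =>
    new URL(url, `https://${firstPartyHost}/`).hostname !== firstPartyHost;

  function inject(url) {
    const el = doc.createElement('script');
    el.src = url;
    doc.head.appendChild(el);   // the request to the remote host starts here
    loaded.push(url);
  }

  // Call this instead of writing a <script src> tag into the HTML.
  function register(url, purpose) {
    if (!isThirdParty(url) || granted.has(purpose)) { inject(url); return 'loaded'; }
    pending.push({ url, purpose });
    return 'blocked';
  }

  // Called by the consent banner. Assumed policy: with GPC set, tracking
  // purposes stay refused even if the banner button is clicked.
  function grant(purpose) {
    if (gpc && (purpose === 'analytics' || purpose === 'marketing')) return false;
    granted.add(purpose);
    const ready = pending.filter((p) => p.purpose === purpose);
    ready.forEach((p) => { pending.splice(pending.indexOf(p), 1); inject(p.url); });
    return true;
  }

  return { register, grant, loaded, pending };
}

// Constructed stand-in for `document`, so the example also runs under Node.
function fakeDocument() {
  const tags = [];
  return { tags, createElement: () => ({}), head: { appendChild: (el) => tags.push(el.src) } };
}
```

In a browser, pass the real `document` and `navigator`; self-hosted resources (same host) load immediately because no data leaves for another party.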