
How do you justify GDPR compliance?

GDPR compliance is not to be confused with privacy.

You don't have a Data Protection Officer (even if you have one, you ought to publish their details). Neither does Plausible.

Your privacy policy lacks details, e.g. where you process data and what the data retention is.

You are not incorporated in an Adequate Country, meaning you face challenges becoming GDPR-compliant without additional measures that span beyond SCCs. Similarly to Fathom (BC is not under PIPEDA, hence is not adequate).

Privacy-friendly? Probably. GDPR-compliant? No.




Hi - this is the other co-founder of Beam. Thank you for your comments and questions.

1. We are incorporated in the UK. I could be wrong but I think the European Commission did indicate that the UK was an Adequate Country?

https://commission.europa.eu/law/law-topic/data-protection/i...

2. For the details that our privacy policy lacks, I think they can be found in our Data Policy. Any further issues, please let us know.

https://beamanalytics.io/data

3. On the Data Protection Officer, I think one is only needed if sensitive data on a large scale is processed.

https://commission.europa.eu/law/law-topic/data-protection/r...

The definition of sensitive data can be found on this EU site and Beam does not process any of this type of data.

https://commission.europa.eu/law/law-topic/data-protection/r...


Re-read that link at #3. Here's the key bit.

"its core activities involve processing of sensitive data on a large scale ---> OR <--- involve large scale, regular and systematic monitoring of individuals"

Any analytics provider is fundamentally doing "large scale, regular and systematic monitoring of individuals".


I was hoping to find something like this mentioned in here. I’ve worked on a tracking tool that I don’t think does tracking of “individuals”. Instead I’m collecting stats about the site and impressions on its pages. It’s actually very, very simple. I am not tracking visitors and I don’t log IP addresses. It doesn’t set any cookies or anything else in the browser.

I built this to track my own sites but I am curious if anyone else cares. I created a landing page to see if there’s any interest.

https://protectivemetrics.com

The product is working on a few sites of my own and is hosted on a raspberry pi in my home office. I’d need to do some work to make it available for others, but I don’t want to invest more into it unless there’s any interest.


Heads up: your site has a grey background and white text when using system dark mode on Firefox mobile.


Yes, you are right that there is another part of the definition about large scale, regular and "systematic monitoring" of individuals. Apologies for not including that in the answer above.

Quoting from WP 243 Annex provided by the EU:

"The notion of regular and systematic monitoring of data subjects is not defined in the GDPR, but clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment."

The link is here

https://ec.europa.eu/information_society/newsroom/image/docu...

We anonymize and aggregate all data, so we can't track or profile any users, or do such monitoring offline.


Off topic: This comment reads so much like a message in a ChatGPT conversation :D


1. My apologies. I was looking at the link from WordPress. Right. As a UK entity you are good.

2. Your subprocessor uses AWS. No way to stay compliant if you transmit visitor IPs to a US cloud (even if they use European servers).

3. Sadly, wrong. You should immediately consult a privacy professional. A DPO is necessary. There are 3 tests.

https://ico.org.uk/for-organisations/does-my-organisation-ne...

Answer to question 2 is yes btw.

You are not compliant without a DPO and because you are using AWS, even if indirectly.


Thank you for your follow up.

1. Glad we're in agreement!

2. We agree it is not GDPR compliant to transmit IP address data to the US. This is why we salt and hash all PII data so no IP address data is sent to the US. Please see our data policy.

https://beamanalytics.io/data

3. Thank you for your suggestion. We have already consulted privacy professionals and have been assured no DPO is required.

Thank you for this conversation about GDPR. We appreciate your interest in Beam's work.


> salt and hash all PII data

Can you share more detail on this? On this page[1], I see this:

  hash(pepper(salt(ip address + user agent data))) = anonymized hashed data

Both the IPv4 space and typical user agent possibilities are pretty small, so it feels like you could easily de-anonymize it when you want to. That is, assuming the "salt" and "pepper" are stored somewhere. I assume you do store them, otherwise it's not helpful to identify repeat visits.

[1] https://beamanalytics.io/data
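As an added illustration of the point made in this comment (example code written for this page, not Beam's implementation and not from the original thread), the following Python models the quoted scheme as a keyed hash over IP and user agent. It shows both halves of the concern: while the salt and pepper are retained, whoever holds them can recompute the hash for any candidate visitor, so enumerating one /24 and a handful of common user agents recovers the visitor behind a stored hash; once the salt is rotated and the old value discarded, the stored hash no longer links back to anyone. Function names, key handling, the documentation-range IP and the user-agent strings are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed scheme modelled on the thread's quoted line
#   hash(pepper(salt(ip address + user agent data)))
# Names, key handling and sample values are assumptions for illustration,
# not Beam's actual implementation.


def pseudonymize(ip: str, user_agent: str, salt: bytes, pepper: bytes) -> str:
    """Keyed hash of ip + user agent (salt prepended, pepper as the HMAC key).

    Deterministic on purpose so repeat visits link up; the flip side is that
    anyone holding salt and pepper can recompute it for a guessed visitor.
    """
    msg = salt + ip.encode() + b"|" + user_agent.encode()
    return hmac.new(pepper, msg, hashlib.sha256).hexdigest()


def reidentify(target: str, candidate_ips: Iterable[str], candidate_uas: Iterable[str],
               salt: bytes, pepper: bytes) -> Optional[Tuple[str, str]]:
    """Recover the (ip, ua) behind a stored hash by enumerating a candidate space.

    This is cheap precisely because the IPv4 and user-agent spaces are small;
    it only fails when the salt/pepper used for the stored hash are gone.
    """
    uas = list(candidate_uas)
    for ip in candidate_ips:
        for ua in uas:
            if hmac.compare_digest(pseudonymize(ip, ua, salt, pepper), target):
                return ip, ua
    return None


# Constructed sample data for the demonstration
SALT = b"constructed-salt-2023"
PEPPER = b"constructed-pepper-secret"
COMMON_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) constructed-ua-1",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) constructed-ua-2",
    "Mozilla/5.0 (X11; Linux x86_64) constructed-ua-3",
]
VISITOR_IP = "203.0.113.77"   # TEST-NET-3 documentation range, constructed
VISITOR_UA = COMMON_UAS[1]


def candidate_subnet() -> Iterable[str]:
    """All host addresses of one constructed /24 (254 candidates)."""
    return (str(h) for h in ipaddress.ip_network("203.0.113.0/24").hosts())


def demo_reidentify() -> Optional[Tuple[str, str]]:
    """Keys retained: a stored hash is matched back to the visitor with
    254 * 3 HMAC evaluations."""
    stored = pseudonymize(VISITOR_IP, VISITOR_UA, SALT, PEPPER)
    return reidentify(stored, candidate_subnet(), COMMON_UAS, SALT, PEPPER)


def demo_after_rotation() -> Optional[Tuple[str, str]]:
    """Salt rotated and the old one deleted: the same lookup finds nothing,
    so previously stored hashes are no longer linkable (at the cost of
    losing repeat-visit linking across the rotation boundary)."""
    stored = pseudonymize(VISITOR_IP, VISITOR_UA, SALT, PEPPER)
    new_salt = b"constructed-salt-rotated"   # old SALT assumed discarded
    return reidentify(stored, candidate_subnet(), COMMON_UAS, new_salt, PEPPER)


if __name__ == "__main__":
    print("with keys retained:", demo_reidentify())
    print("after salt rotation:", demo_after_rotation())
```

The takeaway for a reviewer of such a data policy is that a retained salt and pepper make this pseudonymisation, not anonymisation; the mitigation that changes the picture is a short-lived salt that is rotated and destroyed, which is why the retention period of the salt matters as much as the hash function.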


Are you saying there is no way to use AWS and be GDPR compliant? Or the way that OP is using AWS isn't GDPR compliant?


There is a way to use AWS assuming you can assure no Personal Data is processed in plain text on AWS.

There was a case of Doctolib in the EU. The French authority investigated Doctolib for using AWS.

They got off the hook because data was encrypted in the EU, outside of AWS and the encryption keys were inaccessible to AWS.

Similarly Sendinblue uses GCP and AWS as dumb storage of externally encrypted backups.

There are valid use cases. But these are very limited.


Aula - a system used for communication between parents and schools in Denmark - is using AWS. They use encryption and ensure that only European datacenters are used. Source (in Danish): https://aulainfo.dk/guide-til-projektledere/sikkerhed-i-aula...


IANAL, but as I understand it there is, currently, no way to legally use a service for personal data handling that falls under the US CLOUD Act.

In theory Amazon could license their brand and software to an independent (!) European company to offer an EU-AWS.

Basically, if an American judge/agency can order Amazon to hand over European private data and they have the ability to comply without involving a European court, the service is not GDPR compliant.

Now in practice this isn't how things are done, but to the best of my knowledge the law hasn't changed (yet) and national DPAs are starting to tighten the screws (slowly).

If I recall correctly there are EU-US talks to create Privacy Shield #3.


> I think the European Commission did indicate that the UK was an Adequate Country?

Every so often I see something like this:

https://www.mayerbrown.com/en/perspectives-events/publicatio...

I suspect the UK is planning a number of changes that may change this, so even though I'm British, for the avoidance of doubt I prefer companies actually hosted in the EU and that will agree to conduct business in Europe (and thus under EU courts, rather than GB ones).

> 3. On the Data Protection Officer, I think one is only needed if sensitive data on a large scale is processed.

You are totally incorrect about that.

https://ico.org.uk/for-organisations/guide-to-data-protectio...


I was linked to this post by a friend regarding the comments you made about Fathom's GDPR compliance.

1. The GDPR is a regulation from the European Union.

2. PIPEDA has an Exemption order for BC (British Columbia, Canada) and applies "in respect of the collection, use and disclosure of personal information that occurs within the Province of British Columbia".

Firstly, the Exemption order states "Whereas the Governor in Council is satisfied that the Personal Information Protection Act, S.B.C. 2003, c. 63, of the Province of British Columbia, which is substantially similar to Part 1 of the Personal Information Protection and Electronic Documents Act, applies to the organizations described in the annexed Order;"

Secondly, which part of BC's Personal Information Protection Act would undermine its adequacy ruling under the GDPR?

Finally, let's get into Fathom's pageview/event collection script and explain how it works:

1. There is no collection, use and disclosure of personal information that occurs within the Province of British Columbia

2. EU traffic is automatically routed via EU Isolation and processed on German-owned servers. This allows us to stop US government snooping on EU traffic

3. Fathom Analytics is incorporated in BC. But nobody in BC has access to our EU Isolation infrastructure. I'm the CTO of Fathom Analytics and I have access to our EU Isolation infrastructure. I'm not in BC. Additional access to EU Isolation is from Germany only. Heck, not even GitHub Actions has access to EU Isolation, we self-host GitLab to keep things completely isolated. We put a lot of time and effort into this.

I'll wait to hear back from you on which parts of BC's PIPA undermine the adequacy ruling. Our lawyer here in Canada is incredibly well versed in Canadian privacy law, so we can definitely loop her in if there's any confusion here.

I hope that addresses your point and helps inform other people who may be reading this.


https://iapp.org/news/a/schrems-ii-impact-on-data-flows-with...

> To date, Alberta, British Columbia, and Quebec have privacy legislation that takes commercial activities in those provinces out of the federal jurisdiction through the "substantial similarity" exemption to PIPEDA. Federal privacy law defers to provincial law if a province meets the substantial similarity test, providing a baseline of privacy regulation across Canada. This division of authority is important, because for provinces recognized as substantially similar, their laws have not been given the stamp of "adequacy."

I might have framed my statement too strongly. Fathom can be GDPR compliant assuming additional contractual clauses are in place. That is what is mentioned in the linked IAPP assessment.

> 3. Fathom Analytics is incorporated in BC. But nobody in BC has access to our EU Isolation infrastructure. I'm the CTO of Fathom Analytics and I have access to our EU Isolation infrastructure. I'm not in BC. Additional access to EU Isolation is from Germany only. Heck, not even GitHub Actions has access to EU Isolation, we self-host GitLab to keep things completely isolated. We put a lot of time and effort into this.

The same could be said about Amazon, Google, and Azure employees and their data centre employees in Europe. What matters is effective control. You are not in BC but the company, and your position and responsibilities are governed by the laws of the province of British Columbia.

Although, in the case of Canada, SCCs will be actually effective as there are no surveillance laws similar to the US.


1. I understand the piece about the "stamp" of adequacy. But when the Schrems II ruling happened, the world learned that we cannot always rely on "stamps" and need to look into the laws. At this moment in time, the European Commission says that Canada has an adequacy ruling as a whole and there is no note about it not applying to British Columbia.

So my question to you is: Which part of the Personal Information Protection Act in BC would undermine the EU's adequacy decision towards BC? The reason I'm pushing on this question is because the "stamp" occurs for a reason. Please let me know where the PIPA would lead to the European Commission labelling BC as inadequate.

2. We're mixing things up here with Amazon, Google and Azure. Those companies are subject to FISA 702[1] and EO12333[2]. We are not subject to these surveillance laws here in Canada. I've spoken at length about this before, about how the US government could compel one of these companies to secretly spy on people using their EU infrastructure. So our company is not in the same position.

I'll wait for your specifics around the PIPA.

[1] https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveilla... [2] https://en.wikipedia.org/wiki/Executive_Order_12333


Disclaimer: I am not a Privacy Lawyer, I am basing what I wrote here on the text of IAPP. I was looking for a reviewed PIPEDA adequacy decision. I saw references about it coming in 2020, then 2021, then 2022. Can't really find anything specific.

RE: 1

I am looking at this document: https://www.bclaws.gov.bc.ca/civix/document/id/complete/stat...

I assume this is up-to-date.

I will take one example: the Right to be forgotten. I don't see a provision that satisfies the right to be forgotten: https://gdpr.eu/right-to-be-forgotten/

You seem to have a more in-depth understanding of PIPA. Can you point me towards a similar requirement in PIPA?

Looking at C-27, it appears that even PIPEDA is playing catch-up. But that was CPPA.

Btw. I am not suggesting Adequacy is always decided on privacy laws being EXACTLY like GDPR. Given the only reference to adequacy I found thus far was based on a 2001 review, I am not sure what would be appropriate criteria here beyond access to "an appropriate" level of legal protection.

The text in the IAPP article refers to the adequacy of PIPEDA. Not Canada. It is actually interesting that there is no adequacy with Canada, but only with Canadian PIPEDA.

RE 2:

Right, I was referring to the fact that customers of Fathom sign a contract/enter into an agreement with a company in British Columbia under its laws. It is mostly irrelevant where their CTO resides (it would be relevant if you resided in a non-adequate country, as your privacy policy would have to account for relevant data transfers).


Fathom's script forgets everybody by default, it's literally built into the tech. No EU personal data is touching Canada.

The background of Schrems II was that the US government can compel US companies to track foreign nationals and it would be lawful under US law. This is where the argument of "company in X under Y laws" comes into play. For example, Amazon is a US company. An EU subsidiary is still subject to its parent's control. If that parent is a US company, it's subject to US surveillance laws. Hello Schrems II.

So I'm not fully following why we're having a discussion around processing happening in Canada when personal data (IP Address) hits our EU Isolation infrastructure.

If you have any sources you can cite where the European Commission states BC as an exemption to Canada's adequacy ruling, please throw it back to me. I've not seen that.


This is exactly why I ignore the GDPR.



