Dutch municipalities are running on hot coals, but the Dutch Data Protection Authority has no reason to intervene.
Many municipalities unknowingly send personal data to the United States. It seems from Research From Ag Connect, Local Government and iGovernment.
Two out of five municipalities work with Analytics, while it is unclear whether website visitor data is anonymized. This is required by law. Analytics is not illegal by definition, but users need to know how the software works.
Problem with Analytics
The most popular version of Analytics is called Universal Analytics. Universal Analytics’ default settings ensure that the IP addresses of website visitors are stored. Google processes the data through Analytics in US data centers. US law requires intelligence agencies to access information stored in the US.
If a Dutch company uses Universal Analytics’ standard systems, US intelligence services can trace the identity of visitors. It is prohibited under AVG/GDPR. European personal data must be located in Europe. National privacy authorities monitor this, including the Dutch Data Protection Authority.
Officials are struggling to deal with the US and Google. Small and medium businesses are an easy target. So, the settings in AustriaItaly and France There have been lawsuits in recent months over the use of Analytics.
Google is currently phasing out Universal Analytics. from October 1, 2023 The software no longer works. The default settings of the new version, Google Analytics 4, do not store IP addresses. A user must expressly check for criminal activity in Europe.
The problem of municipalities
Two out of five Dutch municipalities use Analytics. It is not illegal. Users can change default settings to anonymize IP addresses, making the information useless to US authorities. Additionally, data sharing can be disabled manually. From that moment on, the software is AVG/GDPR compliant.
The problem is that users, including municipalities, rarely clarify how their Analytics environment works. Companies and governments are obligated to explain what is happening with visitor data. Failure to do this will result in fines from the Dutch Data Protection Authority. Only two of the fifty municipalities surveyed are transparent about the use of Analytics.
While privacy authorities in Austria, Italy and France have recently taken action against Analytics users, the Dutch data protection authority has remained neutral. In April 2022, the Commission issued A Guide to Privacy-Friendly Analytics Settings† In May 2022, the Commission investigated the use of Analytics on several websites. At that time it was ‘Too early to say anything about sanctions’†
The law is clear, enforcement is lacking
It is obvious that European users, including Dutch municipalities, may be penalized. On the other hand, the Dutch data protection authority is less likely to act.
Not every privacy breach has the same impact. It’s true that US intelligence services can access European personal data through Analytics, but the average Dutchman doesn’t lose sleep over it. There is a hot fire included Blacklisting from tax authorities And this Defense policy of the national government† The Dutch Data Protection Authority works with limited resources. The enforcer focuses on the most urgent situations.
Also, the source of the problem is already solved. The European Union and the United States are currently a Data Transfer Agreement between EU and US† Soon, cloud providers like Google will be able to exchange personal data between the EU and the US without breaking laws on either continent.
“Passionate analyst. Thinker. Devoted twitter evangelist. Wannabe music specialist.”