Category: Privacy and Data Protection

The news of the Safe Harbour bashing by the European Court of Justice is hardly a news since the EU directive 95/46 already affirmed the possibility of a local jurisdiction over transnational data-exchange.

The actual issue is that the data protection authorities didn’t have the courage to state it clearly before, leaving ISPs and Telcos without actual guidance and, more important, exposed to fines and sanctions.

As a matter of fact, the EUCJ decision doesn’t invalidate the core of the safe-harbour, unless for “safe harbour” we mean a way to export overseas personal data, claiming that EU data-protection authorities lost their jurisdiction.

From a corporate perspective, an issue to be dealt with in the EU toward USA personal data exchange, is to check whether the current agreements/policies actually comply with the directive.

From a concerned citizen perspective, the question to ask is: where were the data protection authorities until this decision was issued?

Once again, the inertia of the public services led to industry damages and low citizen’s right protection.

According to Webcookies.org, Google.it only collects 2 persistent cookies, while Repubblica.it, the most read online newspaper, collects 31 third parties cookies, 83 persistent cookies and 8 session cookies.

This is how I amended the data-protection information page on my street-photography website to meet this stupid “cookie law”;

A plain wrong Italian enforcement of the EU “cookie” directive makes mandatory to obtain a prior consent to allow the use of Google Analytics, even if – as in this case – the personal identity of a user is unknown by me and Google only “might” be able to exploit the anonymous information collected through this website. So, in case you want to know if Google is able to identify you by means of this website’s access, please send me your identity together with your IP and I will forward your request to Google… or you might better do it on your own, without telling ME who you are.

And this is the Italian translation:

Un’applicazione semplicemente sbagliata della direttiva europea sui cookie impone di ottenere il consenso preventivo per usare Google Analytics anche se, come in questo caso, ignoro l’identit?? personale di chi accede al mio sito e solo Google “potrebbe” essere capace di usare le informazioni raccolte per fornirmi le statistiche. Dunque, se volete sapere se Google ? in grado di identificarvi tramite l’accesso a questo sito, per favore inviatemi le vostre generalit?? e l’IP che avete usato, e girer? la vostra richiesta a Google… oppure, meglio, potreste farlo direttamente voi, senza dire A ME chi siete.

There is a lot of hype in Italy about this “cookie law” put into force since June, 2 that makes mandatory to obtain the consent of a user accessing a website to allow his “profiling” through the use of cookies.As always, a ? fleet of ? “advisers” kept, full steam, pushing companies to comply with this regulation, foreseeing dire consequences for the non-abiding companies, especially those using Google’s Analytics.

This is not entirely correct, so it is better to clarify a few points:

First of all: “cookie law” is not a “law”, but just an order issued by the Data Protection Authority under its “peculiar” view of the EU Data Protection Directive(s),

Second: the data protection directive (and its local enforcements) work only with “personal data”, i.e. data that identify or made possible to identify a natural person,

Third: a user that access anonymously a website doesn’t reveal his identity, thus the data protection act doesn’t come into play,

It comes from above that a website using Google Analytics without looking of the identity of the user is not subjected this stupid “cookie law”.

Simple as that.