Deputy Data Protection Ombudsman issues reprimand for conveying library search information to US-based Google
The Deputy Data Protection Ombudsman has issued a reprimand to the libraries of the cities of Helsinki, Espoo, Vantaa and Kauniainen for infringements of data protection legislation in the processing of personal data. The websites of the Capital Region's Helmet libraries have used tracking technologies that may have conveyed data on, for example, the books and other materials searched for by users to third parties. Personal data has also been unlawfully transferred to the United States.
The Capital Region's libraries' Helmet.fi website has used cookies and other tracking technologies in a manner that may have conveyed data on, for example, website visitors and the works they have searched for to Google, a company based in the US. For example, Helmet libraries have used the Google Analytics tool and Google Tag Manager service on the Helmet.fi website.
In its 'Schrems II' judgment (C-311/18) issued in the summer of 2020, the Court of Justice of the European Union found the Privacy Shield arrangement between the EU and the US to be invalid because a sufficient level of data protection had not been ensured in data transfers between the EU and the United States. The judgment stipulates that controllers must cease transferring personal data to third countries if they cannot implement sufficient supplementary safeguards to ensure the protection of personal data.
Personal data collected on the Helmet.fi website has been transferred to the United States without sufficient supplementary safeguards. Neither were the data subjects informed appropriately of the transfers of personal data. The Helmet libraries have stated that they will take immediate measures to remove the tracking technologies from the Helmet.fi website.
The Deputy Data Protection Ombudsman ordered the Helmet libraries to erase the personal data collected with the tracking technologies if the data subject's personal data has been stored or used unlawfully after collection. In addition, the Deputy Data Protection Ombudsman ordered the Helmet libraries to inform data subjects of the processing of their personal data as required by data protection legislation.
The Deputy Data Protection Ombudsman reminds authorities that they need to carefully consider what types of tracking technologies are necessary on their websites and whether the authority's online service could be provided with only the cookies necessary for the functioning of the site. The Deputy Data Protection Ombudsman stresses that users should be able to use online services provided by authorities without data on their website visits ending up in commercial use, for example.
The Deputy Data Protection Ombudsman points out that the websites of authorities are also used by groups such as children and the elderly, who may not have the required digital skills and data protection competence to understand the processing of personal data with tracking technologies and the purposes for which that data may be used.
Decisions of the Deputy Data Protection Ombudsman on Finlex (in Finnish)
Further information:
Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa, helja-tuulia.pihamaa(at)om.fi, puh. +358 29 566 6787