That's not true. Transfer to third countries is legal, as long as you _properly_ inform people of the risks that it poses, and it's completely voluntary:
> finally, if a transfer of personal data is envisaged to a third country that isn’t the subject of an Adequacy Decision and if appropriate safeguards are absent, a transfer can be made based on a number of derogations for specific situations for example, where an individual has explicitly consented to the proposed transfer after having been provided with all necessary information about the risks associated with the transfer.
GP said: "You are free to share any data with Google that you wish." That is not consistent with GDPR, and that's what I was saying. And the Austrian court has confirmed that.
The court has not said that it's illegal to use GA.
Both takes appear to be missing the entire privacy issue - you are free to share your data with the US if you wish. You are not free to share my data with the US.
GP is correct, they are not free to share "any data", where their right to share "any data" and my right to privacy conflict.
We all love our freedoms - but we have to respect that other people have freedoms too - and we don't have the freedom to take theirs.
> Both takes appear to be missing the entire privacy issue - you are free to share your data with the US if you wish. You are not free to share my data with the US.
That's an interesting way of putting it; you've phrased it in terms of your personal data and the sharer's personal data. But the context is analytics; single datapoints are irrelevant. This is all about sharing data about other people.
Anyway, EU companies are not allowed to even collect data, unless they can justify it. I don't know if that is supposed to also be extra-territorial, so it applies universally (I really hope not).
You don't understand. You can send all your data plus your dirty underwear to Google for them to analyze. What you can't do is send them data of other ppl without their consent.
Because corporations are deaf to constructive calls. Like, e.g. opt analytics in and not try to trick masses into it. An average person may or may not want to share, but they have no choice.
It might help to realize that it's not a "corporation" which is tone deaf, but a bunch of managers with names and salaries which are incentivized to be tone deaf to the masses.
It's an asymmetric relationship. You may think you are able to out-smart Google, and you might be one of the very few people who are, but society as a whole is not served well for the vast majority of people who even if they spent 24/7 researching and learning would still not stand a chance against multinational corporations.
It's absolutely not the same. You're not getting any personal info about google business secrets or employees in exchange.
As for the why, while you might want to share your data with the US agencies and want to have a choice, there are millions of people who don't want to, and didn't get a say before. Today, you're simply on the side which lost the battle.
Libertarianism is so silly. "My freedom to live would be best served if there weren't politicians micromanaging other people's right to murder me". It's like a parody.
Not a great comparison. This is about who gets to decide whether or not to take the risk to deal with U.S companies in spite of the fact that they may be forced to hand over data to the U.S government. Is that my decision or does the government of my country take that decision for me?
I think it's a question on which reasonable people can disagree.
Libertarianism is definitely against murder. And quite a few libertarians believe that the FDA and EPA do too much to protect corporations from lawsuits, basically, if it meets their guidelines doesn't matter if it kills you, the company is protected. Absurd reductionism isn't helpful.
Might I add, realistic libertarians do what you're saying.
But there are extreme factions of libertarians who really question things like "Do mothers really have a duty to take care of their children?" or think that private tribunals would work in practice.
The CLOUD Act itself is the issue. Don't use MS Office 365 or any other US based service even if their servers are in Europe as they can not guarantee that your data is not accessible by the US.
Amazon and Cloudflare are all great service but your data is under US jurisdiction.
Can you think of a good alternative other than outlawing Microsoft 365? I want these services to be spread out however this particular idea would make the EU even more sluggish than it already is
I'm not a legal scholar in any way, but perhaps a solution would be a fully independent Microsoft EU that licenses Microsoft US tech for deployment/use within Europe?
Interestingly, Google afaik did some funky business with SAP where they swap jurisdiction around so that when faced with a US request they can at some point say "send it to SAP AG and see if they care" - or so it seemed a few years ago (source: notification of contract change wrt GCP)
Obviously if the EU actually grew some fucking balls and started to enforce the rules, corporations would take steps to comply.
But when was the last time a US CEO was dragged off a private jet?
So the entire EU is going to be forced to use Open Office or some other equivalent? Non tech people will hate this and it will cripple many businesses that rely on Microsoft Excel. You'd be surprised how much of the world economy is based on emailing Excel sheets back and forth
You can use MS Office without putting everything on the cloud. Excel doesn't need to go, and you can still use Excel online for calculations that don't include personal information, which should suffice for most businesses.
Just don't upload that CSV containing all of your customers to Microsoft, that shouldn't be too hard.
You are assuming that these businesses are using online versions of Excel (or whatever) that store the data under US jurisdiction. If they have committed to using online services that rely on US storage, then they have made a bad mistake - that is not allowed, and this case just reaffirms that.
The EU institutions (that came up with this crap) are so bad at managing their hardware & software (2 years into the pandemic, their employees are still WFH on MS tablets with VPN connections that are super unstable).
I can't wait to see the clusterfuck of them trying to migrate away from MS.
Why not now force the EU to heavily invest in LibreOffice so that it becomes a drop-in replacement for Excel? I'm sure the European Union can spare some euros to make it possible, and this isn't even a utopian dream that can't be achieved. It just needs a good push.
> Why not now force the EU to heavily invest in LibreOffice so that it becomes a drop-in replacement for Excel?
The history of this strategy working, versus becoming a job/contract bank for cronies over time, is very poor in the long run. Regardless of the political system which attempts it.
If you were given a chance to decide whether we want to stay proprietary, continue allowing crony companies to steal data while charging us money for that privilege, what would you do? I want to know what you think the alternative is.
Nextcloud would be a solid European alternative to Office 365. It's a file sync, groupware, office and chat solution all in one. It's open source, self-hostable and has enterprise support.
Disclaimer: I work at Nextcloud so I'm a bit biased
Please do not email us from private mail addresses like gmail, gmx and the like. We only provide a trial to businesses > 50 employees. As a small business or private user, we recommend you simply try our demo or talk to one of our partners.
https://www.onlyoffice.com/saas.aspx - very decent compatibility with Office and speed; is a European company; much of the functionality is open source.
Technically maybe but in practice using zero-knowledge encrypted services if you want to calculate aggregates or do large-scale calculations isn't really technically feasible.
That's not strictly true - or at least - it's missing a piece.
When a company decides to use a product, it needs to ensure that product is legal to use in their jurisdiction(s).
If it gets to a court, it's likely that the consumer/client is the claimant and the Company who chose to use US Product X is the defendant. The company who makes US Product X is likely nowhere to be seen.
> When a company decides to use a product, it needs to ensure that product is legal to use in their jurisdiction(s)
This is the proximal decider. They’re predicting the decision of the ultimate decider, which remains the courts. Providers would have to make the proximal deciders comfortable that the ultimate deciders will accept their compromise.
The problem with EU legislation in that regard - or rather the current lack of pertinent agreements since the EU–US Privacy Shield has been declared invalid - is that it doesn't just apply to US-based services and US companies. Having a US subsidiary or even just a US-based supplier is enough for an entire company to theoretically be considered in violation of EU laws and GDPR in particular.
This means that as a business, theoretically you'd have to vet every single customer and supplier regarding their involvement with US-based companies.
Since realistically this would amount to most companies not being able to do any business at all anymore - and consequently the economy grinding to a halt - in most cases this doesn't have immediate repercussions.
However, such unpredictability caused by regulations such as GDPR is a huge problem because you can't ever be sure you won't be issued a - potentially crippling - fine simply because some local authority considered this a good idea.
The problem is USA jurisdiction outside of USA, I'm not a lawyer but how can this be legal under international laws? How is it possible that EU citizen data is under USA jurisdiction?
International law simply is what countries agree upon, either bilaterally or multilaterally. Even if countries disagree and international law indeed favours one party, in most circumstances there's hardly any recourse if that party is the weaker one.
Technically, the US can seize the assets of a US company that refuses to comply with these rules (or simply have their CEO arrested). That's what it comes down to: If a US company has a controlling stake in a subsidiary it's legally obligated to hand over any data that subsidiary controls.
The EU on the other hand could escalate this further and prohibit American citizens and organizations from owning a majority stake in EU-based companies because that's what this boils down to on the other hand: Running or even just doing business with a company that's controlled by a US entity technically is illegal for EU businesses and citizens right now.
This is not a pretty situation, but it's not one either where one side is clearly right and the other side is clearly wrong.
In principle, I agree with the EU point of view. Privacy is a fundamental right that should be upheld. However, de facto outlawing most economic activity and then washing one's hands of any responsibility to provide a reasonable alternative is no solution at all, but makes the problem worse: Businesses might establish legal entities outside the EU, where they're not affected by this. Others might try to host and run everything themselves, which will result in much less secure data and infrastructure because most SMBs simply aren't able to provide the same security standards as Microsoft, Amazon or Google.
It's on the EU and the US to provide a dependable legal framework for dealing with these types of situations. That's ultimately what entities like the EU are for, after all.
You can control locality for some parts of Cloudflare's offering [1], so I guess if you want to comply with the privacy shield stuff, you would have to ensure that the data is stored on a server within a EU country.
Doesn’t work that way. This issue is that CloudFlare is a US company and can be compelled to disclose information to US Govt regardless of where they hold the data.
I came here to say this. People should read at least the Wikipedia summary for CLOUD act. It's classic US legislation, 'we don't care about borders when it suits us' style.
It's not the same, because the GDPR only concerns itself with EU citizens (based on which it claims jurisdiction). The US doesn't pretend to bother itself with such trivialities.
The same way that US sanctions are applied by the US and everyone everywhere should follow them or risk fines and sanctions. No other country does this - when France sanctions Iran, only French citizens and companies are concerned.
You can see very clearly what's most important for each one: USA cares about money, EU about people. I don't consider it a very slightly different rationale.
And it's the same about health care, really two different ways of life.
I really hope this will have consequences that shake up ad tech, but the cynic in me says: They're just going to add another disclaimer in their cookie banner and exactly nothing will happen.
Well part of the ruling is that the "standard contractual clauses", basically an attempt to contract away the regulation is not valid. From the article, it seems to be just conceptually, which gels with my understanding of the GDPR, so it's not going to be just adjusting/appending the legal wording in the TOS to fix that.
This is only sort of a half-truth though. The SCCs are created by the European Data Protection Board, and it works for transfers to third countries because the companies legally say "ok we won't do anything shady with your data" - but you have to actually prove that they can't be compelled to do anything shady under local law - which you can in the US.
So the SCCs are a perfectly fine tool, but you just need more than that.
Of course, companies will try their luck right up until somebody loses a meaningful amount of money. I assume this ruling is gearing up and posturing towards major judgements against Google should they fail to follow through.
Judgements against Google and Facebook have started, which I assume will get increased for being repeat offenders the more they try to weasel out of complying: https://news.ycombinator.com/item?id=29821386
That's what is great about the GDPR. Just adding another disclaimer in a cookie banner absolves them of nothing.
In fact, this whole case is exactly about that. Some Austrian website tried to use Google Analytics and just added another disclaimer in their cookie banner. Now they are facing the consequences.
What does it mean these days to be a “European website” (or a “Canadian website”, etc)? The server is located in Europe? The domain name is owned by a company registered in Europe? What if a CDN serves the site from another location? What if the site is served in an iframe on a site in another location?
As far as I understand the decision is about US being able to order companies inside the US, to give them any data, even when that data origins from overseas.
So regarding your question, I guess the answer would be: A European website makes use only of services, which are not in danger of the US (or other countries from outside Europe) ordering the company to grant them access to the data. I guess this means, that you cannot use any services, which are offered by companies, which store data in the US and possibly even if they store it elsewhere, but fall under US law.
Basically the GDPR considers anything that's accessible or marketed to EU residents (not citizens) under its jurisdiction. In practice this is (probably) pretty much every side that isn't a local business or specifically blocking visitors from the EU.
Looks great! But I feel that $9/month (up to 10k views) is a bit much for my personal website... I pay that much to Google now, but I get a whole suite of tools besides analytics, like email addresses (for my whole family under our surname as a domain, which is cool), my own domain (via GoDaddy, but I got that via Google and pay Google only) and all the small business office tools they offer (though I think those are free?).
Are there any alternatives that offer the same kind of thing as Google?
For your personal webpage you can always use whatever piwik is called today. (I still can't remember after all these years.)
Or you can rely on server logs.
Luckily for everyone but simultaneously sadly for the curious ones among us I think the referer header is broken so the thing I always wanted to know - where users came from - is a lot less useful these days.
Oh, it seems they raised their prices. I think I'm still on the old plan, cause I pay $48/year.
Still, it looks like the cheapest option out there. Matomo costs €19/month, Fathom - $14/month (or $140/year), Piwik Pro has a free option, but they're very enterprise oriented, not sure if they're good for small sites
It's pretty ridiculous how much bloat there is in Google Analytics anyway. Their interface hasn't gotten any better over the years. Sorting through behavioral visits will sometimes crash the browser tab. A lot of open-source platforms can do super specific analytics while also remaining privacy-friendly.
Thank God we have very capable cloud providers in Europe that will rise to the challenge and offer a viable opportunity to the US major cloud providers!
We definitely do have all of those. For some reason, IT managers prefer to teach themselves the AWS/Azure/GCloud configuration clusterfuck rather than the portable OpenStack configuration clusterfuck, but that's suffering we're all bringing on ourselves.
Come on mate, you're likely listening to music via an EU service (Spotify) and you were calling people with an EU service (Skype) before a US corporation bought it and ruined it.
Hetzner is the best hosting provider for dedicated servers (if you care about price). Gridscale is pretty good. The original Skype was a very solid product. Spotify still owns the digital music market.
I once worked in a non-tech company and was tasked with finding new hosting infrastructure for their web apps / sites. I proposed two dedicated servers from Hetzner for about 350 EUR / month. Instead of being happy about the small cost, the CEO said "that's too cheap to be any good!" and asked me specifically to move the apps to AWS because some golf buddy and his company were using that.
So now they're paying thousands instead of hundreds. But as long as the CEO is happy. I moved on because at the same time they were extremely stingy with salaries.
Can't confirm, have been running stuff on Hetzner for almost 10 years.
They will indeed auto-block you if any application is spamming the private subnet - happens e.g. with IPFS running in its default config.
But this always comes after warnings and with an exact explanation of what happened (log of IPs the server attempted to connect to, timestamps etc). I always found support responsive, even in the middle of the night.
It may be that I was lucky all the time, despite interacting with various support staff in various of their data centers. Or it may be that your issues had other reasons...
Ahah, of course during a period of time.
Look at DuckDuckGo https://duckduckgo.com/traffic they benefited a lot from the changes imposed on their competitors.
It is not so easy for Google. The US side will always demand stuff from them. At least for having the ability.
Microsoft once had the right™ offering: Deutsche Telekom running the Azure data center, so it's the same software etc., but legally fully separated. Didn't get many customers (I don't know what kind of restrictions there were)
It is just as easy as it is to run EU things in the US.
Google can run the same servers and stuff in Europe with European stuff in their own servers. They just disable things not allowed in EU and don't send user data to the US.
Cloudflare currently uses a similar arrangement with JD Cloud to offer service in China. It'd be pretty funny if they had to use the same approach in Europe.
If I'm understanding this correctly there is nothing Google can actually do. The problem is the US CLOUD Act as the linked article mentions, which is in direct violation of article 44 of GDPR.
Based on the results of GDPR, it'll probably just result in more annoying sites that users will avoid due to all of the pop up banners. Hopefully I'm wrong, I wish there was strong competition from Europe
An optimistic take would be that this forces European companies to think through their analytics/ad needs again, perhaps resulting in less invasive solutions and thus fewer popups/banners and improved privacy.
At least that is what I'm hoping for, however unrealistic it might be.
I am not aware of an automatic and immediate adoption of an EU member state's rulings for the whole EU. Headline seems wrong, but maybe what it means to say is that such an adoption is 100% sure?
This is true - but courts have been going in this direction for a while now, and noyb has filed 100+ similar suits. Expect most of the legal landscape to agree with this in the not-so-distant future.
I may be in the minority here, but I believe that this is not good for the average European and definitely not good for the European tech scene. Europe is already a more complicated place to launch a new company as you have to support multiple languages, countries etc. just to get to the potential market size you have in the US. Strict regulations that are complicated to implement mean that more new companies will choose to launch and build themselves up in the US first. By the time they come to Europe they will already be big and established and can afford to implement the complicated infrastructure that is necessary to support cross-continent data storage (or ignore the regulation and pay the fines), while eating up all the small startups that were trying to capture the EU market while dealing with massive amounts of regulation and red tape.
Now to be very clear! I am not against most of GDPR. But some of the interpretations of it have gone too far and it will hurt Europeans in the long run.
This is actually one of the best things that can happen to companies like google and Microsoft as they can afford to develop the infrastructure to support easy geo based cross continent data storage - and they can then sell it as part of their cloud offerings.
Geo-based cross continent data storage isn't enough. The fact that the parent company is a US entity still makes it illegal, no matter where the data is stored.
As someone 'on the ground' I see things moving in a much more uniform direction than where they were in the past, the differences are not large enough to make a fuss about. The thing to note is that the GDPR is a minimum set, local law is free to exceed the GDPR.
There is currently an EU member challenging the concept of European law’s primacy. Meanwhile, implementation of other courts’ rulings are delayed by years between jurisdictions.
There is zero chance, for instance, that anyone in Greece or Portugal or Ireland will be impacted, judicially, by this decision for several years. That’s better than before. But it’s far from e.g. a U.S. federal court ruling in California’s impact in New York, or a French court’s ruling in Paris in Marseille.
> There is currently an EU member challenging the concept of European law’s primacy
That's a charitable phrasing. As per Protocol 2 on the functioning of the European Union, article 8 [2]:
The Court of Justice of the European Union shall have jurisdiction in actions on grounds of infringement of the principle of subsidiarity by a legislative act, brought in accordance with the rules laid down in Article 263 of the Treaty on the Functioning of the European Union by Member States
What Poland did was declare nationally (government, and then a national court) that the EC was infringing on its sovereignty (principle of subsidiarity). But as the above text says, national governments don't have jurisdiction when it comes to matters questioning the primacy of European law.
> as the above text says, national governments don't have jurisdiction when it comes to matters questioning the primacy of European law
This is the essence of a divergence of theory and practice. The text says one thing. In reality, something else plays out.
I think the text will prevail. But that delay (and uncertainty) is precisely what I’m talking about. And it happens everywhere, with active regulatory arbitrage an all-but-admitted strategy of a significant section of the SME space.
There is in practice no uncertainty. There is a member state where politicians have decided that they would like to make some waves to divert attention from their internal troubles but the impact on the rest of the EU is extremely small.
> There is zero chance, for instance, that anyone in Greece or Portugal or Ireland will be impacted, judicially, by this decision for several years.
I don't think this is true. The impact will be felt immediately all over Europe, in fact it is already in the news here and people are already discussing dropping GA from websites:
OK then it's a question if other EU members will use this as precedence. With the current frosty climate between the EU and US social media, I reckon it will.
The ruling which led to this conclusion was made back in July 2020.
From the article:
> This is a very detailed and sound decision. The bottom line is: Companies can't use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.
This article is addressing a specific case which follows from a previous judgement (known as Schrems II) which determined that Facebook could not transfer data from Ireland to the US under the US 'Privacy Shield' framework, as it no longer meets the GDPR's adequacy requirement due to CLOUD Act.
This finding by the Austrian court just reaffirms that the Schrems judgement also applies to Google Analytics.
As the article mentions, this is the first of 101 cases ongoing brought by Schrems, and I expect them all to end in more or less the same outcome.
I think if you view it from this angle it becomes clearer:
The court has not arbitrarily declared GA illegal, it just follows what the GDPR mandates - and came to the (quite obvious) conclusion that GA is not compatible with the GDPR.
Consequently it is illegal everywhere where the GDPR applies. This doesn't mean that there are immediate consequences for those who use GA on their websites in any other country, but it is very likely that other EU countries' courts will decide the same way.
EU laws come in a couple of variants. The most common is a directive which is basically "Your country needs to pass a law to achieve X, Y, Z", and this is where you get larger country-to-country differences in interpretation. The GDPR is instead a regulation. That means it's literally the same law (and theoretically, the same standards) that applies EU-wide. So the US equivalent would be a court in Texas finding something to be illegal under a federal law. What does that mean for the same action in California? It's probably illegal there too, but it could still be tested if someone wanted to try their luck.
So that means the current status is that it's precedent a court in another EU country would strongly consider but technically could come to a different decision on, and in either case the losing party has the option of appealing to the EU level.
That's not quite right. This ruling is not the precedent, the Schrems II ruling is the precedent. This is just a court determining that Schrems is in fact relevant precedent in this specific case, and finding based on that.
> Austrian Data Protection Authority strikes the same chord as the European court when declaring Privacy Shield as invalid: It has decided that the use of Google Analytics violates the General Data Protection Regulation (GDPR).
It seems Google was sued in Austria and they have found it to violate the GDPR so yes, it applies to the whole EU.
The legislation that is relevant here is GDPR which is EU-wide (each country has its own implementation but they should be overall similar).
In the article it points out that there are similar suits across the EU by the same organization, so it's not too unlikely that there will be similar results in some or all of the cases.
The other way around: the GDPR was the precursor to this lawsuit, this is the implementation of the directive by a local court which found that, indeed, using GA violates the GDPR.
The writing's been on the wall about this for a long time, and anyone following the space has seen this coming. I'm glad that we're starting to see some judgements now, so people have something to point to when arguing to not send PII to america.
Great victory. I bet firebase crashlytics is illegal as well in EU.
The reason I uninstalled the Hacker News app 'Materialistic' is because it regularly crashed and was probably involuntarily siphoning off PII data through the Crashlytics module.
Maybe someone more knowledgeable can provide some insight here? The problem seems to revolve around transmission of PII:
"Based on this data, Google was able to deduce who he or she was."
Presumably the PII didn't come from the data transmitted to GA by the site, more that GA was able to cross-reference the client ID from the cookie and determine the identity of the user.
So if one was to disable GA cookies and/or override the client ID being sent from one's own site, would that be a workaround?
Seems to raise a couple profound questions:
1. Is there a credible alternative (comparable ease of access and implementation)?
2. Does the absence of such a tool hinder business operating efficiency?
If the answer to #1 is no, then any assertions that Google is not operating as a monopoly in the space are undercut. If the answer to #2 is no, then there are quite a few BI/Analytics/Strategy personnel who might find their value more difficult to justify!
Well Microsoft just needs to found a company owned 51% by a European entity/shareholders and operated by Europeans. Like that, the CLOUD Act cannot be enforced. MS licenses Azure/Office/whatever to this company so it will grab the majority of revenue. They can make fancy auditing agreements making sure that this company never steals anything from them.
China has been doing this model for years. Just with a different motive I guess.
They tried this also with Telekom Germany for the Azure cloud but stopped doing it
I've heard Google is working on a new cookie-less version of GA just like plausible and other privacy-focused GA alternatives. Wondering if this cookie-less GA would still come under the ban.
It almost certainly would. This isn't about cookies, this is about sending PII (which IPs are) to GA. I have a hard time imagining some safeguards that'll allow you to use GA without ever hitting a GA server.
Even Google is not too big to fail and cutting off 40% of your income stream isn't a very wise thing to do for any executive that wants to hold on to the pluche.
Why? If you have a Google account, you have a direct business relationship with Google, and the data in that account doesn't violate the GDPR in any way.
(the data Google collects about you outside of your account activities still might, though).
I guess parent fears that Google will blanket-disable access to all Google services in the EU, as retaliation. Unlikely imho, but it's true that Analytics was a big loss - it's only one step down from their core product, Adsense, and if GDPR enforcement comes for Adsense then they will have to go nuclear.
Would they really throw the golden egg out with the bathwater though - even if the egg's not shining quite as bright anymore because targeting isn't as accurate? Seems like an overly risky move that stock holders shouldn't allow.
I'm as concerned as anyone about privacy issues but GDPR has just gone too far in the sense that nobody really understands it (I've undergone trainings with 2x previous employers and everyone just kind of shrugs that it doesn't make sense and we'll do our best bla bla bla ...) and that now they're trying to make an actual useful piece of software illegal? And that for reasons that the very people they're trying to protect will completely fail to understand.
So many marketing departments depend on it, how can they realistically enforce this law?
I'm saying this as someone who's not a fanboy, GA can be a pain to use and overly complex, maybe Matomo is even better.
Nobody understands this, apart from us techies. Try explaining to the average user that storing his screen resolution on a server in the US could mean he's being profiled by the NSA. The reaction will be "oooo you spooky hacker". It frustrates me that people react like this, don't get me wrong.
Changes are always difficult, no matter how small or large they are.
As a European, I welcome this wholeheartedly! It makes my daily job harder (as a programmer), but it’s needed to stop this insane industry of using private information as a currency. Most people seem not to care, but that is mostly because they don’t understand the consequences of this.
GDPR isn’t really that hard to understand. If you need to gather PII, you need the proper approval from the end user to do so. If you don’t have the proper approval, you can’t store it. Also, don’t gather information you don’t need. If you only need page views, don’t store IP, resolution, localisation and all these things in addition. This is common sense, not science. In fact, you should be happy to have these restrictions, because it lowers the risks in case of data breaches.
The real problem with GDPR is that we’re so used to violating people’s rights that we have completely forgotten how we should behave.
As far as I understand it, it's not Google Analytics per se that is illegal, but the data transfer to the US. If Google Analytics used servers on European ground, it should be fine.
Or would that still violate GDPR as Google as an American company can still be coerced to give access to data stored on their servers outside the US? But I can't imagine that to be the case, as it would effectively mean that any business where an American company stores user data is illegal.
> Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned.
It would seem as though any EU company that can be compelled to transfer data to the US would be found not to be able to take adequate measures to guarantee the protection of the data. I'm not familiar enough with the law in the US to understand whether the US authorities can compel an EU subsidiary of a US company to transfer data out of the EU, but if so...
> I'm not familiar enough with the law in the US to understand whether the US authorities can compel an EU subsidiary of a US company to transfer data out of the EU, but if so...
They can. If I remember correctly, Microsoft refused an FBI request for some data that was stored in Ireland, so the Cloud Act was created.
It’s slightly more nuanced. In that case, the FBI compelled Microsoft’s US operations, with employees based in the US, to access data stored on a server in Ireland and to hand it over.
GP is wondering if no US employees had access to the data directly if US law would have Microsoft US order Microsoft Ireland (which is a wholly owned subsidiary) to transfer the data to the US.
It’s an interesting question. My non-lawyer take, even if they can force Microsoft US to make the request ultimately Microsoft Ireland is an Irish company operating under Irish law. If the data transfer to Microsoft US is illegal, they mustn’t do it.
A situation where this already happens is technology transfers. If information is export controlled (mostly military related), a foreign non-EU/non-NATO owner of a German company can ask and demand as much as they want, none of their employees will ever see that information.
The various shields for EU->US data transfer, agreed before and after GDPR, have been found incompatible with GDPR even if only potential. It's just that nobody has sued anybody yet, as the industry silently scrambles to look for alternatives.
There is the law, and then there is enforcement of the law, and the latter has not fully happened yet.
As far as I can tell this ruling means that transferring PII to any company/service controlled by an American company is illegal per the GDPR.
I work for a European company that is already being impacted by this ruling. Our first step is to replace Google Analytics, but I believe we are also looking through all cloud usage for any traces of PII.
I think this is a huge opportunity for European companies to get a foothold in the Analytics/Ads/Cloud/Office spaces. Perhaps also an opportunity for good open source alternatives, like Matomo Analytics, to get adopted.
> Or would that still violate GDPR as Google as an American company can still be coerced to give access to data stored on their servers outside the US?
Yes, because of the CLOUD Act. If GA created a deployable agent that processes user data on your server before sending it in aggregate/anonymously to central GA, that would make it usable.
IANAL, but the UK has kept (for now) an implementation of the GDPR, and judges may opt to take into account the GDPR their law was based upon when it was drafted. However, there's no guarantee they'll consider that with too much weight, because they're no longer bound by the EU legislation. For the UK, I'd say the current state is "probably just as illegal, until the law changes, but it's not been tested in court so you may risk it".
The GDPR covers the privacy of individuals residing in the EU. That means you don't need to track which user has which nationality, you can just make decisions based on the location of your users. If you're an American company targeting American customers then you don't need to worry about Europeans passing by on their holidays. If the request comes from the EU, don't load your personal data collection code, internal or external, if you're unsure about the legality.
That said, if you don't offer any services (free or paid) to the EU and one of your customers happens to use your service on a business trip, you don't need to worry either. This mostly applies to contracts and data processing, much less to actual websites and web services reachable from anywhere, but it's an exemption that'll save a lot of data hoarding companies that track Americans, Asians, etc. through indirect means.
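A constructed illustration of the approach this comment describes (decide by request location, and keep only what a page-view count needs), added here and not code from Google or any project; the `X-Geo-Country` header and its trusted-edge origin are assumptions:

```python
"""Constructed example: gate collection by region and minimise what is kept.
EU/EEA hits are counted in-process with IP, UA and resolution dropped; only
non-EU hits are handed to a third-country analytics endpoint. Unknown
country is treated as EU, matching "if unsure, don't load the collector"."""
from collections import Counter
from datetime import datetime, timezone

# EU/EEA ISO 3166-1 alpha-2 codes (EEA states apply the GDPR as well).
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}
COUNTRY_HEADER = "X-Geo-Country"  # assumed: set by a trusted edge/CDN, not the client

def is_eu_request(headers):
    """True for EU/EEA clients and for any client whose country is unknown."""
    code = headers.get(COUNTRY_HEADER, "").upper()
    return code == "" or code in EU_EEA

def minimise(event):
    """Reduce a raw hit to a page-view record: UTC day and path only.
    IP, user agent, resolution and language are dropped, not masked."""
    return {"day": event["ts"].astimezone(timezone.utc).strftime("%Y-%m-%d"),
            "path": event["path"]}

class LocalCounter:
    """In-process aggregate store: counts per (day, path), no per-user rows."""
    def __init__(self):
        self.counts = Counter()

    def record(self, rec):
        self.counts[(rec["day"], rec["path"])] += 1

def route(event, headers, local):
    """Return where the hit went. EU hits never reach the third-country
    branch; forwarding of non-EU hits is left to the caller."""
    if is_eu_request(headers):
        local.record(minimise(event))
        return "local-aggregate"
    return "third-country-analytics"

# Constructed sample hit, deliberately carrying fields that must not be kept.
SAMPLE_EVENT = {
    "ts": datetime(2022, 1, 14, 23, 30, tzinfo=timezone.utc), "path": "/pricing",
    "ip": "203.0.113.5", "ua": "Mozilla/5.0 (constructed)", "resolution": "1920x1080",
}
```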
> Therefore, the data of European citizens may not be transferred across the Atlantic.
That is different from the headline. GA is still legal; the judgement is that it remains illegal to transfer PII from the EU to the US. That's not new; that's GDPR. This judgement is just upholding GDPR.
It's just data traders grumbling about a law they don't like in a place they don't live in.
To be clear, the transfer of EU citizens' data to the US was deemed against the GDPR. This decision does not mean that Google Analytics itself is illegal.
But, due to American intelligence agencies' explicit access to overseas data (Schrems II), any such service by an American company can't meet the requirements set forth by the EU, and thus can be considered illegal for any practical purpose.
As I understand the ruling though, this pertains to the fact that data is transferred to the U.S.; it may be that if they changed to just using servers in the EU it would still be declared illegal, but a new case would have to go through to make this declaration?
No, the CLOUD Act was created specifically because Microsoft previously refused to comply with a US court order on the basis that the data was stored in Ireland. The US chose to compel a national company to produce the data instead of using an international data request, and as a result no US-based company can comply with the GDPR.
I think the syllogism comes from the fact that currently GA does transfer EU data to the US by default (and probably currently there is no way to prevent that?). But I'm not a GA expert at any rate so I can be totally wrong.
As I understood it, data location is not even the problem, but the US CLOUD Act, that allows their authorities to request data from US companies no matter where it is stored. So even if Google Analytics stored data from EU citizens in Europe, they would still violate GDPR, because US authorities can access the data without the users' consent.
Nope. I've heard some people talk about company constructions where you create a new officially unaffiliated company in the EU, that then just lends the IP to create a datacenter from the US-based companies, but I'm not sure if that's actually feasible.
If that company is entirely separate (but happens to have the same investors) and no more money flows between them than the cost of IP, then that may just work. You'll have to be careful not to let shares fall into the wrong hands, though, because the two companies might eventually grow apart as a result of having different shareholders with different opinions.
Such a move might also be frowned upon by the American government, because you're essentially cutting them off from part of your company. I think this concept would work from an EU standpoint, but it wouldn't surprise me if the US government would prevent you from doing that, or even hold you personally accountable.
You'd also need to get a pretty good analysis of tax laws because suddenly the top owner of the company isn't foreign to the EU anymore, and that could be a problem for the tax evasion schemes big tech is so fond of.
All in all, I doubt it's worth the hassle. As a customer of Google Analytics you'd need to have some logic to load either the European or the global analytics script, and the data cannot be combined into one overview without stripping a lot of important context (or breaking the law in the same way).
Yeah but I think this goes bigger than this. We might see Google Analytics now, but we're going to end up seeing problems with European companies using AWS, Azure etc. later on. _That_ might be big enough to warrant it.
In practice this construction does not exist for the big tech conglomerates. Perhaps they will exist one day, but I doubt it. These companies are fundamentally imperialistic artifacts and this proposed solution is about relinquishing control over a foreign asset: It does not mesh with their core culture.