Italy is the 4th in a string of recent decisions across the EU.
(We're tracking these cases on isgoogleanalyticsillegal.com along with details for each.)
Note that it's not illegal to use GA entirely, just illegal to use in its default state which transmits PII to the US.
We are based in Europe and self-host our analytics exactly for this reason. I feel this is just the beginning.
Congrats. We also chose to do the analytics ourselves. No tracking, no cookie banners, and probably better stats as well. One thing that Google did very cleverly was to only give GA users the search terms that visitors used to end up on their site.
Don't you still have to provide a cookie banner as soon as your analytics are storing cookies, even if it's your own?
> Don't you still have to provide a cookie banner as soon as your analytics are storing cookies, even if it's your own?
You need consent for every kind of storage usage on client side if you create profiles to analyze the them for marketing goals. If not, and no PII is being processed, no consent is required. Eg you could easily aggregate your server logs without a consent.
You generally don't need a consent for gathering data that is required to run the site.
But if you use the data for analytics purposes, you do need the users' consent for that, even if it's the same data that you use for operational purposes.
But that means you shouldn't have IP or user-agent or any unique identifier in the path.
Just to be clear: PII is not the same as personal data as defined by the GDPR. The latter is generally much stricter as it also includes indirect data. Data which would be anonymous by itself but in a collection uniquely links to a single person would still be considered personal data under the GDPR.
> if you create profiles to analyze the them for marketing goals.
That's not correct; if you collect PII, even if you don't use it, you need consent. Actually, if you don't have a legitimate use for the data, you are prohibited from collecting it at all.
GDPR isn't an assault on online marketing; it's about privacy.
Isn't the search term in the Referer header?
Nope. They forward through an in-between that obscures it. They argue that because search results are personalized, being able to see the search terms can give you information about the visitor that can compromise their privacy. Google doesn't want anybody violating user privacy except for Google.
You can only see visitor numbers per search term, but not information like bounce rates or duration of visits. And that would be really helpful to judge if people may get the wrong impression of your page and bounce if they searched for specific topics.
Not for many years. The only way to get Google search term data now is through the Search Console product, which integrates with GA.
How are you tracking returning users without cookies? Also if it’s multi-lingual, how are you storing the language prefs?
> How are you tracking returning users without cookies?
We're not. And that's exactly the point, because we don't want to track. I make a distinction between tracking, analyzing and stats. What we do is guess who are the unique visitors (and who are not), and I say guess because it's guesswork since the browser can spew out any kind of info.
> Also if it’s multi-lingual, how are you storing the language prefs?
Cookies you require for functionality (ie. login cookies, language settings) require no consent, but do require to be laid out in a cookie policy.
Can you point to the part of the regulation which states this?
Why would you need that? All businsess that aren't online can't collect that data and we still have newspapers and supermarkets. If you are interested in that data just ask your users.
Very American opinion you have their. It does not hold up the world over though.
Supermarkets are a bad example here because they are a critical link in the distribution economy.
Google? Not so much
Same here. We’ve been using goaccess for years on a 300M hits a month. Self-host is the way to go for us.
Comparing goaccess to GA is like comparing an abacus to a MacBook Pro.
Unfortunately, you can't self-host the integration with Google Ads or Search Console, which locks anyone who relies on Google (or Facebook, Microsoft, etc) Ads into the use of Google Analytics/Ads tracking.
Why not? Can’t you still pass the campaign information via the url?
You can send campaign data that way, but to run any kind of effective campaign on Google Ads, you also need to send conversion data back if the user who clicks on your ad actually does the thing you want. You can either use GA or Google Ads own tracking option to set a cookie with a unique ID associated with that ad click and then send that to Google when they convert.
A privacy-conscious serverside GTM/GA implementation won't leak any personal data like IP address to Google, but there's no way to avoid sending the GCLID if you advertise.
A lot of companies are dependent on Google Ads for demand generation, so it's the reason they are sticking with GA even as the writing's on the wall.
Self-hosting does not automatically make your analytics legal, on the other hand.
Processing of your users' personal data is legal only in the few exceptional scenarios outlined in Article 6.
Our definition of "exceptional scenarios" is clearly not the same... The list of scenarios in article 6 are common business operations covering a huge range of legitimate activities where processing might need to occur; there is little exceptional about them.
Processing of personal information is unlawful except in the conditions listed in the article.
So "exceptional" in the sense that they are exceptions to a more general rule, as of opposed to the sense of being extraordinary.
Are you using a custom sotware or something like plausible.io?
I've heard about Plausible but haven't tried it yet. We are using Posthog which is a suite for product analytics.
Plausible et al all are a pale imitation of GA. They all offer a dashboard with some basic filtering. But they offer little in the way of true analytics features, that allow you to slice, dice, and compare data.
I'm working on an web analytics project that gives users more power over the way they slice/dice/compare analytics data. Would you be interested in giving it a try when the project launches in alpha?
Send me a hello email at the address listed on my profile, would be happy to send out an invite when ready.
Which is a good thing!
Another decision in a long stream that will make it much harder for EU start-ups companies to catch up to American ones. With absolutely no improvements to actual EU citizen well being.
Maybe a race where the finish line is maximum exploitation of the digital population isn't a race worth running.
Yes, let's all marvel at the accomplishment of making everything funded by exploitative and intrusive but largely useless advertisements.
All digital startups are literally doomed without the indiscriminate collection of personal tracking data.
Side note: thank you modern adtech for consistently recommending me products I already bought days and weeks before. Very effective. Gullible companies just keep paying cold hard cash for these garbage recommendation systems because some sales rep talks fluffy about AI and machine learning, it's so mindblowing....
here I thought maximum exploitation would be selling someones identity on the dark web but I come to find on HN that it's actually hashed analytics data D: !!!
I wish the internet was purely an informational no bullshit interface/store instead of all this crap. I welcome these changes. Convert it back into a piece of furniture. Oh no we can't make a billion dollars for no reason.
So lets legalise child labour? Get rid of OSHA?
Where you draw the line is cultural and personal, so don’t dismiss things like this so easily.
Isn't this an opportunity for EU startups? By choosing to enforce the law on US companies that EU companies are already generally very compliant with, surely the EU has levelled the playing field for EU companies?
It is. Most startups in the EU have to use more and more businesses in the EU. The selection is little, so way more changes to succeed if your EU based and serve both markets.
I run Simple Analytics [1], which is a privacy-first analytics business from the Netherlands. I see a lot of business from the EU just because we are from the EU as well.
Frankly, as a EU company (based in Germany no less) I'm steering clear of any US SaaS whenever possible. Even if they operate in the EU they're usually a legal headache because privacy compliance is added as an afterthought and they'll often carelessly transfer data to US servers based on assumptions that should have been abandoned when Privacy Shield was torn down in the courts.
Out of the big cloud providers only Azure feels even remotely safe to use (if only because of the privacy reputation of Google and Amazon).
Because their compliance is not an afterthought like the poster above said. You can't even assign an Office 365 licence to someone until you say what country they are in, so their data is kept in the right jurisdiction. I know someone will reply...blah blah no true scotsman...but compare that to most saas that doesnt even give the option
Google is an advertising company that is literally built on non-consensual data harvesting. AWS is an outgrowth of Amazon, which is likewise massively invested in data mining (though mostly on Amazon itself).
Microsoft's telemetry in end user products is known to tech savvy people but the company is mostly known for its operating system and office suite that most businesses already use. Additionally in Germany Microsoft used to offload its enterprise services to Deutsche Telekom (or T-Online I think) operating them for MS under the Microsoft brand, thus appearing even more trustworthy by effectively handing over control to a well-known German company. This changed but reputation sticks.
I can already see the taglines: "ConsentCo, tracking that's legal in the EU, unlike Google Analytics"
A little advantage for EU analytics startups, disadvantage for all other EU startups and SMBs who have less options for figuring out what users like about their website and offerings.
Assuming any of that actually helps to grow revenue, or that it is the only way to find out what your users want. Plus, GDPR isn't making tracking illegal in general, it is just heavily regulating it. If it was just properly enforced, the internet would be a much nicer place...
Side note, I'm slowly getting tired of people ignoring regulations and compliance simply out of laziness.
So due to this legislations it is more costly/less profitable for a company to have a European customer compared to US customer. Things like GDPR/lawsuits/bad PR etc. doesn't come for free for companies. So if some startup has more ratio of European users it is at a disadvantage.
GDPR is rarely enforced, we are still In a transition phase and many who start out choose to just ignore it to a degree.
I don't see how it's more costly or less profitable. Judging by the amount of lawsuits per capita I think it's way more likely to get sued in the US than Europe. And guess what's more expensive or complicated for a European company?
Setting up something like Matomo instead of GA doesn't looks to me like a huge penalizing factor for a startup.
If anything, EU startups could benefit from better control over the tools they use. One interesting halo effect of Google seeing that much data is also that US startup from ex-googlers get a head start on many insights.
That decision is on the US, once the cloud act will be removed, those services will be legal again
Before the CLOUD Act there was the PATRIOT Act, which had effectively the same provisions.
These things have not been legal since the GDPR went into effect, and in some countries even before then.
Oh yeah sure, that also would not work with the patriot act.
To be compliant with the GDPR, the US needs data laws which only affects citizens on their own soil and not overreaching to EU citizens.
And we all know that this will never ever happen.
take data of your USA customers and sell it to the highest bidder without their consent or even knowledge as you please. don't complain that I have the right to know you do that and disagree to you doing that.
Google doesn't really sell user data.
No, it’s too valuable. They sell services using the data such as Google ads.
That seems to be a detail that a lot of people miss. Google, Facebook, etc. don't sell user data. What they do offer is services where they use that data to optimize ad delivery.
On my part, I'm not too concerned with that... they operate on a massive scale and no human is looking at my individual data. The result is me seeing fewer ads that are irrelevant, which is good for everyone (for example, no one benefits from showing me an ad for feminine hygiene products, and if Google and Facebook can make sure that doesn't happen, all the better).
or maybe EU is starring to rely on their own startups.
If I had to chose an analytics software for a customer's website, I'd chose someone in EU for the sole reason that it would be compliant in both EU and the rest of the World.
I am no EU citizen, however live in Europe and do tech startups. I welcome GDPR as well as this ruling.
It's unethical IMO to send personal data to countries that have weak privacy laws without making it absolutely clear to the user. Which is rarely the case with GA right now.
I switched most my projects to shynet, for me personally that's more than enough information and I have zero worries about tracking and know that some users appreciate my approach.
Edit:// even before GDPR became a thing I worked with several companies who had strict rules about hosting in Europe or even more explicit not hosting in the US.
Let me guess, you're from the US and user surveillance is beneficial to your business so naturally everyone with non-capitalist (read not $$$-centric) ideology is plain wrong. EU startups don't have to "catch up" or even compete with US start ups.
read this with a french accent for whatever reason >.<
Does this imply that the EU is "non-capitalist" or something?
"EU startups don't have to "catch up"..." then don't get surprised when EU talent is poached by US and Asian HRs for x2-x3 rates. And before you're gonna talk about all those "free" (taxpayer funded) services and how no European would ever move to Asia or NA, i'd like to remind you that we're in the remote work world now :)
Replying to a comment that states: "not everything revolves around money" with "but we make more money".
That's one way to read it, except it's more like "replying to a comment stating that EU startups (something that is about money) don't have to catch up to their US competitors with "sure, but don't get surprised when EU startups are going to be at a huge disadvantage when it comes to offering a worthy reward as a result of "not caring about money"".
As an EU citizen, I find it to be a huge improvement to detangle my data from US-American entities. Especially with the election of Trump and January 6th. Maybe Americans haven't fully realized what that meant for US-EU relations for the next hundreds of years. The US is just not a politically stable country until further notice.
Eh? Jan 6 wasn't very noteable (a bunch of disorganized protestors are let into congress, but the state was not meaningfully threatened), the US has long had political instabilities, the business plot was way worse, but who has heard of it now...
since when EU became politically stable? Last time i checked you were at war with Russia.
> since when EU became politically stable? Last time i checked you were at war with Russia.
Russia's attack on Ukraine has no relevance at all to whether the EU is or isn't politically stable.
There may be other reasons you can cite, in which case fair enough, but that example is a non-EU third party attacking a non-EU third party. And the EU is not at war with Russia.
Blockade and weapons are consequences of Russian invasion. Russia started this war.
And yes, unfortunately it can't be allowed to persist in its current shape.
Putin's disinformation really worked wonders on you.
You are demonstrating the level of geographical and political knowledge that people expect from americans. I hope this is satire.
Ukraine is, not the EU. The US is at least as involved in the war as the EU is.
But I wouldn't call many EU countries very stable either. It can still be a win to not send private data to the US though, tracking has become far too precise and omnipresent.
Actually, the cookie layers of Google have become a lot better in recent months. I doubt that is was Googles initiative, so I think that all this legal stuff is making a difference. Yes, it is a very slow process, but what would be an alternative?
Yes it doesn't solve the startup problem, but honestly there also also a ton of other laws and regulations outside of data protection which make it hard for startups to prosper. Web Analytics seems a relatively minor problem.
Yikes... Have you ever heard of some of the alternatives?
I self-host Plausible which is GDPR compliant and gives me all of the features that Google Analytics is actually good for. There is so much bloat in GA that provides absolutely no extra value.
I'm skeptical that this is a bad deal for EU citizens.
[EDIT] missing and
Nah. The problem here is Google, not analytics in general. You can still use analytics as long as you do it in a privacy-first approach.
These laws also apply to US companies offering their services to in the EU. Frankly, it's about time American companies get reigned in on their privacy abuses. US startup culture has been playing fast and loose with people's data for far too long to disastrous effects.
Perhaps those are start-ups that we don't need in the EU.
That's assuming a European GDPR-compliant alternative to Google analytics wouldn't arise. But of course it will. It's not even a very difficult product to build. If anything this is both sticking it to Google and creating opportunities for European startups to fill the void.
That's ok, that's our decision.
The EU hasn’t shaken off their roots in monarchy. Using the power of the state to go after a single private entity since they have a blood feud with said entity and are now finding all sorts of excuses to hit them economically.
I’ve been following the cases with regard to privacy in the EU and it’s a complete joke. You have all these onerous rules against any web technology making it near impossible for startups to function without an army of lawyers. Think I’m exaggerating? Look up the provisions under GDPR for any business, big or small, to set up a website and then process a single user request for their data even without sign in.
The UK is sick and tired of this and has recently begun moving to ignore these onerous rules. All power to them.
You may be looking at this through a very narrow, heavily politicized lens.
First: GDPR is a compromise, so it's a bit uneven. That's partly due to lobbying by google and friends. Second, privacy very much needs protection. Even if you are perfectly fine giving up your privacy, other people aren't. Third: you can actually process user requests. Depending on how you do it, you don't even have to show a banner. Is that really too intrusive?
I mean, before accusing someone of looking at this politically, please read the comment fully.
You’re taking pains to explain why GDPR is a compromise? Why? If it’s bad law, it’s bad law.
Nothing you said invalidates the assertions I’ve made. Unless you’ve directly experienced the onerous system of regulations in places like Germany, I’d urge you to do more research before the armchair dismissal.
Bad law for the reasons above.
Ie, onerous toward regular businesses Ie, used to greatly expand bureaucracy and overhead Ie, used by unelected bureaucrats to wage battles of personal vendetta against specific companies instead of doing what laws do, which is set unambiguous standards for all
> The EU hasn’t shaken off their roots in monarchy.
I know, right. I mean obviously the world's most famous royal family (our British one) isn't really a monarchy so that doesn't count. And they certainly don't get previews and vetos on our laws, or given hundreds of millions from the licence fees for offshore wind farms, or own a notable percentage of the land.
As for GDPR, compliance is pretty straightforward provided you aren't being shady to begin with.
And the new UK proposals are much worse and if they go through as they stand will be a nightmare for anyone serving UK visitors.
Do you have a point, asshole? There's more in that comment above than the bait you took.
You are right that my point wasn't clear and I apologise for that.
Your comment started by saying that the EU (as a negative) has not shaken off monarchy and ended with a contrast with the UK (a positive comparison). My point was that the UK (I am British) is even more steeped in monarchy/tradition so that can't be the cause.
Then I addressed your complaints in the middle paragraph about the GDPR by pointing out that compliance is reasonably simple for sites already having good behaviour.
And finally as you started with the EU and ended with the UK I pointed out that the new UK proposals are more onerous than the GDPR ones (thanks to the verification requirement).
You're free to disagree, and again I apologise for not being clear enough, but those were my points.
> The UK is sick and tired of this and has recently begun moving to ignore these onerous rules. All power to them.
I don't think so; the UK passed the Data Protection Act 2018 just 4 years ago, to bring GDPR into UK law. That is: the DPA is normal statute legislation, unlike the GDPR itself, which is a bureaucrat-made regulation. The DPA was passed by both houses of Parliament.
So what are these mysterious moves to ignore the law? The only such moves I'm aware of are some plans to remove the European Court of Human Rights from UK law (ain't gonna happen - the ECHR is written into the Good Friday Agreement), and the UK's decision to ignore the decision of the ICJ concerning the Chagos Islands.
>I don't think so; the UK passed the Data Protection Act 2018 just 4 years ago, to bring GDPR into UK law.
This is wrong.
The Data Protection Act did not bring the GDPR in to UK law, GDPR became part of UK law as soon as it was passed because it's an EU regulation, and regulations have direct effect in all member states (which at the time it was passed included the UK).
The GDPR then became "retained EU law" by virtue of Section 3 of the European Union (Withdrawal) Act 2018, and was then modified (turning it in to the UK GDPR) by the The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. These regulations also amended the Data Protection Act, fwiw.
Are you. . . For real in this thread? Can you please stop commenting about things you seem to have zero context in and zero interest in following even casually? https://www.itpro.co.uk/policy-legislation/data-protection/3...
Instead of resorting to abuse and name-calling, let's hear your proposal for the kind of data-protection legislation you favour. Surely you're not advocating the ideas of the terminally-dim Nadine Dorries?
The simple fact is that if you allow unrestricted export of personal data from Europe to the USA, then European law can no longer control what use is made of that data, because the US courts won't enforce European restrictions. Are you advocating for Europeans to submit to the wild-west regime in the USA?
By the way, if you don't care to read my posts, you can always just not read them; they are all tagged with my handle at the top.
While I should be happy with narrative (I run https://wideangle.co, GA alternative), let's be honest. It not banned. Nor is it illegal.
It is illegal to use it in such a way that results in Personal Data being siphoned to the US.
Is it hard? Yes. Outright illegal? Nah.
It is good to see a GA competitor not resort to FUD as a marketing tool.
But it's enough of a hurdle that many website owners may just decide to go with a EU-based competitor. Certainly a good ruling for the EU tech scene.
If I understand this correctly, the issue isn't Google Analytics specifically, but "because it transfers users’ data to the USA, which is a country without an adequate level of data protection".
So this could also apply to any company that sends PII to the USA?
At present, there is no legal basis for a company covered by the GDPR to send personal data to the US or a US-owned company. The US needs to repeal the CLOUD Act, and maybe one or two other things, in order to make this situation work again.
Is that for US- or Italian-based users? What if this is an Italian company running a global website with data from non-GDPR country users?
You can find the scope of the GDPR in Article 3 of the GDPR: https://gdpr-info.eu/art-3-gdpr/
Read these as individual clauses; the Regulation applies if any one of them is met. An Italian company serving customers anywhere in the world is covered by the first clause.
GDPR covers EU citizens. I don't think it says anything about non-EU citizens.
If it is physical location, that is something you cannot possibly know for a user, due to VPNs. You might know that a person is logged in and registered with a US address, but you don't know if they are traveling (they might even VPN via the US because it is convenient for work).
So I guess you need to assume this applies for all visitors.
No such thing as a de facto citizen; a de facto citizen is also known as a refugee.
No, it covers companies and individuals operating within GDPR jurisdiction. A US company that trades in the EU is subject to the GDPR. This is no different from applying the UK Trades Descriptions Act to US companies that advertise in the UK.
Any company that sends personal data to the USA, yes.
What's really puzzling is that Google Analytics never got banned because of antitrust laws. It's the most obvious example of predatory pricing I've ever seen. How is a smaller company supposed to compete against a free product?
I co-founded a company called Heap that competed against Google Analytics and we were quite successful. Amplitude, Mixpanel, and others have also done so. GA’s free pricing was not really a big issue for us and customers were very willing to pay 6- and 7-figures for a differentiated quality product.
Loved Heap (Analytics?). I advocated for it while working at my previous employer :) I think we were early customers. At the time, its automatic tracking of all events was a godsend compared to hooking up specific tracking after the fact using GA events.
One broad view is that anti-trust is supposed to protect consumers, not competitors.
If a competitor can't produce a quality product that people will pay for, consumers aren't being harmed by the prevalence of a free good-enough product.
In a consumer-protection world where a free and open source Linux had 98% market share in the OS market, Microsoft or Apple would have no leg to stand on to sue its developers over anti-trust. In a competitor-protection world, they would.
The US views anti-trust through a very consumer-focused lens[1], the EU sometimes views it through a more competitor-focused one.
[1] This doesn't mean I agree with it, and there are obvious problems with trying to prove harm in a court of law, if no alternative exists.
Doesn’t predatory pricing mean “we dropped our pricing below profitability in order to kill competitors (and presumably raise our own prices once they’re dead)”?
I think you’d have a very good case against Amazon, and probably Uber/Lyft, and I’ve long wondered why no one sued them over it. But in Google’s case, Analytics is profitable for the same reason Youtube is profitable—Google makes money off the data they gather.
I did hear this in about 2014, so it could well have changed, but I thought Youtube wasn't profitable, or at the very most barely profitable
As of 2019, I was still hearing it wasn't profitable. Though that may be starting to change: https://arstechnica.com/gadgets/2021/04/youtube-is-now-build...
Google Analytics has an enterprise paid version and it starts at 6 figures, Adobe has a very competitive product in the same space. So there's definitively room for a paid product in the market.
Lots of ways? Better features, better support, better performance.
If you can't beat the free offering, then go home.
"We've tried nothing and we're all out of ideas!"
- A French Ned Flanders, probably
If you can't beat the free offering, then go home.
In the real world of physical goods, there are laws against this. But Google's a tech company, so anything goes.
It's not illegal to give things away for free unless it's dumping.
> Google prices Analytics at $0 to prevent any competition from starting up.
It's not dumping because, in the absence of any competition, the price hasn't changed. It just turns out the market price for this service is $0.
Which real world country?
In the U.S. most antitrust law is based on protecting what's best for the consumer, not protecting the competition from a free alternative.
What a horrible law.
The market should just create a better solution or find investors to call the bluff of the offending company and make even more money
How many companies use GA as their only analytics system? It isn’t free. It has a free tier.
It's like with Cloudflare. The free Tier is what gets small companies and hobby developers in. And as they know your system but not the one of others, they'll recommend it to use when your company grows or their employer looks for an analytics system.
But I don't think it's predatory. It clearly worked for cloudflare and seems to work for Tailscale (they openly said they're using the same strategy). It would be predatory if others couldn't match that, but I'd argue many competitors could offer free plans for small websites if they wanted to.
If we enforced a law that said no product can be sold at a loss, we would get rid of almost every single startup and many recently IPOd former unicorns,
There is really no reason to use Google Analytics anymore. There are many great alternatives now, mine is PanelBear.com. Other people love Fathom and Plausible. It’s great to see some unbundling happen.
Yeah, it was another one of those trojan horse programs. Offer something incredibly useful to website owners; something so compelling that they literally can't say no. An oh, it just happens to track the activity of every web user anywhere in the world.
The alternative offerings at the time were fairly awful compared to what google released.
I also believe (no proof though!) that you don’t need all that micro detail about your users and it is a distraction for a business.
A rough “how many came” is useful. At least to diagnose if the site had problems. Just talk to people and make your thing good!
The reason we built Scale8.com - Time to replace Google Analytics and Google Tag Manager :)
I'm still a fan of Matomo. Very powerful, easy to self-host and you get full control over your data. Never tried their managed services though.
This is consistent with decisions from the Austrian and French data protection authorities (DPAs). Note that Google is a Processor (for this product), meaning that Google itself does not violate GDPR, but only the websites that use it.
Following the Schrems II case, the "threat model" used by EU courts on these matters is "American law enforcement can serve a warrant to American companies." Long story short, any processing that Google does after collection is not considered to offer any protection, because American law enforcement can just tell them not to do that and they won't. Hence, the "Anonymize IP Address" setting in Google Analytics is not considered to have value for GA.
It might theoretically be possible to use GA compliantly by proxying data through an EU-owned service which obfuscates anything considered personal data, at minimum the IP address and various cookie values. This scenario hasn't been confirmed by anyone as compliant, but the regulators seem to always go out of their way to dance around it rather than just saying "GA is non-compliant, always, forever." Still, for the trouble to set up such a service you might as well just stand up a self-hosted first-party analytics solution.
This particular decision on GA is purely about the cross-border transfers, and doesn't seem to touch on whether using cookies for analytics requires consent. That's a separate issue (technically about a separate law).
> meaning that Google itself does not violate GDPR, but only the websites that use it.
This is so baffling to me. Google has subsidiaries in the EU. The fact that it's ok to give a product to a EU client which can't be used in accordance with the law, and the client is responsible, is just idiotic.
To be compliant, Google can just set up data centers specific to GA in one of those EU subsidiaries, so GA admins can choose to have their visitors' data stored only in an EU data center (and promise to not transfer that data to the US). This wouldn't be that hard to do.
No, they can't as far as I get it. The american cloud act entitles US law enforcement to serve orders to US companies and their foreign branches. So, if you are american with a company in the EU, the important part is that you are an american, not that the company is in a foreign jurisdiction.
Yes, specifically the CLOUD (Clarifying Lawful Overseas Use of Data) Act, which was enacted following a case in 2014 where Microsoft refused to hand over emails stored in the EU (Ireland, in that case) on foot of a domestic US warrant.
The CLOUD Act expressly brings data stored by US-based companies anywhere in the world under the purview of US warrants and subpoenas.
This is an option. I saw somewhere a news that they might license the entire GCloud to a French provider but I can't remember where and when.
It really makes no difference where the data is stored once it's accessible by a US company:
"The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil."
As mentioned by other commentators, this is not enough. Schrems II ruling exposed the risk here. If servers are in EU but are undereffective control (even via proxy) of country with inadequate control (US, RU, CN), then you can't use data location as argument.
The problem is not only the geo location of the datacenters. As long as these subsidiaries are under the control of a USA corporation, this is illegal, since the USA corporation can be requested by the USA gov to share any data they may have not matter where it's stored. Only options are a 100% GDPR compliant solution (European or from a country with similar laws) or self-host. Hopefully another Privacy Shield like agreement will be in place soon.
> another Privacy Shield
its real name should have been privacy hole
Building out the infrastructure necessary for Cloud to be compliant with region-stored data was a multi-year project.
Huge swathes of Google's architecture (especially its legacy architecture) have deeply-ingrained location-agnosticism assumptions. It turns out to be extremely complex and expensive to remove those assumptions given the way Google handles data once it hits their datacenter fabric.
(Not impossible, mind, just that this assertion that it wouldn't be that hard to do is in "I could build Twitter in a weekend" territory).
Oh, no doubt. They've 100% been gambling that they could get away with it. The GDPR has deviated increasingly from what their leadership assumed would be a reasonable position (it continues to drift from the American centroid belief on who owns what data; for Americans, the notion that you can use other people's computers without them keeping records of how you used their computers is kinda weird, and Americans lack the direct historical experience to have the kinds of concerns about mass-citizen-tracking that Europe does).
My prediction is that as things move forward, they're going to find it isn't worth their money to offer Analytics for European customers if the GDPR continues to make that more onerous (especially since the monetization story of Analytics for Google is so threadbare) and just offer it for customers in other countries while Europe does its own thing. Win-win.
It wouldn't be hard for Googs to do this on their own so that they comply with the rules/laws in the markets they are operating vs giving it to the end user as an option in the configs. Most people using GA probably wouldn't know what any of that meant anyways. They just want the numbers so their marketing people can tell them what to do next. I'm talking the people running sites on Wix type sites vs having an actual dev team that can push back against a marketing department
I don’t find it idiotic. It was the client’s decision to spy on its users. I have no sympathy for companies who make that decision.
Why do you have to be sympathetic to the client in order to also condemn Google? If someone was selling bleach as a cure for autism through a network of distributors, do you have to be sympathetic to the distributors in order to condemn the manufacturer?
> It was the client’s decision to spy on its users.
Calling it spying is a little far-fetched I think, when the problem was the transfer ip addresses to US servers, not Analytics itself.
Oh, I think I wasn't clear. I meant saying that the client is deciding to spy is a bit far-fetched. Google of course.
It was the client’s decision to use the service.
Which is a decision to spy on the users.
What about Italian websites that serve customers outside of Italy?
If they serve customers outside the EU, then they should comply with those laws or not serve them at all.
The CNIL in France is really pushing companies to not use Google Analytics, and you better listen to them here. It seems US companies should really make changes to how they host/manage data to be able to able to work in EU in the near future. (It isn’t a criticism, simply an assesment).
There's nothing US companies can do to make themselfes legal to use here. The legal framework in the US allows dragnet spying on every non-american and american companies are forced to participate in that effort.
They're perfectly legal if they don't process any PII. If a US company serves static content there's no need to fear the EU; they'll just have to disable illegal external integrations like Google Analytics/Fonts/etc.
A company doing business with other companies might find themselves in a position where they can comply perfectly. Not every company needs to collect PII, though these days every company likes to pretend they do.
When PII includes IP addresses it's kind of hard not to process. How else are you supposed to group metrics over a session (since cookies are also forbidden)?
This seems to ban third-party analytics by any US company. The cynic in me feels this is a little convenient in how it advantages EU organizations over foreign ones...
You don't strictly need automated analytics to sell services to foreign customers.
Collecting most if not all analytics is forbidden, for sure, but analytics and metrics aren't inherently required for businesses.
The European Commission's official website[1]
[1] https://ec.europa.eu/info/law/law-topic/data-protection/refo...
The article says it:
“The Italian SA reiterated that an IP address is a personal data”
Session cookies are allowed if the user agrees. And if the user doesn't agree, you have no right to process PII to group metrics over a session. That's the big shift here, assuming you have a right to build a profile on a user (or even evaluate their behavior) without their consent is not legal under GDPR.
And as a European, I'm very glad that's the case. I know, we're still not close to compliance with GDPR, but it has changed the privacy discussion more than any other part.
> group metrics over a session
How is that something that is essential to providing a service?
I suppose that it's somehow "commercially advantageous", but there are many other commercially advantageous techniques that are simply illegal - such as taking a customer's money, but supplying zero in exchange.
A company's profit needs are not an end-run around consumer protection laws (which is what GDPR amounts to).
>They're perfectly legal if they don't process any PII.
Personal data, not PII. The GDPR does not care about PII (except to the extent that the set of things that are PII is a subset of things that are personal data).
So reading the English text it is not clear what exactly is the unlawful part. Is the fact that data is flowing to US based servers (which I assume is trivially managed by changing GA server location to Europe) or the fact it is flowing to an American Headquartered company, regardless of where the data is flowing to?
Can someone comment if the Italian language text is clearer? Or ehat is in the judgement?
There’s a bunch of steps, but jumping to the extreme, a foreign gov having access to the data is the awful part.
Data flowing to the US violates that, assuming Google US cannot refuse US gov requests, the headquarter having access to the data is also not accepted.
Well HN, how about a badge for links indicating whether it uses ga? We have to start somewhere don't we? Or we'll continue to see the web decline. Actually, from my PoV, it might be too late already. Maybe it's just me or people in EU being harassed with banner popups, but I hardly go to any link anymore, and so do many other people I know. It's just not worth it.
> how about a badge for links indicating whether it uses ga?
Sounds like a browser plugin would be best for this, then all links across the web could show it. Or you could just block it in uBO and not think about it again.
A bit individualist solution but you can block it with NoScript on your browser
I'm an American, but I occasionally use an EU VPN. I don't understand how EU residents can tolerate the number of cookie/privacy/GDPR/whatever popups every site has, even on the sites of EU companies.
We don't. Outside of a few greybeards the vast majority of the population would gladly send all of their data including dick pics and credit card numbers to remove those popups.
The law was absolutely useless because 99% of the websites have an illegal implementation and still added a major annoyance in the form of the popup / banner.
My impression is the lawmakers assumed that companies would do what they go on about in their blogs and marketing material all the time - ensure the best user experience for their customers, which they could do by properly complying with the GDPR.
Instead, the companies took their masks off and decided to beat us over the head with illegal consent popups to trick us into believing that a damaged user experience is the only possible outcome of the GDPR.
We Europeans are generally used to do whatever the government tell us.
We don't have the same culture as Americans.
Don't get me wrong, you had a pretty bad deal as well: without much fanfare, your government grew up so much in the last 200 years that it became the largest employer in the world. You pay loads of taxes (even more than several EU countries) and get very little benefits.
And yet, I'm sure that if we will get to a political solution to the ever-growing cancers that governments are, that solution is more likely to appear in the states than in Europe.
Europe is a hopeless - albeit beautiful - land. The people gave up change 50 years ago.
>We Europeans are generally used to do whatever the government tell us.
As opposed to those who used to do whatever the private companies tell them?
Err, just to avoid further misunderstanding: I'm pro-GDPR ;) and think it's right to confront users with the hydra behind the crap on the web. What I think has destroyed the web is attention economy, monopolies, the race to the bottom, and lack of incentive for quality content.
Agree though that Europeans could do with more libertarianism and less trust in state; it's something that's been a big issue for me since at least CoVid hysteria.
I've slowly started ripping Google Analytics out of my Rails projects and replacing it with https://github.com/ankane/ahoy.
It's so much better! I can just use SQL to see what's going in and not get overwhelmed with 100's of visualizations and complicated dashboards.
I use Ahoy too, but I don't have very good visibility into the data. I should spend more time building queries and creating charts. I should probably set up blazer as well: https://github.com/ankane/blazer It would be really nice if Ahoy came with a web UI that covered all the basics.
Agreed. It would be a really great open source project to have a dashboard with all the basics in addition to standard Ahoy event captures.
Regarding forbidden countries, it’s not forbidden in the Netherlands, yet. They will announce a verdict in a form of a report by the end of 2022 [1].
To give people an option and pink something else over Google Analytics, I have built an alternative, Simple Analytics [2].
It doesn’t use cookies or any form of tracking and you get still the useful data that 80% of the website owners need.
[1] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/interne... (in Dutch)
Worth mentioning that DPAs tend to work together to prevent conflicting laws across the EU. Following Austrian, French, and now Italian rulings, it's almost guaranteed that the Dutch authority will come to the same conclusion.
Yes, I think so too.
How do you track "visitors"?
With a referrer, see these docs [1]
[1] https://docs.simpleanalytics.com/explained/unique-visits
I'd be terrified if I was a EU company at this point. There is not logically way these same rules don't apply to using AWS, GCP, and Azure. There isn't enough other cloud hosting with nearly the same capabilities in Europe to handle that day.
GCP and Azure have options to keep all data within the EU, I'm sure AWS has something to at this point. In France GCP is approved for public business, so it seems to be working fine.
On your general point, we're way past the point where a company is allowed to blindly use any random SaaS without caring about what it does with the data or where it goes. The pendulum is clearly swinging back.
> GCP and Azure have options to keep all data within the EU
I wonder how much of a difference this makes, if the DCs still belong to these american companies and this thing exists: https://en.wikipedia.org/wiki/CLOUD_Act
GCP made a few adjustments to have something that is compatible with both US laws and the GDPR
https://cloud.google.com/blog/products/compliance/how-google...
From memory, gov entities also have deeper customizations, and data centers might be separate from customers and the standard Google operation altogether.
There seems to be a difference between "B2C" stuff like ad tech and tracking and "B2B" like AWS. The latter seems to be more eager to be compliant, I assume only to prevent local / regional competitors to fill a gap but still. Plus all the nice public contracts to be had.
I use NoScript and block Google analytics, facebook, etc. It's nice that they use a domain separate from google.com, making it easy to block.
Yes. I have all their analytics and ad network domains blocked in my hosts file.
Meanwhile, COVID-19 certificate app for Czech Republic citizen's uses Google Analytics. We are not the same. Good job Italy!
Suppose I run a website in the us and a user in Italy connects to it. Does this mean I’m now breaking the law serving them the website? My connection logs now have pii.
What if I use a cdn that has points of presence in Italy and still pings my server with a head request and the end user ip?
Am I also now breaking Italian law by using google analytics?
> Does this mean I’m now breaking the law serving them the website?
As the article specifically states:
The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.
So, unless you are collecting EU citizens user data, transferring it to US and have the capabilities to enrich such data through additional information you hold, no.
IIRC, it basically only applies if you're actively doing business in the EU, or courting future business.
So, if you have a personal blog that grabs IPs? Not illegal. If you start a merch shop for your blog (or put in ads/sponsored content, etc.), then the whole site needs to be GDPR compliant.
> If you start a merch shop for your blog (or put in ads/sponsored content, etc.), then the whole site needs to be GDPR compliant.
And you do business in the EU. If you have a merch shop, but don't serve EU users (no EU shipping, not accepting EUR as a currency, no EU specific languages (German, French...), ...) there is no problem.
That is not how law, jurisdiction or sovereignty works.
If I run an export business from my own country, the only law I need to comply with are the export laws of my own country. It's the duty of whoever is buying it on the other end to make sure they are allowed to import and possess the goods.
The EU does not own the right to use languages. I can use German if I choose without ceeding an inch of soverignty to the EU.
The EU does not control what data I collect when running my website. I might be required by my home jurisdiction to collect details on controlled export goods, and I might be required not to tell the user.
The EU controls the Euro currency, but they cannot make it illegal to me to use it, or attach special conditions to its use. They could convince my own government to sanction me, or aid them in sanctioning me, but that would be my own government affecting me, not the EU.
Your countries laws stop at its borders. Stop trying to control other people who have no say or vote in the laws. It's anti-democratic.
https://en.m.wikipedia.org/wiki/HTTP_451
> After introduction of the GDPR in EEA it became common practice for websites located outside EEA to serve HTTP 451 errors to EEA visitors instead of trying to comply with this new privacy law. For instance, many regional U.S. news sites no longer serve web browsers from the EU.
As more and more country specific legal regulations are raised, I wonder who will be the ultimate gatekeepers of the general internet when certain actors behave against the "rules". The current landscape is a complex system of seeming contradictions straddling different levels of public and private, centralized and decentralized, anarchical and moderated, etc.
Will ISPs be forced to cut off traffic from certain areas? Will centralized companies like Google and Reddit be forced to comply with regulations or cut off services in certain areas? Will governments set up firewalls? Will the buck of responsibility be passed upwards to service providers like GA, or downwards to individual site administrators?
Nah, they’ll just slap them with a fine now again as a substitute for direct taxation and let them do what they do basically unchanged.
Once the Europeans have to use a foreign proxy to see the regular internet, like the Chinese, then we will have a real discussion on online privacy.
Have you tried to go to rt.com hany time recently?
Still works for me from the UK
We already do.
I'm actually just about to get rid of Google Analytics on DocSpring.com. I set up a self-hosted instance of Plausible Analytics on Render.com yesterday. I really like it so far. I set it up on a custom subdomain so it's not blocked by any ad blockers, so it's really nice to see analytics data that's almost 100% accurate (unless visitors disable JavaScript.) Especially since DocSpring is a developer tool, so most visitors are using an ad blocker extension. Also it doesn't use any cookies, so I don't need to show a cookie banner. It really feels like a breath of fresh air.
Hindsight is 20/20 but wasn't it clear that the company selling ads shouldn't be in charge of metrics for traffic and ads? Just like the TV channels had to rely on media rating firms.
Not sure an ad company should he in charge of a browser either
Oh and don't forget a major OS
From the article:
> A website using Google Analytics (GA) without the safeguards set out in the EU GDPR violates data protection law because it transfers users’ data to the USA, which is a country without an adequate level of data protection.
> Upon expiry of the 90-day deadline set out in its decision, the Italian SA will check that the data transfers at issue are compliant with the EU GDPR, including by way of ad-hoc inspections.
This follows similar decisions by France [1] and Austria [2].
[1] https://iapp.org/news/a/cnil-is-latest-authority-to-rule-goo...
[2] https://iapp.org/news/a/far-reaching-implications-anticipate...
2008-2018: Banking reform
2018-202?: Data privacy
I wonder what the next trendy thing government officials will pretend to care about/fix in order to garner media attention. Something crypto related, maybe?
The last time I checked, the Google Analytics' Terms of Service explicitly prohibited its use on web sites involving healthcare companies.
That gives you an indication of how invasive it is — that even Google doesn't want to handle the personal information, because it can't be made HIPAA-safe.
Naturally, the majority of healthcare web sites use Google Analytics, because nobody ever reads the Terms of Service.
> The last time I checked, the Google Analytics' Terms of Service explicitly prohibited its use on web sites involving healthcare companies.
You're missing a key part of the sentence you're remembering:
> If you are (or become) a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.
Healthcare companies can absolutely use GA on their websites as long as the website isn't involving PHI or ePHI.
I don't understand.
They can host locally the data and remotely query it.
What's important is the "intelligence" the data does provide: giving critical and unfair advantage for those who have the whole data.
For instance, microsoft has an unfair advantage almost anywhere because they have access to the whole linkedin database.
European companies are not allowed to share PII with American companies. That goes for companies with a headquarters in the USA or subsidiaries that may be forced to share data thanks to laws like the US Cloud Act.
Previously, the EU exempted the USA through an "adequacy decision". That was later deemed illegal under EU law as American laws could not guarantee the privacy of EU citizens to the extend the GDPR prescribes. Then the EU tried again, and again such a decision was also overturned in court. The EU is working on another attempt at letting the USA track PII of EU users, but until they do that again (probably for another few years) it's illegal to share PII with American companies in almost all situations.
This is the third time a data processing agency has declared the use of Google Analytics illegal so it shouldn't really come as a surprise to those following tech news.
What's important is that the data is PII and that it's going to a place that can't guarantee privacy to an acceptable standard. Business advantage is irrelevant. The intelligence the data provides is also irrelevant. European privacy laws serve people, not businesses.
That does not change the issue: EU microsoft has a local unfair advantage in EU because it has access to the whole database of linkedin (which they own).
Additionaly, denying remote access is almost impossible to enforce. It would require a efficient and permanent deep monitoring of their servers.
linkedin should be illegal since this data should not be privately own.
I’m supporting of privacy, but it’s amazing how heavy-handed European regulation can be, and how difficult it can make understanding even basic metrics about our business and how those metrics have shifted over time. I suppose their intentions are good though.
Suppose you had an internal tracking library, aggragating data fetch from your own site and mobile clients, all data saved in a data center managed by your country's most reliable provider. EU directives would be a no-brainer.
That scenario has always been an option, and would be the most common case if Google didn't provide their own service for free or at cost. What's happening with the EU feels disruptive only because Google had such an unatural position in the market.
All of that is because of the cloud act, non american companies won't have as much issues. The obvious solution is to remove this spying law breaching EU laws and common sense.
15 years ago Google Analytics was cool. But ar some point Google ditched the "Don't be evil" culture and tried to get as much out of Google Analytics for themselves, that it became unethical.
As long as they haven't died ...
I'm building my own open source analytics solution exactly for this reason.
At what point do operators just start blocking access from EU countries. It's hard to imagine its worth jumping through all the complexities here at some point.
Bring it on. Anything that disconnects people from the American tech industry and encourages domestic competition is a good thing.
Sure. Block access to 450 millions people because it is inconvenient to respect their privacy.
They already do. Example: https://www.tribpub.com/gdpr/baltimoresun.com/
Time to get off my arse and write a self hosted privacy oriented analytics tool. Whatever happened to awstats. The question is - how to monetise on it?
What is a watchdog in this case, isn't it a non-governmental organization?
in that case how can they ban anything and what does that mean?
This is an English translation from "Garante" which is actually a stronger word - more like Guarantor. It is an official authority with teeth.
Exactly. Just to clarify, this is the authority responsible for those multi-million dollars fines against faang
Certainly in UK English we use watchdog to mean any organisation that has an oversight role, frequently government ones. For example the Financial Services Authority might be described as “the banking watchdog”, it is very much a government agency.
Why do you think watchdogs have to be non-governmental?
For example:
https://www.theguardian.com/technology/2022/may/05/uk-watchd...
It's likely a bad translation.
The Italian SA is the Italian Data Protection Agency (DPA), one of the per-country European regulators https://ec.europa.eu/justice/article-29/structure/data-prote... . Which acts under the GDPR and predecessor data protection laws, and is very explicitly a governmental regulator.
Aren‘t there like about 100 google analytics clones available that do exactly the same thing?
I wonder what will happen with websites that use payments integration like PayPal or Stripe.
Man, wish we’d do that in the US. Not sure what else to insightfully add after all these years.
Google is sucking in so much data that at the end it will be outlawed everywhere.
anyone runs self hosted matomo/piwik instance for analytics?
These guys are my heros
Good. US citizens should be, at least, disappointed that their government is so bad at protecting their privacy, that US law is so far behind the times.
To those companies and people who find these EU decisions baffling or inconvenient: tough. If you had had respect for your users this would not be an issue. You would already not be spying on them.
To website visitors: if you see a cookie banner, the site is asking permission to spy on you. If that concerns you, close the tab.
I'm not disappointed I'm infuriated. Because the US uses technology companies to get around the 4th amendment all the time: https://www.salon.com/2013/04/24/government_giving_att_other...
The US isn't "behind" it simply has no intention of moving in that direction, despite the 4th amendment making it really clear they're not allowed:
>The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
> To website visitors: if you see a cookie banner, the site is asking permission to spy on you. If that concerns you, close the tab.
There was a recent ACM article on this. They found there was a large number of sites that don't actually ask permission for anything, they are simply informing you of the spying. Not surprisingly, the ones that did allow modifying cookies were all setup in a predatory fashion which discouraged the disabling of tracking.
The whole system is broke at the moment.
It’s because they’re allowed to use the word “cookies” for it.
If they were required to use specific wording, like for instance “injecting surveillance artefacts” people would probably care a bit more.
Not necessarily. The team that wrote the ACM article did a small user-test using various versions of the "disable cookie" banner. In all cases they concluded that the user was indeed aware of the negative impact of cookies, however, the need to just "get back to the content" often overruled that distaste.
Not surprisingly, the most effective banner they found was the one which had a single "disable all cookies" button. It was something like an 80% hit rate. So, people care, but not enough to dig into another prompt to uncheck a bunch of boxes. This is what the ACM writers referred to as predatory (abusing human nature).
Hardly. It's like the requests for administrative rights in Windows Vista, or the installers with many browser addon bars...
Nice idea in theory, but if it's too frequent the awareness will, at some point, just disappear.
Pragmatically, to what extent do you believe the European laws have protected Europeans above and beyond how American laws have protected Americans?
Basically, what class of badness are Americans subjected to due to behind-the-times data protection laws, that Europeans are protected from?
It's possible for a company, which is seemingly providing you a service since you visited the site, to make money off a targeted ad in exchange for free video streaming/content/entertainment.
The whole thing has always seemed overblown to me. Websites make much more money off targeted ads, allowing them to do things like allow anyone to upload a video of any length and quality for free. And view other videos people upload. In most cases it seemed to me like a fair trade to make. Yet as people point out all the time, technically a website isn't allowed to deny access to someone who refuses targeted ads (through the cookie pop-up), so they're essentially being forced to provide that user content at a loss. Untargeted ads are often worth 90% less or more than their targeted equivalent.
Privacy privacy privacy though, as if someone at Google is manually looking through your history laughing at you.
> Privacy privacy privacy though, as if someone at Google is manually looking through your history laughing at you.
Part of the problem is that it seems more or less impossible to get large companies to keep their data secure. In fact Google stands out as maybe the only big tech company that has not been involved in a major breach.
Notwithstanding the legal and political issues that arise when (not if, but when) this data gets into the hands of law enforcement agencies.
And yes, there have been individual instances of employees misusing sensitive user data.
Privacy is security.
Generally I agree that content providers should be allowed to make money somehow, but this way has proven to be untenable and something needs to change.
Give me the option to pay more if it lets me get more privacy. Otherwise I keep using fake accounts, VPN, antifingerprinting methods, ad blockers, etc.
Some places do. Many German news sites have a "Pur" version you can subscribe to and not get ads.
You won't get a good answer to this because there isn't one. These no realistic, practical harm to people that this EU law is preventing.
Given your comment history, it’s clear that you’re driven by motivations that aren’t at all universal.
More bluntly, you’ve decided that consumer-surveillance-as-a-service is harmless. I’m thankful that the European regulatory apparatus disagrees. Now if only we could remind the American federal government why regulation is a worthwhile effort.
I believe a part of the data-privacy laws and sentiment in Europe comes both from the WWII and the civil wars/dictatorships/etc that happened across EU. When in our grandparents time (YMMV) the government was compiling list of citizens or checking what they were doing in their private lives, it was not to give them flowers. And while that still sounds pretty far from me, it was also fairly recent in the past so that there's some social residue of the sentiment.
BUT to answer the question directly, credit checks to the level they are performed in the USA sound like a horrifying thing and a total privacy breach for us EU citizens.
European laws are pushing to end Chat providers control over social interactions(which is something that shouldn't be done for profit any way) in the Digital markets act, which forces big apps to provide federation APIs.
The EU with the GDPR made an incentive to not use trackers, dont want that ugly tracker on your site ? Then stop selling data, that's why private analytics like Plausible and Umami have sprung to life. And also made it clear how much tracking is on the web.
There is also finally a movement to let the US host everything because really, the US isn't trust worthy.
So, the EU laws, gave better awareness about tracking, gave incentives to not use trackers, and is now working on improving the user experience by stopping the monopolization of social interactions.
Have you heard of Robo-calls? Basically there are no Robo-calls in EU, because you can just add yourself to a Government no-call list. If any company doesn’t respect that, they get a huge fine.
> To website visitors: if you see a cookie banner, the site is asking permission to spy on you.
Or you know...count how many unique visitors they have and how to make the site more useful. Do you avoid using cookies on this site but still manage to log in?
Cookies needed to properly provide user authentication, i.e. user session identification, are counted as "technical necessary" cookies and do not need a cookie banner. You only need to ask for cookie consent, if you track visitors with third-party services. And, to counter your unique visitors claim: you don't need cookies, or any third party service, for that. Everything can be done locally without disrespecting user privacy.
Exactly. HN doesn’t need a cookie banner because they’re not spying on their users. No barrier to keeping track of sessions.
> and, to counter your unique visitors claim: you don't need cookies, or any third party service, for that. Everything can be done locally without disrespecting user privacy.
how do track unique visitors without cookies, and how is that way less "disrespecting" of user privacy than a cookie?
IP and User Agent, for example. Goaccess[1], a tool to generate statistics from webserver logs, is capable of calculating unique users. Calculating unique views entirely on your own server without any of that data leaving it, is way more privacy friendly than urging your users into accepting cookies so that Google can harvest their data and send it to their US servers.
I wrote "disrespecting" because using GA is exactly this for me. Website owners give a f** about your user privacy just to save them some work, without caring about any of your users' data.
[1]: https://goaccess.io
Do you know the difference between cookies and a cookie banner? Do you understand why this site can have login sessions, and even keep track of the number of unique visitors, yet is not required to have a cookie banner?
What do you think the _ga attribute is in their cookie?
Isn't there an exception for authentication in the consent requirement, but not in the inform requirement?
Have you researched to know if this site is hosted on a US server? I wouldn't be surprised if it is and I also wouldn't be surprised if your IP address was additionally stored in a log somewhere for a period of time. In the US.
Yes but they are not tracking you with third party services, so regardless of where the server is they would not need a banner. The banner is a request for surveillance permission.
My buddy is a manager at a chemical plant, and your comment reminds me of a very astute statement he made recently.
“I don’t generally like unions. I’ve worked at both union and non-union plants. But anytime someone else complains about unions, I remind them that if they have a union at their plant, they earned it.“
When union plants are shuttered in favor of non-union plants, did they earn that too? Or does this logic only apply in one direction?
I think it's fair to say that most unions have been established as a sole result of proportional human effort, while the same cannot be said for the success of most businesses. There are many instances where an existing imbalance in power or resource ownership is a significant factor in a business' success.
His point is having a union established often means the problems were really bad.
Yes? Why wouldn't they?
Sounds like a manager's take on unions, at least he sounds somewhat reasonable. Good on him
Yeah, even as a very pro-union guy (film background) I couldn’t really take issue with that stance.
Yes “we care about privacy. But we also want a back door to all encrypted communications”.
https://appleinsider.com/articles/22/05/11/eu-plans-to-requi...
America is the LTS branch of Democracy.
Privacy improvements will be pulled in along with independent political parties in the next kernel update.
You guys are getting kernel updates? Our supreme court is taking us back to v0.1 from 1800
I think the support contract ended a while back
more like the archived repository on Github
More like the bitrotting prototype ;)
and global wealth.
If a modern democracy requires an ever-growing government I think I will stick to Democracy Stable.
Here in NH we have a group of people trying to compile their own. I never thought of them as distro hipsters, but it tracks.
My impression of these people is that they generally use very out-of-date versions, and they misunderstand/misuse configuration settings to the point that their builds are illogical for anyone's needs, despite their surface-level appeal upon skimming the manual & ancient mailing list messages. So the government performs efficiently for some very specific workloads, but generally lacks necessary features to run society at web scale.
Agreed i'm not interested in "ever-growing"...not for a distro nor a gov...but i am interested in an evolving one for the better - i.e. improve effectiveness, and reduce bloat if it adds nothing of value. ;-)
Thinking that the situation of the majority of Europeans is the same as the propaganda that you read is a big, big mistake.
The economy is pretty bad in the USA too if you aren't a white collar tech worker (or in a handful of other white collar fields). Maybe not as bad, but it's pretty rough for a lot of people, possibly a majority, and it's definitely unsustainable.
An equivalent regulation to the one banning GA in the US would not ban GA because the data centers are in the US.
No one is asking for exactly the same law, just the same results: more privacy.
If I thought the EU was doing this to protect privacy I'd be all for it. They really don't give a fuck as seen by ever bit of legislation they are pushing for. Yes I also do understand that the EU in general view privacy from the government as illegal rather then a right.
The EU has both enacted the most promising and some of the most backwards, stupid and regressive privacy laws. I'm guessing that it depends on what representative guides it and forms it through the various processes, and what the courts do with it. Overall I think they have moved the needle towards more privacy.
> Yes I also do understand that the EU in general view privacy from the government as illegal rather then a right.
That is absolutely not true, at least not by enough people for anyone to be able to make that sort of blanket statement. I'd also wonder what reasons you have for thinking that, it seems to me like all of the 5-eyes used each other to spy on themselves (besides all of the things done by normal police, various levels of federal police, etc.)
> To website visitors: if you see a cookie banner, the site is asking permission to spy on you. If that concerns you, close the tab.
I'd love to see how often people do anything besides click okay anyway (I'd be very surprised if it wasn't 99%+).
Unless there is a very simple "reject" button, I click okay. Between Firefox's native protections, DNS-level blocking and uBlock, I have a lot more confidence in my own protections than I do in their honesty, and it's not worth it to me to uncheck a bunch of boxes.
Sometimes it's easier on mobile to just accept all the garbage cookies and then clear my cookies & site data after I'm done with the page.
But they are probably fingerprinting my phone anyway through other means.
Yeah clicking anything but okay or reject all (which I rarely ever come across) is usually a maze of options no one has time for except some tiny dedicated minority.
Really? I could have sworn the EU regulation requires dropping all non-essential cookies in 2 clicks or less - and that tracks with nearly every site I interact with that has a cookie banner.
Well I’m not an expert but I think the main issue is that American citizens have protections that non-Americans do not. The government cannot spy on Americans without a court order.
Unless they have an intelligence sharing agreement with a nation that happens to pick up signals from americans, from who they can request that data. And maybe there exists a network to share the raw data, wouldn't that be convenient? Or you could have a secret court system (FISA) to bypass most of the protections normally granted by due process?
> The government cannot spy on Americans without a court order.
Have I got news for you. Specifically at least 100 years of news.
The word "spy" is so loose these days. I'd consider the vast swaths of metadata other companies compile on me "spying" to an extent.
> You would already not be spying on them.
Can you point me to the part of the ban that says it's about protecting users from "spying in general" and not "protecting users from spying by US companies instead of EU companies that EU member states can obtain PII from at any time"?
> "protecting users from spying by US companies instead of EU companies that EU member states can obtain PII from at any time"
I want to quantify this quote. Each EU country can spy on its citizens to similar extent as 3 letter agencies from the US, but in a less analytical/big meta data way (part of it being the US brain draining EU countries for those working in tech).
However, if EU country A wants to have access to its citizens user date on website X located in EU country B, is not an easy process; involving a strict judicial system between those countries.
I think your logic may be a bit muddled, or I misunderstand your question (but, if I take it literally, my answer would be “no”.)
Not spying ⇒ not using GA ⇒ this ruling moot.
If you feel this way I hope you do research before visiting any website at all, because you might accidentally connect to a server in the US and your IP address will be in the TCIP stack of that server and probably the logs too. US servers that are intended to serve US customers have no obligations to you.
What about Australian citizens?
I've been using clicky on a few of my sites and even though they _assure_ me that it's totally compliant with gdpr I don't really believe them, does anyone have a decent alternative for analytics that respects people's privacy? I just want to see when I get new vs returning visitors on a page. Cloudflare's analytics are okay but I like how granular clicky can get, but if there's no good way to do that I think I'm just gonna ditch clicky and make do with the cdn analytics. Hell, I bet the cdn already does everything I need and I just don't know how to use it right, or I'm not paying for the right tier or something.
matomo is something you can self host
Note that you must make sure that your host is not in the US as well.
There's several self-hosted solutions, as well as several GDPR-compliant SaaS solutions. They generally work pretty well; I've seen people set up, for example, Plausible, in a couple of hours on a cheap VPS.
Google needs to do what apple is doing with PrivateRelay and putting double blind proxies in place so PII can be stripped before Google gets its hands on it.
This is why we built Scale8.com !
An open-source and privacy-friendly alternative to Google Analytics & Google Tag Manager :)
GA is simply not compliant...
i’d support any legislation that booted google, fb, ms, adobe, salesforce, and a whole host of other surveillance tech companies from any and all levels of government. it’s literally as important as the separation of church and state. in fact, i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones, in all facets of civic life (e.g., campaign finance).
This is just naive. Government offices/agencies are so tightly coupled with packages like office 365 that forcefully separating them would require home built solutions which would always be terrible, less secure, and more expensive to the tax payer. There’s a lot of good these products can provide, granted they are properly audited and have high security requirements.
Idk here in France there are cities and state-wide administrations with free/libre stacks based on Linux, LibreOffice, Zimbra and others and things seem to JustWork™. For instance the french Gendarmerie, the cities of Rennes and Arles...
Arles is getting suckered by Microsoft, sadly [1]. Unfortunately all it takes is one idiot to get in office once to kill this kind of successful initiative that has been running for almost two decades.
[1]: https://larlesienne.info/2022/02/22/la-municipalite-de-carol...
Are there any high functioning large companies that use Linux/LibreOffice/Zimbra? I suppose governments rarely aspire to be high functioning.
> Tom from IT needs a sign off from three separate people to get a new Office 365 license for Brenda in accounting
That's unlikely, and if so I doubt Libre Office would liberate Brenda. It may be the reverse. On-boarding or moving Brenda between functions would mean provisioning her for internal ID, identity, email/communication, security, network/group access and permissioning, physical device(s), etc. Various parts of Microsoft 365 would just be part of the checklist and deployment, an integral part.
Microsoft make the above very smooth. I don't think someone slapping Libre Office on a PC makes any of that a thing of the past. Any realistic alternative needs to be all the way down the stack.
"Using Libre Office rather than Office 365 is unlikely to be the limiting factor in how fast anything in a government office is going to run."
Depends. When odf would be the standard maybe, but it isn't. Standard is microsoft office, and libre office is not 100% compatible. But you will still have to deal with lots of microsoft documents, from all the other agencies, ordinary people, companies, ..
Meaning, when Munichs government tried to switch to oss a few years ago, they did indeed lost a lot of time with broken documents, templates, layouts etc. so they ultimately switched back (direct microsoft lobbying with even Bill Gates getting personally involved might have played a role, too).
So I am all for an open standard, but this easier said, than done.
> would require home built solutions which would always be terrible, less secure,
I disagree. It would be relatively straightforward to build such systems on Linux and open source.
> and more expensive to the tax payer
As a proportion of Italy's GDP, the cost would be negligible, especially given that this is a matter of national security, something governments tend to be keen to spend money on.
> As a proportion of Italy's GDP, the cost would be negligible
After how many failed rewrites that never deliver a working product?
The assumption here seems to be that the government would be writing the software, but it would go out to market. This would be a fantastic opportunity for a local software company to put out something in the space. I'm foreseeing more of this kind of thing as data sovereignty becomes a more considered issue by governments.
The other undertone I'm getting from this thread is that people think America has a monopoly on building software, and that's simply not the case. It's not hard to find companies doing really good work outside of the US. There is also nothing special about Office 365, it doesn't have a technology moat, it just has a surmountable interoperability moat and a social moat.
Zero. Start off with using the latest Ubuntu LTS. Then add stuff as needed.
I didn’t read it as government can’t use commercial products. Just that the corps couldn’t influence politics. But I’m not the OP, so I can’t speak to what was intended.
More around the storing of data. This is why Scale8.com is on EU servers...
> are so tightly coupled with packages like office 365
Are they though? Do you know this for a fact? I mean, sure, MS Office is very popular in government settings, but does this really go beyond the possibility of just replacing it with LibreOffice if they so decided?
Sharing a link to a document that others can edit in the cloud is much more convenient than emailing around a _final_v3(2).docx document.
Well... there's Collabora online:
https://www.youtube.com/watch?v=xbQFTkFaYlo
or Box/DropBox/other cloud storage services, which is less convenient than proper collaborative in-pace editing, but you can still get the file at the link, edit it and upload it.
I obviously can’t speak for all, even most, but back in my consulting days I can say the many US federal and state agencies use Azure AD and a litany of AWS services that are core to vital work streams. Enough that having to shut them down would neuter the department.
> Enough that having to shut them down would neuter the department.
You've just identified one very good reason that they shouldn't be dependent on a single, proprietary vendor.
Really, I was surprised to find your original comment on Hacker News, especially with you ironically fronting it with calling other people naive.
Most developed countries have several offices/agencies that already run 'home built' solutions, they just don't get talked about much.
They get talked about incessantly at the local Microsoft HQ.
your whole argument is based on the assumption that proprietary software is superior in every single metric. thats just patently false.
ah, the ad hominem, never a good sign for the proceeding argument.
there are a number of other office suites that are entirely adequate for bureaucratic organizations to build methodical processes around (which is what bureaucracies do). the capabilities of the underlying tools don’t matter much in this regard.
also, audits aren’t meant to prove anything (like security), but instead to shift liability.
> ah, the ad hominem, never a good sign for the proceeding argument.
An ad hominem means using an insult as the basis for rejecting an argument, e.g. 'that is wrong because you are [attack]'. Saying an argument is naive and then explaining why is not an ad hominem.
None of the lines of reasoning were an ad hominem. From your other comment[1], it seems like you think "ad hominem" just means "being rude to someone". I recommend reading the GP comment's description of ad hominem again: it means making a logical argument that depends on the speaker's personal characteristics.
"You're European, so your argument is biased and wrong" is an ad hominem. "Your argument is naive, here's why I think that" is not. The latter is logically downstream of the argument, while the former is upstream.
A car has multiple parts, but it’s still difficult to use if you only use/look at each one separately
None of it was ad hominem.
> ah, the ad hominem, never a good sign for the proceeding argument.
GP never says that you’re naive, but the comment was.
>, ... it signals a triggered response
This is, at best, a stretch.
I have no idea what it is you're trying to say but I did laugh that your username is clarity! :)
The average large organization uses over 100 SaaS products
https://www.statista.com/statistics/1233538/average-number-s...
I would love to see you replace all 100 of those with open source software.
Have you ever dealt with large technology migrations?
Are you going to also train staff to use the new open source software? Where is the open source SalesForce equivalent? Workday? Concur? Device management? Email service? ServiceNow? Time tracking? Photoshop? Are you going to also force every employee to use Linux instead of Mac and Windows? Are you going to tell them to rewrite all of their software and business processes written on top of Oracle and SQL Server? Should they also rewrite all of their bespoke mobile apps to support open source mobile operating systems? Are you going to migrate all of their Office documents and SharePoint? Are they going to move all of their project management processes from Microsoft Azure DevOps (aka Visual Studio Online)? Are they going to move all of their call center software to open source? For school systems are they going to move their fuel procurement software? Many education systems are partially funded by the lottery. Are they going to move their backend systems from GTech? Their lunch programs payment systems for students use a third party, are they going to move that too? Their ATS? LMS? Grade tracking software?
You migrated a product. Were you involved in migrating the entire infrastructure of an entire state?
Yes, I speak from experience, migrations and modernizations are kind of my job.
100 SaaS products in one org sounds like a security and logistics nightmare.
So do you think open source or the government producing their own software will be better?
Russia has that. Just typewriters and stationary.
Sounds like it would create jobs too, that's a plus not a minus lol
"Creating jobs" to inefficiently solve a solved task is not a good thing, it is society burning it's tax income. It is only good to create jobs when the output of those jobs is increased value.
> . And capitalism loves competition. You can't have competition under a monopoly.
And the govt. is the biggest monopoly of all.
Somehow, restrictions against US firms are praised but if US imposes restrictions that is condemned (e.g. TikTok).
If there isn't anything generally available that doesn't have telemetry, then productivity software w/o telemetry isn't a solved task. If you accept LibreOffice and the like, then it's a solved task but you'll still need someone to manage it, hence job creation.
less secure? can it get worse than ms, outlook and active directory foo? they incepted their own industry around their unsecurity, lol.
terrible and more expensive is also a joke, but not as big, you still could got to ibm or oracle if you want to pay more for less, admitted
The legal and moral question is one of data sovereignty, not tools vendor. I suggest the GP comment be read with that context in mind.
Rubbish, there has been a concertive effort by the US to undermine other countries including so called NATO allies in order to dominate the world, its been going of for decades.
I refuse to use the NHS here in the UK because of the widespread use of Microsoft everywhere.
> in fact, i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones
I don't think you comprehend the scope of what you're suggesting.
I work for a school district and I'm currently migrating our system from using one commercial bus routing service to another... using Windows, SQL Server, Teams, etc. from Microsoft... using a laptop, dock, three monitors, keyboard, and mouse from HP... and today the elevator was broken so we called a repair company to come fix it... oh, and some company makes the school buses, and the networked phone on my desk, and the printer around the corner, and all of the paper in it... the fluorescent bulbs above me don't grow on trees...
you can't just expect governments, even at the national level, to roll their own everything without interfacing with corporations in any way—this is a hopelessly naïve view of the world. I am just as uncomfortable as you are with data being shared with corporations, but you're going to have to figure out a more realistic set of political goals than what you've outlined here.
it's not really aimed at governments, so much as corporations that feel entitled to sneak in ancillary interests into their products, like surveilling the public. basically, it's to force companies like microsoft to remove all that other shit and provide just the core software, if they want access to government largess. this has beneficial externalities for us, the residents of said governments.
sure, and like I said, I agree completely. but you can't just say "i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones", unless you're proposing that all corporations should be state-owned and -operated, and that's not really a viable solution, plus it introduces a whole host of other problems.
but even if you just mean to say "government should not share citizens' data with corporations", well, there are presently two (until our license with one is up at the end of summer) separate corporations that both know where every kid in my school district lives, what their special ed needs are, what their parents names are, what their parents' contact information is, if they live between multiple households, and so forth, because that is the explicit purchase of their business, and that why we purchased their software. the same goes for another piece of SaaS we recently purchased a license to involving food service management for the school system. when designing the data export we opted to not follow the part of the schema that wants SSNs for the students (because why would they need that?!), but that might not be the case for other districts using the same software.
my point is there are a lot more interconnected corporate software services sharing citizen data at play in contemporary government systems than you probably think, and, once again, even though I agree with your position with regards to sharing citizen data with corporations... I think that ship might've pretty much sailed sometime in the past few decades.
> a lot of data sharing is driven by the misguided desire to control (that is, to centralize power), whether it be teachers, students, or administrators, not for actual educational outcomes, despite the latter being the nominal impetus.
I have yet to see this occur. instead, it's all about bureaucratic convenience. why hire more people for Student Transportation to keep bus routes straight, and deal with printing out & distributing paper passenger lists to bus drivers, etc. etc., when you could use a piece of software to handle it all for you? nobody at the bureaucratic levels we're talking about here care about hoarding personal information for power or centralization or anything like that, it's purely for convenience and streamlining of bureaucracy.
one might say, ok, sure, but why does it have to be a third-party SaaS that you're SFTPing data back and forth with, why can't it just be a traditional piece of software that you install and manage locally? again: convenience, for all involved. that's one less thing for our sysadmins to worry about dealing with, and when you get enough of these things then you'll need to hire and retain more sysadmins (who we're frequently cycling through as is due to failure to compete with corporate salaries). the software developers of the third-party bus routing software don't have to worry about platform compatibility if the platform they're targeting is the web. parents can easily log into the website to see their child's bus routes and if they're delayed or whatever (apparently this is a real thing real parents demand...). but also, hey, we're already using Office 365, so "what's a few more SaaS solutions to problems we have, at this point?"
what I'm getting at here is the rise of SaaS and the fall of self-hosted solutions to things like this is pervasive everywhere in the corporate world, so if you don't want your tax money "wasted" on even keeping school district student data in-house and secure, this is the world we have to live with now. I'm not saying it doesn't suck ass, another piece of software we replaced is all web-based (albeit locally-hosted) and strictly inferior to the end-of-life Java-based software it is replacing. software kinda just keeps getting worse, and the further stratification of everything into SaaS is definitely not good in the long run. but... that's the current state of things everywhere, so why should government be any different?
if this bothers you about public schooling in particular, then the solution (which I'll likely be doing, but not for this reason) is homeschooling your kids. then their data is only stored in the district database and only transmitted to and from the state and local governments, for reporting purposes.
but more broadly speaking, what's the use in calling out governments transmitting personal information to corporations when corporations are already taking so much of your data themselves? I bought my fiancée a hat with a soda logo on it last week and she was getting ads for that specific soda the next day. how it happened, I have no idea. shortly after I moved back to my hometown, I picked up some groceries for my mom using her credit card, including a can of Red Bull I got for myself, the first I'd had in months. later that day, ad for Red Bull on my social feeds, first I'd seen... in months. whenever I buy booze, I get (different) booze ads on Twitter for days—when I don't buy any booze for awhile, the ads stop.
there's already so much personal information being trafficked between corporations everywhere without our consent, what makes the government sending it to corporations for legitimate purposes so specifically offensive? maybe I'm being too cynical but it seems like the genie's just kind of out of the bottle now for personal data in general. TFA is sticking a finger in one of many finger-sized holes in the hull of a ship which is sinking mostly not due to the finger-sized holes but to the person-sized ones that we're just kinda ignoring.
How far does "separating corporate interests from governmental ones" go?
Can the government purchase a car? Hire a private corporation to build a road? Hire a consulting company to check the security of their (now-free-and-without-a-support-contract FOSS?) computer setup?
It's actually quite simple. The government can buy things services from specific providers, but it cannot force you to buy services from specific providers. In other words, it can buy BMWs for government use, but it cannot say "you have to buy a BMW to enter the municipal office".
The same applies to websites. If a government website uses Google analytics, it is essentially requiring you to do business with a specific company (in this case Google) in order to use a government service.
And if the government uses Cloudflare or GoDaddy or aws it’s requiring you to do business with those companies. This goal is impossible to achieve with any government run service.
It's easy. You just need the government to run fiber to every citizens house so that the can connect directly to the government data center.
Of course some citizens are living over seas so we can provide a satellite uplink for them.
No, those do not see any benefit from me visiting the site beyond what the government is paying them for. Analytics does, they get my data.
> cannot force you to buy services from specific providers
But government can impose requirements, like TAA compliance (1) and SHB requirements (2) on its service vendors, forcing those vendors to purchase from a fairly constrained number of hardware providers.
https://www.dtra.mil/Portals/61/Documents/Business%20Docs/ev...
https://www.afcea.org/site/sites/default/files/files/2-ColLi...
If the government takes your data and runs an analysis on an old IBM mainframe, are they forcing you to do business with IBM?
Is this a bad faith argument? I can't see how the difference of google having the data vs the government (or whatever entity you interacted directly with) is so easy to miss.
Could you expand on the definition of "doing business with" an entity that you're using here? It seems quite non-standard.
If you open the door to a govt office, are you doing business with the company who installed the doors? If you use the toilet, are you doing business with the company that janitorial services are contracted out to?
I see, I think framing it as "doing business" threw me off. Semantics aside, this distinction is meaningful.
This analogy does not apply.
The gov. is using some service and therefore some citizen data is subject to the T&C's and that's it.
If Google were a German or UK company it would be the same thing - everyone subject to those T&C's.
The gov is forcing me to pay the crony corporations through taxing me
Can the government own a BMW bus?
The issue (per original article) is one of data sovereignty, and I’d identify a sibling concern of adopting open data formats.
If those are sacrosanct, the choice of tools vendor matters far less.
where to draw the line is a fair question in any policy debate, and one i'd expect to draw plenty of lively discussion. it's pretty clear to me that surveillance tech is on the outside of that line, but i'm open to reasonable arguments otherwise.
They tried with the church and did not succeed. Why do you think they can succeed with SW.
FWIW I think the "church and state" analogy is genius, it totally resonated with me. I'm going to steal that!
Not only state... I see absolutely 0 reason for my swiss ebanking in the secured web interface to se google analytics and similar trackers. I can clearly see them being blocked by the likes of ublock origin and ghostery in my firefox. Why the f*k should google know where I go in such private matters (and there are tons more, ie if you are lgbtq+ in one of the many restrictive locations, have some less mainstream political preferences etc.). The data once acquired have no reason to be deleted, ever. Too juicy info, and 7 billion humans is not that large group to aspire to track.
I get why google et al want it for their growth/sales, but they are a private entity not owning internet in any way, extremely foreign to Europe with no clear friendly intentions. One of few times I can say I am proud to be living on old continent.
exactly, we need to decentralize power, and knowledge (information) is power. it seems innocuous when we each leak a little here and there, but surveillance tech is vacuuming up every tiny bit of it.
living in europe doesn't much matter, given the reach of these companies and their interweaving into government systems, along with reciprocal surveillance agreements (however-many-eyes countries).
I agree 100%. I have nearly all google domains blocked in my hosts file and was frustrated to find out google captcha was required on a few government websites. I understand rolling your own can be difficult or expensive but it's the government we're talking about here. They're no strangers to spending.
> i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones
How is that possible, since corporations are, by definition, creations of government through law?
i mean, that's like asking how is it possible to compartmentalize anything. as elaborated elsewhere, it isn't about literally separating all interests, just those that harm the public. it's about removing the negative externalies that companies like google impose on us via such government contracts.
> just those that harm the public
But it’s not that simple. What harms the public? Many would argue being able to use data google collects (legally through subpoenas or grey-legally through any of the number reports that have come out since Snowden) helps government agencies by increasing public security—thus the opposite of harm. Being
in that case, it's pretty simple. the snowden leaks elucidated the government's desire to create a surveillance state with the help of corporations, not that a surveillance state would be a net-good for society.
I understand the feeling, but that's not possible, and moreover, after reflection, why should it be so?
If government can literally fine/shutdown your business arbitrarily (as they do for lockdowns, permits, etc.), then they should have a voice in the government that could treat them so terribly.
Unless you mean to say that government should be so much smaller that it doesn't impose separate business taxes, import/export controls, require permitting and licensing and follow arbitrary regulations on those businesses, which I could get behind. Ideally, if there's no advantage or penalty to avoid by petitioning government, won't everyone stop paying attention to government? No gaming the game can happen then!
The problem is that we can't have it both ways, can't restrict a group from petitioning and then pose rules they MUST follow, without a say. That's not democracy at all.
Companies are just groups of individuals after all, and should have just as much voice as an activist group does, like ACLU or Americans for Tax Reform or whatever.
The government of Italy makes rules that apply to Italians and those doing business with them.
If you’re Italian, you do have a say, and if you’re doing international business in Italy then you accept the sovereign risk of dealing with a foreign state.
you seem to be arguing from the corporate personhood stance. corporations still have an outsized voice via their rich owners. they shouldn't, however, be privileged with extra voice unaccorded the ordinary citizenry.
this is the start of the unbundling of alphabet
ottime notizie. vietare google e monetizzare le bellissime spiagge, e mangiare pasta autentica.
I don’t think you’re really Italian ahahah
e w la fica
You do maybe
The US should economically retaliate.
GDPR and these other regulations in the EU exist because EU cannot stomach the fact that they got beat on tech and instead of innovating they are regulating to try and even the playing field.
> the fact that they got beat on tech
What tech is the EU missing out on?
All the recent "tech" I see from the US is all about novel ways to screw & exploit people for profit, at the expense of turning society into a dangerous wasteland full of outrage and saturated by advertising.
No thanks.
Hmmm, or maybe they exist because EU has a little bit more respect for privacy of its citizens than US?
I wish GDPR compliance would have been opt-in. For example, a GDPR compliant website could have sent a custom header indicating compliance, which the browser could have displayed in the address bar (a bit like HTTPS). Consumers would then have been free make the decision to not use websites which aren't GDPR compliant. Consumers who are more concerned about privacy could have set their browser to automatically block any non GDPR compliant website.
Bizarre idea. Should websites be allowed to opt out of anti-fraud legislation? Anti-money laundering? Human rights protections?
Yes? ...this was the original dream of non-national cyberspace and we almost had a hope at getting it. Then the second chance with web3 but this was also spoiled by people getting too greedy and too nasty too fast.
A parallel anonymous-and-free-for-all-but-with-payments-included, smth. like Tor-but-powered-by-IPFSv9-and-Etherv7, will probably emerge in a couple decades done right after a couple failed iterations. Some techs need hardware to catch up to be cheap enough, and only after a few failed attempts they manage to grow a trend... and it will probably will last until it's used to finance a proper starting of WW3 and by then banning it will be too late.
Anyway, we'll enjoy the hell out of ourselves on the new patreons-but-for-snuff-p03n, so it will all have been worth it :)
> Then the second chance with web3 but this was also spoiled by people getting too greedy and too nasty too fast.
Maybe the laws & regulations you complain about are actually necessary because otherwise people will keep being greedy & nasty and eventually outnumber honest people?
I believe your argument simply boils down to "laws shouldn't apply to people". Am I mistaken?
Thanks for clarifying your position.
> this was the original dream of non-national cyberspace
cyberspace was about freeing the people and the flow of information between people, not the corporations that silo the data in their data centers for ptofit.
No, just GDPR? I don't see any valid reason a user might want to "opt out" of anti-fraud legislation but I do see a reason why a user might want to access the non-GDPR web.
How would you write such a law?
You can't make exceptions based on what's convenient for some business.
Why should GDPR be opt-in but not the consumer minimum 2-year guarantee against faulty products?
> ? I don't see any valid reason a user might want to "opt out" of anti-fraud legislation
To commit frauds, for example?
> I also believe that should be opt-in.
But that is irrelevant, we European citizens are happy to have it.
And actually fought to have it.
It's a consumer protection law, what you want is consumers with less or no protections.
> Fraud implies an unwilling party, a victim. Not comparable at all to what I'm suggesting.
I'm quite sure the majority of users visiting a website that hosts GA are giving away their data unwillingly.
Would you opt-in theft too?
The Venn diagramm of the websites that have a Cookie-Popup right now and the websites that would choose to not be GDPR-compliant is a circle.
This change would mean most website couldn't be used by privacy concious people anymore and that the websites in turn are free to track the sh*t out of everyone else. From my perspective that sounds a lot worse.
The web is a mandatory part of public live for most people by now and it's good and healthy that corporations get push back for not respecting privacy.
> This change would mean most website couldn't be used by privacy concious people anymore
wouldn’t the market react?
The market would only react if people were actually aware of the privacy violations. This is what the GDPR is trying to address by making data processing require informed consent.
The vast majority of people (some even on HN) have absolutely no clue how advanced the stalking actually is. You hear every so often these anecdotes about people suspecting Facebook of listening to them; it's actually more creepy that the tracking is advanced enough to successfully infer conversations without actually listening in.
> Consumers who are more concerned about privacy could have set their browser to automatically block any non GDPR compliant website.
It may not be your intent, but defaults matter and what you're wishing for here is de-facto scuttling of the GDPR.
Are you implying that the vast majority of consumers aren't concerned with their privacy and would keep using GDPR-compliant websites? If that's the case, isn't the regulation somewhat against the spirit of democracy?
> Are you implying that the vast majority of consumers aren't concerned with their privacy and would keep using GDPR-compliant websites?
False premise.
Users simply aren't aware, but once they learn about it, they become concerned,
> If that's the case, isn't the regulation somewhat against the spirit of democracy?
That's a really weird argument.
Anyway, that's not the case.
This kind of ridiculous laws do not understand the boundless nature of internet. If you want to protect privacy of netizens simply make a universal law instead of having different laws in different countries.
Since the Internet is not a fiefdom, universal law is moot. Nation states will draft tracking laws that are only only enforceable through tracking in an attempt to gain their slice of authoritarian pie. Pointing to the Google or US is typical strawman BS and gives people a false sense of security because they should assume everyone, not just the Google, is tracking them. Getting people to own their data is an uphill climb, but is ultimately what will curb the negative behavior we're witnessing.
We need a RFC for protecting the internet.
I’m afraid it does understand the boundless nature of the internet, and it wants the owner of the server to do something about it.
Other countries may not want to protect privacy at all. Italians are making rules to protect Italians.
We need RFC’s , We do not need stupid laws written hundreds of years ago.
How does one "simply make a universal law"?
By publishing a RFC.
An RFC won't compel people or companies in the way you hope. An RFC is a request and nothing more. A law is driven by the legal authority of a state and is backed by corporate & financial penalties, prisons, and guns.
Those decisions are good in theory, but in practice they will kill the free web.
The only people that have the work power to put equivalent alternatives in place are the big corporations, that will anyway find a loophole.
I run my small blog, and I can't spend days or even weeks to setup a subpar analytics solution. I won't even start talking about self-hosting an analytics solution which would probably double my monthly server cost for a website on which I earn 0€.
In 2030, if we continue on that trend, websites will be in two categories: belonging to huge companies, or running illegally. It's baffling that people are applauding the end of the free web.
Why does your small blog need an "analytics solution" in the first place, if you earn $0?
Because I want to know where my readers come from, which Google terms they searched, etc.? There's a million reasons to want to know stats like this without earning money...
As a user, I don't want to give this info. I'm glad the EU is giving folks an avenue to express this preference.
That's the problem with GDPR. A lot of people are fine with this arrangement, but the GDPR is basically making it unlawful. GDPR is basically imposing the preferences of other people (e.g. progman32) on us.
Then it's not really free content is it? Put your content behind a "paywall" where the payment is whatever information you're (illegally) collecting from GA and see how it goes; at least then the "payment" you're expecting from it will be clear and users can make their own decision.
> which Google terms they searched, etc.
GA doesn't tell you which terms they searched. They mostly stopped doing this in 2013.
Google Search Console _does_ tell you the search terms, and without any tracking on your website.
Honestly, at this stage the "free web" can fuck right off. The "free web" you speak of generates a lot of negative externalities everyone else has to put up with. If your "free" web needs to attack everyone with spyware for it to exist then it's not really "free".
> I run my small blog, and I can't spend days or even weeks to setup a subpar analytics solution.
tail -f /var/log/nginx/access.log
That is an extremely important nuance which is not obvious from the title.
Most of the people using GA wouldn't be able to set it up correctly. I switched my personal site from GA to Microanalytics, since I wanted to avoid spending time trying to figure out how to configure GA to be conformant.
Google should be the one doing the compliance work. If Italy bans some usage pattern in GA, it's Google that should make it impossible to configure it in non-conformant way.
I agree 100% with your second paragraph. I also hope they introduce massive "percent of revenue" fines when Google "forgets" to ban illegal activity on their (near-monopoly) advertising platform. Massive fines has genuinely changed the behaviour of sales & trading at global investment banks. We can do the same for FAANG and friends.
It's not that bad: https://support.google.com/analytics/answer/6366371?hl=en#zi...
The most difficult aspect is dealing with URLs. But a company that is large enough to be customizing URLs per user, is large enough to make a few JS changes to ensure they aren't sending those details to GA.
Some time ago Google gave EU admins the option to select a local regional (EU) server. This means the data is not send to the US. But! It’s still nog fully legal as the Google HQ (and thus the US government( can still access all the data.
if anyone is curious about why that gives the govt. access:
https://en.wikipedia.org/wiki/CLOUD_Act
(God willing they repeal it, even if only for the international commerce implications...)
This will never be repealed. It was introduced to effectively enshrine a right US authorities have had since the PATRIOT Act was introduced 17 years prior, since that act had become politically contentious and was left to expire.
If anybody seriously thinks US authorities will quietly lose a key power after enjoying it for 21 years, I have a few bridges ready to be sold.
No one said "quietly" -- but there has to be some threshold of backlash that would knock it back. My guess is that European privacy law could combine with it to do enough impact to large American businesses that they'd use their political weight to do something, whether or not it were to improve matters from the perspective of privacy/sovereignty.
something I'm not getting here. If you buy a EU engineered IoT home appliance that has PII including, whether a user is presently inside their home, then every company I know operating in this market uses US based clouds (what other options are there LOL) to do things like digital twin or device shadows but by using a local availability zone.
So this is very different than GA, but depending on the threat-model can be worse. Also very similar metrics can be gathered from the data as from a GA cookie (are they eating, cooking, showering, watching TV).
CloudAct would (or should) in this case also apply here or what am I missing?
You're not missing anything. A lot of companies just have no idea of the legal landscape, or simply ignore it in the name of convenience. That's because consumers are even more ignorant of their rights around technology and don't sue them. It will take a lot of civil litigation for this to change.
They routinely refuse new accounts if something looks fishy (to them). They don't provide extra information or even accept payment in advance.
The watchdogs are extremely slow and have a huge backlog. You’re right that storing that data in the US or without transferring ownership to an EU subsidiary would not be legal.
> what other options are there LOL
This blogpost lists a few :
https://news.ycombinator.com/item?id=27393854
Also, even if no options were available, it's not like the law would care - the illegality of it has been advertised for years...
(what other options are there LOL)
It is a hot topic, here are a few: IONOS - https://cloud.ionos.com/ Onep Telekom Cloud - https://open-telekom-cloud.com/en
But if you want to do scale in Europe you have to go for OVH: https://www.ovhcloud.com/en/
> every company I know operating in this market uses US based clouds (what other options are there LOL)
Alibaba has a sizeable cloud offering and has for years.
Presumably the Five Eyes alliance could also mean that servers in Australia, Canada, New Zealand, and the UK may also be unusable since they share intelligence information with the US.
> (God willing they repeal it, even if only for the international commerce implications...)
It's hard to express how impossible this is. It is very very strongly in the state's interest to keep powers like this. We're more likely to get communism...
This then comes down to whether you think the US govt. these past few decades is better at self-perpetuating power or toadying up to the demands of capital. Cynicism vs. cynicism!
Why is that not fully legal? Wouldn't the same law prevent Google USA from querying PII data from Google Italia?
If Google US can access the data, that means the US government by extension can also. This is exactly what GDPR doesn’t want happening. More details in this open letter by Max Schrems “ the Court has clearly held that US surveillance laws and practices violate Article 7, 8 and 47 of the Charter of Fundamental Rights” https://noyb.eu/en/open-letter-future-eu-us-data-transfers
Italian laws do not apply to Google USA.
First time I've heard of China projecting "global power". Are there cases of it happening?
Oh yes they do. GA is part of a company that also sells services in Italy. They should follow the law if they want to keep earning that non-US Adwords money that allows GA to remain free.
Yes, the Italian law that prohibits sending data abroad applies to Google Italia, but Google USA is submitted to the USA law, that says that the USA government can request any data from Google Italia and they are required to get it.
So the existence of Google USA makes Google Italia operation illegal.
But someone will have to foot the bill when their branch in Italy is fined by the government for violating Italian law
Like Adobe, who uses tracking servers in the EU, but Data Processing happens in the US?
The article has the watchdog suggesting exactly that (the specific site has 90 days to use GA in a compliant way, no direct complaint against GA), so it seems from their point of view it's legal.
The title of this post and a lot of the comments are projecting what they want GDPR to be (all non european online entities banned from doing business in the EU) vs how its being enforced.
On the last point: how does that work with cloud computing providers, as all the big ones are US-based?
Isn't it already against Google Analytics' policy to put PII in the platform to begin with?
https://support.google.com/analytics/answer/6366371?hl=en#zi...
Gdpr uses a more expansive definition of personal data, and it includes the IP address and geolocation data, for example.
And to be clear Google Analytics has a setting to "anonymize" the IP address which deletes the last octet of the address and makes geolocation less accurate.
Then there's an argument that the IP address still reaches Google servers before it's deleted. But that's just splitting hairs at this point. If Google doesn't process the data with IP the IP address I see no harm.
IP addresses are not something that you can choose to not send at all. It's kind of required by the TCP/IP stack. If that was the case users in EU could not access any website in the USA.
The press release mentions that partial truncation is not considered good enough as google has enough ancillary metadata to reverse it.
I guess the difference here is, that I want to visit a website in the US versus a tracking request, that happens in the background.
The GDPR is a product of the Snowden revealed pervasive surveillance done by US TLAs. Keeping the data in EU vs sending it over to US under assurances is a big hair.
Yeah, it uses the definition of personal data that includes information that isn't personal.
> just illegal to use in its default state which transmits PII to the US
As I mentioned in a sibling comment, this is technically true but complying with GDPR takes more than unchecking a few boxes. I've never seen any GA set-up that would remotely approach compliance. At minimum, you need to mask IP's before they reach Google, which means standing up a non-Google server to proxy all the hits. That is more complexity than 99+% of GA installations.
That’s a very common implementation of serverside GTM/GA in the EU. If you advertise, you’ll still be sending GCLIDs, though.
If only ad clicks send back tracking parameters (and nothing else) it might actually fall into legitimate interest.
The current issue isn't the lawful basis for the processing, as compliant companies already only use Google Analytics once they have consent. The issue is that without an adequacy decision from the EU to allow data transfers to the US, and with the global reach of US authorities thanks to the CLOUD Act, there's no way to keep personal data safe from US law enforcement.
My current understanding of google analytics and GDPR compliance is that you can use it in a GDPR compliant manner without that much trouble. On the older UA there is a simple flag that enables IP anonymization and on the new GA4 there is purportedly no need for it as they don't collect or store the IP at all.
For many clients I have set up a cookie compliance tool like Onetrust, which blocks loading of GA and other scripts with one of the consent popups. With this combined configuration (and having verified nothing sneaks through before someone gives consent) most company legal / compliance teams I have worked with have deemed this to be a fully compliant setup. Of course, this might not be actually compliant, but the company legal team has done some research and arrived at this as the most advantageous position currently available.
I think using a compliance based tool like Onetrust also gives a sense of legal security in that if our configuration is properly set up they are advertising that we then get compliance as part of their service, and so responsibility of a violation could potentially be passed to them in a legal setting.
ref: https://support.google.com/analytics/answer/2763052?hl=en
I'm not so sure your take on IP address anonymization. The source states:
The Google documentation says: IANAL but I'm pretty sure the IP anonymization setting is no longer an acceptable way of getting GDPR compliance. It may have been acceptable under Austrian or French ruling before, I don't know about those, but from 90 days from now you'll have to explicitly require consent for _at least_ all Italian users.As a side note, OneTrust has the worst of the worst cookie banners, to the point that I no longer even open websites that have that crap installed. It's also illegal by making it harder to reject tracking than to opt-in, there just haven't been any specific lawsuits about this party yet.
> Google announced earlier this year that Google Analytics 4, its successor, does not log or store IP address at all.
So if I go to a website and it has me load code from Google's servers it's still got to send my IP address to them. I'm not sure why we'd take them at their word that they won't keep that data around (I'd like to see that independently verified). but it'll be sent to the server logs if nothing else. What does not storing the IP address even mean? Do they hash it and store that instead? Do they do a quick lookup and just flag your dossier logging the connection and when it happened before dropping the IP info?
If people care about their privacy I think it's probably best not to send information to Google in the first place. There are alternatives to google analytics after all.
> Google Analytics 4, its successor, does not log or store IP address at all.
The fact that it receives the IP address at all renders it illegal in Italy, and probably anywhere GDPR is in force. And IP address truncation doesn't get you anywhere; it's Google that does the truncating, so the whole address is actually sent to Goo, by which time it has departed from GDPR jurisdiction.
> For many clients I have set up a cookie compliance tool like Onetrust
Every time I've seen a cookie popup from Onetrust, it was obviously illegal because "Reject all" was not the easiest option. It's fine if "Accept all" is as easy as "Reject all", but nothing is allowed to be easier than "Reject all". Have they fixed that yet?
I'd love to see this result in a company-ending lawsuit against OneTrust.
Is it illegal to use my website from Italy? I store PII (and everything else) in the US.
No. It's illegal for you to operate in the EU.
What does that mean? Europeans use my website.
My website does not care where you live.
What exactly will happen me if I do not block Europeans from using my website?
I understand that this is primarily an advertisement for Posthog, but if you're going to keep posting it you might want to keep it up to date. There are only 4 countries on your map and one of them is:
> The Dutch Data Protection Authority warns that the use of Google Analytics 'may soon no longer be allowed', after a ruling by the Austrian privacy regulator. A definitive conclusion is said to come at the beginning of 2022.
At least you removed "the only open source product analytics platform" and the Google fonts since the last time a Posthog employee posted it https://news.ycombinator.com/item?id=29994183
Here are the URLs for those who disable Javascript (from https://github.com/PostHog/isgoogleanalyticsillegal.com)
https://gdprhub.eu/index.php?title=DSB_(Austria_-_2021-0.586...
https://www.cnil.fr/en/use-google-analytics-and-data-transfe...
https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/d...
https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...
NOYB is the primary source tracking these cases and generally was also responsible for filing the complaints that led to them. All the details are available from NOYB's GDPRhub wiki, https://gdprhub.eu. GDPRhub attempts to provide information on all the European DPAs including how to file complaints. At the least it provides contact info for all the DPAs and English translations of DPA decisions.
As stated in 13 Jan 2022 announcement on noyb.eu, these decisions are generally the result of the "Max Schrems II" decision. After that decision, Schrems filed 101 complaints to DPAs, and now the chickens are coming home to roost.
Note that the "legality" of Google Fonts, under the default configuration, is also in question. Arguably use of Google Fonts is even more widespread than use of Google Analytics.
Forget anonimized GA, I wonder what regulators would say to the likes of Hotjar which even records your screen and can be played back.
They aren't Google, so the anti-"American Big Tech" energy isn't as strong.
yeah, like 'swimming pools only bear a danger of drowning when wet'.
That analogy makes no sense at all.
Empty pools are probably more dangerous.
I hear they attract skaters.
Those pools don't have sharp drops and are rather safe I guess. I wonder if that is the reason some pools are built like that ...