
Comment by lmkg

3 years ago

This is consistent with decisions from the Austrian and French data protection authorities (DPAs). Note that Google is a Processor (for this product), meaning that Google itself does not violate GDPR, but only the websites that use it.

Following the Schrems II case, the "threat model" used by EU courts on these matters is "American law enforcement can serve a warrant to American companies." Long story short, any processing that Google does after collection is not considered to offer any protection, because American law enforcement can just tell them not to do that and they won't. Hence, the "Anonymize IP Address" setting in Google Analytics is not considered to have value for GA.

It might theoretically be possible to use GA compliantly by proxying data through an EU-owned service which obfuscates anything considered personal data, at minimum the IP address and various cookie values. This scenario hasn't been confirmed by anyone as compliant, but the regulators seem to always go out of their way to dance around it rather than just saying "GA is non-compliant, always, forever." Still, for the trouble of setting up such a service you might as well just stand up a self-hosted first-party analytics solution.

This particular decision on GA is purely about the cross-border transfers, and doesn't seem to touch on whether using cookies for analytics requires consent. That's a separate issue (technically about a separate law).

> meaning that Google itself does not violate GDPR, but only the websites that use it.

This is so baffling to me. Google has subsidiaries in the EU. The fact that it's ok to give a product to an EU client which can't be used in accordance with the law, and the client is responsible, is just idiotic.

  • To be compliant, Google can just set up data centers specific to GA in one of those EU subsidiaries, so GA admins can choose to have their visitors' data stored only in an EU data center (and promise to not transfer that data to the US). This wouldn't be that hard to do.

• No, they can't as far as I get it. The American CLOUD Act entitles US law enforcement to serve orders to US companies and their foreign branches. So, if you are American with a company in the EU, the important part is that you are an American, not that the company is in a foreign jurisdiction.


    • It really makes no difference where the data is stored once it's accessible by a US company:

      "The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil."

      from https://en.wikipedia.org/wiki/CLOUD_Act

• As mentioned by other commentators, this is not enough. The Schrems II ruling exposed the risk here. If servers are in the EU but are under the effective control (even via proxy) of a country with inadequate control (US, RU, CN), then you can't use data location as an argument.

• The problem is not only the geo location of the datacenters. As long as these subsidiaries are under the control of a USA corporation, this is illegal, since the USA corporation can be requested by the USA gov to share any data they may have no matter where it's stored. The only options are a 100% GDPR compliant solution (European or from a country with similar laws) or self-host. Hopefully another Privacy Shield-like agreement will be in place soon.


    • Building out the infrastructure necessary for Cloud to be compliant with region-stored data was a multi-year project.

      Huge swathes of Google's architecture (especially its legacy architecture) have deeply-ingrained location-agnosticism assumptions. It turns out to be extremely complex and expensive to remove those assumptions given the way Google handles data once it hits their datacenter fabric.

      (Not impossible, mind, just that this assertion that it wouldn't be that hard to do is in "I could build Twitter in a weekend" territory).


• It wouldn't be hard for Googs to do this on their own so that they comply with the rules/laws in the markets they are operating in, vs giving it to the end user as an option in the configs. Most people using GA probably wouldn't know what any of that meant anyways. They just want the numbers so their marketing people can tell them what to do next. I'm talking about the people running sites on Wix type sites vs having an actual dev team that can push back against a marketing department.

  • I don’t find it idiotic. It was the client’s decision to spy on its users. I have no sympathy for companies who make that decision.

    • Why do you have to be sympathetic to the client in order to also condemn Google? If someone was selling bleach as a cure for autism through a network of distributors, do you have to be sympathetic to the distributors in order to condemn the manufacturer?

    • > It was the client’s decision to spy on its users.

Calling it spying is a little far-fetched I think, when the problem was the transfer of IP addresses to US servers, not Analytics itself.


  • What about Italian websites that serve customers outside of Italy?

    • If they serve customers outside the EU, then they should comply with those laws or not serve them at all.