Comment by corywatilo

3 years ago

Italy is the 4th in a string of recent decisions across the EU.

(We're tracking these cases on isgoogleanalyticsillegal.com along with details for each.)

Note that it's not illegal to use GA entirely, just illegal to use in its default state which transmits PII to the US.

84 comments

corywatilo

Reply
stingraycharles  3 years ago

That is an extremely important nuance which is not obvious from the title.

  • tut-urut-utut  3 years ago

    Most of the people using GA wouldn't be able to set it up correctly. I switched my personal site from GA to Microanalytics, since I wanted to avoid spending time trying to figure out how to configure GA to be conformant.

    Google should be the one doing the compliance work. If Italy bans some usage pattern in GA, it's Google that should make it impossible to configure it in non-conformant way.

    • throwaway2037  3 years ago

      I agree 100% with your second paragraph. I also hope they introduce massive "percent of revenue" fines when Google "forgets" to ban illegal activity on their (near-monopoly) advertising platform. Massive fines has genuinely changed the behaviour of sales & trading at global investment banks. We can do the same for FAANG and friends.

digitalengineer  3 years ago

Some time ago Google gave EU admins the option to select a local regional (EU) server. This means the data is not send to the US. But! It’s still nog fully legal as the Google HQ (and thus the US government( can still access all the data.

  • kixiQu  3 years ago

    if anyone is curious about why that gives the govt. access:

    https://en.wikipedia.org/wiki/CLOUD_Act

    (God willing they repeal it, even if only for the international commerce implications...)

    • toyg  3 years ago

      This will never be repealed. It was introduced to effectively enshrine a right US authorities have had since the PATRIOT Act was introduced 17 years prior, since that act had become politically contentious and was left to expire.

      If anybody seriously thinks US authorities will quietly lose a key power after enjoying it for 21 years, I have a few bridges ready to be sold.

      1 reply →

    • DyslexicAtheist  3 years ago

      something I'm not getting here. If you buy a EU engineered IoT home appliance that has PII including, whether a user is presently inside their home, then every company I know operating in this market uses US based clouds (what other options are there LOL) to do things like digital twin or device shadows but by using a local availability zone.

      So this is very different than GA, but depending on the threat-model can be worse. Also very similar metrics can be gathered from the data as from a GA cookie (are they eating, cooking, showering, watching TV).

      CloudAct would (or should) in this case also apply here or what am I missing?

      7 replies →

    • godshatter  3 years ago

      Presumably the Five Eyes alliance could also mean that servers in Australia, Canada, New Zealand, and the UK may also be unusable since they share intelligence information with the US.

    • concordDance  3 years ago

      > (God willing they repeal it, even if only for the international commerce implications...)

      It's hard to express how impossible this is. It is very very strongly in the state's interest to keep powers like this. We're more likely to get communism...

      1 reply →

  • googlryas  3 years ago

    Why is that not fully legal? Wouldn't the same law prevent Google USA from querying PII data from Google Italia?

  • y42  3 years ago

    Like Adobe, who uses tracking servers in the EU, but Data Processing happens in the US?

  • cavisne  3 years ago

    The article has the watchdog suggesting exactly that (the specific site has 90 days to use GA in a compliant way, no direct complaint against GA), so it seems from their point of view it's legal.

    The title of this post and a lot of the comments are projecting what they want GDPR to be (all non european online entities banned from doing business in the EU) vs how its being enforced.

  • sebazzz  3 years ago

    On the last point: how does that work with cloud computing providers, as all the big ones are US-based?

minsc_and_boo  3 years ago

Isn't it already against Google Analytics' policy to put PII in the platform to begin with?

https://support.google.com/analytics/answer/6366371?hl=en#zi...

  • rgbrenner  3 years ago

    Gdpr uses a more expansive definition of personal data, and it includes the IP address and geolocation data, for example.

    • dudus  3 years ago

      And to be clear Google Analytics has a setting to "anonymize" the IP address which deletes the last octet of the address and makes geolocation less accurate.

      Then there's an argument that the IP address still reaches Google servers before it's deleted. But that's just splitting hairs at this point. If Google doesn't process the data with IP the IP address I see no harm.

      IP addresses are not something that you can choose to not send at all. It's kind of required by the TCP/IP stack. If that was the case users in EU could not access any website in the USA.

      3 replies →

lmkg  3 years ago

> just illegal to use in its default state which transmits PII to the US

As I mentioned in a sibling comment, this is technically true but complying with GDPR takes more than unchecking a few boxes. I've never seen any GA set-up that would remotely approach compliance. At minimum, you need to mask IP's before they reach Google, which means standing up a non-Google server to proxy all the hits. That is more complexity than 99+% of GA installations.

  • closewith  3 years ago

    That’s a very common implementation of serverside GTM/GA in the EU. If you advertise, you’ll still be sending GCLIDs, though.

  • naet  3 years ago

    My current understanding of google analytics and GDPR compliance is that you can use it in a GDPR compliant manner without that much trouble. On the older UA there is a simple flag that enables IP anonymization and on the new GA4 there is purportedly no need for it as they don't collect or store the IP at all.

    For many clients I have set up a cookie compliance tool like Onetrust, which blocks loading of GA and other scripts with one of the consent popups. With this combined configuration (and having verified nothing sneaks through before someone gives consent) most company legal / compliance teams I have worked with have deemed this to be a fully compliant setup. Of course, this might not be actually compliant, but the company legal team has done some research and arrived at this as the most advantageous position currently available.

    I think using a compliance based tool like Onetrust also gives a sense of legal security in that if our configuration is properly set up they are advertising that we then get compliance as part of their service, and so responsibility of a violation could potentially be passed to them in a legal setting.

    ref: https://support.google.com/analytics/answer/2763052?hl=en

    • jeroenhd  3 years ago

      I'm not so sure your take on IP address anonymization. The source states:

          The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.

      The Google documentation says:

          The IP-anonymization feature in Universal Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to Google Analytics.

      IANAL but I'm pretty sure the IP anonymization setting is no longer an acceptable way of getting GDPR compliance. It may have been acceptable under Austrian or French ruling before, I don't know about those, but from 90 days from now you'll have to explicitly require consent for _at least_ all Italian users.

      As a side note, OneTrust has the worst of the worst cookie banners, to the point that I no longer even open websites that have that crap installed. It's also illegal by making it harder to reject tracking than to opt-in, there just haven't been any specific lawsuits about this party yet.

      5 replies →

    • majewsky  3 years ago

      > For many clients I have set up a cookie compliance tool like Onetrust

      Every time I've seen a cookie popup from Onetrust, it was obviously illegal because "Reject all" was not the easiest option. It's fine if "Accept all" is as easy as "Reject all", but nothing is allowed to be easier than "Reject all". Have they fixed that yet?

      2 replies →

remram  3 years ago

I understand that this is primarily an advertisement for Posthog, but if you're going to keep posting it you might want to keep it up to date. There are only 4 countries on your map and one of them is:

> The Dutch Data Protection Authority warns that the use of Google Analytics 'may soon no longer be allowed', after a ruling by the Austrian privacy regulator. A definitive conclusion is said to come at the beginning of 2022.

At least you removed "the only open source product analytics platform" and the Google fonts since the last time a Posthog employee posted it https://news.ycombinator.com/item?id=29994183

1vuio0pswjnm7  3 years ago

Here are the URLs for those who disable Javascript (from https://github.com/PostHog/isgoogleanalyticsillegal.com)

https://gdprhub.eu/index.php?title=DSB_(Austria_-_2021-0.586...

https://www.cnil.fr/en/use-google-analytics-and-data-transfe...

https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/d...

https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...

NOYB is the primary source tracking these cases and generally was also responsible for filing the complaints that led to them. All the details are available from NOYB's GDPRhub wiki, https://gdprhub.eu. GDPRhub attempts to provide information on all the European DPAs including how to file complaints. At the least it provides contact info for all the DPAs and English translations of DPA decisions.

As stated in 13 Jan 2022 announcement on noyb.eu, these decisions are generally the result of the "Max Schrems II" decision. After that decision, Schrems filed 101 complaints to DPAs, and now the chickens are coming home to roost.

Note that the "legality" of Google Fonts, under the default configuration, is also in question. Arguably use of Google Fonts is even more widespread than use of Google Analytics.

ricardobayes  3 years ago

Forget anonimized GA, I wonder what regulators would say to the likes of Hotjar which even records your screen and can be played back.