Comment by corywatilo
3 years ago
Italy is the 4th in a string of recent decisions across the EU.
(We're tracking these cases on isgoogleanalyticsillegal.com along with details for each.)
Note that it's not illegal to use GA entirely, just illegal to use in its default state which transmits PII to the US.
That is an extremely important nuance which is not obvious from the title.
Most of the people using GA wouldn't be able to set it up correctly. I switched my personal site from GA to Microanalytics, since I wanted to avoid spending time trying to figure out how to configure GA to be conformant.
Google should be the one doing the compliance work. If Italy bans some usage pattern in GA, it's Google that should make it impossible to configure it in non-conformant way.
I agree 100% with your second paragraph. I also hope they introduce massive "percent of revenue" fines when Google "forgets" to ban illegal activity on their (near-monopoly) advertising platform. Massive fines have genuinely changed the behaviour of sales & trading at global investment banks. We can do the same for FAANG and friends.
It's not that bad: https://support.google.com/analytics/answer/6366371?hl=en#zi...
The most difficult aspect is dealing with URLs. But a company that is large enough to be customizing URLs per user, is large enough to make a few JS changes to ensure they aren't sending those details to GA.
Some time ago Google gave EU admins the option to select a local regional (EU) server. This means the data is not sent to the US. But! It's still not fully legal as the Google HQ (and thus the US government) can still access all the data.
if anyone is curious about why that gives the govt. access:
https://en.wikipedia.org/wiki/CLOUD_Act
(God willing they repeal it, even if only for the international commerce implications...)
This will never be repealed. It was introduced to effectively enshrine a right US authorities have had since the PATRIOT Act was introduced 17 years prior, since that act had become politically contentious and was left to expire.
If anybody seriously thinks US authorities will quietly lose a key power after enjoying it for 21 years, I have a few bridges ready to be sold.
1 reply →
something I'm not getting here. If you buy an EU-engineered IoT home appliance that has PII, including whether a user is presently inside their home, then every company I know operating in this market uses US-based clouds (what other options are there LOL) to do things like digital twins or device shadows, but by using a local availability zone.
So this is very different than GA, but depending on the threat-model can be worse. Also very similar metrics can be gathered from the data as from a GA cookie (are they eating, cooking, showering, watching TV).
The CLOUD Act would (or should) in this case also apply here, or what am I missing?
7 replies →
Presumably the Five Eyes alliance could also mean that servers in Australia, Canada, New Zealand, and the UK may also be unusable since they share intelligence information with the US.
> (God willing they repeal it, even if only for the international commerce implications...)
It's hard to express how impossible this is. It is very very strongly in the state's interest to keep powers like this. We're more likely to get communism...
1 reply →
Why is that not fully legal? Wouldn't the same law prevent Google USA from querying PII data from Google Italia?
If Google US can access the data, that means the US government by extension can also. This is exactly what GDPR doesn’t want happening. More details in this open letter by Max Schrems “ the Court has clearly held that US surveillance laws and practices violate Article 7, 8 and 47 of the Charter of Fundamental Rights” https://noyb.eu/en/open-letter-future-eu-us-data-transfers
Italian laws do not apply to Google USA.
12 replies →
Like Adobe, who uses tracking servers in the EU, but Data Processing happens in the US?
The article has the watchdog suggesting exactly that (the specific site has 90 days to use GA in a compliant way, no direct complaint against GA), so it seems from their point of view it's legal.
The title of this post and a lot of the comments are projecting what they want GDPR to be (all non european online entities banned from doing business in the EU) vs how its being enforced.
On the last point: how does that work with cloud computing providers, as all the big ones are US-based?
Isn't it already against Google Analytics' policy to put PII in the platform to begin with?
https://support.google.com/analytics/answer/6366371?hl=en#zi...
GDPR uses a more expansive definition of personal data, and it includes the IP address and geolocation data, for example.
And to be clear Google Analytics has a setting to "anonymize" the IP address which deletes the last octet of the address and makes geolocation less accurate.
Then there's an argument that the IP address still reaches Google servers before it's deleted. But that's just splitting hairs at this point. If Google doesn't process the data with the IP address I see no harm.
IP addresses are not something that you can choose to not send at all. It's kind of required by the TCP/IP stack. If that was the case users in EU could not access any website in the USA.
3 replies →
Yeah, it uses the definition of personal data that includes information that isn't personal.
> just illegal to use in its default state which transmits PII to the US
As I mentioned in a sibling comment, this is technically true but complying with GDPR takes more than unchecking a few boxes. I've never seen any GA set-up that would remotely approach compliance. At minimum, you need to mask IPs before they reach Google, which means standing up a non-Google server to proxy all the hits. That is more complexity than 99+% of GA installations.
That’s a very common implementation of serverside GTM/GA in the EU. If you advertise, you’ll still be sending GCLIDs, though.
If only ad clicks send back tracking parameters (and nothing else) it might actually fall into legitimate interest.
1 reply →
My current understanding of google analytics and GDPR compliance is that you can use it in a GDPR compliant manner without that much trouble. On the older UA there is a simple flag that enables IP anonymization and on the new GA4 there is purportedly no need for it as they don't collect or store the IP at all.
For many clients I have set up a cookie compliance tool like Onetrust, which blocks loading of GA and other scripts with one of the consent popups. With this combined configuration (and having verified nothing sneaks through before someone gives consent) most company legal / compliance teams I have worked with have deemed this to be a fully compliant setup. Of course, this might not be actually compliant, but the company legal team has done some research and arrived at this as the most advantageous position currently available.
I think using a compliance based tool like Onetrust also gives a sense of legal security in that if our configuration is properly set up they are advertising that we then get compliance as part of their service, and so responsibility of a violation could potentially be passed to them in a legal setting.
ref: https://support.google.com/analytics/answer/2763052?hl=en
I'm not so sure about your take on IP address anonymization. The source states:
The Google documentation says:
IANAL but I'm pretty sure the IP anonymization setting is no longer an acceptable way of getting GDPR compliance. It may have been acceptable under Austrian or French ruling before, I don't know about those, but 90 days from now you'll have to explicitly require consent for _at least_ all Italian users.
As a side note, OneTrust has the worst of the worst cookie banners, to the point that I no longer even open websites that have that crap installed. It's also illegal by making it harder to reject tracking than to opt-in, there just haven't been any specific lawsuits about this party yet.
5 replies →
> For many clients I have set up a cookie compliance tool like Onetrust
Every time I've seen a cookie popup from Onetrust, it was obviously illegal because "Reject all" was not the easiest option. It's fine if "Accept all" is as easy as "Reject all", but nothing is allowed to be easier than "Reject all". Have they fixed that yet?
2 replies →
Is it illegal to use my website from Italy? I store PII (and everything else) in the US.
No. It's illegal for you to operate in the EU.
What does that mean? Europeans use my website.
5 replies →
I understand that this is primarily an advertisement for Posthog, but if you're going to keep posting it you might want to keep it up to date. There are only 4 countries on your map and one of them is:
> The Dutch Data Protection Authority warns that the use of Google Analytics 'may soon no longer be allowed', after a ruling by the Austrian privacy regulator. A definitive conclusion is said to come at the beginning of 2022.
At least you removed "the only open source product analytics platform" and the Google fonts since the last time a Posthog employee posted it https://news.ycombinator.com/item?id=29994183
Here are the URLs for those who disable Javascript (from https://github.com/PostHog/isgoogleanalyticsillegal.com)
https://gdprhub.eu/index.php?title=DSB_(Austria_-_2021-0.586...
https://www.cnil.fr/en/use-google-analytics-and-data-transfe...
https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/d...
https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...
NOYB is the primary source tracking these cases and generally was also responsible for filing the complaints that led to them. All the details are available from NOYB's GDPRhub wiki, https://gdprhub.eu. GDPRhub attempts to provide information on all the European DPAs including how to file complaints. At the least it provides contact info for all the DPAs and English translations of DPA decisions.
As stated in the 13 Jan 2022 announcement on noyb.eu, these decisions are generally the result of the "Max Schrems II" decision. After that decision, Schrems filed 101 complaints to DPAs, and now the chickens are coming home to roost.
Note that the "legality" of Google Fonts, under the default configuration, is also in question. Arguably use of Google Fonts is even more widespread than use of Google Analytics.
Forget anonymized GA, I wonder what regulators would say to the likes of Hotjar which even records your screen and can be played back.
They aren't Google, so the anti-"American Big Tech" energy isn't as strong.
yeah, like 'swimming pools only bear a danger of drowning when wet'.
That analogy makes no sense at all.
Empty pools are probably more dangerous.
I hear they attract skaters.
1 reply →