Use of Google Analytics declared illegal by French data protection authority

  • I think we (in the EU) will soon realise the bizarre consequences of these regulations. European startups will not be able to use standard SaaS or PaaS tools (like AWS, Azure, Mailchimp, PayPal etc) if they are based in the US (like most of them are). No cloud services, no Office 365 or Google Workspace.

    It will take forever to build up a similar ecosystem in Europe and I think most successful European entrepreneurs will just end up starting companies in the US instead.

There must be some reasonable middle ground before we fragment and destroy the entire Internet. Why not start by making a general exception for temporary storage of less sensitive data like IP addresses for efficiently and cost-effectively delivering a web service?

If there is one thing they could start looking into it would be the handling of personal information by governmental organisations. I work a little bit with a few municipalities, and the number of documents with deeply personal information that are just emailed around over unencrypted email is shocking.

  • A lot of this seems to be coming due to US regulations that compel US-registered companies to hand over data from subsidiaries in European markets if asked by US intelligence and law enforcement agencies.

With these various data locality regulations, I wonder if a standard operating approach could be to split tech companies into 3 legal entities: a technology licensing company, a US-registered operations company and a Europe-registered operations company, and hand the shares in all three companies to the current shareholders. This would insulate the Europe entity.

  • Note that Wikimedia has not been using Google Analytics since forever because they're concerned about precisely the same privacy problems as the regulators.

    This other post has more comments: https://news.ycombinator.com/item?id=30284820

    I love that the plaintiff in this case is the "NOYB Association", as in None Of Your Fucking Business, Google.

  • If someone adds <img src="http://blah.us"> to their website, and that image is hosted in the United States, how does that not also violate French data protection?

    The user's browser makes a request to a US server, including the user's IP address.

    I legit do not understand how to make French people happy with these laws.

  • Just two weeks after Austria, another EU country has deemed the current Google Analytics implementation illegal in the EU.

From the article: > "It's interesting to see that the different European Data Protection Authorities all come to the same conclusion: the use of Google Analytics is illegal. There is a European task force and we assume that this action is coordinated and other authorities will decide similarly."

    I am really looking forward to seeing how this will play out in the rest of the EU, and which practical consequences it will have.

And, as usual, fellow EU citizens, support NOYB's work if you care about data protection: https://noyb.eu/en/support-us

  • Is the CNIL actually starting to do its job? Since the early 2000s they were doing literally nothing against the many crimes against users committed by big tech. In the past few years, though, they started to distribute fines when the law was obviously and willingly broken (e.g. Google)... Did they suddenly start to care for users? Or do they care that they can fill the pockets of the government (who doesn't dare to tax those evil multinationals) while making it look like they care for users?

I mean, CNIL does not exactly have a reputation of helping/protecting users... They more have a reputation of being a watchdog who sees no problem with government surveillance programs and does not react when you send them reports of illegal activities surrounding personal data. In their defense, their budgets and prerogatives have been cut so many times they probably couldn't investigate/fine anyone if they wanted to.

  • Don't quite understand this at all.

Can we cut through the clickbait and see what's wrong here? If my website asks users for their permission to use GA and they click yes, then is that still illegal here? I see this as yes, it's still illegal.

Also, is it illegal because there is an anonymised id number created when you send data? If that's the case then it's not just GA that's a problem but any tracking system, i.e. Plausible.

Furthermore, given that a randomised unique id is personal data, there would appear to be no way to use any website analytics on any website, as you have to store this in a DB which will require a unique id per row by design.

What about other data? For example, a web server log will contain similar data; is that not allowed? If it's not allowed, how can I ensure my site is protected, as I need those logs to identify and ban hackers?

  • Taking this to the logical extreme:

    A French website can not use any American service, right?

    Because any American services "are not sufficient to exclude the accessibility of this data for US intelligence services".

  • If you think that launching your app in another region is hard, there is currently a case being evaluated in Europe which is evaluating the argument that even if the data never leaves the EU and the provider is a European entity but affiliated with or a subsidiary of a US company, this is still considered a violation.

    So unfortunately just moving hardware locations may be insufficient, even forming a new entity won't suffice.

    In my humble opinion we are witnessing the nationalization of the Internet, in the name of good intent, but eventually the risk vs reward calculation of doing business across the Atlantic (for either side) will tilt in the direction of avoiding the risk.

    Although it could be argued that "good, laws are made for people not for businesses" I'd counter that a great deal of the free information published by US companies and non-profits will become unavailable in the EEA.

    I'm hopeful that the DPAs and courts in Europe will decide to balance these concerns.

FWIW: I run one of the more popular data privacy platforms, Osano, so this is an area we track very closely and which is near and dear to my heart. I built Osano as a Public Benefit (and certified B-Corp) to try and prevent the nationalization of the Internet by giving businesses an easy way to respect the rights of their customers & visitors.

  • Is anyone using an alternative that provides some basic analytics and isn't likely to get me in legal hot water in the future?

    I've already offloaded Google Fonts due to the German ruling. I'm happy to self-host piwik if needed, but could that fall foul of regulators?

  • This is really good news for consumer privacy everywhere. I was just in a meeting with some marketers in my org and they were quite dismayed so I'm conversely quite happy. I've been saying for years that content is king and tracking will only be sustainable for so long. It's only a matter of time before laws like this are the norm rather than the exception globally.

  • Shouldn't Google etc. go after the draconian US laws making this an issue? I feel most of them try to attack EU or fight the courts there.

  • For those of you outside of the EU who would like to opt out of being tracked by Google Analytics on web pages, install the browser add-on uBlock Origin.

  • Shameless plug: I have been building a self-hosted-only analytics platform for a long time: https://www.uxwizz.com. It looks like a good time to switch to self-hosted analytics.

  • Last night I finally pulled the trigger on becoming a Supporting Member of NOYB¹ (My Privacy is None of Your Business). Seeing this story on Hacker News tonight reaffirms that decision and I’d recommend that other Hacker News users who care about data privacy do the same. Technological solutions that we use (Firefox containers, uBlock, etc.) are band-aids that work for a technically adept minority of citizens. The real struggle is political – and legal, when there is data protection legislation that isn’t being enforced.

    ¹ https://noyb.eu/en/support-us

  • For those who need a summary of what is happening in the EU [1]:

    1. Since 2020, it's illegal to send personal data to the US because of the invalidation of the Privacy Shield [2]

    2. Google said it was okay in the EU to use anonymized IP addresses

    3. The Austrian Data Protection Authority (DSB) [3] ruled differently and waived most of the arguments raised by Google. The DSB ruled that even anonymized IP addresses are personal data.

    4. The Data Protection Authority of The Netherlands followed by implying that the use of Google Analytics might be banned in the future [4]

    5. Now, the Data Protection Authority of France (CNIL) followed

    This is a sound decision, but not a new one. It's a confirmation of what has been ruled in July 2020, but now it seems to have more impact.

    PS: I'm the founder of Simple Analytics [5] - the privacy-first analytics tool that, unlike other privacy tools, does not use any identifiers.

    [1] https://blog.simpleanalytics.com/will-google-analytics-be-ba...

    [2] https://iapp.org/news/a/the-schrems-ii-decision-eu-us-data-t...

    [3] https://www.data-protection-authority.gv.at/

    [4] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/interne... (in Dutch)

    [5] https://simpleanalytics.com/

    EDIT: changed "PII (personally identifiable)" to "Personal Data"

  • "The IP anonymization feature in Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to Google Analytics."

    https://support.google.com/analytics/answer/2763052

    I don't understand how this can be construed as tracking users.
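As an added example (not code from any commenter or from Google), the masking the quoted doc describes, carried out in Python: it zeroes the last octet of an IPv4 address and the last 80 bits of an IPv6 address, reports how many addresses collapse into each masked value, and applies the same masking to constructed access-log lines, since a log file holds the same kind of data. The sample log lines are constructed, not real traffic.

```python
import ipaddress

# Bit counts taken from the quoted Google doc: IPv4 keeps 24 bits (last octet
# zeroed); IPv6 has its last 80 bits zeroed, so only the first 48 bits survive.
KEEP_BITS = {4: 24, 6: 48}


def anonymize_ip(ip_text: str) -> str:
    """Return the address with its low-order bits zeroed, as the quoted doc describes."""
    addr = ipaddress.ip_address(ip_text)
    keep = KEEP_BITS[addr.version]
    total = addr.max_prefixlen            # 32 for IPv4, 128 for IPv6
    mask = ((1 << keep) - 1) << (total - keep)
    # Rebuild with the same address class so a masked IPv6 never turns into IPv4.
    return str(type(addr)(int(addr) & mask))


def addresses_per_bucket(ip_text: str) -> int:
    """How many distinct addresses map onto the same masked value."""
    addr = ipaddress.ip_address(ip_text)
    return 1 << (addr.max_prefixlen - KEEP_BITS[addr.version])


def scrub_log_line(line: str) -> str:
    """Apply the same masking to every token of a log line that parses as an IP."""
    out = []
    for token in line.split(" "):
        try:
            out.append(anonymize_ip(token))
        except ValueError:                # not an IP address: keep the token as is
            out.append(token)
    return " ".join(out)


# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.77 - - [10/Feb/2022:09:30:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [10/Feb/2022:09:30:05 +0000] "GET /about HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub_log_line(line))
    # 256 IPv4 hosts share one masked value; an IPv6 bucket holds 2**80.
    print(addresses_per_bucket("203.0.113.77"), addresses_per_bucket("2001:db8::1"))
```

Note that the masking is lossy but coarse: an IPv4 bucket of 256 addresses is often a single ISP subnet, which is the kind of residual identifiability the regulators' reasoning turns on.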

  • Random thought, maybe totally off base. This is Europe, so it's not equivalent, but there seem to be a lot of people in the US as well who want private companies to be compelled to respect your privacy (4th amendment) but also many people who don't think websites should or could be compelled to respect your freedom of speech (1st amendment). I wonder if there is an overlap in these groups...

  • One thing I find super crazy is that, while making a big fuss about IP addresses and cookies, the EU forces any website owner to publicly share his full name, address and phone number on the site’s imprint.

    If you’re not a corporation or a professional who has an office address, you’ll have to supply your own personal data. Visible to anyone on the internet.

  • Amazing news. Practical consequences:

    Huge opportunities for French tech entrepreneurs.

    Huge opportunities for immigrant tech entrepreneurs to France.

    Gets the ball rolling for other countries to implement this. And more advanced regulations.

    Finally, once US big tech intl influence is on a steep decline, maybe, just maybe, Google will be policed by the US government.

  • AFAIK, this could be pretty disastrous for French businesses that funnel conversion data to Google Analytics, which is then used to optimize their Google Search ads.

    Switching to another solution for analytics might be ok, but losing the ability to automatically optimize ads based on conversion data is a big pain.

  • The EU privacy regulations seem to have a side effect of creating a de facto EU internet, where EU competitors can become dominant because they pay closer attention to changes in law vs North American or Chinese counterparts.

It’s almost like a more subtle version of China's or Russia’s firewall.

  • I wonder if the user community on the web will ever adjust to a situation where they're not trading "free" services in exchange for their privacy.

    Users on the web love / demand free and aren't willing to pay for a lot of this stuff...

  • Wondering if this will also apply to Gmail, Google Drive and so on. Also wondering if there is a way to agree to storing my data in the US. Nonetheless, it appears that this is a good opportunity for an EU-based alternative to Google Analytics.

Also, what are the implications of cross EU-US chat apps where a person’s name is visible? Doesn't it mean that when a recipient in the US sees the name, the EU person’s data has been transferred to the US?

Apologies if this comment is ignorant, I am not well versed in the topic, but to me it sounds like this is quite an issue for US-EU chat and email apps.

  • Articles mention GA, but is Metrica[0] similarly affected? I guess their data is also stored outside the EU.

    [0] https://metrica.yandex.com

  • For those that missed it and are interested, there was a similar HN discussion around a German GDPR ruling last week. It already has quite a large debate and a lot of opinions on the matter:

    https://news.ycombinator.com/item?id=30135264

  • There is a privacy-first alternative called: https://simpleanalytics.com/

  • For people interested in hosting their own Plausible analytics instance: use this Ansible bundle[0] against your Debian 11 server.

    It takes a few minutes to complete and you can start tracking visits in a privacy friendly manner quickly.

[0] https://github.com/confuzeus/ansible-plausible

  • Question: Shouldn't it be quite possible to use GA without client-side requests, and without sending personal data to Google?

    https://developers.google.com/analytics/devguides/collection...

  • Finally some good news

  • Good riddance, this is a win for giving people informed consent to be spied on via hidden analytics.

  • Wait, I don't get it.

    Big tech companies don't park servers in the EU. Is it THAT difficult? Of course it is not, and they just don't want to do it.

On the other hand, big tech companies are happy to park their IP in Ireland (an EU country) in a phony company, simply to avoid paying taxes.

    What's the logic?

  • I have just posted this link for everyone on the Slack of the French web agency - specialized in Google/Facebook/Instagram campaigns - I work for. Not one reaction. I was left on seen.

  • For other French people here: there is a great privacy-friendly alternative: https://simpleanalytics.com

  • Luckily there is plenty to choose from.

We entered the market recently with Wide Angle Analytics https://wideangle.co. But there are plenty of alternatives, depending on your needs.

    Some focus on visuals, we focus on filters and soon attribution. There is more on the list: https://european-alternatives.eu/category/web-analytics-serv...

    Competition is a healthy thing. You DON'T HAVE TO use Google Analytics :)

    And if you wonder, yes, the fines are real. Enforcement of GDPR is picking up the pace: https://wideangle.co/blog/you-might-be-facing-gdpr-fine

  • Finally, a little dent in Google's mass surveillance project.

    Now if they could only declare GMail to be another kind of a racket we would really get somewhere :-)

  • This was the only sane decision they could come to. Google's evil practices are death to any free society and a threat to the national security of any country but the U.S. where the deep-state pimps are busy siphoning Google's data to use against its own citizens. Here in the US we live in what only appears to be a free country where sociopaths, pimps and whores rise to the top and are protected by the DOJ, DHS and the whole alphabet soup of criminal organizations that protect the wealthy and the powerful. The transformation of the country from 1970 to 2022 is stark. We are headed to a dystopia led by the whores at Google.

  • Is there a Europe-native company that could invest the tens of billions to spin up an EU-centric cloud to appease the regulators?

  • What if, say I’m using Microsoft to backend my user authentication and it’s keeping a record of ip/user here in the USA?

  • Be prepared to read similar measures from other supervisory authorities as well. They will arrive soon. Stay tuned!

  • As a side note: Secret services have been using GA to identify and track targets for years

  • How can French websites track conversions from Google Adwords without Google Analytics?

  • And billions of EUR of damages for the 'people farming'. Where is the money?

  • Sadly I don't see how this decision can be translated into practice, since I strongly doubt the CNIL will be able (or willing) to send formal notice, and fine after a grace period, all French companies that make use of Google Analytics on their website.

  • In my opinion analytics + Android should be the point of this talk.

  • By extension, is it illegal to use Cloudflare for DNS?

  • Do they somehow count the users' browsers making a request to a US server as the website transferring data to the US? It is pretty clear that the user's browser did that and not the website or Google.

  • Why is that? It's called analytics for a reason.

  • There are plenty of privacy respecting analytics out there - Plausible, Matomo or Simple Analytics. Depending on what your actual needs are, you can also just use something like GoAccess, logwatch, Splunk or multitail to check your logs and use those for analytics information.

    In one of my previous jobs the marketing department complained about Google Analytics not working on one of our pages. GA hadn't been working for about 10 months when they raised the incident. It was such a low priority that it took another 4 months for someone to fix it.

While I get that some people are slightly foaming at the mouth because of GDPR (and this starts an entire debate about an aging political population that doesn't understand technology AT ALL) going overboard, my question is: do we actually use all the analytics that are provided by GA?

    How many marketing teams/sales teams/etc actually use ALL the information provided by these tools. Aren't there other better ways to measure your campaign and product performance? Do you just want to see time on site/page? Abandon rate? I mean, most of these tools feel like they concentrate the Western mentality of "I need an SUV because I might have to put in more than 2 bags in my car".

    /endRant

  • That means that Firefox is also illegal in France.

  • "The CJEU had highlighted the risk that American intelligence services would access personal data transferred to the United States if the transfers were not properly regulated."

    As an EU citizen: Thank you Mr. Snowden, sir! <3

  • Previous discussion: https://news.ycombinator.com/item?id=30284820

  • What is the balance of privacy and analytics when even privacy friendly tools like Plausible are blocked.

  • I don't like Google but seriously this whole GDPR thing is getting out of hand.

    Anyone who's concerned about their data being collected can just block Google-or-like-related domains. Rest is just making life of web developers/admins/tech company owners harder.

Especially with these European intentions, I frankly believe this is more of a political war against the US and US-based companies. (No, I'm not from the US either.)

  • I suppose AdSense is next? I think that would be a total disaster for the already crippled European web.

    And what about Chrome?

  • CrUX data will be next. Using Chrome to be considered illegal in Germany.

  • For the French people on HN: There is a privacy-first alternative called: https://simpleanalytics.com/

  • I contacted them approximately 4 years ago to denounce the developers of TrackMania that don't hash passwords [1]. I have not received an answer since, and I bet they do not even care. I'm sure they are a bunch of hypocrites and now that they've realized they can make a lot of money randomly fining Big Tech, this is just what they're going to do.

[1]: If you clicked on "Password forgotten" on the login page, they'd just send you your password unencrypted by email.

  • The onus is on Google to suspend or anonymize Analytics. Individual website managers can't be expected to discriminate based on geographical origin, as the document seems to imply.

  • Google Analytics is the best analytics tool out there.

    By getting their companies off GA, European governments are weakening their industry.

This probably holds true for many SaaS products. Many of the best are from the USA. Forbidding European companies to use them is a disaster for the European internet industry.

  • Google stock is already dropping: https://www.google.com/finance/quote/ABEA:ETR?sa=X&ved=2ahUK...

  • So I can follow someone in public, take pictures of them in public places from some distance, follow them into stores, see what they are spending and what they are using, etc. Store owners can have cameras, track the behaviour of customers, etc. But if I use a service which anonymously tracks which pages they opened on a website they voluntarily visited and are exploring, then I'm in trouble?

  • While I think these rulings are interesting in the sense of providing an opening to EU-grown businesses (if not too late), it does have a comical dimension to it. "Private" information is everywhere; it's in your DNS queries, which also get propagated to servers in the evil US empire. Are we going to legislate DNS out of existence too? The EU seems to like having a completely private internet, but that's not gonna be possible unless we build one ourselves (how?)

There is a load of hyperbole in the EU privacy business, and it's coming from the German side which is super sensitive to it. But Germany is a worldwide exception; their laws for censorship and privacy exist for specific reasons, and they shouldn't be propagating them everywhere.

Specifically in the analytics space, I don't think a lot of people are going to pay for analytics. A free version makes sense because a lot of websites don't make money. Google provides it for free because they have a monetary incentive to keep marketers in their ecosystem; other companies don't. (Unless the other companies choose to monetize them just as Google did.)

    I think the biggest loser however is going to be the decentralized open web.