For those who need a summary of what is happening in the EU [1]
1. Since 2020, it's illegal to send personal data to the US because of the invalidation of the Privacy Shield [2]
2. Google said it was okay in the EU to use anonymized IP addresses
3. The Austrian Data Protection Authority (DSB) [3] ruled differently and waived most of the arguments raised by Google. The DSB ruled that even anonymized IP addresses are personal data.
4. The Data Protection Authority of The Netherlands followed by implying that the use of Google Analytics might be banned in the future [4]
5. Now, the Data Protection Authority of France (CNIL) followed
This is a sound decision, but not a new one. It's a confirmation of what was ruled in July 2020, but now it seems to have more impact.
PS: I'm the founder of Simple Analytics [5] - the privacy-first analytics tool that, unlike other privacy tools, does not use any identifiers.
Don't be coy. Call it what it is - an analytics service.
And as such it falls largely in the same bucket as GA, because if someone's using Simple Analytics, my surfing data - against my wishes - is being shared with some random third party. Whether it's less, more or comparably evil as GA is secondary.
Yes, and when you go shopping and pay with cash in a store with no surveillance, your shopping habits are being shared against your wishes with a random third party (the external company bookkeeper).
It's disingenuous to have problems with websites collecting entirely anonymous browsing data -- that goes beyond any arguments for privacy and just steers into "yelling at clouds" territory.
That’s bad too. There are also things happening in the world that are much worse, like people getting murdered. All these things can be bad at the same time.
In what way? I agree that personally tracking an individual and using psychology tricks and whatnot to trick them into buying stuff is bad, but if it's just a company knowing what works well for them, I don't see the argument.
> when you go shopping and pay with cash in a store with no surveillance, your shopping habits are being shared against your wishes with a random third party
Retail stores also use your shopping data to target you with ads. Credit cards also obviously sell your purchase data to anyone willing to pay for it. I wouldn't be surprised if retail stores even sell your cash purchase data to any third party willing to pay for it.
The other replies are missing what analytics is really comparable to. With a standard purchase, we have an exchange of the minimum necessary information at the point of engaging in a mutual financial transaction. The bookkeeper can examine that transaction after. They can look for patterns in what receipts have. That's fine.
Analytics isn't that. Analytics is tracking a customer walking into the store and looking for which store they came from. Analytics is noting down how long a customer spent holding a blue item, if they looked at a big red item, and noting it down because it might matter. Analytics is seeing how the customer went back and forth between one aisle and another. Whether looking at one item made them less inclined to look at the next. Analytics is hoarding all of that information and keeping it even if the customer doesn't make a purchase.
Of course stores have been looking at how and why and when customers shop for years, but through consensual studies. They learnt to put the fruit at the entrance and the sweets at the exit. They learnt to put their high value items at eye level. And they didn't do it through spying and analysing the behaviours of everyone walking through their doors. They didn't keep years of CCTV with the sole excuse that they might want to see how long you lingered between deciding on diaper brands.
>Yes, and when you go shopping and pay with cash in a store with no surveillance, your shopping habits are being shared against your wishes with a random third party (the external company bookkeeper).
How? You don't enter your name when you pay with cash.
Also, in the EU it is illegal to share any personal info in the physical world too; say you go and take out a subscription to a gym, they can't share your data with a third party unless they make you sign a paper first.
>"Oh, it's that one privacy nut again who always wears sunglasses and a hoodie and only pays in cash"
And the store person will then what? Open Excel and write "a dude with glasses was here at 12:51"? And then send the file to 100+ partners?
>You don't need to be identified by name, just by a "fingerprint". If you go there regularly you will be identified by your "fingerprint".
So the physical stores have some shady dudes attempting to lift fingerprints from money, then some statistics guy tries to put probabilities on which fingerprint matches which anonymous guy?
Here in my country you still pay with cash, and the store people put it in a machine and combine it with money from other people; it would be a lot of work and risk for some shitty nano reward.
And the GDPR forbids them from writing that information (e.g. "the privacy nut bought apple juice") down or passing it to a third party without your explicit consent.
On the other hand, it's perfectly legal (and usual practice) to contract out the operation of people counting devices that just tally up how many persons go through a door.
(By the way, a gym can and usually does share contract data including personal information with numerous third-parties such as external bookkeepers. This is legal under the GDPR without explicit consent.)
>By the way, a gym can and usually does share contract data with numerous third-parties such as external bookkeepers. This is perfectly legal under the GDPR)
Why is it legal? Does the gym need those 100 contractors to know my data for it to work? What are those 100 different accountants for? How did gyms or other businesses work before the internet, did a guy walk to 100 different locations with papers in hand so those "partners" could take a quick look?
Yes, before there was electronic bookkeeping, businesses hauled stacks of paper to their accountant. This has been standard business practice for literally centuries.
If they want to send you a letter, they have to give your data to the postal service. Again, no consent needed.
This is legal because our whole economy is based on division of labor. Privacy laws account for that.
Maybe you are referring to required data.
I can buy some bread and the store does not need my ID for accounting purposes, so not sure what exceptional stores or gym need to send a copy of my ID and my activities to their accountant.
My problem is with the 100+ partners that are OBVIOUSLY not partners and not required to have my data.
Ok, now what's the difference between sharing "1 bread sold" (with no identifying information about the customer) with a third-party and "1 page visited" (with no identifying information about the visitor) with a third-party?
> "1 page visited" (with no identifying information about the visitor) with a third-party?
False equivalence, no online stalking company actually works like that (that would require a server-side hook). They all make the visitor go to the third party's desk and increase the tally themselves (via http request), giving the tracker company access to all the contact details of the visitor.
"Why is it legal" is the wrong question. There is nothing wrong with freedom. You already know this. The problem is the lack of competition. You should be asking why is the competition so small for this particular service with bad terms that you can't find a better place around you that provides a better service.
The bookkeeper literally needs access to receipts and invoices to do their job. No bookkeeper is going to work from an anonymous list of payments; that's how you get swept up in a money laundering raid.
Before the internet, the owner took a shoe box of receipts to their bookkeeper every month. Those receipts had your name, date, etc. on them.
How? When I buy stuff in the real world and pay with cash I don't get asked for an ID card, so why do you think the store needs names on the receipts? Is this something that happens in your country? For buying cars or land you need an ID; if I buy even expensive electronics no ID is needed, I just return the product with the receipt, which has no name on it.
I remember when my grandfather was doing accounting for a bar before Internet days; the papers were about the stuff, not about people, like how much beer was bought, how much was sold, stuff like that.
>your shopping habits are being shared against your wishes with a random third party (the external company bookkeeper).
GDPR requires data sharing to be done for a defined purpose.
The purpose of sharing data with an external company bookkeeper for bookkeeping is not remotely connected to any purpose an analytics service fulfills. So while the shared data is capable of yielding the same insights, it's explicitly illegal for it to be processed that way without a defined purpose (which is its own can of worms).
>entirely anonymous browsing data
It's never entirely anonymous, because how useful data is is inversely related to how anonymous it is.
Ergo, it would only be truly anonymous if it was truly useless.
It's still legal to ask your bookkeeper to go through the books and give you a list of your 10 best selling products broken down by season (given you have all the right paperwork in place with them etc. but no consent of the customers needed).
Well, it's not necessary to process any personal data in order to calculate that.
Can you ask your bookkeeper to tell you the top 3 best selling products for your top 5 customers without declaring that the purpose of the data transfer to the external bookkeeper is also to run sales analytics?
It is necessary to process personal information for that purpose. That's what the sales records are.
> top 5 customers
You probably have to declare that the data is processed for that purpose in general terms but I don't see why consent would be necessary. Anyway, this analytics service claims it doesn't do this kind of analysis.
Obviously it depends on the system involved, but there should be no need to touch any column containing personally identifying information in order to calculate aggregate sales statistics for each of your products.
Nope, the external company bookkeeper doesn't know which of the hundreds or thousands of transactions are done by me. He doesn't even know how often I bought something.
And even if he did, that knowledge is nothing compared to the millions of data points of services like Google Analytics.
If it were true as AdriaanvRossum said above that Simple Analytics data has "no identifiers" (taking that at face value for now) then that seems exactly analogous to those cash transactions someotherperson describes.
Simple Analytics absolutely does receive identifiers (namely IP addresses). They claim they do not store these addresses, but that depends entirely on trusting them and their closed source software.
This is very unlike the accounting firm, which never receives any identifying information for cash transactions and thus couldn't store it even if they wanted to.
I think you are wrong. What they receive is a set of purchases in a given period of time that allow them to make many important decisions (when people buy most, what purchases are more likely on a given date etc.) but there is no way of finding out my shopping habits.
No - the analysis is done on receipts, not just total products sold. They don't care what you bought, they care to know that people who buy diapers also buy wipes, and people who buy soy milk don't buy butter, etc. The analysis of anonymous receipts still yields very interesting and actionable results in aggregate. Your privacy has nothing to do with how a company analyzes its sales data as long as they don't include your identity and drill down into analyzing your receipt alone.
Yes, I understand that they see patterns and trends and a lot of valuable data: my point is that they have no way of tracking shopping habits of any individual purchaser unless they trick them into some loyalty program, coupons etc.
I think we agree. If the average search advertiser gave me the same benefits that some loyalty programs do, I'd feel a lot better about them. I.e. if I got points for the data I provided in my browsing habits that translated into actual dollars, I'd be game to let them have it. If I wanted to "not swipe my loyalty card for this purchase" to leave it out of my history, I'd appreciate the granular control.
The issue with all the tracking is that most consumers have no choice, no functional UI to interact with the tracking systems, and no clear idea of who they are ultimately transacting with.
With enough good data (so probably not in all sectors) you can also identify people out of the system.
Sure, it's technically possible. But if you would actually do that, you run afoul of the GDPR requirements for informed consent: retroactively identifying people in a dataset requires the same consent as targeted data hoovering, so if an individual has only consented to being included in anonymized statistics that practice is sure to get flagged down as unlawful.
Yes, that's definitely possible, but humans being human I doubt it can be 100% foolproof. If I go to the grocery store every Saturday at 11am and purchase a similar set of items, you can probably single me out and assign some UID to me. However, if I unexpectedly pop in Wednesday evening to just buy a bottle of wine, it would be difficult to assign the purchase to the same UID.
GDPR also applies to the real world. That store is definitely not allowed to share data about your shopping habits with some third party without your explicit consent. For example, government departments in Germany have to ask for your explicit permission beforehand if they need to request/share data with a different department.
This is in general not true and German government departments share data with different departments all the time without explicit consent of the affected citizen. This is also not a good example as there are additional legal restrictions for government departments which businesses don't need to obey.
If the sharing is not required by any law they have to ask. Sometimes they do. I'm sure there are cases where they share without either of the preconditions met.
GDPR is a standardisation of pre-existing national rules within the EU member states, at the time including the UK’s Data Protection Act. When I was at university, one of the examples of the scope of the Data Protection Act was a barbershop which kept hand-written (no computer involved) records of customers, and one customer used the DPA to demand to see their records and then to have those records destroyed.
GDPR has an exception for things that are necessary for the service the customer asked for. If you ordered something to be shipped to your home then the provider can share your address with the shipping company - that's required to fulfill their end of the deal. Sending your personal information to some 3rd party advertising company? Not so much.
If the seller can subcontract the delivery service, is there any reason they can't subcontract their accounts receivable?
I think the element you're missing is - of course this is OK, it happens all the time. What the comment you were responding to before wasn't making clear is that when it's done, there must be contractual provisions limiting the service provider's use of the data, so they can't use it for their own purposes.
You're within your rights to create and offer whatever kind of service you want. As an end-user, however, any data what-so-ever sent to a 3rd party without my knowledge or consent is too much. There is no such thing as "the right amount."
I'm OK with websites using self-hosted tools such as Matomo as long as the data never leaves their servers. Analytics is important to any business. But I choose to do business with said business, not with Shopify, not with Google, not with Facebook or Twitter (I'm looking at those "sign in with" widgets that run social media code in my browser) or whatever 3rd party "SaaS" service the website is outsourcing my data to for ease of development or convenience. I don't consent to my data being shared with people I don't know about and did not consent to give a single shred of my information to.
This seems very impractical given the way the internet currently works. Most startups use dozens of SaaS products, let alone more basic/foundational things like global CDNs. You're being logged at every step of the process if only to prevent spam/DDoS/etc.
What you're asking for would require a fundamental restructuring of the internet, and of software business models, and a lot of other stuff. I can't see that happening any time soon.
In the meantime you can try using Tor, but good luck not getting blocked on half the websites you want to visit - and you can't blame the website for that (they need DDoS/spam defence).
Not only the internet, this is impractical given how any business works. Even a brick and mortar store is sharing aggregate customer buying habits with its supplier based upon products it buys from them.
When I visit a website of some business, I provide them with an IP address for use during the session (because of the way TCP/IP works). I'm okay with said site using some kind of load-balancer, DDoS protection or what not, as long as the business takes full responsibility to keep my personal information private unless I specifically indicate otherwise (opt-in[1]), for example using a form on the landing page. I believe that this is the true intent of the GDPR in this matter.
No, it's not. Using Matomo on my own servers has nothing to do with the way GA etc. operates - it's an equivalent of going through my own Nginx logs and parsing them to generate diagrams and so on. Of course if I share personally identifiable data with a third party, it's a completely different thing - in this case it does not matter if it comes from Matomo or web server logs.
But I agree with your conclusion: what matters is how it's being used. In this case - whether you share/sell it to others or not.*
[*] But not only: it also matters if you take adequate care in protecting personally identifiable information or not.
In general, under the GDPR it doesn't matter much whether you process data yourself on your own server or contract that same task out to a third-party. Either that processing is legal or it isn't - ownership of the server doesn't play a role.
The problem with Google Analytics here is not that it's a third-party but that it's under US control.
> we want to load JS from a CDN like literally everyone does
Well, carry on and load it, it's your server.
Oh, wait, you mean you want ME to load it, into MY browser? That's a problem - my browser only loads JS from the origin server, and only if I give it explicit permission.
As a developer, I deplore the use of CDNs to serve javascript libraries; you don't know what the CDN is going to serve to your users, it could change without warning and break your site.
You’re just illustrating why this isn’t an issue requiring legislation - anyone can block requests to whatever origin they like. No need for heavy handed gov’t getting involved in technical matters.
So maybe the legislation should be that you have to pass an "internet operator" test to get a license that ensures you have the awareness and the skill. Because even if the current law protects you from GA, there are tons of other companies doing the same things that have no intention of stopping.
Better to protect the people from all the bad companies, not just the ones who do business in the EU, right?
Sounds like protecting the people by leaving it to them, and (somehow) restricting their internet access if they haven't passed a course in internet jiu-jitsu.
And no: the GDPR isn't just about GA, and it isn't just about the internet; it's about any personal information.
Ad-blockers and JS-blockers are essentially technical solutions; but you have to know to install them. If they were integrated into browsers (and defaulted to "on"), that would make privacy less of a technical matter.
Maybe because the two crimes here are (1) breaking and entering (you have to actually break something) and (2) theft. If the window isn't locked, then you don't have to break in; you can just open the window.
It's not against the law to just walk in; or rather, it's the civil offence of trespass - you can sue the trespasser for damages, e.g. causing wear on your expensive carpet (but you'd have to produce evidence of monetary damages). And you can physically remove them, perhaps with the help of a bailiff. But the police won't help with common trespass - it's not a crime.
[Edit] At least, that's how I understand the law here. IANAL.
> The internet is just not designed for privacy at a technical level.
The Internet is A-Ok.
The issue lies with various slimy companies that exploit web developers' ignorance, laziness and negligence with free and easy shortcuts in exchange for the private data of said developers' clients.
No one's forcing you to use CDNs in place of properly set up caching. No one's stuffing Google Fonts down your designer's throat, they are just too lazy to add local resources. An analytics service is not required and there are simple self-hosted options. And so on and so forth.
And the most infuriating part is that these companies, Google being the offender, know perfectly well that they are exploiting the ignorance and they are willingly facilitating and encouraging the spread of practices that would've been viewed as wildly unethical not 10-15 years ago.
Just look at the level of general erosion of privacy and nearly universal lack of concern for it in general population. If you reflect on it for a moment, it is plain fucking scary.
> I'm looking at those "sign in with" widgets that run social media code in my browser
Arguably, they provide code that can be run in your browser, but your browser chooses to run it. And since your browser is a user agent, you choose to run the code by way of installing and configuring a browser that makes that choice by default.
> I'm OK with websites using self-hosted tools such as Matomo as long as the data never leaves their servers.
You might never know that they backfeed data into external analytics services. Under this assumption, wouldn't you need to stop using _any_ website, at all?
It's not an "also" analytics service. It _is_ an analytics service.
If a website popped up a question saying "Do you consent to your visit data being passed to Simple Analytics for processing?", how many people would say Yes? Close to zero. Just look at the stats on 3rd party cookie refusals - when done easily, the refusal rates are in the high 90s. People may be lazy, but they sure as heck know they don't want to be tracked IF it's actually mentioned.
So what you offer is a GA alternative that makes website operators feel better about themselves for not using GA. The situation with the visitors remains exactly the same - they're still getting shafted with something that none of them wants.
The only way to do analytics in a way that's respectful to the visitors' privacy is with an installable on-host software. That's it.
> The only way to do analytics in a way that's respectful to the visitors' privacy is with an installable on-host software. That's it.
This is an argument taken to a naive extreme. You can't expect every business to also be in the business of analytics, it's not realistic. There's a reason companies have business partners who specialize in certain services.
It's why you have accountants, lawyers, marketers, etc.. Not every company can afford to have all these specialists on payroll, so you work with a service provider that lets you afford the services in a fractional way. You give them access to your data, including customer data sometimes, and in return they provide you with insights and information from that data.
Analytics is just another service provider like that.
You should of course work with a reliable and trusted partner that treats your customer data appropriately and has strong privacy guarantees.
The problem with GA is not "third party", it's "third party that uses my data for its own purposes" because that's the actual cost of using a free service.
Saying "no third parties at all" is not how businesses have operated since forever.
Privacy-respecting analytics should be self-hosted. No one's arguing against an average business using an analytics service, but that shouldn't be bundled with any "privacy" monikers.
If Simple Analytics were pitched as "not a Google Analytics", this would've been perfectly fine. But they insist on the privacy angle and it just demonstrates they don't grok what tracking concerns are about.
Oh no I get the context just fine. What you're missing is that "should be self-hosted" is outside the realm of the average business, and it's not realistic to put this as some arbitrary requirement to check the "privacy" box.
You're clearly a tech person so maybe it feels self-evident or easy for you to do that, just like taxes and law seem self-evident to accountants and lawyers, but the average business owner doesn't have time or money - or the skills - to figure all that out on their own, so they hire a service provider.
Do you think accountants and lawyers come to the business and work on their computers exclusively? No, they receive copies of the confidential business data and work on it within their own business environment.
And do you think accountants and lawyers don't include "privacy" in their pitch?
How is that different from analytics saying "we will keep any data you share with us private, and for your use only".
Based on your argument, as a business owner I should purchase and co-locate my own server, because even if I self-hosted my analytics, I'm storing that data on a third party server owned by my hosting provider!
Do accountants and lawyers routinely use or sell their customers' aggregated data for commercial purposes?
Does US law require accountants and lawyers to give the NSA access to their customers' data upon request, with an automatic gag order attached? If it did, would it still be OK for non-American companies to use a US-based accountant or lawyer?
> OP was claiming that any third-party analytics are unacceptable
Don't put words in my mouth. I was not claiming that.
Third-party analytics _that bill themselves "privacy-first"_ are still not what any user would consent to voluntarily, so the "privacy" angle is largely irrelevant. What they should be billing themselves as is "not Google Analytics", which will be factually correct and somewhat relevant.
>> OP was claiming that any third-party analytics are unacceptable
> Don't put words in my mouth. I was not claiming that.
You stated that only self-hosted analytics were acceptable. Your exact words were:
> The only way to do analytics in a way that's respectful to the visitors' privacy is with an installable on-host software. That's it.
This implies - to me - that in your view all third-party analytics are unacceptable from privacy perspective.
I'm not sure how else I was supposed to parse that statement?
Either way, I disagreed with that, and said it's certainly possible to work with third-party service providers, of many kinds including analytics, while still respecting your customers' privacy.
I think the big difference here is that this platform sells a product to website owners who want to see how their visitors generally behave on their site, e.g which pages are most popular. That is a legitimate need.
The difference with GA is that GA offers to fill this need of website owners for free while it actually processes and sells the visitors' data for immoral ends. The whole "the customer is the product" deal.
I don't understand why simply sending data from one server to another is seen as such a big deal, the problem with Google and Facebook and the rest is how they build extremely detailed personal profiles that they use to cause social harm. Surely that is very different from tracking which pages get the most views or how much time - on average - people spend on your website?
Did you read their docs? They aren’t setting cookies or collecting IP addresses. There’s no question to me that EU authorities would approve this method.
Visitors' IP addresses are provided to Simple Analytics in the course of loading their script and reporting back the results. That's all it took to get web sites using public Google Fonts resources in trouble—note that this didn't involve any actual analytics scripts or overt data collection, just some embedded CSS and font resources.
The only real advantage Simple Analytics has here is that they aren't Google, so they aren't as much of a political target and don't have deep pockets to attract legal predators on the lookout for an oversize payout—which is a pretty thin justification for treating them any differently.
The regional Google Fonts ruling was an odd one. It had to do with Google processing the IP address, not whether the website was loading from any external domain at all. It did appear to be based on the court's misunderstanding of an IP address contacting a server to be data processing, and perhaps we're going in that direction, and won't be able to use even an extremely privacy-focused CDN without a formal data processing agreement, but that is not currently the intent of GDPR.
The advantage of a service like Simple Analytics remains; it does not store or process any user data.
> The only way to do analytics in a way that's respectful to the visitors' privacy is with an installable on-host software. That's it.
How is that more respectful? I can fingerprint you pretty much the same with server logs (IP, user-agent, ...), can't I? I can even use cookies without any JS.
You may have a good/decent/important broad point in general, but it's somewhat off-topic here. EU privacy directives and legislation are not particularly concerned (yet) with banning the sharing of data with third-parties, the focus at the moment is purely on regulating that sharing of data and ensuring it's only being shared with compliant third parties via compliant means.
In this case, Google is non-compliant but the gp's service/tool does appear to be. I think you're underplaying the distinction here quite severely.
TL;DR this is about what's illegal, not what's "evil".
If you walk into a grocery store, and cameras record which aisle you walk down, which items you stop to look at and which things you buy, is that legal?
What if the cameras block out your face and all identifying features. Is that legal?
Do you own a blob of a person walking down an aisle? Does the grocery store?
> If you walk into a grocery store, and cameras record
In the EU, this would fall under the same data protection regulation as websites, and other local regulations regarding camera surveillance. In short, a store owner can't just secretly record customers.
If you walk into a shop and the cameras record what you do, then there has to be a mechanism in place to ensure that the data is only able to be used for the purpose it was collected for (that is, crime prevention and law enforcement), and that it is destroyed after a defined time-frame. That satisfies the GDPR, as you're collecting the data for a legitimate purpose (for which you don't need to seek consent) and preventing its use for any other purpose (which would need separate informed consent). The destruction time-limit also helps prevent its use for other purposes by reducing the opportunity for unauthorised access. You'd probably (IANAL) still have to have a "Smile, you're on camera" notice up though.
There's a HUGE important aspect that you're missing: The IP Address is NOT the only thing that makes this data into personal data.
Google Analytics generates a visitor ID by rolling a random number and storing it in a first-party cookie. This is how GA tells that two visits a week apart came from the same user. This value has been ruled to constitute Personal Data. This is a very big deal, and only a little bit surprising.
> The IP Address is NOT the only thing that makes this data into personal data.
Can you cite a reference for that? I fully believe that Google is using cookies for this, but that doesn't mean that the legal authority here isn't making the judgment on IP address alone. I believe a recent GDPR decision against Google Fonts was based on IP address alone. [0]
The Google Fonts case was decided based on the transmission of the full IP address in a jurisdiction (Germany) where there are ways to identify a user by means of that address. CNIL's press release follows a decision by the Austrian data protection authority where the Google Analytics cookies were at issue.
If you can read German, you can look at the Austrian decision directly; the complainant has uploaded it at [1], and the relevant section is D.2 b) starting at page 27.
> In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the associated data are transferred by Google to the United States.
This is an accurate description of GA's pseudonymous identifier. It is not accurate as a description of an IP address. And if CNIL meant the IP Address, they would have said so, as they did in other rulings.
> The Austrian Data Protection Authority (DSB) [3] ruled differently and waived most of the arguments raised by Google. The DSB ruled that even anonymized IP addresses are personal data.
Why are anonymised IP addresses still considered "Personal Data"?
Is it because Google is doing the anonymisation?
I believe the issue isn't specifically with anonymised IP addresses in GA. The problem is that the Google Analytics code is loaded from a third party server and, to do that, this server gets your IP address even if the data sent by the GA code itself contains an anonymised one.
I think it's personal data because you can track a visitor across multiple visits. Based on that identifier you can connect all the other data points from a visitor. I think that's not privacy-friendly at all.
I guess it depends what "anonymised IP address" means. If it's still possible to correlate data from visitors across different websites, they might as well log IP addresses directly.
The court disagreed on the basis that US federal law enforcement could force Google to stop anonymizing IP addresses at any moment, not that their IP anonymization[0] is inadequate.
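Added example, not code from the thread or from Google: a small Python model of the point made in the comments above. It masks the IP the way Google documents for its anonymization feature (IPv4 last octet and IPv6 last 80 bits zeroed, an assumption stated here), but keeps the random first-party cookie value, and shows that two visitors behind the same masked address remain distinguishable and that a returning visitor's hits a week apart are still joined into one profile. All addresses and hits are constructed.

```python
"""Why a masked IP plus a first-party client-ID cookie still yields
personal data. Masking rule assumed to mirror Google's documented
behaviour (IPv4: last octet zeroed; IPv6: last 80 bits zeroed).
Hits, addresses and the cookie jar below are constructed."""
import ipaddress
import secrets
from dataclasses import dataclass, field


def mask_ip(addr: str) -> str:
    """Apply GA-style IP masking before the address is stored."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48   # 128 - 80 = 48 bits kept
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


@dataclass
class Browser:
    """Constructed stand-in for a visitor's browser and its cookie jar."""
    ip: str
    cookies: dict = field(default_factory=dict)

    def client_id(self) -> str:
        # A random value is set once in a first-party cookie and reused on
        # later visits; that reuse is what links the visits together.
        if "_ga" not in self.cookies:
            self.cookies["_ga"] = secrets.token_hex(8)
        return self.cookies["_ga"]


def record_hit(browser: Browser, page: str, day: int) -> dict:
    """What the analytics backend stores for one page view."""
    return {"cid": browser.client_id(), "ip": mask_ip(browser.ip),
            "page": page, "day": day}


def link_visits(hits: list) -> dict:
    """Group stored hits by client id: the cross-visit profile at issue."""
    profiles = {}
    for h in hits:
        profiles.setdefault(h["cid"], []).append(h)
    return profiles


def demo() -> tuple:
    """Two visitors on the same /24, one returning a week later (constructed).
    Returns (distinct masked IPs, distinct profiles, largest profile size)."""
    alice = Browser("203.0.113.42")
    bob = Browser("203.0.113.77")
    hits = [record_hit(alice, "/pricing", 1), record_hit(bob, "/pricing", 1),
            record_hit(alice, "/signup", 8)]
    profiles = link_visits(hits)
    return (len({h["ip"] for h in hits}), len(profiles),
            max(len(p) for p in profiles.values()))
```

The masked address collapses both visitors to one value, yet the cookie still separates them and ties Alice's two visits together; the collection server additionally sees the unmasked address on the request itself, as the comment above notes.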
Point 1 isn't true. You've been able to send personal data (PII being the specific US legal term) to the US no problem - as long as you had "standard contractual clauses" (SCCs) as part of your contract with them stating that the company meets GDPR requirements. This is the same agreement to send data to any country outside the EU where there isn't a pre-existing agreement. I believe this ruling is saying that it's not possible for a US company to comply with the SCCs because US law doesn't allow them to do so.
The original ruling was nuanced, and this ruling is clarifying some gray area inside of it.
The ruling on Schrems II (the court case that struck down Privacy Shield) did not state that SCCs on their own would be sufficient. It said that SCCs + "additional safeguards" would be allowable. There have been several rulings already that SCCs on their own are not sufficient.
The "additional safeguards" must include a risk analysis of US access to EU residents' data. Every court case I've seen from Schrems II onward identifies the US CLOUD Act as the privacy risk to address. CNIL is basically ruling that you cannot transfer data to a US company subject to the CLOUD Act, and an SCC cannot deal with that. This still leaves open the possibility of using US services that are not subject to the CLOUD Act. This is consistent with all rulings to date.
Wait, wouldn't that imply that EU startups can't host their infra on GCP, AWS or Azure? I'm not even talking about analytics - just about simple user email required to login would be problematic now.
Pretty much, it really sounds like Schrems II + this ruling mean that US corporations can't be involved with EU at all besides via licensing software to a completely independent EU corporation (which isn't a given either, though, since the US company could threaten withholding software updates/revoking the software license to pressure the EU corporation to hand over EU citizen data to US Law Enforcement).
> 1. Since 2020, it's illegal to send PII (personally identifiable) data to the US because of the removal of the Privacy Shield Framework [2]
Minor nit - "PII" really isn't the right term to use, because it suggests the info itself must be personally identifiable to an individual. The GDPR covers much more than this, and uses the term "Personal Data".
If I’m not mistaken, isn’t Google now using Google Ireland Limited as the corporation that houses EU-incoming data, and thus they keep the EU data in datacenters owned by that shell company (and physically within the EU)?
I don't think this judgement is about Google Analytics (or any implicit sharing of EU citizen/resident data with Google) being inherently illegal, but rather the current functioning of the Google Analytics service being specifically non-compliant.
e.g. Google could make Google Analytics compliant (likely by, as you say, housing EU data in Ireland), but it seems that currently they are not.
Also, beyond the physical colocation of data, there are ancillary issues around data being readily accessible (either by internal engineers/agents or external authorities) from outside the EU to consider as well.
Doesn't matter one single bit, they are still a 100% subsidiary of Alphabet, which is legally bound to provide data at the request of US gov agencies.
Microsoft has seen this one - they have a subsidiary in the EU that holds the EU data. Yes, the US-based parent company is legally bound to provide the data at the request of the US gov agencies. However, the only way that they can get hold of that data is to ask the EU subsidiary nicely. The EU subsidiary is legally bound to not hand that data over.
I think it was set up beforehand. Also, I think nobody really wanted to go as far as setting any precedents, in case they ended up being precedents that they didn't want.
Is that really the only reason behind GA being 'banned'? If google broke off Ireland ltd into its own company and that company simply 'licensed' Google products for $1, would they be in the clear?
Unlikely. The EU courts would reasonably be expected to decide that, as Google Ireland is merely a sham corp for the purpose of operating a codebase that is wholly deferred to the same US control (just as before the sham corp), this is equivalent to the prior arrangement and still illegal.
What matters is the US CLOUD Act, because that's the thing that lets US Intelligence have access to data stored in EU servers. If a legal arrangement is covered by the CLOUD Act, it's a GDPR violation.
IANAL but I don't believe this commenter is correct. If they were, this would essentially prohibit any non-EU company from doing any online business with anyone within the EU.
I suspect the issue is rather that Google Ireland are not in fact exclusively housing EU data within Ireland (or the EU in general).
[1] https://blog.simpleanalytics.com/will-google-analytics-be-ba...
[2] https://iapp.org/news/a/the-schrems-ii-decision-eu-us-data-t...
[3] https://www.data-protection-authority.gv.at/
[4] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/interne... (in Dutch)
[5] https://simpleanalytics.com/
EDIT: changed "PII (personally identifiable)" to "Personal Data"