It will take forever to build up a similar ecosystem in Europe and I think most successful European entrepreneurs will just end up starting companies in the US instead.
There must be some reasonable middle ground before we fragment and destroy the entire Internet. Why not start by making a general exception for temporary storage of less sensitive data like IP-addresses for efficiently and cost effectively delivering a web service.
If there is one thing they could start looking in to it would be handling of personal information by governmental organisations. I work a little bit with a few municipalities, and the number of documents with deeply personal information that are just emailed around over unencrypted email is shocking.
We're not fragmenting the internet by looking after our own interests. This wouldn't be an issue if Americans viewed rights (and in this case privacy rights) as belonging to human being as opposed to Americans citizens. The US's policy is what led to this:
> Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information
Maybe an unpopular opinion, but imho AWS, GCP and Azure are popular with startups because of their generous free credits, not because they are good tools for startups. As a startup you are typically better served by a DigitalOcean-level of complexity, and there are plenty of such offers in the EU (Hetzner Cloud, Gridscale, OVH, etc)
For Mailchimp you have plenty of competition, some of it in the EU (SendInBlue and Mailjet come to mind).
For payment processing there are also plenty of offers, Adyen is probably the biggest European alternative but there are countless smaller ones.
Microsoft Office 365 can be replaced by (shocker) Microsoft Office (the offline version). But most of your documents probably don't even contain PII and would be fine in Office 365 or Google Workplace. The exception is obviously email, but the market is flooded with E-Mail services from any country you like (and your preferred Hoster probably offers an email package too).
So I'm not really sure what part of the ecosystem we are missing here? European companies often have the smaller advertising budget and mindshare, but it isn't like they don't exist.
I would call fragmenting these things rebuilding the internet. Not sure how consolidating everyone on a few Mailchimp type services is in anyone's interest.
Could this not also be said about US regulations such as CLOUD act, Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333.
I don't think it's accurate to solely blame the EU when this is in response to legislation that gives/gave the US access to all types of personal data on European citizens.
I would argue that the Americans getting better privacy protections and working with other countries instead of forcing American companies to behave illegally abroad would be a much better solution than the Europeans watering down their privacy laws.
American companies will set up independent shell companies or subsidiaries to serve European customers anyway. Microsoft and Amazon are never going to voluntary leave a market of 400M customers. Doing so would leave too much room for a competitor to grow and then threaten them. So if fragmenting the web means that Europeans get the same services as Americans, but with better privacy, then I am all for it.
Europeans are to blame for the flaws in the GDPR, not for doing their thing without the blessing of the Americans.
I’m Danish and as we’re a notorious Microsoft country I have the most experience with everything Azure, but the fact that Amazon was so quick to ensure that 100% of the workers who ever come near the services they sell within the EU are EU citizens is something that we still looks somewhat envious toward. It’s actually an area where Microsoft might eventually run into some trouble if they don’t work on their compliance but I can certainly understand how it’s hard when one of their key selling points to Enterprise is that we can call Redmund.
I don’t think the EU will get into much trouble over this, however, and I don’t think it will have too much of an impact on our tech industry. I do agree that it’s not likely to help European alternatives to Microsoft or Amazon, but that’s not exactly the point or the legalisation is it? It’s there to prevent EU citizens and our personal information from becoming the primary commodity that is sold between giant companies.
Advertisement companies like Google will no doubt struggle with this going forward, but is that really a loss for anyone?
Building satisfactory alternatives to Office, Workspaces etc. isn't a monumental task by any stretch. With the sudden demand that you predict, they'll spring up like weeds.
This might be ham-fisted and crude, but in the end I see a lot of positives.
Elsewhere "fragmentation" is called diversity and competition. It's sad that it has to come about due to regulation, but it's a good outcome nonetheless.
The familiarity and precedence of current offerings becomes a kind of Stockholm syndrome for people. More options mean more chance of valuable improvements, and geographical diversity means different mentalities and points of view, instead of more "me too" options.
I'm so looking forward to that.
We can create a middle ground. When ever information about a EU citizen that get transferred to the US, a similar information about a US citizen get transferred to the EU as hostage in case there is a data violation. A list of IP-addresses accessing usa.gov in return for a list of IP-addresses that accessed europa.eu. Surely a deal can be made that give both sides equal power.
Privacy abuse on such a massive scale, never before seen in human history, requires action.
And it does not matter how normalised this has become for the people in the valley of the clueless.
Popular video conferencing solutions weren't allowed due to privacy issues. The official "Lernraum" platform that have been used for this did not work most of the time.
I understand where these laws come from, but it's sad that there often is no European alternative
The EU can build it itself when the US player are not able to not send data to their US data centres.
I think you are overestimating the problem. Before Facebook decided that it wanted the European market we had hundreds of similar services. We will have local replacements the moment these US companies with their near unlimited war chests finally fuck off and give European companies room to breathe again.
That's not exactly a great argument here, given that this French court has objectively made the right legal decision here in terms of EU privacy law, and the rights of their citizens.
Will this enable them to comply with the requirements?
For quite a lot of business data, the "do not export data out of region" thing is nothing new. Which is why it is not actually unusual to be able to select where the servers are located.
That being said, if this made Microsoft Teams impossible to use, it would made a lot of us happy. That thing is crap.
It is also silly to tolerate techs incessant fuckery.
If these companies end up banned in Europe, that's not really a problem from Europe's PoV. Europe may end up deciding that US companies not coming is a problem in itself, but that is already the case imo.
Honestly, if this policy is actually enforced, it's very hard to imagine how the landscape would shift. Maybe Europe would be brought to its heels, and be forced to remove the law. On the other hand, maybe the US would be forced to renounce their cloud act, which is a large part of Europe's privacy issues with US companies. A third path could be companies reverse-incorporating in some place that would let them keep in business.
It's a bit hard to predict honestly.
These regulations are the only way to dismantle US big tech monopolies. The US government won't do anything about it on its own accord because it's too profitable. Other countries need to neuter the influence of US big tech first. Then the US can police their own better to encourage intl competition if they want to.
The EU combined is the largest economic region in the world. With backdrop the other huge one China where doing business has become increasingly difficult and volatile.
Tech giants cannot afford to pull out of the EU. Call their bluff, they won't. They can't even if they wanted to, as shareholders will skin them alive.
[1] https://blogs.microsoft.com/eupolicy/2021/12/16/eu-data-boun...
It is crazy to me so few realize it is really not much, if at all, harder to run a business without involving US surveillance capitalism corporations.
Tools like Nextcloud, Matrix, Jitsi, have turn-key SaaS providers or you can self-host them easily as well. Same for many many analytics solutions.
I honestly think every company would be better off having more sovereignty in their tech stacks and data, and it is much better for consumers who may not realize they are -also- sharing their data with third parties like Google who use it sell targeted behavior changes to the highest bidder.
PaaS and IaaS providers all have a presence in the EU or is that still not good enough to pass the regulation that's in place?
SaaS I get it, they'd have to create a presence in the EU but I don't think that's a bad thing. They will, at least the big ones you mentioned. And if that's a problem for smaller SaaS providers then the market will have a solution for that emerge over time.
Wait until you see the result of the green revolution: you'll pay your energy 3 times more than now.
We'll need decades to recover (if we recover) from this ideological move from people that lives in la la land and have no idea of the consequences of their acts.
It already has started with natural gas prices skyrocketing. The Russians are holding us by the balls and our politicians are spitting at their faces...
I wish!
I still don't think laws against specific software is helpful though.
And then they will not be able to serve the european market, nor profit off the european economy. Good luck competing with each other for that US market.
And even then it seems risky the EU will deem the business model entirely in violation of privacy laws. It's very chilling
When the EU finally completes their utopian/dystopian ideas of privacy from foreign Internet services, the great firewall of Europe, perhaps then EU regulators will look inward and do the same things?
But for now it all has the appearance of disfavoring International Internet services, as if to encourage regional tech companies to advance.
Which seems reasonable, Europe seems to have lost most of it's Tech companies, and that's a problem that needs to be fixed. It's just weird to go about the problem by claiming International companies are in violation.
This is what you are wrong about. It would be true if you were from a small country like Sri Lanka or similar but for EU many European companies will smell an opportunity to fill the void.
I support their work to protect the privacy of EU citizens. But I'm also aware that their goal is to replace Microsoft, Google, Facebook etc. with state-owned European enterprises.
European state enterprises can be surprisingly efficient. However keep the Germans out of it. German government IT is still in the Middle Ages. Let countries like Denmark and Estonia build the future of European IT.
With these various data locality regulations, i wonder if a standard operating approach could be to split tech companies into 3 legal entities, a technology licensing company, a US registered operations company and a Europe registered operations company and hand the shares in all three companies to the current shareholders. This would insulate the Europe entity.
In fact this is how most of the companies operate already to cheat on taxes.
The way microsoft did it for a while here in Norway was to license azure cloud stuff to a sub operator (EVRY) that is completely insulated except for the licensing agreement.
As it stands, the US part can be owned by a EU company. Or, probably more realistically, both EU and US parts could be owned by a mail box in the Caimans.
Is this true for ownership by individuals too?
If I, an American citizen & resident, owned and operated a company registered to a European nation to serve my European customers (with European hosting), does that make me compliant? Does an American solo founder have a path to compliance at all, or would I be required to collaborate with a completely separate workforce that has no ties to America?
[1]: https://nextcloud.com/blog/microsoft-and-telekom-no-longer-o...
E.g. Amazon already bills me through some Norwegian entity of some kind, to get VAT done right etc.
If they had servers in Norway, I suppose it would have been possible to proxy everything - not just billing - in AWS Norway through this sub operator?
Yes, this is what will happen with a setup of 3 entities, b/c FANG will not want to miss EU revenue.
And let's be explicit here: The entire purpose of the CLOUD Act is to bypass EU data protection laws. The incident that led to the creation of this law is that Microsoft didn't hand data over to the FBI because the data was on a server in Ireland. This isn't an unintended consequence, this is what the law is supposed to do.
If you make it a EU based public company and give control to your own shareholders, it's no longer a subsidiary and your shareholders are holding shares in a European company.
If someone is running a global web site and wants analytics, which of the 2 entities, or both, would he reference in HTML? Even if we're going to region-lock Europe to the European Analytics servers, analytics today often involves some computation done over the entire data set, including both US and the EU, done on the backend. Which backend would that be?
The privacy aspect has become something of a "think of the children" reason for a sort of "Internet xenophobia", as well as creating huge barriers to entry for small companies which cannot comply.
It's easy to do things online as a company of any size, post-GDPR: Don't scrape user data. Done - no compliance required, because the law is not about you in that case.
They gain big benefits by having a single pool of datacenters able to serve users from anywhere in the world. If they needed to guarantee that an EU user would always be served with a machine in the EU, I can imagine it would add at least 20% to their operating costs.
They'd need more equipment both inside and outside the EU to handle failover, maintanance, etc. They'd also have more complexity slowing development down (they can no longer have small services 'mastered' in just one region). And there is substantial extra complexity in application design (what when a tweet from an EU user is retweeted by a US user, but then replied to by an EU user. Where will the text of the tweet be stored? How will deletion be handled?).
For example, will HN have to have seperate databases for "comments by EU users" and "comments by US users"? And will they need a process to migrate your account from one to the other?
"It would be so easy if companies could just pay their taxes in one country. Think of how much they could scale their finance department."
The same applies for start ups : "book keeping is such a hassle for start ups, why impose that on them? All these financial regulations are really anti business".
Why is everybody working on the assumption that all this data has to sit in the US?
Keep it in a country with the strict-est possible privacy laws, say Switzerland, and noone would complain.
Yes but they are even more reluctant to lose all EU revenue.
This other post has more comments: https://news.ycombinator.com/item?id=30284820
I love that the plaintiff in this case is the "NOYB Association", as in None Of Your Fucking Business, Google.
The organisation has been involved in nearly all of the last privacy related rulings in the EU and is a real blessing for consumer rights.
0: https://meta.wikimedia.org/wiki/Data_retention_guidelines
The user's browser makes a request to a US server, including the user's IP address.
I legit do not understand how to make French people happy with these laws.
The regulations don't ban collecting IPs (nor any PII). They just regulate it to the point that it must be deemed necessary according to certain criteria. I would imagine linking an image may be fine in 95% of cases, but what it would mainly depend on is the logging practices of the image hosting company. Their business would be bound by EU regulation if they are choosing to sell service to an EU-based website, and it's likely that image host that would be liable for compliance.
It's worth adding quite a lot of the regulation here is tied to company size, revenue and scale of data sharing in general, so if you are for example a small business/non-profit you're very likely to be fine either way.
From the article: > "It's interesting to see that the different European Data Protection Authorities all come to the same conclusion: the use of Google Analytics is illegal. There is a European task force and we assume that this action is coordinated and other authorities will decide similarily."
I am really looking forward to seeing how this will play out in the rest of the EU, and which practical consequences it will have.
And, as usual, fellow EU citizens, support NOYB work, if you care about data protection: https://noyb.eu/en/support-us
I mean CNIL does not exactly have a reputation of helping/protecting users... they more have a reputation of being a watchdog who sees no problem with government surveillance programs and does not react when you send them reports of illegal activities surrounding personal data. For their defense, their budgets and prerogatives have been cut so many times they probably couldn't investigate/fine anyone if they wanted to.
We have a very different view of the CNIL.
Every time I hear about them, they're either giving GDPR fines or signalling illegal government activity, eg: https://www.vie-publique.fr/en-bref/278140-drones-de-surveil...
They don't have political power in itself, but they do use what power they have enthusiastically.
Yes, now think about all the times we don't hear from/about them. It seems that they are doing more as time goes, but they have done little to stop dragnet surveillance, racial/religious/political profiling by the authorities, the deployment of CCTV all across France, (il)legal ⁽⁰⁾ obligations for ISPs to track their users, school restaurants requiring fingerprints to get a meal (yes that's a thing), public services using Google Analytics / Zoom / Microsoft / Doctolib, stingrays operated by police for political repression, and the list goes on and on...
In "digital freedom" (LQDN, FFDN, April, Framasoft, etc) the CNIL is (or at least used to be) rightly regarded as a joke when it comes to human/user freedom, despite having very noble goals. The fact that the press only talks about them when they're doing their job doesn't change that they've clearly failed their mission to protect civil rights in the computer era, despite very good and reasonable legal guidelines dating from 1978.
⁽⁰⁾ French data retention laws are illegal by european standards.
IIRC, They got massive funding with GDPR
Quite the contrary, those associations have to survive on 'donations', and probably not very high salaries for their staff.
Can we cut through the clickbait and see what's wrong here. If my website askes users for their permission to use GA and they click yes then is that still illegal here? I see this as yes it's still illegal.
Also is it illegal because there is an anonymised id number created when you send data. If that's the case then it's not just GA that's a problem but any tracking system i.e. Plausable.
Furthermore given that a randomised unique id is personal data then there would appear no way to use any websites analytics on any website as you have to store this in a DB which will require a unique id per row by design.
What about other data for example a webserver log will contain similar data is that not allowed? If it's not allowed how can I ensure my site is protected as I need those logs to identify and ban hackers.
Yes, because you're still passing personal data to the USA, which means US intelligence services can access it.
If this doesn't cut the internet in two, I don't get where the line goes.
So if I hosted my servers in any of the AWS US regions that too would be illegal if they have any personal data in them. In this case personal data is a randomised unique id. So say I have a table of users and all I have is a username and a password and a unique id for the record that's personal data and the customer is not allowed to give their permission for me to store that in a US data center ?
This is incompatible with your data being kept by a US business in the US, which is not subject to that law.
Server logs are allowed as "technically necessary" as long as you show "good will" (I'd call it that way) in keeping the saved data to a minimum. 14 days of log keeping? Fine, that's cool for technical reasons. 14 weeks of log keeping? That's excessive and could get you in trouble.
You can also collect that identifier if 1) you have a legitimate reasons to do so and 2) don't share it with third parties.
If you've sought the visitors consent then yes it's legal
From what I can tell: If you ask your users for permisssion ("informed consent"), then no, it is not illegal. The way I understood the court case in Austria, the disputed point was whether or not the use of GA falls under the GDPR. If it does fall under it, then you are obliged to ask your users for consent ("opt-in"). If it does not, you can use it freely without consent.
Because analytics data isn't worth that much if you collect only part of the data, most collectors of data do not want to ask users for their consent, because most users would reject this.
But IANAL. In any case, please stop using Google Analytics, and self-host your analytics using Matomo, Plausible, or something similar. Matomo can also be configured to use server-side analytics, in which case your analytics become both less invasive (no client-side JS needed) and more complete (can't be blocked by ad-blockers).
I've heard that if you do a non-modal cookie banner, 75% of people just ignore it rather than go into it to deny cookies. About 12% (half of remaining) click accept all cookies. The rest close it again without taking action if they can.
I realize there are folks who go into things and customize everything on every website - most users I think don't care enough.
What's funny -> your ISP might be selling your browsing history. Your TV is selling your watching history and no one cares. But cookie pop-ups everywhere is all these privacy idiots can think about. It's performative privacy, that annoys the heck out of a lot of users and wastes a ton of time.
The basis of regulations is that citizens are too stupid to consent to things even if they are fully informed. Whether that is a good or bad approach is up for debate.
* Is there a list of these "things" if not how is anyone to know?
* Who is policing this ?
* How do you get advice in your own language (not French google translate does a terrible job at translating lawyer speak)?
* What are the consequences if you don't comply ?
A French website can not use any American service, right?
Because any American services "are not sufficient to exclude the accessibility of this data for US intelligence services".
For instance, any service that handles health data absolutely cannot have the data be accessible in a way, shape or form by american-owned entities, for any reason.
It's not hard to imagine that, as time goes on, these same limitations will be expanded to other types of decreasingly sensitive data.
And honestly, that's perfectly reasonable. The US government gives itself the right to systematically spy on everything going through US cloud companies. Precedent has shown it can and will use that data against the interests of its supposed allies, even for industrial espionage.
If the US says "every US company must give over european data to the government", then at some point europeans have to say "US companies can't have european data".
That is irrespective of any legislation or court rulings, it's just common sense.
So unfortunately just moving hardware locations may be insufficient, even forming a new entity won't suffice.
In my humble opinion we are witnessing the nationalization of the Internet, in the name of good intent, but eventually the risk vs reward calculation of doing business across the Atlantic (for either side) will tilt in the direction of avoiding the risk.
Although it could be argued that "good, laws are made for people not for businesses" I'd counter that a great deal of the free information published by US companies and non-profits will become unavailable in the EEA.
I'm hopeful that the DPAs and courts in Europe will decide to balance these concerns.
FWIW: I run one of the more popular data privacy platforms, Osano, so this is an area we track very closely and which is near and dear to my heart. I built Osano as a Public Benefit (and certifeid B-Corp) to try and prevent the nationalization of the Internet by giving businesses an easy way to respect the rights of their customers & visitors.
We aren't in this mess because the EU somehow wants to nationalize the internet, we are because with current legislation, US companies can be forced to hand over whatever data they posess, no matter where it's stored.
Not a lawyer, but my current understanding of the current events is more or less the EU saying "if it's subject to the CLOUD act, it violates the GDPR". That's a pretty clear indication of what's wrong.
I've already offloaded Google Fonts due to the German ruling. I'm happy to self-host piwik if needed, but could that fall foul of regulators?
We even disabled the cookie based tracking inside Matomo at the cost of not linking different visit sessions. Same session visits are fully tracked though. Saves us a cookie warning.
They're a US company, so you can't use their cloud service, but it's designed to be self-hosted and they have a list of EU cloud providers so you can do 100% EU-based self-hosting if you want: https://posthog.com/docs/self-host/deploy/hosting-in-eu
Based on an open issue[0], it's suggested to run a server with 32GB+ of memory to handle hosting Clickhouse but that would mean self hosting Plausible would end up being $160 / month on DigitalOcean which would make it 10x more expensive than hosting my custom app that I want to see analytics for.
I know you can use less memory but it sounds like using less can result in an unpredictable environment where everything can stop working at any given moment depending on what Clickhouse wants to do. This happened to someone who replied in that issue. Their production set up stopped working because it ran out of memory.
Someone else wrote about it using close to 8GB of disk space to track ~8k page views at https://cyberhost.uk/plausible-3-month-review/. That was only written back in March 2021 too. They said they are going to look for an alternative solution because the the storage costs are too high.
1: https://matomo.org/faq/new-to-piwik/how-do-i-use-matomo-anal...
(I wonder why they need to collect analytics information for this page at all.)
People don't have to opt in for you to keep the data for technical reasons, for instance if you keep IP addresses for while to find and block abuse, but you can't keep data longer than strictly necessary and can't use the data for other purposes than you declared beforehand.
Write down your policies and put them in an (again, easy to read, understand and find) privacy statement and you should be pretty much GDPR-proof.
I track page view counts as simple sums, and it's not feasible to drop an individual user's page counts because I don't have enough info to identify a unique user. In fact, I put no cookies on the user's machine (but that means I have no way to identify a specific user for opt-out purposes for these aggregated page counts).
It doesn't have the goal conversion metrics and other advanced features of GA, so obviously not a drop-in replacement for all use cases.
No privacy issues to worry about using trackers.
It is not really a replacement for GA though, it collects much less data. We've decided it is enough for us.
[0] - https://umami.is/
Is the EU going to drag them all into court?
This is like saying you never jay walk because you want to avoid the legal hot water. The water isn’t even lukewarm!
Why would they need to? Just hand out fines, like you do with traffic tickets, no courts required.
I'm now wondering if I can scale this for profit.
Not the EU itself... but your competitors, who can not just complain at your respective data protection agency but also file for c&d letters, court injunction orders or penalties.
Well... if you self-host Piwik or Matomo, you're relatively safe and you can avoid a lot of the bureaucracy bullshit that you'd have with external services.
However, check with a lawyer before setting it up, and definitely get user consent for detailed tracking. There are basically two camps of thought how much is allowed without explicit user consent: the more strict camp (which I belong to) believes that it is illegal to even use technically required data (like IP address, browser agent, date/time of visit, URL/query parameters) for analytics of any kind. The other camp is more relaxed and believes that it is OK to conduct basic analytics on that data (justified as "legitimate interest" of the site operator to provide a good experience to the user), but don't set anything like cookies or localStorage that could allow detailed tracking.
It is not yet clear by a supreme court decision which school of thought is going to win out - personally, I follow the requirement of data minimization per Art. 5 Nr. 1 lit c) EU-GDPR. Data that you do not have cannot be stolen, seized, abused or used as justification for fines, after all.
If the web-page's javascript ONLY stores and processes data stored in the client's localStorage to generate the local page, and sends nothing back to the server, so the web-site operator never sees that data, then is the web-site operator processing that data, or is it only the user-agent's operator ?
The web-site operator certainly wouldn't be a "data controller" since it isn't collecting or storing the data. And it's hard to see how the web-site operator would be a "data processor" in that circumstance.
From my experience, there are several thousands of people/companies using UXWizz and so far no one has requested this feature yet.
But now that you mentioned, it seems like a pretty useful feature, especially if you can see top performing pages/articles.
I think one reason why people don't care about the specific analytics for a page is that they usually write pages/articles for SEO purposes. To see how well a page is performing SEO-wise, you usually go to Google Search Console (or Bing Webmasters) and see search terms/click-through-rates for that page.
Also, time spent on a specific page is not that useful, typically you want to see: if people are buying stuff, where do people that buy stuff come from and what page do they land on.
To give a concrete example, a such query would be, which would show all pages and the average time-on-page, ordered descending by time:
SELECT MIN(page), AVG(TIME_TO_SEC(timediff(last_activity, date))) as avg_time
FROM ust_clientpage
GROUP by page_hash
ORDER BY avg_time DESC;1. Since 2020, it's illegal to send personal data to the US because of the invalidation of the Privacy Shield [2]
2. Google said it was okay in the EU to use anonymized IP addresses
3. The Austrian Data Protection Authority (DSB) [3] ruled differently and waived most of the arguments raised by Google. The DSB ruled that even anonymized IP addresses are personal data.
4. The Data Protection Authority of The Netherlands followed by implying that the use of Google Analytics might be banned in the future [4]
5. Now, the Data Protection Authority of France (CNIL) followed
This is a sound decision, but not a new one. It's a confirmation of what has been ruled in July 2020, but now it seems to have more impact.
PS: I'm the founder of Simple Analytics [5] - the privacy-first analytics tool that, unlike other privacy tools, does not use any identifiers.
[1] https://blog.simpleanalytics.com/will-google-analytics-be-ba...
[2] https://iapp.org/news/a/the-schrems-ii-decision-eu-us-data-t...
[3] https://www.data-protection-authority.gv.at/
[4] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/interne... (in Dutch)
[5] https://simpleanalytics.com/
EDIT: changed "PII (personally identifiable)" to "Personal Data"
Don't be coy. Call it what it is - an analytics service.
And as such it falls largerly in the same bucket as GA, because if someone's using Simple Analytics, my surfing data - against my wishes - is being shared with some random third party. Whether it's less, more or comparably evil as GA is secondary.
It's disingenuous to have problems with websites collecting entirely anonymous browsing data -- that goes beyond any arguments for privacy and just steers into "yelling at clouds" territory.
There is a big difference between "a person's surfing data" or "surfing data of all visitors combined". That's what we promise with Simple Analytics.
[1] https://blog.simpleanalytics.com/why-simple-analytics-is-a-g...
In this case, Google is non-compliant but the gp's service/tool does appear to be. I think you're underplaying the distinction here quite severely.
TL;DR this is about what's illegal, not what's "evil".
Matomo is the privacy-friendly analytics tool that comes to my mind anyway.
(I have nothing to do with Matomo other than I used PhpMyVisites a few years ago. It had time to change its name twice since then)
If you walk into a grocery store, and cameras record which aisle you walk down, which items you stop to look at and which things you buy. Is that legal?
What if the cameras block out your face and all identifying features. Is that legal?
Do you own a blob of a person walking down an aisle? Does the grocery store?
Google Analytics generates a visitor ID by rolling a random number and storing it in a first-party cookie. This is how GA tells that two visits a week apart came from the same user. This value has been ruled to constitute Personal Data. This is a very big deal, and only a little bit surprising.
Can you cite a reference for that? I fully believe that Google is using cookies for this, but that doesn't mean that the legal authority here isn't making the judgment on IP address alone. I believe a recent GDPR decision against Google Fonts was based on IP address alone. [0]
This sounds like some great politicized naming. Removal of the "Privacy Shield" seems to be increasing privacy in this case.
Peace mission.
Why are anonymised IP addresses still considered "Personal Data"? Is it because Google is doing the anonymisation?
The ruling on Schrems II (the court case that struck down Privacy Shield) did not state that SCCs on their own would be sufficient. It said that SCCs + "additional safeguards" would be allowable. There have been several rulings already that SCCs on their own are not sufficient.
The "additional safeguards" must include a risk analysis of US access to EU residents' data. Every court case I've seen from Schrems II onward identifies the US CLOUD Act as the privacy risk to address. CNIL is basically ruling that you cannot transfer data to a US company subject to the CLOUD Act, and an SCC cannot deal with that. This still leaves open the possibility of using US services that are not subject to the CLOUD Act. This is consistent with all rulings to date.
Minor nit - "PII" really isn't the right term to use, because it suggests the info itself must be personally identifiable to an individual. The GDPR covers much more than this, and uses the term "Personal Data".
e.g. Google could make Google Analytics compliant (likely by, as you say, housing EU data in Ireland), but it seems that currently they are not.
Also, beyond the physical colocation of data, there are ancillary issues around data being readily accessible (either by internal engineers/agents or external authorities) from outside the EU to consider as well.
https://support.google.com/analytics/answer/2763052
I don't understand how this can be construed as tracking users.
I'm not exactly sure what the right way to go about it is (obviously we shouldn't and cannot force every company online to publish whatever anyone wants to say), but fact is that right now you are at the mercy of private companies if you want to communicate online, and restricting freedom of speech to the proverbial "free speech zone" where discussion isn't actually happening is not a healthy state of affairs.
I'd probably at least advocate for something like net neutrality.. ISPs and hosting providers should not work as censors and arbiters of good taste. They should be more like utilities; as long as you're not doing anything illegal, what you do or say is none of their business. Unfortunately this isn't a solution for the common person whose communications are limited to platforms like facebook and twitter.
My Fourth Amendment rights could absolutely be violated by a private website, as they could hand my potentially incriminating private data over to the US authorities, without a warrant and without my consent, and there's literally no opt-out or recourse for me if that data is then used against me by the government.
If you’re not a corporation or a professional who has an office address, you’ll have to supply your own personal data. Visible to anyone on the internet.
Huge opportunities for French tech entrepreneurs.
Huge opportunities for immigrant tech entrepreneurs to France.
Gets the ball rolling for other countries to implement this. And more advanced regulations.
Finally, once US big tech intl influence is on a steep decline, maybe, just maybe, Google will be policed by the US government.
Switching to another solution for analytics might be ok, but losing the ability to automatically optimize ads based on conversion data is a big pain.
Targeted ads pay loads more than untargeted, and you're essentially saying all those companies paying more are in the wrong. Some campaigns even manage 10-25% click through conversions, when well enough targeted.
It’s almost like a more subtle version of china or russia’s firewall
Within EU government and diplomatic circles, there's actually a term for this: the "Brussels Effect". People who use the term "Brussels Effect" believe that by imposing aggressive rules first, the EU software industry will have a first-mover advantage and a kind of partial "firewall" against some foreign competitors.
In my experience, the potential downsides of the "Brussels Effect" are rarely considered by these people (e.g., reduced competition within the EU, leading to increased costs for other businesses; overseas web service providers being forced to block EU customers, leading to reduced availability of services, etc.).
Another area where you see the same "Brussels Effect" in EU policy/legislative circles are recent moves towards rather aggressvie regulation of "artificial intelligence". Not just the recent proposal that was tabled, but also the CAHAI work towards a binding international instrument.
Users on the web love / demand free and aren't willing to pay for a lot of this stuff...
Also what are the implications of cross eu-us chat apps where a person’s name is visible? Doesnt it mean that when a recipient in the us sees the name, the eu person’s data has been transferred to the us?
Apologies if this comment is ignorant, i am not well versed in the topic, but to me it sounds like this is quite an issue for us-eu chat and email apps.
Consent is always a valid legal basis for the processing, or transfer, of data. But it has to be freely given, specific, informed and unambiguous.
Each jurisdiction is going to be slightly different, depending on what the law regarding data protection is like in each place.
Russia hasn't been deemed adequate by the Commission under the GDPR, but it is a member of the Council of Europe (and is thus bound by the ECHR) and it has ratified Convention 108 (and has signed, but not ratified, the modernised Convention 108).
Of course Russia is a deeply authoritarian regime which has no problem violating human rights and international treaties at will so...
If your needs exceed the data analyzed by it then you should consider rethinking your "analytics model".
I don't have analytics yet on my site (it's a very recent side project). I didn't want to go the Google route because ethics, now I don't even have the choice (I'm French).
I looked at the self-hosted options but it seems overly complicated (I'm afraid installing them on my VPS will kill perfs), so now I'm considering just writing a script to parse Apache's logs.
It takes a few minutes to complete and you can start tracking visits in a privacy friendly manner quickly.
https://developers.google.com/analytics/devguides/collection...
Big tech companies don't park servers in the EU. Is it THAT difficult? Of course it is not, and they just don't want to do it.
On the other hand, big tech companies are happy to park their IP in Ireland (a EU country) in a phony company, simply to avoid paying taxes.
What's the logic?
The issue isn't where the servers are. The issue is what parties can compell them to hand over information. As far as I've read on it at least. And if there is US ownership you have US courts that can demand information they aren't legally allowed to hand over according to EU law.
We entered the market recently with Wide Angle Analytics https://wideangle.co. But there is plenty alternatives. Depending on your needs.
Some focus on visuals, we focus on filters and soon attribution. There is more on the list: https://european-alternatives.eu/category/web-analytics-serv...
Competition is a healthy thing. You DON'T HAVE TO use Google Analytics :)
And if you wonder, yes, the fines are real. Enforcement of GDPR is picking up the pace: https://wideangle.co/blog/you-might-be-facing-gdpr-fine
You mention you store anonymised IP's "Unlike some other vendors, our anonymization process is not reversible.", what is the methodology here?
Now if they could only declare GMail to be another kind of a racket we would really get somewhere :-)
Send you ad traffic to a unique form per campaign so you know what campaign is generating leads.
This isn't rocket science.
Also, Google Adwords counts conversions for visits for 30 days. Which means on the 1st visit from the ad campaign, there can be no immediate conversion (and that's OK). But if the same person returns to the website (not from the ad) and downloads/signs up that would be counted as conversion attributed to the ad.
It also happens that the CNIL is notoriously more and more lenient on a lot of things.
[1] https://news.google.com/search?q=Cnil&hl=fr&gl=FR&ceid=FR%3A...
Yes I'm a bit pessimistic about this. Let's all hope I'm wrong.
In one of my previous jobs the marketing department complained about Google Analytics not working on one of our pages. GA hadn't been working for about 10 months when they raised the incident. It was such a low priority that it took another 4 months for someone to fix it.
While I get that someone people are slightly foaming at the mouth because of GDPR (and this starts an entire debate about an aging political population that doesn't understand technology AT ALL) going overboard, my question is - do we actually use all the analytics that are provided by GA?
How many marketing teams/sales teams/etc actually use ALL the information provided by these tools. Aren't there other better ways to measure your campaign and product performance? Do you just want to see time on site/page? Abandon rate? I mean, most of these tools feel like they concentrate the Western mentality of "I need an SUV because I might have to put in more than 2 bags in my car".
/endRant
Who are these people foaming about GDPR?
I'll be the one: can you please expand on your statement?
As an EU citizen: Thank you Mr. Snowden, sir! <3
Anyone who's concerned about their data being collected can just block Google-or-like-related domains. Rest is just making life of web developers/admins/tech company owners harder.
Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)
Yes, that's happening, and it's a good one. Privacy Shield was cancelled because of Schrems II. The US simply don't care (intentionally?) to protected any data of people not living in the US. With FISA (Foreign Intelligence Surveillance Act) or "Executive Order 12333" they can get every data they want, even silently. Disclosing that a company had to handover any data will get them prison time.
This is against the intention and protection the EU set for european people. So if a company is violating these terms, it's good to take action.
If Google can't protect user's tracking data (and they can't - the US law won't let them) then they shouldn't be allowed to hold it.
No, Germany is a big leader in the EU. They are very sensitive to issues around privacy, from the DDR era.
They don't want private corporations having DDR-like folders of information on citizens.
Well, of course, tech companies, especially Google, Facebook, Amazon (and this one doesn't even respect basic work and union regulations and rights) are getting out of hand, making their life harder (if not dismantling them) is the legislator's job.
> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies.
Again, yes, of course, so what ? The US (tech and government) has been prying on the rest of the world with its tech advance and has been using it to spy and gather data it could not get otherwise. France, the EU, are just defending their citizens' rights and their interests, especially economical, against another threat to civil liberties.
Anyone who's concerned about salmonella, hormone levels or animal welfare, can just not buy any products that could potentially contain animal products from countries with weak animal welfare or sanitary laws. The rest is just making life of farmers/shops/wholesalers harder.
Especially with these European intentions, I frankly believe that one single country's laws should be universal and no other country may implement or enforce laws that protect their consumers. The onus to protect themselves from harm must lie with the individuals and governments should not dare inconvenience anyone just to protect their citizens' interests.
What percentage of the general population do you estimate a) will know enough to want to do this and b) will know how to do it?
This requires a level of access and technical skill which most people don’t have. If you have ever tried doing this, think about how many sites break because they have code which assumes GA calls always succeed and then ask what percentage of the population would be able to identify and work around those problems.
So what ? The right to privacy is more important than a select few having an easier time doing business, end of story.
Seriously? People spend tons money and time to track users. If you want to be GDPR-compliant, simply don't save unnecessary userdata and if you still feel the urge to do so, give users the option to control it. It's that easy. Any problems you get from it are of your own making.
> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies
We created the GDPR, but then knee-capped it with safe harbor. Then Schrems sued and the courts dropped it, but the EU simply reinstated it under the name privacy shield. Then Shrems sued again and after having to have a legal battle again, it unsurprisingly turns out that it's still illegal. I can't see how you think of the EU as anything but overly lenient.
I'm not going into anyone's house and force them to give me their data, I'm collection anonymous data from people who, with their own will, visit my website/use my service. Don't want me to collect your anonymous data? Sure, don't visit my site/use my service then. No one forces anyone. Regulating what tech I can use on my own website? This is ridiculous.
It's not GDPR making life harder for companies, it's the shadowy practices of businesses that are finally being brought to light.
Source: US Citizen, living in EU.
It didn't go that far. But when I saw people plastering Facebook like button everywhere I knew exactly what that meant. That one random corp now can know everything about everybody's behaviour everywhere.
Then Google put out Google analytics and I just switched my sites to this thing. I didn't mind all that much because it was Google and do no evil was still a thing.
But GDPR is something that reminds me of how ridiculous things we accepted as if they were normal just because they were technically feasible.
Imagine going into a travel agent to inquire about a flight. The moment you step through the door 50 people attach themselves to you. Some start recording your every action in a notebook, others flash torches in your eyes, two of them start showing you a video at the same time. And the rest follow you around holding up large ads. And they carry on following you around even after you leave the store!
You might say that it's up to the UK government to fix that, and I agree, but as an individual with no direct influence on the implementation of this service, it's also clearly not the case currently that:
> Anyone who's concerned about their data being collected can just block Google-or-like-related domains
Or at least, they can, but they may be excluded from civic services they are entitled to avail themselves of, which their taxes go towards paying for.
Google knew they were making an illegal business and still went ahead. IMO they should be charged for being a criminal ring defrauding small businesses for SEO as part of a global scheme... if not for helping genocidal regimes surveil/censor/imprison/murder their population as they have been doing for years.
The GDPR is not limited to the internet. So say you go to make a blood test to check your health, GDPR will apply there too, you don't need to go with a fake ID and with a mark on your face, the law protects you from greedy companies so you and your family don't have to use weird workarounds to protect yourself.
IMO it's the other way round: data collection and lack of respect for privacy got out of hand and has been like that for a long time now. It's finally coming under control, albeit slowly. This is not the end of it. And I'm super happy about GDPR.
> Anyone who's concerned about their data being collected can just block Google-or-like-related domains.
Why is it on the victims to protect themselves against illegal practices? We have courts and authorities for a reason.
If it stopped at Google, this would be easy. But GA is just tip of the iceburger.
> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)
I don't believe that at all. But ultimately what I believe does not matter. I'm just happy that right to privacy online is finally becoming a thing.
Got a grandmother?
Yes, you can always avoid the bad behavior of corporations by living in a tent in the wilderness. No, that doesn't mean we shouldn't regulate them.
there are hundreds of alternatives to Google Analytics, developers/admin/companies should just choose wisely. That's what the GDPR is about: end of free lunch for everybody at the expenses of people's privacy, choose your shit carefully.
And what about Chrome?
This is different from going on the site of your local company and feeding data into Google analytics involuntarily.
The relevant legislation is about whether or not you agree to data being collected and shared, and the issue is that US companies are essentially data funnels for NSA & co.
They are the same.
[1]: If you clicked on "Password forgotten" on the log in page, they'd just send you your password unencrypted by email.
I guess it's a matter of luck.
Google are the ones spying. The aggregate put on GA dashboard are a minute of the personal info they collect.
>In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the associated data are transferred by Google to the United States.
It's their responsibility to include or not google analytics, though.
IMO we should break away Google entirely and trial their execs for crimes against humanity. They're cooperating with USA, China, Saudi Arabia... by helping murderous regimes deploy their techno-police, how many million people have they helped imprison/murder?
By getting their companies off GA, European governments are weakening their industry.
This probably holds true for many SAAS products. Many of the best are from the USA. Forbidding European companies to use them is a desaster for the European internet industry.
There are many niche systems that fit specific purposes. Sure GA can benefit from scale and existing profiles with user data gatherer in other context, which a self-hosted solution would not have acces to. But does it address every need better than specific systems? And is the added benefit worth sacrificing your users' data to google?
Yes, if you only want to count visits and don't have a problem having all bot traffic included. For everything a bit more advanced you need a proper analytics tool.
This is a link I often check before traveling abroad regarding photography, and what is described is indeed illegal in France.
Unless your argument is "but how would they know about it", in which case that applies to any other crime.
Wrong. Google Analytics (at least v3 by default) tracks IP addresses, which are considered personal information. [1]
[1] https://www.cookielawinfo.com/anonymize-ip-in-google-analyti...
There is a load of hyperbole in the EU privacy business, and it s coming from the german side which is super sensitive to it. But germany is a worldwide exception, their laws for censorship and privacy exist for specific reasons, and they shouldn't be propagating them everywhere.
Specifically in the analytics space, i don't think a lot of people are going to pay for analytics. A free verson makes sense because a lot of websites dont make money. Google provides it for free because they have a monetary incentive to keep marketers in their ecosystem, other companies don't. (Unless the other companies choose to monetize them just as google did)
I think the biggest loser however is going to be the decentralized open web.
No, but we could ban ISPs from being allowed to log DNS requests. There's lots of things the ISPs are doing that should not be allowed. It's done completely without our consent. If regulating DNS would have as consequence "to legislate DNS out of existence", then be it.
This was the case before da interwebz as well: Your attending physician/doctor, your local grocery store, your local post office, your employer, your school - they all have a bunch of your private information, and should really not propagate it to the evil US empire, or anywhere for that matter.
> Are we going to legislate DNS out of existence too?
Apparently we haven't legislated straw men out of existence, as you seem to be using one very publicly.
Or to everyone, by leaving it in a giant publically exposed database enabling massive financial fraud. Thanks equifax