German company's use of Google Analytics breached GDPR (theregister.com)
83 points by aliswe 14 days ago | 57 comments

I have some professional expertise in both Google Analytics and data privacy.

The headlines always mention GDPR alone. I think it's more accurate to say that there are two laws which are incompatible: GDPR in Europe, and the CLOUD Act in the United States.

GDPR allows data to be transferred to other countries. There are a number of other countries where it can be transferred without restrictions, beyond needing to notify users that a transfer exists (you don't even need to name the specific country!). Such countries include the UK, Japan, South Korea, and Argentina.

Every court ruling that I've seen stemming from Schrems II focuses almost exclusively on the CLOUD Act. The US has, intentionally and explicitly, made it easy for law enforcement to access personal data stored by a US company. Like, literally the reason why this law exists is because one time Microsoft didn't hand over data to the FBI because it was stored in Ireland. The problem that it was written to solve was European data protection laws.

Personally I think the CLOUD Act is more to blame for this situation, and the law that I would rather have changed.

if you opt out of tracking, would it be OK to have GA (which in any case only registers aggregate anonymous data) with storageless mode and anonymized IP?

The data stored by Google Analytics is most definitely not aggregated. Go into the User Explorer report (under "Audience"): you will be able to trace the individual interactions of each visitor to your site. GDPR considers this data to be pseudonymous, which is distinct from anonymous.

The ePD (a different EU data privacy law) requires IP anonymization. That feature is necessary, but not sufficient, to comply with the ePD. The ePD is a whole ball of worms in its own right, and I have a lower opinion of its value than I do of GDPR.

I'm not sure whether those features are sufficient for GDPR and international transfers, though. The issue is that the IP address is still received by Google servers, even if it's deleted right afterwards, so a transfer still takes place. But it might be possible to make that a compliant transfer if you sign SCCs with Google (I can't figure out if they offer this for Analytics!) and implement "additional safeguards." There's an argument that IP anonymization would constitute sufficient safeguards in the absence of other identifiers, but that's beyond my expertise.
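As an added illustration (not part of the thread) of what the IP anonymization feature discussed above actually retains: Google documents it as zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address shortly after the hit reaches its servers, and the code below reproduces that truncation rule on constructed sample addresses so the "pseudonymous, not anonymous" distinction is concrete. The property ID in the commented gtag call is a placeholder.

```javascript
// Added example, not code from the thread or from Google. It implements the
// truncation rule Google documents for Analytics' "anonymize_ip" setting:
// last IPv4 octet zeroed, last 80 bits of IPv6 zeroed. The full address still
// reaches Google before this happens, and a /24 or /48 prefix still narrows a
// visitor down, which is why the thread calls the result pseudonymous.

// Documented gtag.js (Universal Analytics) setting; the property ID is a placeholder:
// gtag('config', 'UA-XXXXXXXX-X', { anonymize_ip: true });

function truncateIPv4(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  parts[3] = '0'; // zero the last octet, keeping a /24
  return parts.join('.');
}

// Expand an IPv6 address (with an optional "::" gap) into eight 16-bit groups.
function expandIPv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error(`invalid IPv6 address: ${ip}`);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  return groups.map(g => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error(`invalid IPv6 group: ${g}`);
    return parseInt(g, 16);
  });
}

// Zero the last 80 bits, i.e. the last five 16-bit groups, keeping a /48 prefix.
function truncateIPv6(ip) {
  const groups = expandIPv6(ip);
  for (let i = 3; i < 8; i++) groups[i] = 0;
  return groups.map(g => g.toString(16)).join(':');
}

function anonymizeIp(ip) {
  return ip.includes(':') ? truncateIPv6(ip) : truncateIPv4(ip);
}

// Constructed sample addresses from documentation ranges (RFC 5737 / RFC 3849).
const SAMPLE_IPS = ['203.0.113.45', '198.51.100.7', '2001:db8:85a3::8a2e:370:7334'];

function anonymizeAll(ips) {
  return ips.map(anonymizeIp);
}

// True when truncation actually removed something; handy as a check in an
// ingestion hook that should never see an untruncated address.
function wasTruncated(ip) {
  return anonymizeIp(ip) !== ip;
}

console.log(anonymizeAll(SAMPLE_IPS));
```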

ok, thank you ..., but is it PII?

> anonymized IP?

The agency said that it doesn't matter, because you send the IP to Google and after that Google anonymises the IP, but sending the IP to Google in the first place is the violation, so it doesn't matter that Google claims they will later remove it. I think the whole GDPR is just a mess, so don't shoot the messenger.

> Such countries include the UK

Is this because of UK GDPR? Since Brexit there have been pressures to change some parts of it. Could these changes take UK off this list?

The UK-EU withdrawal agreement included a transitionary adequacy agreement, in large part because the GDPR formed (and still does as the UK GDPR) part of UK law.

Would it have helped with the "storageless" mode you can activate with GA? And IP anonymization?

The article states:

> The configuration error in connection with the IP anonymisation function was also corrected and Google confirmed the personal data had been deleted. However, the authority said in its decision that the IP address is "in any case only one of many 'puzzle pieces' of the complainant's digital footprint."

> companies can't use US cloud services in Europe anymore

Wait sorry what? How does that even work?

This is very badly worded.

What they probably mean is that European companies cannot use cloud services hosted in the US anymore.

This is still a generalisation, since they can -- as long as no PII or otherwise GDPR-protected data is sent overseas.

The most likely outcome is that Google will start offering EU-hosted GA as an opt-in. How much that will affect their global data collection and processing I don't know, but I suspect it will still be far less than if all EU services stopped using them altogether.

Edit: I may be wrong. See lmkg's response in the thread.

A recent ruling about Cookiebot and their use of Akamai indicates that even EU-located servers run by a US company run afoul of GDPR. The core issue is that the US CLOUD Act gives US law enforcement access to data on those servers.

It is limited to personal data though. So (if this decision holds) you cannot pass data outside the EU without explicit consent.

Huh, interesting. Thanks for the info. Do you have any links to this?

It's a decision from a German court. Here's a link to an English analysis of the ruling, which includes links to the decision itself:


Thanks. Do you know if this covers other kinds of services, such as global load balancers (Akamai, Google Load Balancer, etc), for instance? They do know about source IP (which is considered PII), destination hosts and in many instances (where they terminate TLS, or unencrypted connections) pretty much all the information being transmitted.

I don't know for sure, and this ruling is likely to get appealed so don't take it as final yet. But the Akamai service in question was a CDN. I have a hard time imagining an argument that would sanction CDNs but not apply to load balancers.

It was about the use of personal data specifically, not just in general a use of US services. From the linked article (which seems to draw some broader fear-mongering conclusions not evidenced by the case it discusses):

> It held that the mere use of a U.S.-based provider to collect IP addresses and user key data was an unlawful “transfer” because:

> Per the Court of Justice of the European Union, IP addresses are personal data (the court also considered Cookiebot’s “user key” to be personal data).

> Under the Clarifying Lawful Overseas Use of Data Act, a U.S. cloud provider can be obligated to produce all data in its possession, custody, or control to U.S. agencies, irrespective of whether the data is stored in or outside the U.S.

> This decision has a number of noteworthy implications. Among the more salient are:

> The court never evaluated whether a “transfer” actually occurred. The decision assumes a “transfer” occurs even if data never leaves the EU, so long as the recipient of data may formally be subject to requests by non-EU authorities.

> What they probably mean is that European companies cannot use cloud services hosted in the US anymore.

Or more specifically: companies who target EU citizens (whether that is private use or a person being an employee of a company - it does not matter) cannot use cloud services hosted in the US when saving PII to said service.

It really doesn't matter whether you are based in Europe or not. Sendgrid for instance is an American company, but still has to follow the GDPR.

I'm not sure I understand what's happening here. If they sent the IP address (by mistake), I guess that's a violation irrespective of whether it's in the EU or the US? Does this mean that an EU company can no longer host their main app with Google Cloud, AWS, DigitalOcean, Linode etc., even if the servers are in the EU?

disclaimer: I donated to NOYB and worked with them on a complaint. I definitely support their cause. However, I also run a small bootstrapped digital business in the EU and complying with all regulations can become increasingly difficult...

The position of Schrems/NOYB, as far as I understand it, is that using a cloud service potentially subject to US law, irrespective of where the servers are actually located, is inconsistent with the GDPR. He basically says the same thing in the linked article: "The bottom line is: companies can't use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced."

I understand they take a strong stance, but this does feel quite limiting if the expectation excludes nearly all cloud service providers… not even talking about analytics but just VPS hosting, database, CDNs etc

There are a lot of different viewpoints regarding GDPR. But the one thing which grinds my gears the most is the fact that somehow people using tools like Google Analytics take on legal risk, but not Google itself for providing it.

Google has offices in Europe. Why, if it isn't possible to use it in compliance with the law (as a customer), isn't Google forced to shut it down or change it?

The same goes for Facebook and all other companies offering tracking etc. They should be responsible for offering compliant products.

If I was defending them, I'd use an argument along the lines of "trackers don't track people". In other words, "improper" use of the tools is the crime, not the creation of the tools themselves.

Is it actually possible to use it in a not improper way though? That's the issue I think, if Google are going to offer the tool for use in EU, then their tool should not put its customers at legal risk.

The thing about GDPR is, the intention (in most cases) doesn't matter. If Google is using servers outside Europe or using the data for anything not officially disclosed (and disclosures hidden in EULAs etc. don't count) then they are in breach of GDPR.

Nah, I don't think so.

Google is a subcontractor. The owner of the website is using a service to track browser behaviour, and, perhaps erroneously, user identities. The service is famous, but not unique.

What the subcontractor does with the data is the responsibility of the website owner -- if they allow Google to abuse the data owner (that is, misuse the PII of people visiting the website), then the website owner should be held responsible.

> What the subcontractor does with the data is the responsibility of the website owner

That's my issue. Since Google has legal entities in Europe they should be held accountable as well. Right now they are offering and marketing a service which is more or less illegal to use. If it were some company outside Europe, then yes by all means the website owner should make sure the 'subcontractor' is in compliance.

> Google is a subcontractor.

Are they though, if Google is providing the analytics and the ads? Seems more like the content provider is the subcontractor.

I think you miss the point: Google are the data processor in this case. (In fact, as the body collecting the data, they also have shades of a data controller.) Doesn't matter if they're a subcontractor: they have responsibilities under the GDPR, because they're the ones holding onto that data. It's not like they're holding it in some form, passing it on to the website owner, and obliterating it.

I would recommend searching for the terms "data processor" and "data controller" on the European Commission website. They have very clear explanations of the responsibilities for both.

> Why, if it isn't possible to use it in compliance with the law

As far as I can see, the problem was the way a specific site was using analytics. I.e. it's possible to use analytics in compliance with GDPR. Have I misread it?

[Edit] The website operator seems to have failed to scrub IP addresses from data uploaded to analytics. This stuff about "EU Users can't use US cloud services" seems overcooked.

You are right regarding the IP; the question, however, is why this isn't deactivated by default.

Regarding the cloud:

> In 2020, the EU Court of Justice struck down the so-called Privacy Shield data protection arrangements between the bloc and the US in what is now known as the Schrems II ruling, which has ramifications for US cloud providers, social media sites, and providers of online tools.

> "This is a very detailed and sound decision. The bottom line is: companies can't use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced."

That's some kind of summary (and it looks a bit partisan).

It's perfectly permissible to use "cloud" services that are in the USA. It's just forbidden to use cloud services in the USA to store PII.

Enabling IP anonymization, to my knowledge, breaks geo-related features in GA.

Can EU companies use AWS or Google Cloud in Ireland, or does it also fall under the US CLOUD Act?

Non-US companies must use EU-owned servers (not just EU servers controlled by AWS, DigitalOcean) to process EU data subject traffic. If they don't, they're in violation of Schrems II, which makes them in violation of the GDPR.

This summary makes it sound like a protectionist measure but that is not the design. The issue is just the US overreach in that the US expects any company to provide any data it holds, even if that data is stored outside the US, owned by a subsidiary, etc. EU (or Canadian, Russian, Kenyan, ...) data is simply not safe from US security services' reach if it is stored by a company subject to CLOUD. The court decision is only a consequence of this overreach and the EU's sovereign right and attempt to protect its citizens.

This is even more relevant as US data protection seems to only apply to US subjects - so an American using an EU service using a US host would be protected by US law (in theory, though likely not in practice), while an EU citizen using the same EU service is not protected by US law.

This doesn't seem consistent with the general Schrems II ruling (which was specifically about cross-border data transfer previously thought covered via EU-US Privacy Shield), and that AWS has specifically commented on https://aws.amazon.com/blogs/security/customer-update-aws-an... and https://aws.amazon.com/blogs/security/aws-and-eu-data-transf....

Is there a specific ruling or case that says AWS as a provider, regardless of where the actual data processing happens, is prohibited, that you can point me to?

Yes, it dropped today: https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...

More EU member states will likely follow.

Fun fact: a few weeks ago we were asked by the reviewer of the (EU-funded) H2020 research project in which we participate to add Google Analytics and Twitter to our website so we can give her stats about our website visitors. Even despite our protest she insisted. People need to stop seeing the EU as some kind of pinnacle of rationality; GDPR is an unworkable implementation of wishful thinking that will be obsoleted by technology (which can already perform the same amount of tracking with AI and side channels).

What will happen to the European internet now?

Pretty much every website in Europe uses Google Analytics.

Next round Google Adsense? What will the European free web look like if it cannot be monetized anymore?

Also, isn't the article somewhat strange? It is about a ruling but does not link to it or even give any clue how they found it and how the reader can find it?

"What will the European free web look like if it cannot be monetized anymore?" Given that, subjectively at least, most sites that I end up on which are "monetized" through ads are valueless content farms, I see the eventual banning of Google AdSense within Europe (and Taboola, Outbrain and all the others) as a wholly good thing!

More seriously, very little of what Google Analytics does is particularly novel or hard to replicate via another service; it's just used by default everywhere because that's what devs are familiar with. Ripping it out and replacing it with another product that gives you almost all the same functionality but which doesn't put you in breach of law is probably not that difficult most of the time. Doing that AND moving off AWS AND every other USA-owned service where you store customer data... now that's a different story.

> What will the European free web look like if it cannot be monetized anymore?

Maybe a large chunk of sites will disappear. But if the only way they were sustainable were through tracking ads and effectively trading in people's personal information, then that's for the better.

Everyone understands what privacy laws mean for adtech. The sites that use adtech for funding aren’t an unfortunate casualty in this, they are targets.

I don't see how a web that depends on advertising and the whims of foreign megacorps is « free ». If anything it leads to lower standards of free speech and discourse.

Free money-wise.

This is the blog post from noyb (the organisation who made the complaint): https://noyb.eu/de/oesterr-dsb-eu-us-datenuebermittlung-goog...

PDF in English: https://noyb.eu/sites/default/files/2022-01/E-DSB%20-%20Goog...

Thank you for sharing. I feel this is the most relevant part:

> As a processor, the second respondent provided the website operator with numerous configuration options for Google Analytics. On the basis of the information received, it should be noted that the Respondent configured Google Analytics as stated. Due to a possible configuration error, the respondent did not activate the IP anonymization function in all cases. Under normal operating conditions and to the extent that users based in the EU are affected, a web server is located in the EEA, which is why IP anonymization is generally carried out within the EEA. In the present case, normal operating conditions were present.

Why do you consider Google AdSense & Analytics the only possibility for monetization?

When we look at publishers who publish in English for the whole world, the situation is like this:

AdSense pays low and has OK protection from malicious ads.

All other players I know pay even lower and feature more aggressive/malicious ads. While also being in the USA and having even more questionable data handling.

If the European free and English internet turns off AdSense right now, many of these publishers are bankrupt in that very moment.

Ads are less and less common for monetisation. Most websites have switched to some form of affiliate marketing.

Citation needed, I think, especially for European sites.

> What will the European free web look like if it cannot be monetized anymore?

What's analytics got to do with monetization?

> Next round Google Adsense? What will the European free web look like if it cannot be monetized anymore?

Aren't websites still allowed to advertise?

Are you arguing that if Europe stops using Google Analytics that is a bad thing?

1. There are plenty of privacy-focused and self-hosted web analytics packages. Their adoption is widespread in EU online publishers and is growing in the US.

2. This has to do with a specific implementation of Google Analytics, wherein pseudo-PII is collected without appropriate disclosure and consent, and may be considered sale of data if the option to pass data to other Google services is selected. A vanilla installation of GA without opting into information sharing or passing custom parameters generally is GDPR compliant and falls under the Measurement (Purpose 4) category of cookie consent.

3. The European internet for publishers is noisy with consent banners, but continues to monetize and thrive. Advertisers haven't pulled out en masse and audiences still consume content. Ad targeting is harder, but the old ways of matching ads to content remain viable, along with other techniques.

Worst case: monetized in the non-free way. Which might eventually turn out to be the best case.

Less dramatic outcome: roughly the same amount of advertising, roughly the same amount of ad spend/income, just not quite as targeted as it is now. Maybe you are too young to remember, but there used to be a web where not every website showed exactly the same ads to a given user. Ads were targeted more by context/content of the site than by browser history. That era made a certain company very rich that happened to be quite good at inferring context/content of websites using crawler technology.

Most likely outcome: not really any noticeable change, ad mediators will find a subset of tracking data that is sufficient to keep up their current level of targeting creepiness that isn't in judicable contradiction with the GDPR.

There are many, many other analytics providers.

I personally like plausible.io - and they happen to be GDPR-compliant and EU-based.

Which is not even the reason I chose them - they are just superior in many ways to GA. (no affiliation)
