The headlines always mention GDPR alone. I think it's more accurate to say that there are two laws which are incompatible: GDPR in Europe, and the CLOUD Act in the United States.
GDPR allows data to be transferred to other countries. There are a number of other countries where it can be transferred without restrictions, beyond needing to notify users that a transfer exists (you don't even need to name the specific country!). Such countries include the UK, Japan, South Korea, and Argentina.
Every court ruling that I've seen stemming from Schrems II focuses almost exclusively on the CLOUD Act. The US has, intentionally and explicitly, made it easy for law enforcement to access personal data stored by a US company. Like, literally the reason why this law exists is because one time Microsoft didn't hand over data to the FBI because it was stored in Ireland. The problem that it was written to solve was European data protection laws.
Personally I think the CLOUD Act is more to blame for this situation, and the law that I would rather have changed.
The ePD (a different EU data privacy law) requires IP anonymization. That feature is necessary, but not sufficient, to comply with the ePD. The ePD is a whole ball of worms in its own right, and I have a lower opinion of its value than I do of GDPR.
I'm not sure whether those features are sufficient for GDPR and international transfers, though. The issue is that IP address is still received by Google servers, even if it's deleted right afterwards, so a transfer still takes place. But it might be possible to make that a compliant transfer if you sign SCCs with Google (I can't figure out if they offer this for Analytics!), and implement "additional safeguards." There's an argument that IP anonymization would constitute sufficient safeguards in the absence of other identifiers, but that's beyond my expertise.
The agency said that it doesn't matter because you send the IP to Google and after that Google anonymise the IP but sending the IP in the first place to Google is the violation so it doesn't matter that Google claims they will later remove it. I think the whole GDPR is just a mess so don't shoot the messenger.
Is this because of UK GDPR? Since Brexit there have been pressures to change some parts of it. Could these changes take UK off this list?
The article states:
> The configuration error in connection with the IP anonymisation function was also corrected and Google confirmed the personal data had been deleted. However, the authority said in its decision that the IP address is "in any case only one of many 'puzzle pieces' of the complainant's digital footprint."
Wait sorry what? How does that even work?
What they probably mean is that European companies cannot use cloud services hosted in the US anymore.
This is still a generalisation, since they can -- as long as no PII or otherwise GDPR-protected data is sent overseas.
The most likely outcome is that Google will start offering EU-hosted GA as an opt-in. How much that will affect their global data collection and processing I don't know, but I suspect it will still be far less than if all EU services stopped using them altogether.
Edit: I may be wrong. See lmkg's response in the thread.
It held that the mere use of a U.S.-based provider to collect IP addresses and user key data was an unlawful “transfer” because:
Per the Court of Justice of the European Union, IP addresses are personal data (the court also considered Cookiebot’s “user key” to be personal data).
Under the Clarifying Lawful Overseas Use of Data Act, a U.S. cloud provider can be obligated to produce all data in its possession, custody, or control to U.S. agencies, irrespective of whether the data is stored in or outside the U.S.
This decision has a number of noteworthy implications. Among the more salient are:
The court never evaluated whether a “transfer” actually occurred. The decision assumes a “transfer” occurs even if data never leaves the EU, so long as the recipient of data may formally be subject to requests by non-EU authorities.
Or more specifically: That companies who target EU citizens (whether that is private use or a person being employee of a company - it does not matter) cannot use cloud services hosted in the US, when saving PII to said service.
It really doesn't matter whether you are based in Europe or not. Sendgrid for instance is an American company, but still has to follow the GDPR.
disclaimer: I donated to NOYB and worked with them on a complaint. I definitely support their cause. However, I also run a small bootstrapped digital business in the EU and complying with all regulations can become increasingly difficult...
Google has offices in Europe. Why, if it isn't possible to use it in compliance with the law (as a customer), isn't Google forced to shut it down or change it?
The same goes for Facebook and all other companies offering tracking etc. They should be responsible for offering compliant products.
Google is a subcontractor. The owner of the website is using a service to track browser behaviour, and, perhaps erroneously, user identities. The service is famous, but not unique.
What the subcontractor does with the data is the responsibility of the website owner -- if they allow Google to abuse the data owner (that is, misuse the PII of people visiting the website), then the website owner should be held responsible.
That's my issue. Since Google has legal entities in Europe they should be held accountable as well. Right now they are offering and marketing a service which is more or less illegal to use. If it were some company outside Europe, then yes by all means the website owner should make sure the 'subcontractor' is in compliance.
Are they though, if Google is providing the analytics and the ads? Seems more like the content provider is the subcontractor.
I would recommend searching for the terms "data processor" and "data controller" on the European Commission website. They have very clear explanations of the responsibilities for both.
As far as I can see, the problem was the way a specific site was using analytics. I.e. it's possible to use anaytics in compliance with GDPR. Have I misread it?
[Edit] The website operator seems to have failed to scrub IP addresses from data uploaded to analytics. This stuff about "EU Users can't use US cloud services" seems overcooked.
Regarding the cloud:
> In 2020, the EU Court of Justice struck down the so-called Privacy Shield data protection arrangements between the bloc and the US in what is now known as the Schrems II ruling, which has ramifications for US cloud providers, social media sites, and providers of online tools.
> "This is a very detailed and sound decision. The bottom line is: companies can't use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.
It's perfectly permissible to use "cloud" services that are in the USA. It's just forbidden to use cloud services in the USA to store PII.
This is even more relevant as US data protection seems to only apply to US subjects - so an American using an EU service using a US host would be protected by US law (in theory, though likely not in practice), while an EU citizen using the same EU service is not protected by US law.
Is there a specific ruling or case that says AWS as a provider, regardless of where the actual data processing happens, is prohibited, this out that you can point me to?
More EU member states will likely follow.
Pretty much every website in Europe uses Google Analytics.
Next round Google Adsense? What will the European free web look like if it cannot be monetized anymore?
Also, isn't the article somewhat strange? It is about a ruling but does not link to it or even gives any clue how they found it and how the reader can find it?
More seriously, very little of what Google Analytics does is particularly novel or hard to replicate via another service, it's just used by default everywhere because that's what devs are familiar with. Ripping it out and replacing it with another product that gives you almost all the same functionality but which doesn't put you in breach of law is probably not that difficult most of the time. Doing that AND moving off AWS AND every other USA owned service where you store customer data.. now that's a different story
Maybe a large chunk of sites will disappear. But if the only way they were sustainable were through tracking ads and effectively trading in peoples personal information then that’s for the better.
Everyone understands what privacy laws mean for adtech. The sites that use adtech for funding aren’t an unfortunate casualty in this, they are targets.
pdf in english: https://noyb.eu/sites/default/files/2022-01/E-DSB%20-%20Goog...
> As a processor, the second respondent provided the website operator with numerous configuration
options for Google Analytics. On the basis of the information received, it should be noted that the
Respondent configured Google Analytics as stated. Due to a possible configuration error, the
respondent did not activate the IP anonymization function in all cases. Under normal operating
conditions and to the extent that users based in the EU are affected, a web server is located in the
EEA, which is why IP anonymization is generally carried out within the EEA. In the present case,
normal operating conditions were present.
Adsense pays low and has ok protection from malicious ads.
All other players I know pay even lower and feature more aggressive/malicious ads. While also being in the USA and having even more questionable data handling.
If the European free and English internet turns of adsense right now, many of these publishers are bankrupt in that very moment.
What's analytics got to do with monetization?
Aren't websites still allowed to advertise?
2. This has to do with specific implementation of Google Analytics, wherein psuedo-PII is collected without appropriate disclosure and consent, and may be considered sale of data if the option to pass data to other Google services is selected. A vanilla installation of GA without opting into information sharing or passing custom parameters generally is GDPR compliant and falls under the Measurement (Purpose 4) category of cookie consent.
3. The European internet for publishers is noisy with consent banners, but continues to monetize and thrive. Advertisers haven't pulled out en masse and audiences still consume content. Ad targeting is harder, but the old ways of matching ads to content remain viable, along with other techniques.
Less dramatical outcome: roughly the same amount of advertising, roughly the same amount of ad spend/income, just not quite as targeted as it is now. Maybe you are too young to remember, but there used to be a web where not every website showed exactly the same ads to a given user. Ads where targeted more by context/content of the site than by browser history. That era made a certain company very rich that happened to be quite good at inferring context/content of websites using crawler technology.
Most likely outcome: not really any noticeable change, ad mediators will find a subset of tracking data that is sufficient to keep up their current level of targeting creepiness that isn't in judicable contradiction with the GDPR.
I personally like plausible.io - and they happen to be GDPR-compliant and EU based.
Which is not even the reason I chose them - they are just superior in many ways to GA. (no affiliation)