Hacker News new | past | comments | ask | show | jobs | submit login
Use of Google Analytics declared illegal by French data protection authority (cnil.fr)
1172 points by guillem_lefait on Feb 10, 2022 | hide | past | favorite | 1095 comments



I think we (in the EU) will soon realise the bizarre consequences of these regulations. European startups will not be able to use standard SaaS or PaaS tools (like AWS, Azure, Mailchimp, PayPal etc) if they are based in the US (like most of them are). No cloud services, no Office 365 or Google Workspace.

It will take forever to build up a similar ecosystem in Europe and I think most successful European entrepreneurs will just end up starting companies in the US instead.

There must be some reasonable middle ground before we fragment and destroy the entire Internet. Why not start by making a general exception for temporary storage of less sensitive data like IP-addresses for efficiently and cost effectively delivering a web service.

If there is one thing they could start looking in to it would be handling of personal information by governmental organisations. I work a little bit with a few municipalities, and the number of documents with deeply personal information that are just emailed around over unencrypted email is shocking.


On the contrary, it only forces those providers to have a European presence.

We're not fragmenting the internet by looking after our own interests. This wouldn't be an issue if Americans viewed rights (and in this case privacy rights) as belonging to human being as opposed to Americans citizens. The US's policy is what led to this:

> Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information

https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield


You are absolutely fragmenting the internet.

We had PII on Azure. We wanted to do business in France. We had to fork our services, and run a full stack on a crappy provider in France. They charged a lot more, would take weeks of vacation with zero support for us. It was a freaking nightmare.

EDIT: I love the responses I'm getting. People are in absolute denial that this does in fact fragment the internet. You may believe that's a good thing, and that's a rational discussion we can have. But don't lie to yourself, or to me, that this doesn't fragment the internet.


There is so much I want to say about this comment! First of all, it sounds like you had a terrible experience because you picked a bad ISP. I sympathize. But then you generalize from that and imply that anyone wanting an EU host will experience the same. Obviously that's not true - or do you believe no good ISPs exist in France? Second of all, why did you fork your code? Did you write your service to use proprietary Azure APIs without regard to vendor lock-in? Why not take this as an opportunity to incrementally extract the proprietary apis out of your application and replace them with processes you actually own? This will allow you to undo the fork and continue on, able to deploy your application anywhere you want.


We did our research, and settled on the French cloud provider that fit our parameters. They made promises about support hours that they did not keep. Changing cloud service providers is not cheap. We were a small team, and this cost us lots of effort.

We didn't fork our code, we forked our services. We ran everything on Azure. Then we had to configure our kiosk devices to either talk to Azure, or to talk to our servers in France.

"Did you write your service to use proprietary Azure APIs without regard to vendor lock-in? Why not take this as an opportunity"

I'm sorry, do you have any idea of the cost of doing these things?

If you have 6 developers, total, how many of them are you willing to allocate to rewriting your stack, so that you can sell your product in Europe?


>I'm sorry, do you have any idea of the cost of doing these things?

Oh indeed yes, which is why for years now I've been warning people to not write to proprietary APIs in the first place. It's a faustian bargain and sooner or later the bill is going to come due! If not because of legal requirements, then because MS or Amazon saturates the market, and has to increase revenue somehow. This is an example of where an ounce of prevention is worth a pound of cure. The upshot is that ignoring the warnings of people like me was a mistake.

(It's funny how people have moaned for years about "vendor lock-in" WRT Oracle. "They charge for every core!" But the cloud providers charge for every invocation, which is infinitely worse. And yet no-one seems to worry about it. It's really odd.)


So yeah, using HTTP to connect to a server that happened to be in the US... That's the thing that prevented us from selling in France.

But thanks for lecturing me that "vendor lock in" was what killed our 6-developer team that was developing hardware, and computer vision, and 3D computer graphics, while developing a health care product under the tons of regulation that comes with that.

Your arrogance is just stunning.


Hey, I feel your pain. Companies are like children to a founder, and you have described the heroic acts you've taken to save your child. It absolutely sucks to be in your position.

I think it's important to warn "parents" (or future parents) to avoid this particular tragedy, which I think is quite avoidable. I want to encourage people to question the orthodoxy around cloud, that everyone is doing it so its fine, and worse is better anyway, yada yada. It may be insensitive to use your situation to illustrate the downside of cloud vendor lock-in, but my motivation is not to look down on you, but to warn others about this very real, very painful outcome that they court when they make the popular choice.


I wasn't a founder. I was one of the 6 developers.

We happened to not use any vendor-specific APIs.

And it still killed us to fork our stack, and to teach our kiosks to be able to talk to the right server, and the extra cost of the servers in France, and the lack of support we saw from the provider in France...


Many noble efforts fail this way. You are not alone. This is one of those lessons you learn in regards to keeping your audience narrow, and executing on one thing at a time.

It's embittering, hardens the heart, and makes you want to give up, but you've gotta redouble and bust through it.

And by all means, shame the provider if they didn't live up to their end of the bargain.


Would you reconsider naming the provider?


> your arrogance is just stunning.

Sorry if I don’t follow your reasoning, I’m still stuck at this piece of USA policy you seemed to have glossed over:

> Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

https://www.govinfo.gov/content/pkg/FR-2017-01-30/pdf/2017-0...


"Agencies" refers to parts of the US govt; that is a US govt regulation for its own agencies with respect to its own citizens and the regulation of immigration. It has nothing to do with e-commerce, cloud storage, start-ups, web services, etc.

Just as France accords its own citoyens rights that foreigners aren't entitled to.


your frustration is justified. azure/aws is the entire environment. i dont think you could have implemented the suggested magical suggestion in any relevant or practical way.


Thank you for this response. Calling it a magical suggestion really does feel accurate. I was sitting here trying to think how you would even do this when everything is running on AWS (or Azure).


"Don't make HTTP calls outside of our borders."

"We're not fragmenting the internet."

???


A better wording would be “don’t make calls into jurisdictions that violate our legal statutes”.

Ok, let me make a simple “marvel comics” example: what if all your calls were funneled through “Putin servers” or “Iran cloud” or “ People's Liberation Army computers”? Would you mind?

I hear you arguing “but we’re the good guys! We’re USA, flag bearers of Democracy!” but no. Really according to EU law, under USA jurisdiction Pricacy Rights are fair game for people like Zuck. The guy that said “ I have over 4,000 emails, pictures, addresses, SNS. People just submitted it. I don't know why. They "trust me". Dumb fucks.”

Now, granted: our politicians likely want to stay on top of the consensus forming media, and make sure it’s within reach of their network. Annoying to see all the action moving to a different platform after all the years spent building relationships with the old media, but that’s the business.


I am so delighted I am able to access blog posts from people in Russia or Iran or China. Otherwise, it would be far easier for human rights abuses to exist. (This is somewhat tongue in cheek. My point is that information wants to be free, and we're all better off if there's LESS friction.)

When I found out Parler was being hosted on Russian servers, I immediately informed everyone I knew who was thinking about switching to Parler that it was a really bad idea. And it's their choice whether to use Parler or not.

I think it's great if companies can't hide that they're doing something like routing data through Russia. I think it's pretty stupid to not let someone use a product that routes data through Russia.

I also think that if Facebook stands up servers in France, it'll still be just as problematic as it is today.


This sounds really americentric. Have you considered that the every non-US citizen'd PII is fair game for US companies one in the county? As a European I wouldn't want my stuff to be routed through the US the same way you don't want your data going through Russia.


Yeah, it sucks that the US doesn't respect non-citizen data. But TBH I really don't think it respects citizen data either. Consider that Snowden discovered all kinds of ways the CIA and NSA were hoovering up data, in defiance of the law. But did the American people get pissed and force a change in those agencies, and call the leadership to account for disregarding the law because it was convenient? No: they successfully demonized the whistleblower who is still on the run. (Although I will say that excessive snoopiness is a lesser evil than censorship).

In the end, though, there is a high-tech solution here, and that's to migrate to 100% asymmetrically encrypted messaging, at the application level, regardless of underlying transport. This would force nation states to risk large scale hacking of devices, but that's more visible and easier to combat, as long as we remain free to make (and buy) the compute hardware we want to make.


The U.S. doesn't even respect Citizen@s data half the time. Remember, the Courts ruled that expectation of privacy, and therefore 4th Amendment protections are waived as soon as you engage with a Third Party.


> This sounds really americentric

His whole comment was about how he want to let traffic route through Russia even though he doesn't like it... but it's really Americentric? Could you explain that point please?


You pay for every invocation of what exactly? Lambda, certainly not fargate or ec2.

Then there’s the cost of your devs implementing the same feature azure and aws already has, which is usually forgotten about.

Also the icing on the cake for oracle was a contract termination fee. No cloud provider comes close to the oracle billing nightmare.


Do cloud service providers like Azure not have a way to "pin" some of your service instances to servers in specific countries? Seems like this capability would be important differentiating feature given EU privacy laws about where user data is hosted.


They do, in fact Azure is totally compatible with French law for handling private data. Many large companies use it.


> do you believe no good ISPs exist in France

Nothing comparable to AWS/GCP/Azure.


There are AWS and Azure regions in France.

GCP should open one early 2022.


But they don't count because they're still controlled from the USA.


AWS most certainly isn't for as far as the data protection is concerned. An EU entity runs the EU regions of AWS cloud, you enter a contract with that entity and _not_ with the parent and the data is under the EU law.


Is this really true? As far as I know you can be perfectly compliant with EU law by running in AWS's EU regions.


The core issue here are the CLOUD ACT and FISA Section 702.

Basically the US government says it gets free access to all data stored by any US company or its international subsidies anywhere and that non-us-citizens have absolutely no right to any data privacy at all.

However european citizens do have such a right, and as such, companies can not process personal information using american subprocessors, because those can not guarantee to respect the citizens rights.

For a long time this was all about some contractual clauses between processor and sub-processor: the american subprocessor guarantees by contract to respect the data subjects fundamental right to data privacy.

And then the USA made the CLOUDA and FISA and all those contracts are no longer worth the bits they are encoded in. American companies are by law required to not respect the right to data privacy and can not guarantee to respect it in good faith, as they are themselves subjects of a surveillance state.

Now look at how AWS reacted to this problem: they added new clauses to the contract with their european customers, in which they promise to challenge law enforcement requests, especially those that are overbroad.

When EU goes after FAANG like this, it pushes them to position themselves against mass surveillance and in favor of a global basic human right to data privacy. In my honest opinion this fight is very necessary and i can only hope that humanity wins against surveillance capitalism in the end.


Wonderful reason to break up the goliaths!


If you're the EU yes. Not so much if you're the US.


have you tried Linode?


Linode is also based in the US. Wouldn't it have the same can't-make-requests-to-the-US problems?


The small startup I worked for in Hamburg had a similar problem. They had to run all their infra on premise due to some wording of some of their largest clients and some odd rulings from BaFin.

The colo/managed provider they chose and had been working with for years was nigh incompetent. I was positive that being able to spin up infra in any of the clouds would have been a ton more reliable.


This completely misses the point, the laws shouldn't be written to accommodate businesses, its the other way around. If fragmenting is a consequence of better privacy laws, so be it.


Laws should be written to facilitate and improve the growth of civilization. This includes practical and fair measures for conducting business.

Imposing byzantine regulations on every webmaster on the planet isn't helping anyone, least of all the European user, who will increasingly be locked out from the rest of the planet.


Depends on your perspective. It might be that American/Chinese predatory service providers are instead locked out of the European market, allowing the breathing space for local solutions to flourish.


If your local providers need the rest of the world to be kneecapped in order to compete, you may want to start with that problem.

The EU consumer will end up with strictly worse solutions and all the rest of the world will “gain” will be the crappy trade-barrier-supported Euro versions of Google and Facebook.


This is a short term view. There's a certain amount of 'activation energy' that a system needs to be able to kick off and become self sustaining. If a giant generalized, subsidized solution already exists PHBs are much happier to spend years trying to knock a round peg into a square hole than take the risk of doing something bespoke for the problem at hand.


Creating an artificially easy sandbox for your local engineers and entrepreneurs by banning the competition will not lead anywhere good. Competing with the best forces you to improve; playing on easy mode leads to stunted skills and inflated confidence - and worse products, companies, and economies.


It isn't banning the competition. It's forcing the external competition to follow the same rules as the locals w.r.t. privacy laws. The fact that the external competition can't comply means that there's a market niche available which locals have an opportunity to exploit.


Businesses exists for consumers. Fragmenting hurts people - European users - in the first place.

I see very little advantages from these privacy laws but I use and appreciate US businesses every day.


So if those businesses utterly refuse to serve consumers then they have no business existing?


They are definitely serving consumers, otherwise they would cease existing. They're not serving politicians and their pet cause of the day though.


What, you don't appreciate a pop-up on every web page telling you that cookies are going to be used? XD


The cookie banners are a byproduct of companies still wanting to abuse your data, when was the last time you saw a cookie pop-up on HN? Logged in or not.


If only there were some way that European citizens could have told their browsers to not accept Cookies, then maybe we all wouldn't have to click on those banners all the damn time.


But I do want most non-tracking cookies.

Still, the "please let us track" popups can be fixed by policy or law, and I hope they are.


If a business pays taxes, and the laws don't take their needs into account to some extent, that's not justice. It's just mob protection with a veneer of legitimacy.

Lots of loaded assumptions there, of course, starting with the first conditional clause.


> You are absolutely fragmenting the internet.

It's not fragmenting the internet; fragmentation is the whole point of the internet. It's (re-)decentralizing something that has been decentralized the whole time, until these gluttonous whales decided try to eat the whole pie.


So a computer in France can not legally talk to a computer in the United States, but if I instead put that computer in France, I'm legally okay.

And you're convinced that embodies "the whole point of the internet"?


It isn't about "one computer talking to another", it's about where sensitive information is stored. It has never been legal to store classified US intelligence on computers outside of the control of the US government. That's an extreme example, but the handling of many types of information is prescribed by laws in different jurisdictions. Does that mean that US computers cannot "talk" to another other computers? No. Does that make the internet invalid? No.

Decentralization of the cloud is a good thing for so many reasons. I think you're deliberately confusing it with your PII issues and not grasping the larger picture.


I think you're ignoring the harm done to small businesses who cannot afford to implement decentralized services.

You are raising the barrier to entry, limiting competition.

Competition is good for so many reasons. I think you're deliberately ignoring the impact on small companies and not grasping the larger picture.


Those poor small international businesses? If you want to do business internationally, it'll be complicated, and that's fine. The internet has spoiled us by making it so easy for a while.


Seems like it doesn't bother you at all if this hurts competition. Or maybe you don't understand that by hurting competition, consumers are hurt? In our case, with a medical product, it was patients who were hurt.


It just shifts competition into new areas that are compliant with the law. If you can't use aws-us-east from france, then AWS is incentivized to build a (compliant) center in france or else lose that slice of the pie to the locals (or to a potential compliant azure center there).

It's always a tradeoff between racing to the bottom and stagnating. Both are bad, both hurt consumers, and this seems like a good balance between them.


So eventually, we'll all just run a full copy of our stack in each of the 50 United States, plus the few extras for cities that have different laws, and then in each of the other 190 countries around the world?

Does that seem like a good balance of needs to you?


If that's what it takes to allow locals to govern themselves independently, sure.

The technical difficulties seem so entirely solvable, in time (and with that competition you mentioned). Right now it's easy to deploy servers across tons of instances. In the future, if we need to, we can build analogous solutions to the problems you're talking about.

And where we can't build our way to easy solutions, that's fine. Those cases are probably the ones where there are legitimate local differences in what's acceptable, and I want locals to be able to decide that for themselves. It's an absurd goal to try to make it easy for six engineers alone to scale to the entire planet.


> It's an absurd goal to try to make it easy for six engineers alone to scale to the entire planet.

That's an interesting assertion. As counter-example to that assertion, [gestures at huge amounts of the internet as we know it, which was started by small teams.]

And I'm not talking about scaling to 7 billion users. I'm talking about scaling to all of _my_ users, even though they live in dozens or hundreds of countries.


Your demand of having users does not supersede my right to have laws enforced in my jurisdiction. That's the point of sovereignty.

If that means I don't get your business and I'm worse off for it, I'm happy to have my laws changed. Or maybe someone else will come up with the same service who does follow the local law.

You're basically discovering something that physical stores have had to deal with forever. Gary's International Store of Chainsaws and Weed knows that it can't sell chainsaws in jurisdictions where chainsaws are illegal to sell from stores. The people of that jurisdiction made the decision that chainsaws should not be sold from stores; Gary doesn't get to ignore that. Instead he has to incorporate the fact that not all stores get the same inventory in his logistics.

If that means Gary refuses to open his stores in such jurisdictions at all, that's fine. The people of the jurisdiction can decide whether they're happy with the outcome and change their laws if they're not.


Gary has every right to object if Indiana says he can only sell chainsaws made in Indiana, as that would be an absurd law.

Forcing me to run servers in France is absurd.

If anything, it increases the attack surface and makes it more likely that private data is exposed.


>Gary has every right to object if Indiana says he can only sell chainsaws made in Indiana, as that would be an absurd law.

He has the right to object in any case. That's free speech. But despite all his objections, he either does his business respecting the law or doesn't do business at all.

It's funny that you think that such a law would be absurd, when laws that require a store to sell locally-produced goods over imported ones also already exist in the real world.

>Forcing me to run servers in France is absurd.

You're welcome to think that. Don't run servers in France then.


> [gestures at huge amounts of the internet as we know it, which was started by small teams.]

Hence my original comment: The internet has spoiled us by making it so easy for a while.


You're absolutely right. Unfortunately, the little guy is more easily accommodated for with lenoency during onboarding regulation-wise, and the bigger actors can never be brought to heel if something doesn't go down on paper.


And I think your team did not think through before implementing your product. The GDPR and its consequences have been discussed for a very long time. And the product even managed to get locked into Azure.


> a very long time

What's a very long time to you might not be a very long time to me. GDPR wasn't a draft when the product I'm talking about first launched.

The Azure offering did not exist when my small team needed it.


You are building up a whole strawman here. This is all about sending personal data to a machine in the US, owned by a company, which falls under US law. You don't have to send that personal data to the US, do you? Why would you do such a thing in the first place? Surely informed people would not simply consent to such a practice. And I mean informed. Not just clicking "OK OK next OK" without knowing what actually goes on, just to be able to see the actual content of a website.


It's not a strawman, it was the company I worked for.

We helped manufacture medical devices. We sold a device that took medical images, and then sent the images to a server. The server would do tons of processing on the images, and help manufacture a medical device custom to the patient.

We ran our servers in the United States.

We could not sell our product in France, until we stood up servers in France to store and process the data.

Why would we do such a thing? To provide excellent healthcare to people. Even ungrateful French people. Our product was lower cost and higher quality than our competitors, with better patient outcomes.

What monsters we were for running our servers in the U.S., right?


Why are you so shocked that people want to assert control over their medical data? This is the crux of the problem. You're being absolutely incredulous that someone have a say in data that is about them.

Other people exist and have rights. It's about time that people assert their rights over data that is absolutely consequential to their lives, instead of being tiny pawns of companies who treat them like a highschool science experiment with live ants.


You either trust my company with your data, or you don't.

The idea that storing your data, encrypted at rest, on spinning rust platters inside your country somehow makes it safer than storing that same data, encrypted at rest, on spinning rust platters inside my country, is bizarre to me.

But that's fine. I think giving you the choice makes tons of sense. I'm not saying France should have a law forcing all data to be kept in the US. I'm saying it's bonkers that I cannot offer a product in France that happens to store data and process data on a server in the US. Even with a waiver. French citizens do not have the right to let their health care information be stored on a server in a different country. (As I understood the laws, at least - perhaps our legal representatives were misinformed.)

If you want control over your medical data, then I'm sorry, none of the existing tooling does what you should actually want it to. It should be stored on systems you designate. Not on some lowest-bidder French server that has unknown security practices.

It's amazing to me that you're lecturing me about other people's rights, when you're literally denying French people the right to buy my product, unless I meet some ultimatums. I'm not denying them, you are.

And you talk about consequential to their lives? My product lowered costs and had better patient outcomes, and we couldn't sell it. Maybe try a different argument.


It is kind of a strange idea in the first place, to store medical data outside the country, in a country like the US. I don't know if any country with good data protection laws would allow such a thing. I find the idea, that this could be OK for patients to be weird. I surely wouldn't want my medical data put onto US servers, likely without even knowing, because the hospital stuff does not know themselves and not telling me either. Maybe even worse being put to the choice of having some equipment used on me, which automatically shares that data to the US.

At some point in your project there seems to have been a time, when such basic questions of consent were overlooked and later you paid the price. Your intentions may have been nothing but good, but I for one am glad, that such practice was not allowed to happen.


You're in country X, and the top radiologist in the world dealing specifically with your disease process, is in country Y.

Walk me through exactly what you would like to happen.

If you think the best outcome is that only radiologists who live in country X can look at your medical images, then please really think about what that means for under-developed countries.

Please also think about the fact that people have medical imaging exams 24 hours a day, and think about where radiologists live and sleep.

The next time you get a CT scan and have to wait 4 days for the results, you'll know that your hospital system doesn't have teleradiology.

We absolutely understand patient consent, and then France started establishing laws that denied patients the right to consent to having their data transferred to the US. (As I understood our legal representatives, at least.)

(For the record, in case it's confusing to anyone following along, I worked on half a dozen different medical products in my career, in different companies, in different parts of the body, in different modalities, etc.)


I think that is the crux of the whole thing. You cannot assume, that any randomly selected patient can actually make an informed decision about consenting, when being asked, because people in general are not so informed about these data decisions. Getting informed properly can already take 4 days or more. So what you win on one end you lose on the other end when asking for actual consent.

My guess is, that they want to avoid the situation entirely, in which a doctor (or other people in the hospital or other institution) has to ask the patient for their consent for such a thing. It would come down to things like framing, for example: "The best people for x are in country y.", which might be true or just opinion of that doctor. There are issues with this:

(1) Usually the doctor is not informed about these data protection issues themselves. Usually the doctor did not also graduate in some mathematical / statistical / data science subject or following along the various data protection scandals. Most of the doctors probably have other things to do. Just like the rest of the population is mostly not well informed.

(2) We probably don't want a situation, in which the doctor dangles a carrot (the best people are in country x) in front of the patient, luring them into consenting.

(3) Doctors want to get their work done. They don't want to have to ask every patient for consent for things outside of their own expertise. Even if you transfer the paperwork to someone else, who will want that additional workload? Also the people going to a hospital might not want to have to deal with that stuff.

(4) What is the legal side of this? For example say you send data to the best experts in another country and you get a misdiagnosis and operate based on that. How does this work?

I think it is possible to keep data generally in France for example and only have the experts look at the data via conferencing tools. Then the experts can be made aware, that obviously they may not share any of that data with anyone and that they can only look at it, while it resides in France. For that we need a secure conferencing system, which is not run by big corp living off selling data directly or indirectly. We need capable tech people in the right place to set things up. We might also need Computer literacy on higher levels for the experts.


You were transferring dicom files out of country? Madness. That's identifiable medical data.

Tell me you were at least running anonymisation software in hospitals before you transferred?


Nope. This is a common practice in some huge businesses. Teleradiology.

We don't do it for fun. This is a part of patient care.

Radiologists awake in Australia can read images from the United States. It saves lives.

The radiologists are licensed and certified in the hospitals and states.

And by the way, if I get a CT scan of your head, I can trivially reconstruct your face. Might even recognize you with it.

If you want to freak out, medical records are sent by fax machine ALL THE TIME.


Thanks for the insight about this. It does not make me personally feel better about this situation, but it adds some to the general picture.


Under which law, please provide them specifically, were this not possible to do in France with data being processed in the US?

I am truly interested in this since I am in EU and use Azure for similar processing.


I wish I had it for you. I'm a developer, and I don't work for that company any more. Our legal representation came in and explained it to our upper management, who assigned projects to us. I don't know the regulation.


This sort of regulation is not new when it comes to health data. I'm actually surprised storing medical data outside the country was legal in France at any point, I don't think it would have been in my country.

So blaming the GDPR and new rules, seems a bit weird in this case.

Now, consumer protection regulation is always a balancing act. And most consumer protection laws will hurt some companies that didn't actually do anything bad. That doesn't mean I don't want any regulations. Particularly when it comes to healthcare.


Sorry, I'm talking in general, not specifically about GDPR and new rules. The whole trend stifles innovation because it's literally a barrier to entry.

And my real concern was people who want that cake, and also want to pretend they're not "fragmenting" the Internet. I wish people would call it what it is.


> would take weeks of vacation with zero support for us

Heh. Somethings tells me a devops engineer in France has way better work-life balance.


You'd think a _team_ of them could provide 8/5 (8 hours a day, 5 days a week) service...


The internet was designed to be resilient in the face of nuclear war. If it can't handle governments that actually protect their citizens from predation by multinational corporations, then we should rethink some things about the direction that we've taken with it.


Sure, so, let's say that France decides that HN info is PII.

So then Hacker News has to launch servers in France.

And then French HN users are in an island, and only see other French HN users' posts and comments.

And, to be clear, you think that's a good thing?


I don't think that's what's happening here. This is about a French company being disallowed by France from selling French citizens' data to a US Company.

Maybe this decision makes France toxic/favorable to certain kinds of business--much like how many privacy companies operate in Switzerland because the Swiss government is less likely to snoop than certain others, or how advertising companies operate in the US because they'll let you do whatever you want to their citizens. So yeah, fragments.

But you as a user are free to opt-into any fragment of the internet that will have you. If your government wants to stop you from doing so you should either take it up with your government or circumvent those limitations.

I don't particularly like the kind of fragment that France is creating here, the notion that data has a physical location in space strikes me as a rather shaky one, and I think policies following therefrom are likely to create convoluted architecture that exfiltrates the benefits of access without exfiltrating database instances (I've written enough code that tap-dances around the GPDR to know). Since I'm not trying to start an ad supported business in France, though, I'm happy to respect their right to come up with whatever weird policies they want.


Do you think it would be difficult to allow the different HN servers to federate their content across regions?


Would it be impossible? No. But would it be, say, 5x the amount of effort to build and maintain a federated system with no data stored across boundaries? Probably.


In what way is a French resident protected if their data is stored on a server in France but can be federated to other countries?


Difficult? Not so much. Demanding a yet another great firewall on the other hand sounds absolutely atrocious to me.


To be clear, you are underestimating the population size of European countries, as if would be a drama to lose HN or simply fork it.

I love hackernews, but there’s way more world out there to discover.

This is protecting EU citizens from EEUU companies having a free lunch on their data.


How on Earth did you conclude that I am underestimating the population size of European countries?

I enjoy communicating with all HN users, across the world.

If we each had to use only our own country's fork of HN, we wouldn't communicate with each other, and that would be a bad thing.


At last someone admits it outright - you want the EU to be an island, walled off from the rest of civilization, and perhaps also reality


Quick question: was there a reason you could not use Azure’s region support? https://azure.microsoft.com/en-us/global-infrastructure/geog...

Or was it before Azure had that? Looks like they’ve had it for awhile, at least back to 2009 or 2010.


France, Year Opened 2018, is what I see on that page.

This was impacting us in 2014 to 2016, as I remember.


Looks to me like the regulations did exactly what they were designed to do, and Azure implemented support for the EU market. The goal of these regulations is not to make things harder for companies trying to publish products in different regions, the goal is to get the big platforms (AWS, Azure, GCP) to implement systems that are in line with EU privacy requirements.

I'm sorry your business was impacted during the period where the regulations came into effect and the big platforms did not have compliant services ready. It would have been better if the negative externalities of these regulations would be entirely carried by the big platforms who are responsible for consumer privacy in the first place.


However all the GDPR requirements entered into force just in may 2018?

But in any case, the point is that the issue is solved without changing the laws or people having to switch cloud providers, as simply the global cloud providers have started offering compliant services.


The fragmentation is acceptable since the alternative for non-US citizens is to be treated as "free game"?


Its very interesting if limiting how companies are allowed to track, store and sell private information would be the central issue for which the internet will fragment around. It almost like tracking, storing and selling is the center of the modern Internet, rather than protocols like tcp, upd, https and so on.

In the past people said that the Internet was made for porn. Today the Internet is seemingly made for advertisement and surveillance. It not strange that so many people who worked in this industry for decades are feeling a bit lost in this new horrifying industry, which if the Internet really is made only to do advertisement and surveillance, I honestly think humanity is better off without it.


The internet is a tool.

You should support companies with the best behavior.

I worked at a company that enabled a radiologist in over country to do a preliminary read of a CT scan performed in another country.

Cutting the amount of time for a CT scan, and even connecting a CT scan with a radiologist who specialized in that particular kind of scan, we saved lives.

And yes, there's also furry porn.

It's a tool.

I feel like I'm trying to convince you that BOOKS are good, despite the existence of hentai.


Could that company exist if it wasn't allow to use advertisement or sell private information? In the past I would say yes without question since there is nothing inherently in connecting a CT scan with a radiologist specialist that require Google Analytics. Nothing at all.


The solution to this is to get your government to get its shit together on privacy. This is just a defensive act by the Europeans and to blame it on them is victim blaming.


> We had PII on Azure.

So why didn't you use Azure resources in Europe instead of "some crappy provider"? Sounds like you made a rod for your own back. If our clients are happy with Azure (in the right region) then I can't imagine many in the EU (other than perhaps national security services and their suppliers) reasonably refusing to allow use of it.

We host in Azure for some pretty significant financial organisations, mostly UK based but spreading our area. Some companies are requiring us to fully host in Azure DCs in their region, and some of those are Eastern, not UK/EU, based companies. At least one US interest that a friend's employer supplies demands data about its employees be hosted over there rather than over here, presumably so they can be assured it is kept to standards they are locally required to follow. Is it wrong that way around in your book too?

It isn't as easy as having everything in one region of course, but not much harder nor massively more expensive (caveat: most likely, as far as I know, I have the luxury of ignoring the bits that don't interest me and money is often one of those things, but I'm also senior enough that if there was something expensive happening, or something not happening due to expense, I'd catch wind as it would affect things I need to plan around) and it can't be as faffy/costly as using different providers in each territory.

If you are correctly following relevant regulations everywhere this does not fragment things any more than other rules that already existed. Aside from the fact things are being enforced this time, forcing companies handling PII to not quietly do things wrong because it is inconvenient to do things right. As an individual I'm perfectly fine with this.


Microsoft has set up a fully independent data center and business in German just because of this:

https://news.microsoft.com/europe/2020/09/30/our-commitment-...


Unfortunately, that didn't exist for us back in 2016, and our product is no longer in development.


So your argument is out of date and no longer valid.


I like the hot take but it speaks to the bigger point. The dual stack didnt kill the business, nor did the privacy law.

The company failed - it is what it is, and it sucks for the team - but you can't blame the EU protecting privacy/rights for bad business.


Standing up a second stack certainly didn't help. And who knows what the opportunity cost was.


Right. All I have to do is to stand up two complete copies of my full stack, and support both of them. There's no way that adds extra burden to me. My argument is completely invalid. Thanks for explaining that to me.


If you want to sell in two different countries don’t you have to comply with two different legal codes and support both of them?


[flagged]


The purpose of laws is to protect and govern their local citizens. I would hate to live in a world where a law does not get passed because of an argument like "but imagine how much work developers will have to do to follow the law!"


Agreed. But the internet is already fragmented. Each countries have their own laws and other countries no reason to follow them. All kind of content is accessible only in certain countries. It's also true for physical goods. I'm not sure why it's a problem.


I feel your pain but as an argument in this discussion it doesn't work. Your problem was in 2014 and Azure works just fine now.

It took some doing which was the whole point. The local provider even got a chance to match the offer.


You do realize by the same logic this inspires competitors to innovate...


So pass the cost of doing business in France on to the french.


Sounds like the market in france is ripe for disruption.


company stooge.


désolé!


Je suis un homme occupé, et te faire passer pour une risée peut prendre du temps, mais tout le monde a besoin d'un passe-temps.


I think fragmentation and looking after one's interests aren't even opposites. Analytics in particular seem like a very lopsided value prop: the american entity (Google) stands to gain from collecting analytics but doesn't really provide a perceivable equivalent value through the analytics service to the affected parties (EU consumers) in return, as you'd normally expect in a fair trade policy between two countries.

Looking at it from this angle, it seems perfectly reasonable for the EU to dislike the specifics of the analytics use case while still being ok with something like Google Docs.


> lopsided value prop

But that's not what CNIL is basing their decision on: "The CNIL concludes that transfers to the United States are currently not sufficiently regulated...Indeed, although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services."

I probably don't understand the legal issues fully, but it seems the worry is that US intelligence services may be tapping the lines and databases of Google, may have agents working at Google as badged employees, or may be able to subpoena Google (or any US service provider). [for the record, I wouldn't doubt if all the above are true]

I don't see how Google Docs is less susceptible to Google tracking user activity (and by extension US intelligence).

> "CNIL recommends that these tools should only be used to produce anonymous statistical data"

So the tools are not anonymous because the request headers of the client are being logged and used to identify a session, along with what resources on the site were accessed in that session.

Any site operator has this data on their visitors.

CNIL doesn't want sites hosted in France to be making client-side calls to services provided by Google (whether analytics, fonts, etc) or theoretically any US-based service provider because the client request will be logged by that resource host and open to access by US law enforcement? Do I understand that correctly? What's the solution? A site builder can't let web clients make direct calls to any resources in the US? That seems... sweeping, profound, surprising, impactful. Have fun with that.


> because the request headers of the client are being logged and used to identify a session

No need to dig so deep: IP addresses are considered private information under the current EU law, meaning that just opening a client-side connection somewhere leaks that data to that somewhere.

> I don't see how Google Docs is less susceptible to Google tracking user activity (and by extension US intelligence).

There is none. The difference is that the website studied in the ruling was not including resources hosted at Google Docs, and hence no mention of it. If the site embedded or directly linked to a google docs document the same reasoning would have been applied.

> CNIL doesn't want sites hosted in France to be making client-side calls to services provided by Google (whether analytics, fonts, etc) or theoretically any US-based service provider because the client request will be logged by that resource host and open to access by US law enforcement? Do I understand that correctly?

Almost. They don't want any calls prior to explicit user acceptance.

> What's the solution?

For fonts/images required to load the page, use EU-based hosting facilities. If you want to link to a google docs document, a youtube video or something like that, ask the user before following that link.

> That seems... sweeping, profound, surprising, impactful. Have fun with that.

It is, I don't think anyone is denying that. There are several things that may happen here:

1. US tech companies take it as common practice to spin-off EU-based companies that are not subject to US law and store everything in EU soil. When they don't, EU competitors pop up and EU companies use those.

2. The US passes laws that offer EU-level protections to both their own citizens/companies and (at least) EU-based citizens/companies.

3. The EU backtracks on this by adjusting their current laws.


Perhaps it's a fragmented internet that is best aligned with our own interests.

I, for one, would really like to have more fragments to explore.


For me it's philosophically reminiscent of the Berlin Wall or the Chinese Great Firewall. Personally, my knee-jerk reaction is that it threatens certain freedoms, but I am also a liberal raised with a Western education.


I guess I'm seeing more like a huge swath of farmland growing a monoculture for export, versus the same land being used as a patchwork of different crops based on the various farmers' tastes and relationships with their neighbors. The latter is more likely to change gradually as the climate and the needs of the people around it change, while the former is prone to changing all at once, perhaps unexpectedly.

People's ideas about how their technology should serve them will change over time. I don't want to have to overthrow the old internet before we can try something new, I want it to grow with us--the parts that aren't serving us die off, the parts that address new challenges flourish. If its all one thing, subject to one set of rules, that doesn't happen.


>I am also a liberal raised with a Western education.

Lucky you.

We need more Western education, not less, which is why fragmentation is a bad thing. My country of birth - in Africa - is aligned with the formerly communist nations; if they had to opt-in to a fragment, it wouldn't have been to the Western one. I might have never been able to emigrate.

Fragmentation seems like a leap backwards in time and a slap in the face of the promise inherent in the free flow of information.


> We're not fragmenting the internet by looking after our own interests.

Of course you are. This is the only possible outcome of any attempt to impose national rules on an international network. Instead of one global network, we'll end up with several local ones.

The internet is among the most incredible achievements of humanity. I'm glad I got to experience it before they destroy it. By now it's only a matter of time.


This is a great response to OPs comment.

At the end of the day we should be doing what is good for the People and somehow its always assumed that they will/should be the ones impacted when policies like these are enacted.

But Europe has leverage here - I don't think Amazon would want to miss out on a giant market base out of some moral principle and there are probably other levers to be pulled here to encourage that.

Anyway, not adding much to your comment other than kudos.


> On the contrary, it only forces those providers to have a European presence.

All the big cloud providers have presences in Europe. What am I missing here?


Nothing, this is now a solved problem. The EU didn't want the entire internet being hosted from the US. They designed policies to force hosting within EU countries. It happened.

The only people still moaning are Americans and hold-outs like Google refusing to move data.


> On the contrary, it only forces those providers to have a European presence.

If the EU has this much power to regulate operations that happen in America, then imagine how much worse it's going to be if you relocate your operations to the EU? In that case you actually become one of their subjects, rather than simply recording information about their subjects.


Wow

> Agencies can snoop on non-US citizens but shouldn’t snoop on US citizens

and they went and snooped on US citizens anyway.


If by those providers you mean Google, AWS etc. then that might not solve much. As subsidiaries of American corporations they would be obligated to hand over data to the parent corp, especially if the US DOJ required it.

I think the only solution would be for them to not collect and store data from GDPR jurisdictions that would violate the GDPR if they were forced to hand it over to the parent American corp.


No, the subsidiary would be governed by European law, and would be prohibited from handing data over to either the US parent company or the US DOJ if that violated GDPR.

The US parent company could not compel the subsidiary to violate the law of the region it was located in.


Yes, I suppose you're right, at least so long as they actually host their data in the EU.

But what happens when senior data scientists at Google want to do some analysis? Each dataset for each global region can't remain fractured from each other. The subsidiary may not have to hand it over to the US government but does the GDPR prevent data from leaving the EU zone? If not, then local copies in the US would be exposed.

I think there would be a lot of loopholes that needed to be closed. "Will be" a lot might be the better choice if words if France's decision becomes guiding legal doctrine in the region.

I don't think Google would willing give up that data either so they could be forced to change their practices to at least get that which allowable under EU law. And I don't want to get too slippery slope in this, but that could mean privacy-minded services begin using servers in the EU as an added layer of user privacy.


You're making the mistake of assuming that "something can't happen" if it is inconvenient for the business. The convenience of the business is irrelevant - it must operate within the law.

And yes, GDPR prevents data from leaving the EU zone if there is then a possibility that GDPR could be violated. That's the crux of the recent court cases in Austria and France. You may not collect GDPR protected data if as a consequence of that collection there is a reasonable prospect GDPR will eventually be violated by ANYONE.

For your example case, all initial data processing would have to physically occur within Europe, performed by a subsidiary not subject to US law, and only after they had reduced it to aggregate data that could not be reverse engineered to get GDPR protected data would they be permitted to export it to America.


the EU is shrinking in importance in terms of the world economy [1]

another 20 years and companies simply won't bother with it at all

[1]: https://fullfact.org/europe/eu-less-important-world-economy/


It's at 15% and forecast to go down to 12% by 2030. Also they're raising hell for corporations in the form of regulations and taxes. Why would any entrepreneur even bother?


> On the contrary, it only forces those providers to have a European presence.

It’s interesting to see the pattern here: if you can’t innovate, regulate.


Whine and fine


> like AWS, Azure, Mailchimp, PayPal etc [...] No cloud services, no Office 365 or Google Workspace.

Maybe an unpopular opinion, but imho AWS, GCP and Azure are popular with startups because of their generous free credits, not because they are good tools for startups. As a startup you are typically better served by a DigitalOcean-level of complexity, and there are plenty of such offers in the EU (Hetzner Cloud, Gridscale, OVH, etc)

For Mailchimp you have plenty of competition, some of it in the EU (SendInBlue and Mailjet come to mind).

For payment processing there are also plenty of offers, Adyen is probably the biggest European alternative but there are countless smaller ones.

Microsoft Office 365 can be replaced by (shocker) Microsoft Office (the offline version). But most of your documents probably don't even contain PII and would be fine in Office 365 or Google Workplace. The exception is obviously email, but the market is flooded with E-Mail services from any country you like (and your preferred Hoster probably offers an email package too).

So I'm not really sure what part of the ecosystem we are missing here? European companies often have the smaller advertising budget and mindshare, but it isn't like they don't exist.


> As a startup you are typically better served by a DigitalOcean-level of complexity, and there are plenty of such offers in the EU (Hetzner Cloud, Gridscale, OVH, etc)

As an actual startup founder who started as a 1 man startup, strongly disagree.

Spent maybe $200 a month on Google Cloud, got an actual production ready cluster. Scaled up to Millions in revenue, never had to deal with any Linux Server admin BS.

More time on business, less time on Linux Sysadmin.


> never had to deal with any Linux Server admin BS.

Oh, you just had to deal with a different flavor of BS. Or you was lucky and everything just worked out for you (but why Google Cloud and not some PaaS like Heroku, so you don't have to deal with cloud infrastructure/servers BS altogether?)

I've been both a system administrator, managing GNU/Linux and FreeBSD servers in the ancient ages, and DevOps guy doing all sort of stuff in the clouds. The complexity is still there, it hadn't disappeared in some magic cloud pixie dust, even though sales would wanna tell you that fairy tale. But here's the thing - you never get to dive into those waters (or hire someone to do it for you, be it an employee, contractor or paid support) unless shit hits the fan and forces you to.

You must've cheerfully walked through a minefield and haven't stepped on and even seen any mines. Honestly, I'm happy it worked that way. And hopefully, this minefield is sparse enough those days so you're a rule not an exception - I don't have meaningful statistics. It would be actually interesting to run a poll or something. I just happen to have seen a few companies/people for whom clouds weren't all unicorns and rainbows.

And as for the flavors - it just happened that you knew how to set up stuff in Google Cloud. Would you happened to know how to spin a simple instance on Digital Ocean instead and went that way, and be lucky to not encounter any serious issues, it would've been the same painless experience, just different flavor.


My server load was not the size I needed 20 dedicated servers, but far too much for Herkou. Just running a 120 core 24/7/365 on heroku is like.. all of my revenue. (Vs 1% on google cloud and maybe .1% on hertzer).


100%. The hidden part here is "DigitalOcean-level of complexity" is actually "DigitalOcean-level of features."

The big cloud providers have a variety of offerings of different complexity. Using GCP as an example: want k8s with all it's flexibility and complexity? You have GKE. Want to still run containers, but abstract away all the cluster resource management? CloudRun. Abstract away the container itself? CloudFunctions. AWS has EKS, ElasticBeanstalk, etc.

I understand people get overwhelmed the first time they're dropped into the console of these cloud providers but really it just takes a bit of reading to figure out what you should/shouldn't care about. And the benefit of doing so is enormous.


Disclaimer: Anecdata

Privately I host nearly everything on a shared host in Germany (that is everything I can host without sudo) [1].

For company policy reasons I must absolutely use AWS or GCE.

For an internal project I need to setup Matomo. Something I did thrice in the last few month on [1].

OK login through SSO into AWS. Look around, ask Google, find the bitnami image, click few buttons. Done. OH shit. Now I need to somehow make it publicly available. OK. Google again. Ah this is the way. Few hours of reading and clicking later I have a publicly reachable Matomo instance. Oh hey. It warms me that it is not ssl encrypted. OK. How to do let's encrypt? Google again with my second batch of coffee (or was it the third). Found an easy way, just enter a command in the shell. Oh hey, how do I get my ssh pub key into my EC2 instance?

Damn the day is nearly gone and I have yet to deliver this tangential asset to an internal project while killing my CCI (how much I am booked on client work) for something that the first time took me 30 minutes with the great documentation from [1].

To me as a meager Data Analyst the complexity of cloud offerings is a nightmare. And the documentation is written for other echelons of tech understanding most of the time.

[1] uberspace.de


If you’re a data analyst, then of course infra and sysops activities on cloud seem complicated. I’m sure a sysadmin could run/write sql, but would find the rest of your domain complicated too.


OVH gave us home. Enrolled us to Startup Program. Gave us support and hefty credit.

Managed K8s. Openstack.

When we started paying for it, it was still cheaper than AWS.

Just because AWS is the default, does not mean you should use it.


Was that before their datacenter caught fire and their customer servers were lost or after?


Yes, OVH experienced force majeure episode. I didn't follow exactly how the compensation was rolled out. I know it was messy. I am not going to defend their actions, I am sure they could always handle this better.

Disaster recovery planning is practice we should all adhere to. Hindsight is 20/20. Not trying to be a smartass. I know it was painful for a lot of folks.

At the same time, unless you paid for managed service with clear SLAs, then responsibility is yours.

Cloud is just someone else's computer.

FYI: we started with OVH before the fire


When I started, no other providers had the K8s features I needed.

Still prefer Google, as they are the OG for k8s.


And power to you. You did what you though was best in your circumstances.

Today circumstances have changed. You need hassle free scalable DB, then AWS RDS might you best choice. Maybe.

You need open standard IaaS, well, there is ton of options.

Even before K8S, you had and option of Openstack with Ansible. Yes, very different beast, but still much _simpler_ and _cheaper_ than stocking on large number of IT professionals.


We colocate about 20 servers and in any given month, spend no more than 1 person-days worth of time dealing with it. Many months we spend no time. That includes both sysadmin and hardware. But this requires knowledge that most devs these days probably don't have.

We might spend more time messing around with AWS than our colocated servers.


Right, if you legit need 20 servers than it might make sense for you. I would fit on like 2-3 decent sized servers if I did co-location, and would save not even 1 developer-day of salary...


You can rent 2 to 3 dedicated servers at affordable rates.


Right, but my time is worth more than what I could possibly save at my scale. You have to find the right balance.


I would guess that if costs is an issue then it must also be balanced compared to the potential profits. If your current $200 solution only allowed you to have US customers, while a $300 solution would allow you to have both US and EU customers, which one would you choose?


>I would guess that if costs is an issue then it must also be balanced compared to the potential profits. If your current $200 solution only allowed you to have US customers, while a $300 solution would allow you to have both US and EU customers, which one would you choose?

Whichever one let me pay rent at the end of the month


The US has plenty of customers. If I had to drop EU, I will. It's a nice bonus, but not a core requirement.


That seems good. Someone could copy your business and spin up on the EU market. If its profitable its profitable and its no worry for you. If its not profitable then the EU market is not large enough to carry the product on its own. GDP of the US is around $25 trillion, and EU is around $18 trillion, and population wise there are around 300 million people in the US and 400 million people in the EU.

Might I ask you what kind of product your 1 man startup have?


I am not 1 man anymore, we grew up a bit. But we are an ecommerce platform, basically centered around the big US marketplaces (Amazon, eBay, walmart.com). Yes Amazon and eBay are in Europe, so we are there.. but no say UK or France specific markets at this time.


Just make sure your BCP plan includes other provides. HN is full of stories where peoples' accounts are blocked with no reason and without means of effective contact.


That is consumer accounts, not business accounts at GCP. People confuse personal gmail with paid GCP. I have actual reps I can talk to.


Tangential, but assuming you're talking about Listing Mirror? I considered working on a similar product a few years ago, but felt the market was too competitive. Interesting you were able to compete with the plethora of similar services.


Indeed.

Pros and cons to being in a crowded market.

From day 1, you KNOW there is demand for your product. You can look up Channel Advisor and see the revenue. And 20 smaller companies under fighting for the rest.

Cons of course being, you have to figue out how to compete with all of these guys ;)


Working on a consumer SaaS startup and I strongly disagree. A virtual machine on something like DigitalOcean does not provide any of the nice abstractions that something like a Google Cloud Run (or similar on AWS/Azure) provides. The amount of time a cloud provider can save you administratively is difficult to exaggerate. That is from day 1. Should your startup succeed, and you need to scale, the real savings start to kick in since scaling to a large degree is handled for you. Good luck re-architecting your app into a kubernetes cluster and handling load balancing manually while your competition gets all that with almost no effort.


I've worked on so many small teams where dealing with AWS/Azure etc was a huge part of their day, for very very simple products.

I still remember arguing about bloating a web app with a 1mb package from AWS so it could use their serverless authentication offering.

Common theme as using those lambda function - sometimes paying quite a lot of them - to serve requests that would be twice as fast on the proverbial $5 linux instance.

So yeah, looking from the sidelines it feels like a huge amount of added complexity for small teams, "just in case" they need to scale. Which given how fast modern hardware is way further off than they think.

(unless they use lambda functions for every API request. in which case they better learn to scale in a hurry)


All Office docs contain a GUID that's closer to PII than an IP address.


Can't find any references to that except that each doc has a GUID. A GUID on its own is not PII - just some random number, so are you implying that MS collects every GUID along with author identifiable information?


I just got off the phone with a lawyer to talk about this exact issue.

If the GUID is related to the user (like user ID), then it is Personal Information - EVEN if the GUID is random. The distinction that is easy to miss is that a User ID GUID might be very low risk (compared to, say actual User Id or user name) - but is is still Personal Information.

If the GUID is for the document (and anyone can edit the document), then it is no longer PI.

Of course, all of this ignores things like the contents of the doc. If the doc is "SSNs of my customers", well... don't do that


The free credits are nice, but run out quickly. Azure is expensive, but has a lot of nice tools from key vaults, log analyzers, CDN, databases, pipelines, to firewalls. I mean, yeah, you can implement similar stuff on a DO platform but you're going to be wiring it all up yourself, taking on the liability for keeping it all secure, and providing the warranty for its availability and effectiveness. The value to AWS/GCP/Azure is far beyond free credits. They've commoditized services - it rarely makes sense to pay for in-house expertise in managing those services yourself.

Also, the offline version of Office is going away, to my knowledge. I think the current boxed version is the last boxed version they plan to sell.


I would say that looks at the state of things as they are today, which may not be the case as technology advances. If there's a service that provides a real competitive advantage that is only available outside of Europe, then this might exclude businesses in Europe to innovate and compete.


> Maybe an unpopular opinion, but imho AWS, GCP and Azure are popular with startups because of their generous free credits, not because they are good tools for startups.

That’s a complete misunderstanding of the cloud’s value proposition. The point of the cloud is to have things “just work” so you can spend more time shipping features and innovating. When I see startups not using it and “rolling their own cloud” by being their own sysadmin I question the strategic decision. To me it’s generally a sign that they failed to raise the appropriate amount of capital and are therefore trading velocity and agility for cost savings.

> So I'm not really sure what part of the ecosystem we are missing here? European companies often have the smaller advertising budget and mindshare, but it isn't like they don't exist.

Also because they can’t scale within a mostly unified 300 million market like US companies can, they have to special case and deal with all special snowflake regulations in every small European country they want to serve.

Plus, that’s not even touching on the engineering talent gap.


I'm pretty sure Microsoft 365 is GDPR-compliant and is storing data in whatever jurisdiction you set it up to.

I know we've had a lot of issues with an European company we bought; we're both using Microsoft 365 but they're set up in France. I don't think the IT folks ever figured out how to merge them (even though we probably pay a shitton to MS for support), so those folks keep using their old domain (but we can share documents and whatnot, so at least that's set up).


Stockholm, Sweden begs to differ as they just dropped Office 365 due to Schrems II: https://www.version2.dk/artikel/microsoft-forsikrer-lovlige-... (Danish article)


> we fragment and destroy the entire Internet

I would call fragmenting these things rebuilding the internet. Not sure how consolidating everyone on a few Mailchimp type services is in anyone's interest.


Exactly. If this make European startups build their own ecosystem and provides me with an alternative for the services I use but don't track me, I'm going to switch - simple as. I see this as a win for the internet.


Why limit it to the EU? Shouldn't every country have their own AWS, Azure and Google Cloud?

I think we underestimate just how difficult it is just to replicate existing services, let alone keep up with the innovation.

It's like the Argentinian effort to stimulate its own computer manufacturing by banning Apple products.


> Why limit it to the EU? Shouldn't every country have their own AWS, Azure and Google Cloud?

That is completely unrelated though. The only thing this ruling confirms is that you can not process data of EU residents when you can not be adequately protect them due to local laws i.e. the CLOUD act. If your laws allow you to keep the data safe, you can offer your cloud services to the EU market as much as you want. If they wanted to, the US could easily allow companies to guarantee those protections too.

I would not be surprised when, if no solution is found, some of the major cloud providers in the EU end up being e.g. japanese, israeli or canadian.


The EU as a block is pretty comparable to the US, so it wouldn't be that surprising if they came up with their own information infrastructure. I think you've answered your own question: why limit it to the EU? No moral reason, but it is a difficult project, you need a US/EU/China sized economy to have a good chance to pull it off.


> Why limit it to the EU? Shouldn't every country have their own AWS, Azure and Google Cloud?

Careful, there is such a thing as network effect for knowledge. More fractured systems mean more different approaches means less aftermarket documentation means less people being able to work for you.


I happen to be European but with that said, I also get the feeling that many western European HN-users here seem to fancy the idea of having many small local service providers that have challenges providing anything beyond basic hosting.

And that totally fine, if you think European companies have no competitive disadvantage on the global market to being forced to use traditional VPS providers or build and set up everything themselves. But I imagine it'd be very challenging if other companies outside the EU can go to market faster, deliver better services for lower cost, etc. than their European counterparts because they can use American cloud providers like GCP or AWS.


In all fairness, the faster, better, cheaper argument sounds too much like marketeese to me, and I have not yet seen that effect in real life. You can find dedicated people who are sufficiently good to manage some Linux server infrastructure relatively easily - all while AWS consultancies seem to pop up all over the place like mushrooms after a rain.


It'd help if the United States wasn't allowed to aggressively brain drain most of the rest of the world.


It’d help if the rest of the world tried to aggressively prevent brain drain by making the respective countries more attractive for work.


Or by making getting citizenship something that's attainable in my lifetime. Everyone complains about the US immigration system and of course it's not great but when I came here I kinda knew what the path forward was and how long stuff will take, for a lot of European countries there's no way to ever get citizenship and the path to permanent residency changes every three or four years.


I emigrated to Canada pretty much on a whim (using a fiance visa) and have fared quite well there. We (my partner and I) are weighing the possibility of emigrating again to Portugal which offers a rather reasonable golden visa - with a wide variety of European countries offering "trial" visas for workers under 30 with the most bare of requirements.

As a US citizen I've contemplated getting my wife residency down there and it's simply ridiculous - as are the hoops I'd have to go through to relinquish my US citizenship and that only matters because the US feels entitled to own me even though I haven't resided there for nearly a decade at this point. US immigration, from the working visa angle, is extremely unpredictable and only really estimable if you've got a large corporation with a whole bunch of lawyers to get your back - spousal visas aren't terrible but most come with some seriously onerous lifetime costs to execute (like taking a year off working).

I know there are a bunch of European countries and they've all got their quirks to immigrate into but you can really trivially get an EU passport and then move around within the EU.


In what European country specifically is there no way to ever get citizenship?


Switzerland and some nordic countries make it impossible. Portugal wants me to marry a Citizen, otherwise it's only residency. Luxembourg and the Netherlands wants me to learn their language, which is not something I would need to work there and in my experience visiting neither to be able to live there. It's not great.

On the other hand Italy denied my application once already, after my great grandparents basically left the country because Italy was not defending their town from Germany. They rejected my application because they say my great grandparents were not Italian but Austro-Hungarians. The lady at the consulate was super racist to my grandmother about it, in my face. After that now there's another way I could get my Italian citizenship by birthright by suing the government because of another racist thing they use to do where women were not transferring citizenship.

Again the US is not great but a lot of this things make me feel whatever "racial tensions" I may be a victim of in the US are mostly the media blowing stuff out of proportion, when most of the "racial tensions" I felt dealing with the EU are actual racial violence or discrimination that either me or my family where victims of.


> Luxembourg and the Netherlands wants me to learn their language, which is not something I would need to work there and in my experience visiting neither to be able to live there. It's not great.

That seems like a very reasonable requirement. How can you expect to participate in society, especially elections, without a decent command of the local language?


> How can you expect to participate in society, especially elections, without a decent command of the local language?

By hiring a local accountant and paying a small fortune in taxes? If I learn the language then yeah cool maybe I'll get into their politics thing but it's not that if I don't vote I'm not going to be a productive citizen. A lot of countries let you become a citizen without learning their language, most notably the US.


> By hiring a local accountant and paying a small fortune in taxes? If I learn the language then yeah cool maybe I'll get into their politics thing but it's not that if I don't vote I'm not going to be a productive citizen.

Being a part of society is a lot more than working and paying your taxes.

> A lot of countries let you become a citizen without learning their language, most notably the US.

An English test is required to become a naturalized US citizen. https://www.uscis.gov/citizenship/learn-about-citizenship/th...


Speaking as a US immigrant to Finland (a Nordic country), the citizenship requirements here seem quite reasonable to me. Minimal language proficiency, a civic knowledge exam, and at least 5 years drama-free residency.


I guess Switzerland. Pretty much every other country offers you citizenship after a time.


Switzerland is 10 years and then you need to pass a language and general knowledge test. The contents of the test depend on the region you live. Honestly I don't see it as that ridiculous.


I heard stories that it's still nigh impossible because you need good references from your local commune, and those are really hard to get.

Note: I'm only spreading rumors :)


Well, the exact requirements depend on the canton and commune you happen to be in. If you're in a village in Appenzell Innerrhoden it's going to be more tricky than if you're in one of the more international cities like Basel, Zürich, Geneva etc.


Why are you importing New World thinking to the Old World?


> It’d help if the rest of the world tried to aggressively prevent brain drain

What does that mean? Are you suggesting that countries should control where their citizens choose to work/live?


The rest of the world could also brain drain the US if it was easier to get into. The US -> EU/UK immigrants that I personally know have had a pretty hard time getting there permanently.


I moved from the US to the NL. Love it but I can’t get dual citizenship and getting permanent residence requires knowing the language well enough to pass a test, so why stay? It’s kind of a bummer because my son speaks native-fluent Dutch now. Next up will probably be Ireland.


> Love it but I can’t get dual citizenship and getting permanent residence requires knowing the language well enough to pass a test, so why stay?

Why did you move there in the first place, raising a kid there, when just learning the language is apparently a hurdle too big to take?


Learning the language isn’t the issue, learning the language well enough to pass a test when classes cost nearly €2k a pop is the issue.


To my knowledge to get naturalization in the Netherlands you must have stayed there for ~5 years and the required language level is A2, which is beginner level.

This doesn't sound like a crazy requirement to me. The giving up other nationalities would be a deal breaker for me thought.


Well, if you don't even bother to learn the language of the country you want to become a citizen of, then, yes, why stay indeed...


Learning the language to a conversational level as someone who speaks English is exceptionally hard. As soon as a Dutch person hears the accent, they switch to speaking English. Therefore you need very expensive classes to properly learn the vocabulary you’re expected to know for the test. We can stay here forever on our current visa, but I’d rather be a proper resident and be able to take advantage of the entire job market. I’d be happy to pay the money if the Netherlands would let me have a Dutch and American passport. Pre-COVID I didn’t really care, but post-COVID, having a passport to get to my sick family and be guaranteed re-entrance to the US is very important.


They think they are helping by switching to English. I’ve never had anyone refuse after politely asking to switch back because I’m learning.


The language test is incredibly easy, for what it’s worth. It is nowhere near fluent, or really even conversationally competent. It’s things like saying the correct words when buying an apple at a store.


Countries do not own their citizens. If they want their brainy citizens to stay, they should incentivize them.

The US is "allowed" to offer whatever it wants for people to move there.


That's nice for countries and bad for people.


Sounds like protectionism when they can't compete. The EU isn't exactly a shining star for tech development, probably because the culture there kneecaps it every step of the way.


Unfortunately, you will find that they'll "track" you just the same, but provide worse service due to smaller economies of scale.


I already get a lot of "We are sorry, but for legal reasons we are prevented from providing this service where you live" when I'm accessing American websites.

Recent European judgements seems to make it illegal to embed content from YouTube or Vimeo for example.

I don't see how dividing services up by region will help me anyway. I'd rather be able to choose from a few (I imagine there are more than a few at the moment) international Mailchimps than one in EU.


Its not illegal, but it requires consent. Plenty of solutions to offer a video without loading third party code until the user clicks it.


You could also use something like 'embetty' [1] and proxy your users from YouTube, Twitter and the likes to ensure their privacy.

[1] https://github.com/heiseonline/embetty-server


I feel that the whole point of this is to mimic China’s achievement of driving out foreign competition through legislation.

It’s similar to the UK’s pornography laws being more about surveillance and censorship rather than protecting children.


If you flip the scenario around in your mind.. how would you feel if virtually every site or service you visit scoops up your data and sends it to [China|Russia|...] and hosts all your private data on servers operated by the [Chinese|Russians|...] and are subject to [Chinese|Russian|...] rule and disregard whatever laws your country has enacted? How would you feel if you couldn't opt out without virtually opting out of the entire internet, including all the services your friends and family and local associations & companies use for messaging?

That's how the internet has been. That's how I feel about US tech giants getting all my data. They write their privacy policy, they dictate their terms, they follow US laws. I have absolutely no choice or voice or vote, unless one considers "yo dawg just build your own internet" a realistic choice.

I don't feel like the purpose is to drive out foreign competition. I feel like the purpose is to enforce privacy as a right, and I fully support it. I also fully support the right to transmit data across borders as long as the destination country also respects my privacy and rights instead of treating me as an alien and potential terrorist. Is that too much to ask for?

And in general, is following the rules of the country you offer a service in too much to ask for? Local laws apply to brick and mortar business; if Walmart wants to come to my neighborhood, sure go ahead, but please respect our laws. I don't see why internet companies should be above the law either.

GDPR is replacing rules dictated by US corporations with democratically established rules written by our representatives. It's unfortunate that there's now a clash between US laws and EU laws, but it's not the end of the world.


Simple. If you have a free market, I would just use competing services instead of the "Chinese" ones. No one is forced to use TikTok. If people really wanted a privacy focused service, a new one will arrive. DuckDuckGo's success is an example of that.

imo it's just a thinly veiled protectionist law that will fracture the internet all for the sake of propping up EU incumbents who can't innovate.


Yes it's simple in dreams and an economic theory stuck in an era where a potato is a potato and it doesn't matter much whose potato you buy. Unfortunately the free market tends to be a race to the bottom, for complicated reasons. The market is also not effective nor is it rational, nor is it good at displacing entrenched players and natural monopolies, least of all ones that don't give a crap about ethics. It's not effective against deliberate lock-in and network effects, nor against externalities and exploitation. It's not effective where effect requires individual sacrifice multiplied by millions.

If free market were effective, we wouldn't have needed labour laws to keep people from dying in factories where they work 16 hours a day, we wouldn't need laws to make vehicles safe, we wouldn't be desperately looking for agreements to curb pollution and climate change, we wouldn't need laws to protect minorities against discrimination.. hell, I don't think we'd need laws at all because everyone would just rationally and effectively choose good actors & displace bad actors.

It's a nice fantasy, but it's not one we live in.


The free market isn't perfect, but it's been historically better than centralized economic planning.


I don’t believe your parent is arguing for centralized planning in any shape or form.

Even the US knows rules for markets - it’s never entirely free. European laws just set more rules and give the consumers more rights - something I consider useful where there’s a strong imbalance in knowledge and power between the consumers and the companies offering a service.


> I don’t believe your parent is arguing for centralized planning in any shape or form.

National regulation is a form of centralized economic planning. Is it always bad? No. Is it always good? No.


I'd like to think that there are gradients between opposite peaks.


> No one is forced to use TikTok.

TikTok was nearly forced to sell parts of its operation so it could continue operating in the US, in India it's actually banned.

> DuckDuckGo's success is an example of that.

As good as DDG is, it's not that great of an example as all the background tech there still relies on Microsoft's Bing, which means there is very much a US-centric search engine monopoly in place.

> that will fracture the internet

Maybe the Internet needs fracturing, we've reached a point where a handful of US corporations control the vast majority of the web traffic [0], that kind of massive centralization is the absolute antithesis to what the web is supposed to be and presents a massive filter bubble in-itself.

[0] https://staltz.com/the-web-began-dying-in-2014-heres-how.htm...


> TikTok was nearly forced to sell parts of its operation so it could continue operating in the US, in India it's actually banned.

Yes, that's a great example of protectionism that was reversed.

> As good as DDG is, it's not that great of an example as all the background tech there still relies on Microsoft's Bing, which means there is very much a US-centric search engine monopoly in place.

DDG is not the only privacy focused search service. There are others with their own homegrown search engines. I believe some of them are French. This also reflects consumer demand. DDG only able to evolve and grow based on how many people want to use the service.


As a counter point - I think it's fair to view the extreme lack of consumer protection laws in the US as protectionism for domestic tech companies. The US has been extremely resistant to roll out consumer protection laws and that's shifted it into being the equivalent of a pacific island nation with extremely lax tax laws - it's the wild west of the internet where all the sane laws don't exist that attracts all the companies that don't want to play by the rules.

The US could coordinate and work with the EU to try and craft laws that span both regions in a unified manner so that businesses can operate more freely but instead they're choosing to subsidize a protectionist agenda by levying a cost on the privacy information of its residents.


> The US could coordinate and work with the EU to try and craft laws that span both regions in a unified manner so that businesses can operate more freely

I love your wording. Regulation mixed with "operating more freely" is oxymoronic. The same can be said with your argument of "subsidizing a protectionist agenda" when you're referring to the lack of regulation and legislation.

> As a counter point - I think it's fair to view the extreme lack of consumer protection laws in the US as protectionism for domestic tech companies. T

The spat between US tech companies and France's ancient media companies is not new. It's very disingenuous to pretend that the purpose of these laws is just to protect consumers.


To be honest, it's really only oxymoronic in a very limited slice of America. It has come up a few times on HN that the definition of freedom varies wildly in different parts of the world. As an example, take healthcare: in the US market driven healthcare might be the freest freedom that ever freedomed - but elsewhere social safeties that allow residents to live the best quality of life they could are considered to be the highest freedom you can achieve. While health issues are a regrettable part of the human condition, a society might want to strive to minimize the amount of stress spent by individuals on particularly bad die rolls by their bodies and fate allowing individuals the freedom to spend their time more according to their wills. Even "free market" US healthcare comes with a number of regulations - I'm not certain if you were alive (and paying insurance) before pre-existing condition coverage was guaranteed but a lot of people ended up unable to even secure insurance in that world, it was awful.

Regulation is a firm requirement to a free market, without regulation of any kind you will pretty quickly descend into authoritarianism as whoever has the biggest stick will just take everyone else's stick. While there definitely are dangers at the other end of the spectrum if you're fanatically at either end you've got to ignore a whole bunch of pretty well known issues.


It’s oxymoronic everywhere based on the definition of the terms, and not just in “limited parts of the US”. It’s Orwellian doublspeak. No amount of mental gymnastics changes that.

> Regulation is a firm requirement to a free market, without regulation of any kind

I agree, but there are lines that when crossed either negates or greatly lessens the overall benefit for most people outside of vested interests.

> you will pretty quickly descend into authoritarianism

Moreover, historically speaking - centralized economic planning tends into devolve into tyranny vs systems with primarily free markets.

This is also much less about protecting consumers than it is about protecting old French incumbents who are unable to evolve.


> Regulation mixed with "operating more freely" is oxymoronic

Common regulation between jurisdictions allows businesses subjected to the regulatory oversight of multiple involve jurisdictions to operate more freely than if the jurisdictions did not coordinate and instead adopted regulations where it was impossible to comply with one without violating the other.

You shouldn't just pick one word from one part of a statement and a two-word phrase in another part and ignore the rest of the statement in order to create your own argument to respond to.


You’re just cherry picking an even worse example of regulation. The core definition of regulation is the limitation of what an entity can and cannot do ie operating less freely. Your argument doesn’t change that


> You’re just cherry picking an even worse example of regulation

No, I’m pointing to the exact subject of discussion, the suggestion that the US and EU, who currently do regulate and do so independently, could coordinate regulation.


Yes, that's the overall discussion, but that's not this specific sub-thread is about. This subthread was about addressing the strange, oxymoronic doublespeak being used by someone responding to one of my comments. Maybe you meant to respond to a different comment?


It actually isn't oxymoronic though - I like being alive and my freedom to remain alive relies on the regulations and laws that discourage people from murdering me. Regulations aren't the opposite of freedom except in an extremely narrow view - regulations often help to make free markets more free.

This isn't a case of doublespeak at all - it's just that the world isn't a simple place.


This is not a "all regulations are bad or all regulations are good" argument. This is about an oxymoronic statement. I feel that you and previous commenter have trouble differentiating the two.

> regulations often help to make free markets more free.

No. They do not. That's nonsensical. The whole point of regulation is to exert control over something for better or for worse, depending on the situation. That's the exact opposite of freedom regardless of the consequences.

Your analogy is poor because it doesn't mirror the original quote. A better analogy that mirrored the original quote would be, "We need to murder people in order to save their lives." It makes about as much Orwellian sense as saying, "There's freedom in slavery."


> Yes, that's the overall discussion, but that's not this specific sub-thread is about.

I’m specifically addressing how the statement which branched this sub thread off was, itself, a non-sequitur to the statement it pretended to rebut.


It’s not a non sequitur. It’s a response to a nonsensical argument ie “regulation makes markets more free” It’s oxymoronic.

There are many good arguments in favor of regulation, but that is not one of them, despite all the mental gymnastics being done to pretend that it’s a good argument.


"they follow US laws"

...when convenient.


Perhaps unpopular opinion, but I don't want a fragmented internet, where I have to remember 10 different options for every single service I need to run a startup. Is that really the hill we want to die on?

I have enough things to worry about, I don't want to consider 10 different cloud computing options, 10 different database options, 10 different analytics services. I want to just go with the big popular option.

Heck I'm willing to bet even if more options come up, the most popular option will be some aggregator site that tells you which one to use.


Here here. Good riddance.



Thanks!


>I think we (in the EU) will soon realise the bizarre consequences of these regulations.

Could this not also be said about US regulations such as CLOUD act, Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333.

I don't think it's accurate to solely blame the EU when this is in response to legislation that gives/gave the US access to all types of personal data on European citizens.


> I don't think it's accurate to solely blame the EU when this is in response to legislation that gives/gave the US access to all types of personal data on European citizens.

I would argue that the Americans getting better privacy protections and working with other countries instead of forcing American companies to behave illegally abroad would be a much better solution than the Europeans watering down their privacy laws.

American companies will set up independent shell companies or subsidiaries to serve European customers anyway. Microsoft and Amazon are never going to voluntary leave a market of 400M customers. Doing so would leave too much room for a competitor to grow and then threaten them. So if fragmenting the web means that Europeans get the same services as Americans, but with better privacy, then I am all for it.

Europeans are to blame for the flaws in the GDPR, not for doing their thing without the blessing of the Americans.


Maybe that's true for the Microsofts and Google's of the world. But for smaller companies trying to provide SaaS or PaaS it totally keeps them from entering the market. So in the end it only increases the difficulty to compete in EU and increases the power of these mega corps.


The recent German judgment was also about subsidiaries. If 'Meta Europe ' falls under the cloud act it isn't GDPR compliant.


It’s a simple shell game. Meta US can very well become a subsidiary of Meta Bahamas, and still get licensing fees for its brands and IP from a nominally independent Meta EU.


I agree. Hopefully this is temporary and they can figure out a reasonable compromise. As a Swede I do feel that parts of the EU (with Germany and France) are heading in the wrong direction. Those are not countries famous for their entrepreneurship and it seems like their first instincts in relation to the US are usually protectionist.


I'm also European and I completely agree with you. They're basically taking the whole EU as a hostage to protect their own inefficient domestic companies =(


I can tell you that there's a deep-seated suspicion in the US that for France, much of GDPR's purpose is about enabling protectionism.

The logic is understandable. Surely, if you just get rid of the abusive American monopolies the home-grown companies will take their rightful places... right?


That doesn't seem to be true though. There are multiple countries outside the EU that have an adequacy decisions regarding their privacy laws like: Japan, South Korea, Canada, UK, Isreal, etc. They can host EU data without issues.

The only reason the privacy shield agreement was thrown out was due to lack of safe guards from US intelligence.

Even without the privacy shield, US companies would still be able to store EU data in a country with an adequacy decision if it wasn't for the CLOUD act. This seems more to do with US law wanting access to EU data.


Critically, they want access for for free.

The US does not have to give anything in return to get all the private data from EU they want.

The EU in return gets...nothing.

If you are a politician this is not a great position, you get no money, no jobs and no data.

If they equalize data access, "data sharing" (on an intelligence and on a commerical level) could be a valuable component of future negotiations.


> The EU in return gets...nothing.

The EU gets the services they use....


Of course the users do (and pay for it)

However from a political standpoint that's as good as nothing.


Is there anything restricting US companies from first transferring EU data to a country `A` with an adequacy decision and then transferring that data to the US (assuming `A` allows this)?


I wouldn’t worry too much about AWS or Azure. When AWS realised how much money the European Public Sector spends on the public cloud a good few years back they went from being behind Azure in terms of complaisance to now being ahead.

I’m Danish and as we’re a notorious Microsoft country I have the most experience with everything Azure, but the fact that Amazon was so quick to ensure that 100% of the workers who ever come near the services they sell within the EU are EU citizens is something that we still looks somewhat envious toward. It’s actually an area where Microsoft might eventually run into some trouble if they don’t work on their compliance but I can certainly understand how it’s hard when one of their key selling points to Enterprise is that we can call Redmund.

I don’t think the EU will get into much trouble over this, however, and I don’t think it will have too much of an impact on our tech industry. I do agree that it’s not likely to help European alternatives to Microsoft or Amazon, but that’s not exactly the point or the legalisation is it? It’s there to prevent EU citizens and our personal information from becoming the primary commodity that is sold between giant companies.

Advertisement companies like Google will no doubt struggle with this going forward, but is that really a loss for anyone?


> but the fact that Amazon was so quick to ensure that 100% of the workers who ever come near the services they sell within the EU are EU citizens

Uh not sure what you're referring to but that's not true. The only airgapped region w/ enforced citizenship was for US citizens in GovCloud.


Shaking up the current situation doesn't seem to be an entirely bad thing. As it stands, the majority of the internet is depending/residing on datacenters provided by a handful of companies. I'm not sure that's a good thing.

Building satisfactory alternatives to Office, Workspaces etc. isn't a monumental task by any stretch. With the sudden demand that you predict, they'll spring up like weeds.

This might be ham-fisted and crude, but in the end I see a lot of positives.


If replacing Office / Workspaces is not a monumental task, why are there only two good options? Workspaces is only just becoming a viable replacement for enterprise because pivot tables are hard.


A big reason is that competing with them on equal footing is a monumental task. You are working against network effects, heavy duty marketing, integrations into other products and a whole army of developers.

Developing the product itself isn't the reason.


But network effects and marketing are irrelevant for products that can't be used in your country because they violate local laws. If some Google product can't legally be used in the EU, then it has zero network effects there and Google wouldn't waste money marketing it there.

Also, the competing EU-based service might be strong competitors to the ones in the U.S., among people like me who are privacy conscious. I don't use Google services, but I'd be happy to consider using GDPR-compliant services based in Europe.


I think you misread the comment thread. You are just restating my point. I agree with you. I was talking about the current (previous?) situation, where US and EU companies are on equal footing on the european market.


The big companies buy the little companies as soon as they look like they may be a threat. It’s not monumental or hard to compete with them.


I think you are underestimating the effort required to produce an suite of office products.

Libre office is a third option, but does it have much usage? Why or why not?

Could you sustain a development team capable of creating this with a limited market and revenue stream?


> Could you sustain a development team capable of creating this with a limited market and revenue stream?

Market wouldn't be limited and potential revenue streams would be huge. So yeah. Just as a reminder, this is still assuming that there is a significant window where the big options aren't available for Europeans.


Sorry I wasn’t clear. The reason there are no competing products isn’t because it is hard. It’s because they keep getting bought as soon as someone does “good enough”


They don't have to sell to them though, right?


Would you turn down a "name your price or we'll run your business into the ground wink wink" (by disabling app store, never getting on the first page to results, etc). Not saying that is what is going on or anything...


In most cases the underdog is running on investment funds, and has handed over a significant amount of the company control to investors. When a buy is proposed, those investors have to weigh the really quick (probably really large) profit of selling versus playing the long game fighting an uphill battle against the giant.

This is how promising companies are swallowed by the market leaders.


> There must be some reasonable middle ground before we fragment and destroy the entire Internet.

Elsewhere "fragmentation" is called diversity and competition. It's sad that it has to come about due to regulation, but it's a good outcome nonetheless.

The familiarity and precedence of current offerings becomes a kind of Stockholm syndrome for people. More options mean more chance of valuable improvements, and geographical diversity means different mentalities and points of view, instead of more "me too" options.


> No cloud services, no Office 365 or Google Workspace

I'm so looking forward to that.


What is the alternative? We are going to go back to 2005 where we send docs over email? Files end up being too large, nobody knows what the latest copy is, etc.


The EU is big enough that companies like Microsoft will find a way to offer their services legally, and if they wouldn't, it would be a huge opportunity to EU based competitors. It's not like we don't have any software companies in the EU.

Also, there's no reason that collaboration tools must be hosted on a US cloud. Especially Microsoft traditionally provided tools for their customers to host their own infrastructure -- it's only a recent phenomenon that everything is hosted by the vendor themselves.


I think you’re right. Microsoft is perfectly able to split its operations. They’re doing it now in China in a much more drastic fashion, and they seem to have been preparing to do it in Europe for a few years now.


The fact that US companies may need to treat Europe like China speaks volumes about the road the EU is headed on.


Just that two ships are departing from a location does not mean they heading in the same direction.

It is true that both the EU and China are swiftly heading away from this unprecedented era of technology companies being able to act as they please abroad without impunity. It is an era that the US, which benefits from this arrangement greatly, understandably does not want to leave.

But what matters is why they are doing this, not that they are doing it. And in that regard it is much harder to find similarities.


[flagged]


"protectionism" is morally neutral to anyone except a hegemon. A nation can decide to protect itself from free expression and abolition of slavery just as it can protect itself from unsafe food imports and price dumping. It all depends on who is being protected from what.


You know exactly what kind of protectionism we are talking about here: economic protectionism. The kind that has to be employed by a decaying empire whose populist, anti-entrepreneurial, anti-business and anti-innovation policies led to it losing the high-tech race and now instead of working together for progress is walling itself off to dream of the memory of its lost glory.


You will have a very hard time arguing that the EU is more protectionist than the US.


It says quite a lot about American imperialism, actually. These developments were basically guaranteed the moment the CLOUD act passed, and after the adventures Microsoft had with the DoE.


Or people get fed up with cloud companies like Google (already happening) and people realize self hosting is becoming more and more simple (also happening) to the point where anyone can do it. IPFS and other tooling could push a decent portion of users to this. We can already see some of that effect with things like mastadon.


You can host this on-site :)

No need to go cloud everything. I think you can even buy the whole azure pack to run on-site.


Do you genuinely think they're the only office products providers in the world?


No, do you think they were going to list every single office product? They said "Cloud services" which encompasses more than just those two.


If European startups end up starting companies in the US, and the US companies can't operate in EU, there will either be a massive vacuum to serve the European market ($15 trillion in estimated GDP), or there will be companies that like profits and want to earn some money by providing products in EU.

We can create a middle ground. When ever information about a EU citizen that get transferred to the US, a similar information about a US citizen get transferred to the EU as hostage in case there is a data violation. A list of IP-addresses accessing usa.gov in return for a list of IP-addresses that accessed europa.eu. Surely a deal can be made that give both sides equal power.


I think we are already dealing with the "bizarre consequences" of having our personal information uploaded to servers in a foreign country without consent.

Privacy abuse on such a massive scale, never before seen in human history, requires action.

And it does not matter how normalised this has become for the people in the valley of the clueless.


We already had a good sneak peek in Germany, when schools closed last year for some weeks due to the pandemic.

Popular video conferencing solutions weren't allowed due to privacy issues. The official "Lernraum" platform that have been used for this did not work most of the time.

I understand where these laws come from, but it's sad that there often is no European alternative


That’s okay.

The EU can build it itself when the US player are not able to not send data to their US data centres.


Why would EU building it themselves going to happen? Either it could be profitable for company to operate in EU or it is not. Assuming current US companies are efficient enough and if they couldn't be profitable, why could be a same thing built by EU is profitable there. In fact it is opposite as they couldn't track as much as American companies even outside EU.


Because US companies are hamstrung by US laws that prevent them from complying with EU law (i.e. US govt says you must give private data to us and EU says you can't give private data to non EU govt). Other companies not based out of the US can guarantee privacy that meets EU spec if they don't have local laws compelling data access. So it might not be EU companies that capatilize on it but there can be a market opportunity that US companies can't fill.


Because the US companies are bloat with their bureaucracy and structures. A Google is not able to pull a startup thing. See Stadia or the other short-lived projects, they all suffer from a lack of skin in the game - so to say.


There are more startups in US than EU. Also I think bureaucracy is worse in EU than in US.


I don't think it can. Maybe they can buy yandex, but i think europe has drained its talent tothe US. And even if they build it, how will they monetize it?


Europe isn't drained of talent by a long shot. It has surely been tapped to some extent by the bay area exodus, but there's plenty of tech success stories and talented people here still.


Yeah the talented people are getting paid 3x as much to work for US companies with like two or three exceptions.


I don't belive that to be true at all - EU have a lot of great SaaS/tech companies that emply a lot of really talented people. What EU need more of however is vc money.


That's just ridiculous. It's a miniscule portion of the total talent that has left to US, and Europe draws many people in constantly as immigration is easier.


Why is it on Europeans to weaken their privacy regulations and not on Americans to strengthen theirs? Why should we bend to the lowest common denominator instead of lifting everyone up?


> No cloud services, no Office 365 or Google Workspace.

I think you are overestimating the problem. Before Facebook decided that it wanted the European market we had hundreds of similar services. We will have local replacements the moment these US companies with their near unlimited war chests finally fuck off and give European companies room to breathe again.


AWS has always had a very clear region system which let's you decide the location where you store your data and run your services. Most popular region here in the EU being eu-west-1 (Ireland), which usually gets new features and updates first. Once you choose a region for your application, it takes some effort to store data outside of it.


It's sad but predictable that the top response amounts to "Forcing companies to act ethically and legally would just push them into the USA".

That's not exactly a great argument here, given that this French court has objectively made the right legal decision here in terms of EU privacy law, and the rights of their citizens.


Microsoft will be storing EU users' data in the EU: https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boun...

Will this enable them to comply with the requirements?


Microsoft has done the leg work for this already. They currently have a completely contained Azure environment in Germany. I think it was deployed to ensure compliance with german/EU health data protocols.

I have first hand experience of this, migrating between their global PaaS and the contained German one. The bulkheads are quite air-tight (much to my personal detriment).


They also had a completely separate o365 offering called Microsoft Cloud Germany that failed due to lack of interest (and the fact that it was years behind the global platform, I say), which was finally shut down last year, with everyone who renewed their contract automatically being migrated off.

They're working on it, but still not everything is entirely regional.



Not if they have to provide this data under the cloud act.


Europe's future internet without web3 sounds wonderful.


These tools have EU versions of their services with servers in Ireland or other places so that the data does not leave the territory. There will be absolutely no consequence to these regulations.


The server locations does not seem to matter as long as American government agencies are able to make the company provide the information.

But, companies like AWS claim that they voluntarily bind them selves to to provide much stricter privacy safeguards than the US law requires[0].

[0] https://aws.amazon.com/blogs/security/aws-and-eu-data-transf...


> No cloud services, no Office 365 or Google Workspace.

For quite a lot of business data, the "do not export data out of region" thing is nothing new. Which is why it is not actually unusual to be able to select where the servers are located.

That being said, if this made Microsoft Teams impossible to use, it would made a lot of us happy. That thing is crap.


It’s justified to keep that in mind. The EU is absolutely capable of myopically binding itself in red tape and stumbling in to second order problems.

It is also silly to tolerate techs incessant fuckery.


> I think most successful European entrepreneurs will just end up starting companies in the US instead.

If these companies end up banned in Europe, that's not really a problem from Europe's PoV. Europe may end up deciding that US companies not coming is a problem in itself, but that is already the case imo.

Honestly, if this policy is actually enforced, it's very hard to imagine how the landscape would shift. Maybe Europe would be brought to its heels, and be forced to remove the law. On the other hand, maybe the US would be forced to renounce their cloud act, which is a large part of Europe's privacy issues with US companies. A third path could be companies reverse-incorporating in some place that would let them keep in business.

It's a bit hard to predict honestly.


The UK market for digital products won't stop existing just because a few UK entrepreneurs move to the US.

These regulations are the only way to dismantle US big tech monopolies. The US government won't do anything about it on its own accord because it's too profitable. Other countries need to neuter the influence of US big tech first. Then the US can police their own better to encourage intl competition if they want to.


You can use all these, but you cannot send your own visitors' data to M365.


Nah, the tools will be adjusted to comply.

The EU combined is the largest economic region in the world. With backdrop the other huge one China where doing business has become increasingly difficult and volatile.

Tech giants cannot afford to pull out of the EU. Call their bluff, they won't. They can't even if they wanted to, as shareholders will skin them alive.


>The EU combined is the largest economic region in the world.

It's not 2011 anymore. The GDP of the US has surpassed the GDP of the EU.


Being the number 2 (or three if China overtakes) is still not exactly a weak position to be in...


Is this with or without money printing?

I'm teasing. I accept your new data, but I don't think it fundamentally changes my point.


If we don't count money printing, europe would probably be in an even worse shape. Remember that the interest rates in the big Western European countries have been negative for years with still almost no economic growth, and that was pre-covid! Even the FED isn't technically directly buying US bonds from the market like the ECB does to prop up the debt sales of its weaker members. Even the historically low current FED rates, I think are still higher than the peak of most European central banks rates of the past 5 years. Again, all of that did very little to prop up their economy (which usually indicates it's pretty zombified) so they couldn't even start hiking the rates back in 2018-2019 like the FED did. That means they are now stuck with very few "easy" ways to recover from 2020.

I know you are just joking, but the sheer irony of a money printer joke in this context was just too much for me to not react :')


Companies will bend to the whims of regulators in the countries they do business in. Look at US companies in China.


AFAIK, Microsoft moves most of it's cloud services to Europe by the end of this year for their European clients [1] So I guess where's a will there's a way - they just need a "little" nudge. Should be good for datacenter redundancy anyway, no? But: some datacenters are in fact crappier/slower than others - German datacenters take way longer to implement some new features compared to US datacenters or even those in Holland/Irland. But that's due to slower german regulatory processes

[1] https://blogs.microsoft.com/eupolicy/2021/12/16/eu-data-boun...


I run multiple organizations just fine without any third party proprietary SaaS like those provided by Salesforce, Google, Apple, etc.

It is crazy to me so few realize it is really not much, if at all, harder to run a business without involving US surveillance capitalism corporations.

Tools like Nextcloud, Matrix, Jitsi, have turn-key SaaS providers or you can self-host them easily as well. Same for many many analytics solutions.

I honestly think every company would be better off having more sovereignty in their tech stacks and data, and it is much better for consumers who may not realize they are -also- sharing their data with third parties like Google who use it sell targeted behavior changes to the highest bidder.


We knew those consequences from the start, they are just being realized veeery slowly


> European startups will not be able to use standard SaaS or PaaS tools (like AWS, Azure, Mailchimp, PayPal etc) if they are based in the US

PaaS and IaaS providers all have a presence in the EU or is that still not good enough to pass the regulation that's in place?

SaaS I get it, they'd have to create a presence in the EU but I don't think that's a bad thing. They will, at least the big ones you mentioned. And if that's a problem for smaller SaaS providers then the market will have a solution for that emerge over time.


> I think we (in the EU) will soon realise the bizarre consequences of these regulations.

Wait until you see the result of the green revolution: you'll pay your energy 3 times more than now.

We'll need decades to recover (if we recover) from this ideological move from people that lives in la la land and have no idea of the consequences of their acts.

It already has started with natural gas prices skyrocketing. The Russians are holding us by the balls and our politicians are spitting at their faces...


Out of curiosity, where did you get that 3x claim on green energy? And how is that related to Gas?


It was inspired by natural gas prices that went 3x this winter and an article that said we (French citizen) pay our electricity much more than what it cost us to produce because our production is sold on the markets then sold back to us at an inflated price (deepl should offer an OK translation even if it might lose a bit of the humor : https://institutdeslibertes.org/nous-avons-la-meilleure-fonc... ). I don't have data to say how much more will it be expensive, but I know it will be bad enough that we certainly will have protests.

You can't just delete nuclear, coal and natural gas power plants and think the invisible hand will provide. There is no secret plan behind: we're gonna crash then our politicians will blame the Russians and / or COVID but certainly not their incompetence.

Don't get me wrong, I don't want to live in a polluted world more than anybody else, but I also want to take a hot shower daily without it being a luxury expense. We needed to think the transition and do it progressively before. Too late.


> European startups will not be able to use standard SaaS or PaaS tools

I wish!


I don't think Google analytics is that essential. It has privacy problems and there are alternatives around. It is just often the lazy choice of developers. They would have to adjust a bit, comes with the job anyway. Not using it doesn't "fragment the internet".

I still don't think laws against specific software is helpful though.


Or... Or... these co's stop mining/saving data on all EU folks altogether. If they could prove to regulators that the tracking and mining and selling of data does not happen at all for EU folks perhaps these cloud players could still sell services to the EU market.


> most successful European entrepreneurs will just end up starting companies in the US instead.

And then they will not be able to serve the european market, nor profit off the european economy. Good luck competing with each other for that US market.


More like they build successful companies in the US which then enter the European markets with a massive warchest and dominate any domestic EU startup in the space.


> It will take forever to build up a similar ecosystem in Europe

And even then it seems risky the EU will deem the business model entirely in violation of privacy laws. It's very chilling

When the EU finally completes their utopian/dystopian ideas of privacy from foreign Internet services, the great firewall of Europe, perhaps then EU regulators will look inward and do the same things?

But for now it all has the appearance of disfavoring International Internet services, as if to encourage regional tech companies to advance.

Which seems reasonable, Europe seems to have lost most of it's Tech companies, and that's a problem that needs to be fixed. It's just weird to go about the problem by claiming International companies are in violation.


> the great firewall of Europe

It's not Europe who blocks anybody, but plenty of US websites just blanket-block EU visitors because they can't be arsed to create a GDPR compliant website.

Which, as a European, in practice feels like running into a great American firewall.


What's funny is I don't think of the EU was that high on the privacy list? Doesn't govt slurp up data on its citizens in terms of national health care systems, databases on identity, easy access to online records etc? Is there even a trial by jury in the EU? I thought they had a type of prosecutor / judge that could go rooting around anywhere they want pretty much unchecked.


It’s not about what you collect. It’s about consent and transparency. I can log into my government website and literally see anything about myself that is known to the government. If you get arrested, your name isn’t released to the press so you can continue your life afterwards. If you go to jail, and apply for a job afterwards, they do a background check. If the job has nothing to do with what you got arrested for, it comes back clean. These are all sensible things. When I grew up in the US, I had absolutely no privacy or expectation of privacy with the digital world. I don’t miss it.


The point is though that a EU citizen has zero privacy rights when data is transferred to the US. Zero. Not US level protection, not EU level protection - just fair game.

For that simple reason the EU has to step in. There is no other way.


This is entirely untrue. AWS and Azure are most definitely able to offer GDPR-compliant in-region hosting options and I'm sure GCP can to (I just don't know their offering as well).


>It will take forever to build up a similar ecosystem in Europe and I think most successful European entrepreneurs will just end up starting companies in the US instead.

This is what you are wrong about. It would be true if you were from a small country like Sri Lanka or similar but for EU many European companies will smell an opportunity to fill the void.


An alternative is to push USA to get similar laws making it equal on both sides.


Sounds like a whole new market opened up for the EU.


The activist MEPs in the EU who have pushed for these regulations are overwhelmingly (German) socialists.

I support their work to protect the privacy of EU citizens. But I'm also aware that their goal is to replace Microsoft, Google, Facebook etc. with state-owned European enterprises.

European state enterprises can be surprisingly efficient. However keep the Germans out of it. German government IT is still in the Middle Ages. Let countries like Denmark and Estonia build the future of European IT.


Danish governmental IT has more than its fair share of scandals.


A lot of this seems to be coming due to US regulations that compel US registered companies to hand over data from subsidiaries in Europe markets if asked by US intelligence and law enforcement agencies.

With these various data locality regulations, i wonder if a standard operating approach could be to split tech companies into 3 legal entities, a technology licensing company, a US registered operations company and a Europe registered operations company and hand the shares in all three companies to the current shareholders. This would insulate the Europe entity.


The EU part cannot be owned by the US entity since the US government can compel the US mother company to have it's subsidiary hand over data.

In fact this is how most of the companies operate already to cheat on taxes.

The way microsoft did it for a while here in Norway was to license azure cloud stuff to a sub operator (EVRY) that is completely insulated except for the licensing agreement.


> The EU part cannot be owned by the US entity since the US government can compel the US mother company to have it's subsidiary hand over data.

As it stands, the US part can be owned by a EU company. Or, probably more realistically, both EU and US parts could be owned by a mail box in the Caimans.


> The EU part cannot be owned by the US entity since the US government can compel the US mother company to have it's subsidiary hand over data.

Is this true for ownership by individuals too?

If I, an American citizen & resident, owned and operated a company registered to a European nation to serve my European customers (with European hosting), does that make me compliant? Does an American solo founder have a path to compliance at all, or would I be required to collaborate with a completely separate workforce that has no ties to America?


If you are subject to the cloud act in the US then you are not compliant or in anyway can be compelled by the US to hand over data on EU citizens.

As a private individual I suspect you would not have much to stand on if the NSA knocked on your door.

Another way to be compliant is to not collect PII.


> Another way to be compliant is to not collect PII.

The GDPR extends far beyond the US notion of PII. As I understand it, it covers basically all user-submitted or user-related data if it's possible for that data to be hypothetically tied to an individual in the EU (even if that can be done without your service holding traditional PII).

> As a private individual I suspect you would not have much to stand on if the NSA knocked on your door.

Yeah, a federal agent with a wrench can do anything they want to me (https://xkcd.com/538/), but I'm trying to figure out my options.


> The GDPR extends far beyond the US notion of PII.

That's a good thing. The US notion of PII is ridiculously naive.


It includes IP address... the fundamental glue that makes routing to and from said servers possible. Good luck being able to resolve web requests without knowing where to send the response.


IP address is both personally-identifying information and also technically required to provide computational service.

Just like your name is personally-identifying information and (usually) required to provide medical service.

But being required for service doesn't automatically mean that it can be shared with third parties. You can't share names with third parties. Why would you share IP addresses?


A name is not a requirement to render medical service, so I don't see how that example is relevant. A practioner is capable of treating patients without knowing their name. Laws may compel them to keep track of that data, but it's not strictly necessary.

And the act of connecting to a server hosted in another jurisdiction (e.g. America) would require sharing your IP. This could be directly (the entire web service hosted in the USA), or indirectly (some of the web service's assets are hosted in the USA).

If you put a CDN in-front of your web service, then that CDN will most likely be sharing your IP with the host server too. Especially if the web service wants to do something non-cacheable that they can't offer from behind the CDN.


There are many (!) types of medical treatments. Some require multiple visits. A medical practitioner needs some way to ensure that progress is maintained across multiple visits.

The internet has multiple visits too. They're just called packets instead.


MS did the same in Germany with Deutsche Telekom as a partner, that shut down around 2018 [1].

[1]: https://nextcloud.com/blog/microsoft-and-telekom-no-longer-o...



Hmm, that's interesting. I suppose more cloud providers could do something like that, for the benefit of customers and GDPR?

E.g. Amazon already bills me through some Norwegian entity of some kind, to get VAT done right etc.

If they had servers in Norway, I suppose it would have been possible to proxy everything - not just billing - in AWS Norway through this sub operator?


To fall out of scope of the CLOUD act, the subsidiary needs to be independent and prevent any data access by its holding company. The holding company can in no way have "possession, custody or control", which are not well defined so that doesn't make it easier to assess if a subsidiary is out of scope.

https://jnslp.com/wp-content/uploads/2020/05/Defining-the-Sc...


So is it likely the European Commission did this in an attempt to block US companies from offering internet services to the EU (or at least, internet services that handle user info)? It's pretty hard to make a profit or operate in the EU if you literally can't control that entity.


Schrems II (and the Privacy Shield invalidation) has been in response to the aggressive data collection by the US government, and the extra-territorial nature of legislation used to achieve this. The US is able regain access to the EU market by repealing/changing CLOUD act and similar legislation, so I personally don't think this is (primarily) done to block US companies. However I am not the one implementing these rulings, so the best I can is speculate.


It seems pretty hard to think the US will drop the legislation every 3-letter-agency had wished for over the decades before it became law. The only thing I can imagine that actually gets the law changed is if the EU heavily invests in prosecuting these cases, to the point that tons of US companies worry they'll lose access to the EU market (with non-negligible fines to back up the law).


> So is it likely the European Commission did this in an attempt to block US companies from offering internet services to the EU

More like the European Commission did this in an attempt to protect European citizens from having their personal data exfiltrated against their will to the US on order of US law enforcement agencies.


No, EU had an agreement with the US called Privacy shield that allowed US companies to process EU data. However this was struck down by US courts and that is what leaves us with this mess.


> However this was struck down by US courts and that is what leaves us with this mess.

According to Wikipedia, it was struck down by the CJEU, not by a US court:

"The EU-US Privacy Shield for data sharing was struck down by the European Court of Justice on the grounds it did not provide adequate protections to EU citizens on government snooping."

https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield#L...


If anything, it was a move to push US legislators to respect foreign privacy laws.


The point is more nuanced: The problem is not the handing over (happens here too), but the fact EU citizens do not get informed this has happend and have no legal way to challenge this (especially concerning FISA/FISC). They have the opportunity to do so in the EU.

Yes, this is what will happen with a setup of 3 entities, b/c FANG will not want to miss EU revenue.


Right but the solution is for there to be a treaty between the US and the EU that allows for this. Putting the burden on every foreign company to duplicate their infrastructure is stupid work to solve a human problem.


How would a treaty solve it when the US has decided to aggressively disrespect the existing agreements?

Basically the US can’t be trusted to keep its word, so why make it easy for US companies to operate in Europe?


Or the US could adopt better privacy laws.


Mark one for another American conundrum: having so much distrust for "the man" while at the same time being completely oblivious to the amount of personal data being skimmed off their daily activities. But it's all to guarantee Freedom™ so it must be ok?


Much of the Constitution in the US was written by people who wanted corporations to do whatever they wanted and no government can intervene. You see a lot of this philosophy still living today in rulings and precedent.


Your tone implies disagreement but that's exactly what I want as part of the treaty.


or USA could just.. stop having such ridiculous law in place.


But is "Wait for a possible but incredibly unlikely series of events to occur" really a solution?


Solution to what?

The only problem that I see is that it's hard(er) for US companies to collect data about EU customers. That's hardly a problem for the EU customers; they can just buy from EU importers (if there's no equivalent EU product) or rely on EU service providers.

I don't really see a problem.


There is no different solution. The EU tried twice to build this kind of solution and EU courts have shot it down twice with the argument that in the face of no legal representation of EU citizens in the US it is not possible.

So the US needs to move here or it can not happen.


We already had two (I don't remember the order, but they were called Privacy Shield and Safe Harbour) and somehow US and US companies "forgot" to upheld their part in any meaningiful way, so there's some mistrust on the whole idea at the moment...


Both were illegal because they did not address the core issue. The EU commission (representing EU country governments) is more business driven and wants it to work, so they created Safe Harbour etc. They also drove the standard clauses which are illegal too (or better: If as an EU company you sign them, it's your responsibility to make sure the US three letter agencies do not access the data of your customers, good luck with that).

The EU parliament have the people in mind, so they don't think it works and drove the GDPR. The EU courts look at the law and see it's not possible to create contracts, so shot down Safe Harbour and Privacy Shields. The EU courts say standard clauses could work in principle, but see above.


Treaties are not necessarily worth much these days, when the next populist can just pull out unilaterally, or decide that following international law is for chumps.


Agree. That also means no new US or EU company has a chance to go across the pond. BigCos can set this up. Not so easy for a small startup.


How does this hinder an EU startup to expand to the US?


> human problem

Incompatible laws problem


Exactly, the CLOUD act is the one of the main problems here: https://en.wikipedia.org/wiki/CLOUD_Act


I've read most of the EU rulings and court cases on this topic. The CLOUD Act is basically the only US law that any of them mention or refer to.

And let's be explicit here: The entire purpose of the CLOUD Act is to bypass EU data protection laws. The incident that led to the creation of this law is that Microsoft didn't hand data over to the FBI because the data was on a server in Ireland. This isn't an unintended consequence, this is what the law is supposed to do.


The point of the CLOUD Act was to say that if you are a company in the US you can't ignore an order to turn over a copy of data you control just because you happen to have stored that data with a third party storage provider that is not in the US.

It doesn't matter that the third party storage provider is not under US jurisdiction because the US government isn't trying to compel the third party storage provider to do anything. They are trying to compel the US company to access its own documents that it stored with that third party, using the same mechanisms the US company normally uses when it wants to access its data.

From the third party storage provider point of view there is no difference between the US company retrieving the data because it wants to do something with it itself or the US company retrieving the data because they are being compelled to by law enforcement.

This is really just clarifying that the rules for electronic documents are not very different from the rules for physical documents. If I am in the US and own a document that a US court orders me to produce a copy of I'm not going to be able to get out of that by telling them that the document is in a filing cabinet in a storage unit I rent in Canada or Mexico. No, they are going to order me to either go get that document or have someone go get it for me and give it to the court.

If it didn't work this way every US company that has any documents they think might get them in trouble if they are ever investigated would rent some storage space outside the US, physical space if the documents are on paper and cloud storage space if they are electronic, and store everything there. Boeing for instance would have all its information about the 737 MAX outside of the US. Tesla would have everything related to full self-driving outside the US. Everyone would keep HR records outside the US to make it harder for plaintiffs if the company is ever sued over alleged discrimination.


There's a critical nuance that you're ignoring, which is whose data is being stored. In the incident in question, it wasn't Microsoft's data. It was the data of a customer of Microsoft. You're treating several different scenarios as "data controlled by Microsoft," but there are sharp distinctions between Microsoft's own HR records, vs an email belonging to one of Microsoft's customers.

US law doesn't distinguish these scenarios very much because of the Third Party Doctrine, where data given to a third party has no expectation of privacy. But this is a view rather particular to the US not shared by much of the rest of the world, and certainly not by GDPR (or its predecessors). One way or another, the CLOUD Act is still basically saying that US legal doctrine applies to data stored in other jurisdictions. And GDPR is stating, correctly, that this doctrine is not compatible with EU data privacy obligations. EU policy is very much the opposite of the Third Party Doctrine (and the winds are slowly turning against it in the US as well), and third-party data controllers have positive obligations to safeguard the privacy of data given to them.

Given this scenario, I don't see the nightmare scenario you're posing actually manifesting. EU data protection laws do nothing to curtail Microsoft handing over Microsoft's data. There's just data that Microsoft physically stores which they is not legally theirs.


I'm not sure such split would require sub-companies to be public, they could likely be private, owned by a single publicly traded US company. Tech companies already have many subsidiaries in countries that they have offices in, for example employees in European countries are not employed by a US company, but a subsidiary which is not publicly traded.


They already have EU subsidiaries. The problem seems to be that US laws seem to be able to compel US based parent companies to hand over data from their overseas subsidiaries.

If you make it a EU based public company and give control to your own shareholders, it's no longer a subsidiary and your shareholders are holding shares in a European company.


It's not as clear cut.

If someone is running a global web site and wants analytics, which of the 2 entities, or both, would he reference in HTML? Even if we're going to region-lock Europe to the European Analytics servers, analytics today often involves some computation done over the entire data set, including both US and the EU, done on the backend. Which backend would that be?

The privacy aspect has become something of a "think of the children" reason for a sort of "Internet xenophobia", as well as creating huge barriers to entry for small companies which cannot comply.


> barriers to entry

It's easy to do things online as a company of any size, post-GDPR: Don't scrape user data. Done - no compliance required, because the law is not about you in that case.


Google is already doing this in countries like China and South Korea.


I think a lot of the big tech companies are very reluctant to split their operations inside/outside europe.

They gain big benefits by having a single pool of datacenters able to serve users from anywhere in the world. If they needed to guarantee that an EU user would always be served with a machine in the EU, I can imagine it would add at least 20% to their operating costs.

They'd need more equipment both inside and outside the EU to handle failover, maintanance, etc. They'd also have more complexity slowing development down (they can no longer have small services 'mastered' in just one region). And there is substantial extra complexity in application design (what when a tweet from an EU user is retweeted by a US user, but then replied to by an EU user. Where will the text of the tweet be stored? How will deletion be handled?).

For example, will HN have to have seperate databases for "comments by EU users" and "comments by US users"? And will they need a process to migrate your account from one to the other?


It's not only "a machine in the EU" . It's a company in the EU totally separated from the main company in the US to be out of the reach of the US government and legal system. Maybe the EU company could license software and knowledge from the US one, to keep sending a steady flow of cash there. But it's going to have its own goals and it will want to go its way soon. A hard problem IMHO.


When I hear arguments like this I always think about what it would be if we were to replace 'user data' with 'financial data'.

"It would be so easy if companies could just pay their taxes in one country. Think of how much they could scale their finance department."

The same applies for start ups : "book keeping is such a hassle for start ups, why impose that on them? All these financial regulations are really anti business".


"I can imagine it would add at least 20% to their operating costs."

Why is everybody working on the assumption that all this data has to sit in the US?

Keep it in a country with the strict-est possible privacy laws, say Switzerland, and noone would complain.


Hah, it's a myth that Switzerland is so privacy oriented. They have laws saying that the Swiss intelligence services can access all data, so it wouldn't help.

And Switzerland is not part of the EU.


Both Swiss and German people seem completely deluded about the activities of their own governments and intelligence agencies.


You gonna have to be a bit more specific than that.

When I think "Swiss", "Germany" and "government intelligence agencies" then the things that come to my mind are Crypto AG [0], how the BND started out as a CIA OP [1] and how the very same BND seems to be more interested in pleasing American interests than protecting Germans [2].

Which is btw the same BND who cooperates with the NSA [3] to help them tap directly into one of the world's largest IXP De-CIX, completely legal in Germany [4].

The US made sure of that by pressuring the West German government into watering down the G-10 law [5] during the cold war.

So whatever "delusions" you are referring there to, you have to be a bit more concrete about them.

[0] https://www.theguardian.com/us-news/2020/feb/11/crypto-ag-ci...

[1] https://en.wikipedia.org/wiki/Gehlen_Organization

[2] https://en.wikipedia.org/wiki/ECHELON#Examples_of_industrial...

[3] https://en.wikipedia.org/wiki/Operation_Eikonal

[4] https://www.spiegel.de/netzwelt/netzpolitik/de-cix-betreiber...

[5] https://www.europarl.europa.eu/document/activities/cont/2014...


Why tho? Do you think German citizens have more privacy in Germany than in the US, where the US legislature clearly states that non US citizens have zero privacy rights whatsoever?

I don't think it's delusion, I think it is literally correct.


Right now, the data sits where it “loses” the least amount of money (I.e. where it is most efficiently spaced). If we start arbitrarily forcing companies to move their data elsewhere, then they’ll incur serious costs without any real benefit.

I’d almost rather just give a French company control over some section of the US warehouse if I’m Amazon.


Plenty of US organisations couldn't use a cloud service that loudly proclaimed to store the data outside the USA.


"I think a lot of the big tech companies are very reluctant to split their operations"

Yes but they are even more reluctant to lose all EU revenue.


Note that Wikimedia has been not using Google Analytics since forever because they're concerned about precisely the same privacy problems as the regulators.

This other post has more comments: https://news.ycombinator.com/item?id=30284820

I love that the plaintiff in this case is the "NOYB Association", as in None Of Your Fucking Business, Google.


You might know that already, but NOBY indeed stands for "None of Your Business"(https://noyb.eu/en).

The organisation has been involved in nearly all of the last privacy related rulings in the EU and is a real blessing for consumer rights.


And a note that you can donate to them, and I have done so for nearly four years.


It would seem Wikimedia is still violating the law as they keep Analytics data/data of users[0], but haven't yet pulled the Microsoft move of creating a separate EU company that the US-based entity has no control of.

0: https://meta.wikimedia.org/wiki/Data_retention_guidelines


It's totally plausible that Wikimedia and the EU have different, mutually incompatible responses to the same problem.


If someone adds <img src="http://blah.us"> to their website, and that image is hosted in the United States, how does that not also violate French data protection?

The user's browser makes a request to a US server, including the user's IP address.

I legit do not understand how to make French people happy with these laws.


> how does that not also violate French data protection?

The regulations don't ban collecting IPs (nor any PII). They just regulate it to the point that it must be deemed necessary according to certain criteria. I would imagine linking an image may be fine in 95% of cases, but what it would mainly depend on is the logging practices of the image hosting company. Their business would be bound by EU regulation if they are choosing to sell service to an EU-based website, and it's likely that image host that would be liable for compliance.

It's worth adding quite a lot of the regulation here is tied to company size, revenue and scale of data sharing in general, so if you are for example a small business/non-profit you're very likely to be fine either way.


It would probably depend on the purpose. If the purpose is the show the image and all logging is done to an access file and not processed into advertising models I'd think it would be ok.

if the purpose is to collect PII and build advertising models like it was with the google fonts or the 1 pixel images then it is not ok.


>Their business would be bound by EU regulation if they are choosing to sell service to an EU-based website, and it's likely that image host that would be liable for compliance.

Is the image hosting company really _choosing_ to sell service to an EU-based website if someone adds <img src="http://blah.us"> to their (French) website? It seems like it'd be an unreasonable expectation upon a company (especially one in a completely different country/jurisdiction) to e.g. ensure their existing logging practices _also_ comply with French, Austrian, etc laws.

Surely the user who adds/posts the image on a French site would/should be liable here, not the host of the US-based image (service?), no?


This largely depends on whether the French website is a paying customer hosting their own images in a deliberate fashion (e.g. Amazon being responsible for facilitating GDPR compliance of S3 logs), or if it's a randomly hotlinked non-owned image.

In the latter (hotlinking) case the French website would almost certainly be entirely responsible if they operate at scale (excepting user generated content). In the former, it's obviously less clear cut (and also as mentioned revenue & scale are going to be very relevant).

Practical example: a private individual posts a hotlinked image on a French forum. Relevant questions:

- is that user profiting at large scale from data logged on the image server? No.

- is the forum website owner? No.

- is the image host deriving revenue directly from proactively collecting, analysing and profiling user data from readers of that forum post who are based in the EU? Possibly.

- is the image host doing so at large scale? Maybe.

3 & 4 are definitely true of Google Analytics, but broadly won't be true of many image hosts, so your image linking example won't be an issue most of the time.


It probably does violate French data protection. There were similar lawsuits in Germany over the use of Google Fonts. Making a users browser interact with a US-based or US-owned service is currently very thin ice.


All they need now is some sort of ISP level filter to make sure nobody loses their privacy to US servers. They could call it a "Great Firewall" maybe.


Protecting the privacy of citizens is not akin to society-wide censorship, a la China. This is a disingenuous argument.


But it infringes on my freedom to get spied on by shady companies and their government!


Kind of. I'm still losing my ability to choose.

I've often found the slippery slope 'Fallacy' to not be so much of a fallacy in reality when it comes to power.


Yep, next to be banned is fake news articles, then entire sites that contain some fake news articles, then sites that contain links to other sites that have fake news....

[Edit] for clarity


“Slippery Slope” is only a fallacy when you can’t reasonably draw a line from the proposed idea to the “dangerous” end result.


And yet requires a similar solution.....


I've been having to remove google fonts because we had some germans say we're breaking their laws by using them


To be fair, nowadays there is hardly any benefit. Since browsers use cache partitioning (mostly because CDNs were tracking users) there is no benefit in not serving it yourself (although yes, licensing restrictions now apply but there is plenty free fonts to use).


Why remove them? Why not proxy/cache the fonts from your own server?


Depending on the license, that might cost more, or not be an option at all. For example, Adobe doesn't allow you to host their fonts; you have to link to their CDN. https://helpx.adobe.com/fonts/using/font-licensing.html#web-...


Except he explicitly referenced Google Fonts



I suppose GA effectively tracks you across IP addresses and maybe even across private sessions on one very popular browser.


By not embedding third party content on your site.


I’m guessing that if you are a US-based site then you are exempt and it’s only if you start an EU presence that you would need to worry about this?


Just two weeks after Austria, another EU country has deemed current Google Analytics implementation illegal in EU.

From the article: > "It's interesting to see that the different European Data Protection Authorities all come to the same conclusion: the use of Google Analytics is illegal. There is a European task force and we assume that this action is coordinated and other authorities will decide similarily."

I am really looking forward to seeing how this will play out in the rest of the EU, and which practical consequences it will have.

And, as usual, fellow EU citizens, support NOYB work, if you care about data protection: https://noyb.eu/en/support-us


Is the CNIL actually starting to do its job? Since the early 2000's they were doing literally nothing against the many crimes against users committed by big tech. In the past few years though they started to distribute fines when the law was obviously and willingly broken (eg. Google)... did they suddenly start to care for users? or do they care that they can fill the pockets of the government (who doesn't dare to tax those evil multinationals) while making it look like they care for users?

I mean CNIL does not exactly have a reputation of helping/protecting users... they more have a reputation of being a watchdog who sees no problem with government surveillance programs and does not react when you send them reports of illegal activities surrounding personal data. For their defense, their budgets and prerogatives have been cut so many times they probably couldn't investigate/fine anyone if they wanted to.


CNIL is just following Austria here


> I mean CNIL does not exactly have a reputation of helping/protecting users... they more have a reputation of being a watchdog who sees no problem with government surveillance programs and does not react when you send them reports of illegal activities surrounding personal data

We have a very different view of the CNIL.

Every time I hear about them, they're either giving GDPR fines or signalling illegal government activity, eg: https://www.vie-publique.fr/en-bref/278140-drones-de-surveil...

They don't have political power in itself, but they do use what power they have enthusiastically.


> Every time I hear about them, they're either giving GDPR fines or signalling illegal government activity

Yes, now think about all the times we don't hear from/about them. It seems that they are doing more as time goes, but they have done little to stop dragnet surveillance, racial/religious/political profiling by the authorities, the deployment of CCTV all across France, (il)legal ⁽⁰⁾ obligations for ISPs to track their users, school restaurants requiring fingerprints to get a meal (yes that's a thing), public services using Google Analytics / Zoom / Microsoft / Doctolib, stingrays operated by police for political repression, and the list goes on and on...

In "digital freedom" (LQDN, FFDN, April, Framasoft, etc) the CNIL is (or at least used to be) rightly regarded as a joke when it comes to human/user freedom, despite having very noble goals. The fact that the press only talks about them when they're doing their job doesn't change that they've clearly failed their mission to protect civil rights in the computer era, despite very good and reasonable legal guidelines dating from 1978.

⁽⁰⁾ French data retention laws are illegal by european standards.


> Is the CNIL actually starting to do its job?

IIRC, They got massive funding with GDPR


GDPR enforcement is big business for the government, but no money goes to the poor associations, like LQDN or NYOB.

Quite the contrary, those associations have to survive on 'donations', and probably not very high salaries for their staff.


CNIL is not an association. It is part of the french state.


Not sure why you're being downvoted. People from such non-profits were key to european institutions developing a proper understanding of the problem space, which directly led to GDPR legislation.

If you're rich enough, be sure to donate some money to LQDN/EFF and others to protect human rights in the digital realm.


Don't quite understand this at all.

Can we cut through the clickbait and see what's wrong here. If my website askes users for their permission to use GA and they click yes then is that still illegal here? I see this as yes it's still illegal.

Also is it illegal because there is an anonymised id number created when you send data. If that's the case then it's not just GA that's a problem but any tracking system i.e. Plausable.

Furthermore given that a randomised unique id is personal data then there would appear no way to use any websites analytics on any website as you have to store this in a DB which will require a unique id per row by design.

What about other data for example a webserver log will contain similar data is that not allowed? If it's not allowed how can I ensure my site is protected as I need those logs to identify and ban hackers.


> Can we cut through the clickbait and see what's wrong here. If my website askes users for their permission to use GA and they click yes then is that still illegal here? I see this as yes it's still illegal.

Yes, because you're still passing personal data to the USA, which means US intelligence services can access it.


If my website is hosted on a server located in the US, then is this illegal? Serious question. Assume it's a static site and that I don't collect any data myself whatsoever. But who knows what the server operator could be doing covertly?

If this doesn't cut the internet in two, I don't get where the line goes.


Are you hosting and processing personal data (including IP) on your server?

It might be.


Ninja edited.


A static site still logs the visitor's IP address in the logs of your webserver for example.


Is that the case for any data that is passed into the USA then rather than just GA?

So if I hosted my servers in any of the AWS US regions that too would be illegal if they have any personal data in them. In this case personal data is a randomised unique id. So say I have a table of users and all I have is a username and a password and a unique id for the record that's personal data and the customer is not allowed to give their permission for me to store that in a US data center ?


Potentially, yes, though this hasn't been tested in court yet.


Wouldn't that cut off a vast swath of the internet from France though ? Some of the main big providers of internet services use US based data centres. I'm meaning:

* Amazon

* Google

* Facebook

* Netflix

* Microsoft

* Twitter

* Uber

I mean the list goes on but these are a really big part of the internet.


That might be a good thing. New data centers would be constructed in France and the french people would have more jobs. It’d also be a national security boost because France would be less reliant on external data centre providers.


Wow, unironic protectionism and "it'll create jobs" rhetoric.


It’s a geopolitically grounded form of Protectionism.

I don’t like that smaller countries have to rely on larger countries that don’t have their best interests in mind. Not only should France buid its own tech infrastructure but so should every other country that can build it.

In the post-NSA age this is vital if you want your country and its population to be secure against cyberattacks and mass surveillance by great powers.


this isn't just 'jerbs' rhetoric. Having French data on French soil guarantees that if push comes to shove French authorities are in control of their citizens' data. It's a matter of national sovereignty. If companies have billions of dollars worth of physical infrastructure located in the countries they operate you can be sure compliance with local laws will actually happen.


Not sure if you've been watching, but protectionism has become extremely popular.


A lot of the actors you're listing actually have datacenters and/or cages at french DCs and/or racks at french ISP PoP


The differentiation is probably, that some data is required for offering a service, that people choose to use, but GA data is not.


Yes, of course. It's possible that the they will sue every single big company, but quite possible. I think it's a good way for the EU to build pressure against the US to revise the CLOUD act.


This will only happen if the EU makes a true effort to go after as many big US companies as possible. If corporations actually start to lose access to the EU market, the US will follow suit and change its laws.


Godspeed!


If enforced thoroughly and by the letters of law. But the authorities in EU has control over selective enforcement of laws(that there potentially won't be by 26th century) letting the law spun as an open negotiation.


a randomised unique ID and username/password are not personal data if they can't be used to identify a person. IF you associate that uniqueID or username with something that can identify the user (like IP/ Personal name etc) than yes it's illegal for you to store that data in US even with the consent of the user.


I feel like this is either a mis-interpretation, or the scope of this law would prevent 95% of websites from existing in the EU (including hackernews which stores your email).

So any US company cannot store PII on an EU citizen? If someone from the EU comes to my site to make a purchase, I can't allow them to do that?


The key is consent and right to deletion. GDPR is ok with you storing data if the user consents, you list all the data, you list who you share it with, and you have a contract with anyone you share data with so you can comply with a deletion request.

The US government won’t honor deletion requests for any IPs it requests from GA, therefore you can’t comply with GDPR if you use GA.

If you don’t share data it’s much simpler. You collect just what you need to do the processing the user consented to. And you delete it when a user asks.

Edited to add: I should say the 2nd paragraph seems to be the regulator's position. It seems a bit extreme to me and I don’t fully endorse it. But my main point was to try to highlight why most essential and consented processing is unaffected by this ruling.


Yes that is my interpretation of it. The whole point being that any data stored in US can not be guaranteed to respect GDPR because the US government can request access to that data and the EU citizens don't have a recourse to that. any US buisness that want to have EU citizens PI needs to have a host in EU.


Not just a host, but the corporation in control of the data can't be controlled by a US corporation at all, lest the US corporation be able to pressure the EU subsidiary into handing over that data.


So every US company needs to have a separate, non-controlled, entity in the EU? Seems pretty unrealistic to me.

In this scenario, I feel like the US company would be better off blocking traffic from the EU.


Exactly. Maybe it was intentional in an attempt to get the US to claw back the CLOUD act, which is the point of contention here. Until that happens, US websites (see: big businesses with a legal department) are likely going to block storing any EU citizen data, which might (but probably not measurably) help prop up local EU services.


Yes, that's exactly right. Makes perfect sense to me.


It will likely become even worse: it is not just AWS US regions, but any region. AWS is a US based company falling under US legislation, and (as far as I know) also owns its EU regions. So basically you cannot use AWS to store content of EU citizens.

You know any other US based companies? They have to follow the same reasoning.

It might even be if you are a US based company, you have to follow the same reasoning.

As a US company, you are not allowed to store or transfer data considered personal by GDPR of EU citizens, as your company can be compelled by the US government to hand over that data through an opaque/secret order where the EU citizen is not notified nor has the option to challenge this.


There is the fact that in the EU you have the right to ask (and the business the obligation to comply) for your data to be deleted.

This is incompatible with your data being kept by a US business in the US, which is not subject to that law.


> If it's not allowed how can I ensure my site is protected as I need those logs to identify and ban hackers.

Server logs are allowed as "technically necessary" as long as you show "good will" (I'd call it that way) in keeping the saved data to a minimum. 14 days of log keeping? Fine, that's cool for technical reasons. 14 weeks of log keeping? That's excessive and could get you in trouble.


Ok so what's the actual minimum you've said two weeks here but where is this actually defined ?


It's not defined, because it depends on why you're processing the data.

Different reasons would entail different retention times.


There's no hard limit here provided by the law or otherwise. Some of the local data protection offices say that they find something of "up to 30 days" reasonable, so I guess that's a good starting point. Cutting that time in half will show good faith and you'll still be able to analyze logs, I think.


Ok 30 days do you have a link for that?


Well, you'll for example find the 30 days in this document of the data protection office of Bavaria: https://www.lda.bayern.de/media/muster_1_verein_verzeichnis.... (It's a sample for sport clubs etc.) and it's also what our lawyer has recommended to our company as the upper limit.


With GDPR and personal data, if you can justify your use then it's legit. Working out which justifications are acceptable is left -- at least partly -- as an exercise for the reader ('s legal team).

But we may observe that some practices are easy to justify, while others are more challenging. Some attempts at justification have been rejected, which means that trying to rely on them in the future is a bad plan.

Also, intent matters. If you're trying to do the right thing, you're unlikely to get into real trouble. The most likely consequence is that you're told you should stop, and given a deadline. If you don't stop by the deadline then it's fairly obvious that you're now not trying to do the right thing.


>Also, intent matters. If you're trying to do the right thing, you're unlikely to get into real trouble. The most likely consequence is that you're told you should stop, and given a deadline. If you don't stop by the deadline then it's fairly obvious that you're now not trying to do the right thing.

The vague, uncodified "intent" is my biggest problem with GDPR and GDPR-like laws, especially when it comes to small businesses. Even with the best intent, I've seen startups in my community get into "real" trouble trying to comply with mixed results. Not every company can afford to allocate the time/money necessary to comply with sudden deadlines and/or new technical requirements. Not every company can afford to take the risk of "I think this PII is absolutely necessary, but... could I prove it in court? Can I even afford the lawyers to try?" If I didn't read HN, I doubt I'd even know laws like this new French one even existed; I can't afford to dedicate someone to monitor changing laws around the world.

Saying "it's important for businesses to allocate sufficient resources toward researching evolving law in every country they might do business in, and it's okay if businesses fail if they can't afford to do so" is reasonable.

Saying "if you're trying to do the right thing, you'll be fine" is, quite frankly, the complete opposite experience I've seen from most well-meaning companies in my sphere trying to accomodate GDPR rules with limited budgets.

Of course, I am located in the US so maybe this is the intended result.


Depends on what the logs contain. If they contain no personal information at all, EU data protection laws do not apply.


IP addresses are considered to be PII so you need to either truncate them before saving or have a deletion routine in place.


IP addresses are PII when they can identify a person, and that's not always the case, e.g. a company network using NAT for outgoing connections so that dozens, if not hundreds of people appear from the same IP address.


How are you supposed/able to make that decision on a log level?


There's no way you can make that decision, which is why the simplest course of action, or the less risky one, is to treat any IP address as it actually conveyed PII, even 192.168.0.1.


This whole set of laws is so absurd. I should have the right to retain my server logs as long as I want. I bet in the future in Europe people will have the right to have others' brains forcibly zapped to remove embarrassing memories.


The whole point is that "your" logs contain personal data about others. That data is theirs not yours. Moreover if you get asked about "your" logs by the US government you have to hand "their" data over to them, for which there is no legal recourse for the person owning the data.

To make this more obvious, the EU is essentially saying that you can create a post service that routes all their letters through the US where they can be opened by the FBI, without any legal recourse.

I'm always amazed how people (even very technical) argue that things are perfectly fine for electronic data when they would completely oppose the same thing for physical things, e.g. letters. I guess years of propaganda have worked


> That data is theirs not yours.

I fundamentally disagree. You can't come to my house with a red hat then demand I never tell anybody you have a red hat and forget I saw it. That's absurd.


I dont think ownership of a red hat would be considered personally identifiable information under the GDPR.


I should have a right that you should not save my personal information longer than needed. Now what?


No, you shouldn't. If I make an observation, that's my observation, my data. I should have full rights to observations I made myself, regardless of if it involves you. Europe has this 100% backwards.


What would you think if somebody told you this, after following you or your kids the entire day, while taking pictures and notes?


It would be weird, but sure, no difference. This is what a private investigator already does legally.


Do you think some laws might apply to private investigators and how they do that work?


Not everywhere. It depends on the jurisdiction.


But surely an US private investigator would have to respect french laws when following people in France?

The core of the issue is about fundamentally transnational transactions, and who has jurisdiction in that matter.


You do, but not user’s ip addresses


You can likely still do analytics if you don't collect an identifier that persists through multiple sessions. That's a big hit for ad-tech, but plenty other use cases don't really care for that property.

You can also collect that identifier if 1) you have a legitimate reasons to do so and 2) don't share it with third parties.


> Can we cut through the clickbait and see what's wrong here. If my website askes users for their permission to use GA and they click yes then is that still illegal here? I see this as yes it's still illegal.

If you've sought the visitors consent then yes it's legal


This court case makes it illegal since, while the user might consent to GA tracking, they legally can't consent to giving up their GDPR rights. Given that, the US law enforcement could still break GDPR by forcing the US corporation to hand over EU citizens' data.


Seems like a nice opportunity for a browser extension to automatically detect sites using GA, and also automatically report them to EU authorities. Zero clicks needed!


But that also remains true for the website themselves, since there is proof that the website illegally sends data of any EU citizen to the US. This really is pretty wild regulation.


Utterly confused here half this thread is contractdicting the other half.


> Can we cut through the clickbait and see what's wrong here. If my website askes users for their permission to use GA and they click yes then is that still illegal here? I see this as yes it's still illegal.

From what I can tell: If you ask your users for permisssion ("informed consent"), then no, it is not illegal. The way I understood the court case in Austria, the disputed point was whether or not the use of GA falls under the GDPR. If it does fall under it, then you are obliged to ask your users for consent ("opt-in"). If it does not, you can use it freely without consent.

Because analytics data isn't worth that much if you collect only part of the data, most collectors of data do not want to ask users for their consent, because most users would reject this.

But IANAL. In any case, please stop using Google Analytics, and self-host your analytics using Matomo, Plausible, or something similar. Matomo can also be configured to use server-side analytics, in which case your analytics become both less invasive (no client-side JS needed) and more complete (can't be blocked by ad-blockers).


I think this is basically a fat EU lie - that if you pop up a cookie popup most users say no to cookie banners.

I've heard that if you do a non-modal cookie banner, 75% of people just ignore it rather than go into it to deny cookies. About 12% (half of remaining) click accept all cookies. The rest close it again without taking action if they can.

I realize there are folks who go into things and customize everything on every website - most users I think don't care enough.

What's funny -> your ISP might be selling your browsing history. Your TV is selling your watching history and no one cares. But cookie pop-ups everywhere is all these privacy idiots can think about. It's performative privacy, that annoys the heck out of a lot of users and wastes a ton of time.


My hypothetical ISP and TV would also be violating GDPR if they did such things. They might currently face fewer lawsuits than google but that doesn't mean that no one cares.


The rule is europe is basically this:

"Internet Service Providers on the European market cannot sell the browser history of their users, without their explicit and informed consent". So they add another paragraph in the sign up screen you have to click yes on to get your discounted service.

This is the failing of the EU model. Users will provide consent to access a service in most cases. To work around that no the EU is jumping through all sorts of highly subjective hoops around what is explicit consent (it's usually pretty darn explicit), coming up with ideas of legitimate interest (talk about subject to interpretation) etc


If they can say no and can still use the website, you are definitely in the clear.


>If my website askes users for their permission to use GA and they click yes then is that still illegal here? I see this as yes it's still illegal.

The basis of regulations is that citizens are too stupid to consent to things even if they are fully informed. Whether that is a good or bad approach is up for debate.


If this is actually true I think it has far reaching implications. I have many questions about this approach but lets take it slow for the French example:

* Is there a list of these "things" if not how is anyone to know?

* Who is policing this ?

* How do you get advice in your own language (not French google translate does a terrible job at translating lawyer speak)?

* What are the consequences if you don't comply ?


The idea of a "right" is shaky if you can sign it away with a click.


That's not at all the point. The issue here is data residency.


Asking permission for something users don't understand is tantamount to not asking in the first place.


Will you defrob my balancator? Of course not, because you don't know what it is. The same applies here: if you don't know what something means then say no. If you say yes then it's understood that you know what you signed up to.


No, this is not how consent works. Consent has to be informed and well-judged: If you don't understand what you're agreeing with, you have not given it (even if you say yes the other party cannot proceed as if they have gotten it).


An agreement requires a meeting of the minds. Blindly clicking "yes, accept cookies" in popups does not rise to that level. People just want to read the article, they do not understand or care about the data retention policy. So it is very hard to claim they consented.


And reading the data retention policy is not enough if it doesn't explain the extent to which the authorities in their country can wipe butt with said policy.

But anyway, I think even that is beside the point. I think the point is that there are things Europe considers fundamental rights. And the concept of a "right" doesn't.. really.. make much sense if someone can go "btw we'll just violate it, click to agree."


Then why does every site ever seem to still use huge cookie banners asking for that consent?


Taking this to the logical extreme:

A French website can not use any American service, right?

Because any American services "are not sufficient to exclude the accessibility of this data for US intelligence services".


We're quickly getting there.

For instance, any service that handles health data absolutely cannot have the data be accessible in a way, shape or form by american-owned entities, for any reason.

It's not hard to imagine that, as time goes on, these same limitations will be expanded to other types of decreasingly sensitive data.

And honestly, that's perfectly reasonable. The US government gives itself the right to systematically spy on everything going through US cloud companies. Precedent has shown it can and will use that data against the interests of its supposed allies, even for industrial espionage.

If the US says "every US company must give over european data to the government", then at some point europeans have to say "US companies can't have european data".


What about Hungarian services? Hungary is in the EU.


Taking this to the logical conclusion: This is the fault of US Intelligence Services for overreaching to the point where it impacts general trust in US companies, and should be solidly blamed on them for being legitimately untrustworthy and exploitive.


Indeed, a French website which keeps private information about its users must not - ethically, morally - use US services which are accessible to US intelligence agencies.

That is irrespective of any legislation or court rulings, it's just common sense.


I wonder who are people more afraid of exposing their private information to: the USA or their own government.


Definitely USA. My government doesn't drone strike people based on communication patterns or disappear them to black sites without ever being put in front of a judge.


I'm sorry, but are we both talking about france here? The "coup d'etat and murder anyone in Africa that goes against my wannabe reboot of a colonial empire," or is it the "bomb Greenpeace ships in foreign countries" France? If we are being honest, the intelligence services of France have proved to be much less accountable and much, much less constrained by pretty much anyone. It's also completely willing to do the bidding of any corporation the French government's "dirigisme" deems worthy enough to assassinate a few Africans for.

The big difference between France and the USA is that the French people usually either passively or actively support them and do not see any problem with what they are doing and would much rather look at the evil Americans. It's not even a political issue, it's almost seen as a divine right.

That's literally one of the main reason macron has been popular: his wannabe bonapartist "great France" mindset (and even those who dislike him don't usually criticize him on that front) that involves crushing the ennemies of France, and a whole lot of illusions of grandeur.

It's also a country where the literal neonazi FN still gets 40% of the votes, but people still laugh about dumb Americans because they voted for trump. Keep in mind, the only reason we don't see more french droning in Africa is because they lack the ability to do so.

And I'm not American or French, but I've had a lot of first hand experience with the damage France is causing in Africa and I'm very familiar with French culture. Yet I'm almost always amazed by the extent of French grandstanding online.


Are you afraid USA would drone strike or disappear you if they get to your private data? Do you think that is a valid concern for most people?


It's by far much more likely than my own government doing anything close to it yes.


Most people in the world do not live under your government.


I think it's a valid concern for everyone, yes.


Then you should get out more and talk to some real people.


You are aware that there was a number of completely innocent people who were disappeared int US black sites, because of some name mismatch, something they said somewhere or because their neighbor didn't like them. Now you might be white and have an English name so chances of that happening to you might be slim.

However if you do not believe that this is an issue that we have to work against i suggest you get out and develop some principles. You seem to only have issues with these things if done by communist governments.


I am aware. Those cases number in what - single digits?! Statistically speaking I am much more likely to die of the flu.

However, communist governments have done that to millions. If you don't see the difference, I suggest you reexamine your principles.


You framed the question. Don't push the goal posts around by pointing to past autocracies. It might be a very small risk, but it is infinitely bigger than the risk from my own govenment - where the risk is zero.


There are current autocracies too, not only past ones. Also communist, of course.

And I was talking about my government, not yours.


Single digits is still single digits too many. Specially if all involved aren't punished by harshest possible means.


Sure. But the original question was: do you think that that should worry regular folks more than the evil and abuse perpetrated by their own government?


> Then you should get out more and talk to some real people.

There's a difference between it being a concern for everyone and everyone being concerned by it.


I'm not worried about most people, I'm worried about the people that the USA does go after, because the USA usually goes after good people who rightfully criticized what they're doing.


> USA usually goes after good people who rightfully criticized what they're doing

With drone strikes and disappearings?! Wow! Do you have an example?


The USA does drone strikes all the time, not only against minor targets, but with egregious collateral damage. Listing examples isn't even worth the energy because this is common knowledge and a simple google search would reveal hundreds if not thousands of these killings.

It was US Military leaks via WikiLeaks that first got Julian Assange onto the USA's hit list, and if and when they get their hands on him, they will make him disappear into a gruesome privatized prison system where he will have no right to be heard, because he published things the government didn't want people to know about.

I don't care if I, personally, will fall victim to this. Trusting the USA is a stupid thing to do, and you have to accept that they are capable of doing a great deal of harm to anyone they want to, regardless of nationality.


Julian Assange wasn't drone striked nor disappeared. (Although I do not approve of US's treatment of him either)

Again, do you have an actual example of "good people" being drone striked or disappeared by the US?


> I wonder who are people more afraid of exposing their private information to: the USA or their own government.

The USA, because, at least in principle, every individual has some manner of influence over his own government.


But, reversely, every individual's own government has a much bigger influence on the individual than the US government has.


The USA, of course. Don't forget you vote for your government, not for Google's CEO.


Google's CEO has pretty much ZERO powers over me. The USA government is (largely) democratic and (mostly) obeys laws. But my government... is not the one I voted for and I trust it 0%.

Because I do not live in the West but in one of the great majority of countries with a corrupt, abusive government. The democratic governments of the West are the exception, not the rule.


> The USA government is (largely) democratic

Well, if I may nitpick, it's a federal republic rather than a democracy...

More to the point though, there was this study at Princeton U about the correlation between US government policy and popular opinion on a variety of subjects which found that public opinion correlates very poorly with government policy / legislation passed, but opinions among the very-rich correlate well. Can't remember the exact reference right now.

> and (mostly) obeys laws.

Oh, definitely not. It can well be argued that there is constant mass violation of the constitution. And regardless of this, the US is such a notorious outlaw on the international level that not only does it refuse to accept jurisdiction of the international criminal court, but has in fact threatened action against court staff if the court hears any case against it:

https://www.hrw.org/news/2019/03/15/us-threatens-internation...


The effect you mentioned (democratic deficit) is also inversely correlated with unionization (which positively correlates with public engagement with government). So it could be that the reduction in population median household income due to reduction in unionization (and increase in top earner profit / larger inequalities) causes an exacerbation of the effect, with the observation you mentioned.


Under communism unionisation was pretty much complete - but that did not make the dictatorship a democracy by any means.


> it's a federal republic rather than a democracy...

Germany is both a federal republic and a democracy and I would argue the the USA are too. Both countries ultimatively derive their legislation from the general populace and are representative democracies.

I've seen the claim you made several times, but every time I try to look it up I fail to understand it.

What is your reason to think a federal republic would exclude democracy?


Yes this seems to be a common distinction made in the US, which I also don't understand. What I learned in politics at school (and studying it for a short time) was that republic and democracy are orthogonal concepts (leds leave out the federal which seems to be even another dimension).

A republic essentially means, the state doesn't have a king (head of state by inheritancel, but some sort of president which gets elected in some way (not necessary by the population). A democracy is a category of how decisions get made, i.e. by some vote of the people (demos).

Is there some subtlety I'm missing or is this thing about "federal Republic not democracy" something just always repeated, without properly understanding it. .


Still infinitely better than my government though, which was the whole point.


"The government has a defect. It's potentially democratic.

Corporations have no defect - They're pure tyrannies."

- Noam Chomsky


Still waiting for those "pure tyrannies". Meanwhile every damn thing I am using in my daily life, from my car, computer to the furnace heating my house - was made by a corporation.

And I did live under communism, with absolutely zero corporations. Then I knew tyranny every day. And shortages.

Did Noam Chomsky live under communism by any chance?


The fact that you lived under a bad government, while sad, doesn't invalidate Noam's statement.


Maybe. But the fact that we haven't encountered those "pure tyrannies" anywhere sure does.


I won't dive into details, but please consider that maybe you're not recognizing them.


Considering I lived under a tyranny, I should be fairly qualified to recognize one if I see it.

But I can always be wrong, so I am open to examples.


The french service should expose user information to the French government either. If the government has a public warrant for that information, then opinions might differ about whether or not it is legitimate for the website operators to oblige.


As a US analog, I'm more concerned with my own government collecting data on me than I am about the Chinese. One of those has an entire ocean to cross to cause me IRL problems.


Since everyone is spying on everyone, what's the ethical or moral issue here?


The issue would be, that the website developers / their management contributes to the issue, by enabling partier to do that spying. If no data was send to another party, then spying on that data is much harder and probably unattractive for most use-cases. GA data becomes valuable through collecting from many many senders.

While the people doing the spying are already doing something ethically very questionable, the person deciding what data is collected on a webservice can still make the decision to contribute to the problem, or be vigilant about data protection.


So you are saying the US intelligence agencies have some unfettered access to all of GA data? Or that it is sent unencrypted and intercepted in transit?

It's not the DNS calls or phone companies that are more to worry about?


If US intelligence wants to have access, they will, via their law, as far as I understand. They will require Alphabet to give the data, Alphabet will get it from Google, and that is it. No need to listen or intercept anything.

Best thing you can do is not to make use of GA in the first place, so that no such data of visitors of your websites exists in Google infrastructure.


I think your understanding of US intelligence and forcing companies into compliance needs updating.

First, it is exaggerated, which is not surprising in today's media and outrage climate. Second, things have changed since Snowden and the congressional oversight had been rolled out. Third, GA is not that valuable compared to other sources.

Your chief complaining would be better spent about how Google uses the data rather than intelligence agencies.

Also note that Google fights against overly broad intelligence / police requests and publishes data on how many they get and comply with.


I agree, that one should be more worried about how Google uses the data.

I think I wrote about the US intelligence thingy, because it was closer to the topic. The question, why the court ruling went this way and what it rests on. If there was no possibility for the US to access the data, then Google could probably simply pinky finger swear, that they are not doing anything evil with the data and EU law might be fine with it.

Does it matter, whether the scenario is "exaggerated"? If it is possible, it needs to be considered by the law. Otherwise it might soon become less exaggerated and more reality than we would wish.


Somehow there is lot of complaining about China doing it... I really don't understand that one...


If you think that launching your app in a another region is hard, there is currently a case being evaluated in Europe which is evaluating the argument that even if the data never leaves the EU and the provider is a European entity but affiliated with or a subsidiary of a US company, that this is stil considered a violation.

So unfortunately just moving hardware locations may be insufficient, even forming a new entity won't suffice.

In my humble opinion we are witnessing the nationalization of the Internet, in the name of good intent, but eventually the risk vs reward calculation of doing business across the Atlantic (for either side) will tilt in the direction of avoiding the risk.

Although it could be argued that "good, laws are made for people not for businesses" I'd counter that a great deal of the free information published by US companies and non-profits will become unavailable in the EEA.

I'm hopeful that the DPAs and courts in Europe will decide to balance these concerns.

FWIW: I run one of the more popular data privacy platforms, Osano, so this is an area we track very closely and which is near and dear to my heart. I built Osano as a Public Benefit (and certifeid B-Corp) to try and prevent the nationalization of the Internet by giving businesses an easy way to respect the rights of their customers & visitors.


I mean, I assume the US are interested in this exchange as well. If they are, they could lead by example and reform the CLOUD act or implement some more effective data protection regulations themselves.

We aren't in this mess because the EU somehow wants to nationalize the internet, we are because with current legislation, US companies can be forced to hand over whatever data they posess, no matter where it's stored.

Not a lawyer, but my current understanding of the current events is more or less the EU saying "if it's subject to the CLOUD act, it violates the GDPR". That's a pretty clear indication of what's wrong.


Is anyone using an alternative that provides some basic analytics and isn't likely to get me in legal hot water in the future?

I've already offloaded Google Fonts due to the German ruling. I'm happy to self-host piwik if needed, but could that fall foul of regulators?


We host Matomo (formerly called Piwik) ourselves. And we also host the fonts we use ourselves. Since we are a healthcare based startup we prefer not to share any data outside of our controlled servers.

We even disabled the cookie based tracking inside Matomo at the cost of not linking different visit sessions. Same session visits are fully tracked though. Saves us a cookie warning.


Funny thing... I went on their site (fr.matomo.org here in France) using Safari. All images are not displayed (? on each images). Tried on Firefox, displays the images fine... Checked what kind of images are these, all .webp ! :D They have improvements to do if they want to be "google free" themselves...


This is the way! Glad you went that way, still struggling to get everything set up like this for our company. But marketing will come around the corner soon... ;-)


It looks like self-hosting Posthog (https://posthog.com/) should work, and they look great.

They're a US company, so you can't use their cloud service, but it's designed to be self-hosted and they have a list of EU cloud providers so you can do 100% EU-based self-hosting if you want: https://posthog.com/docs/self-host/deploy/hosting-in-eu


I've been using [Plausible](https://plausible.io) in its self-hosted version for about a month, on a 7M+ page views per month. So far so good


What type of server specs (memory, CPU, disk size, etc.) do you use to self host it?

Based on an open issue[0], it's suggested to run a server with 32GB+ of memory to handle hosting Clickhouse but that would mean self hosting Plausible would end up being $160 / month on DigitalOcean which would make it 10x more expensive than hosting my custom app that I want to see analytics for.

I know you can use less memory but it sounds like using less can result in an unpredictable environment where everything can stop working at any given moment depending on what Clickhouse wants to do. This happened to someone who replied in that issue. Their production set up stopped working because it ran out of memory.

Someone else wrote about it using close to 8GB of disk space to track ~8k page views at https://cyberhost.uk/plausible-3-month-review/. That was only written back in March 2021 too. They said they are going to look for an alternative solution because the the storage costs are too high.

[0]: https://github.com/plausible/docs/issues/67


Clickhouse has got a lot better in limited memory environments. They now recommend 4GB minimum.

The production environment that crashed due to Clickhouse OOM was our hosted product a while ago :) After that, we haven't had any downtime on our Clickhouse DB for over a year.

The issue with disk space stems from a bad default configuration. Clickhouse used to have EXTREMELY noisy debug level logging enabled by default with no rotation. This has been fixed in our hosting repo[1] so you get sensible defaults.

If you don't want to worry about downtime, planning disk space or compute capacity, then that's exactly what we offer at https://plausible.io. We process and keep the visitor data on our Hetzner servers in Germany.

1. https://github.com/plausible/hosting


The Clickhouse instance run on a Render[0] "Standard" private service. So 1 CPU (no idea what that means), 2GB of RAM, and a 10 GB disk. So far I've been using 10% of the disk and it's not growing very much.

[0]: https://render.com


I also just deployed plausible on Fly.io I wrote a [blog post](https://intever.co/blog/plausible-self-hosted-with-fly) and a created a [github](https://github.com/intever/plausible-hosting) repo to document the process


Works fine for me as well, though I use the hosted version (not a high volume site atm).


The powerful thing about GA is the link with Google Ads, does that work nice for Plausible as well?


Plausible founder here. There's nothing automatic but you can track your campaigns with utm_campaigns manually.

Google has made sure that analytics for Google Ads works best within their own walled garden. Same with Facebook and Twitter with their Pixel products.

Instead of using the Referer header or utm parameters as intended, these large corps send obtuse random IDs (gclid, t.co/<id> links) which only they can correlate to an ad, search query or tweet using their internal database.

So until there is anti-trust action in this space towards more oppenness and competition, you're stuck with the ad provider if you want tight integration between ads and analytics.


Self hosted Matomo/piwik is pretty good. You probably want to make sure it's on servers in the EU owned by a EU company (Hetzner, OVH, Griscale, etc). Alternatively you can configure it in a way that avoids collecting PII [1] (which also removes the need for consent popup, privacy policy etc). You won't get much info about repeat visitors that way, but I imagine it's quite usable for many use cases.

1: https://matomo.org/faq/new-to-piwik/how-do-i-use-matomo-anal...


The cnil.fr page hosting this article seems to use self-hosted piwik, which is a good sign that the regulators think it's ok.

(I wonder why they need to collect analytics information for this page at all.)


It's only ok if you self-host on a server in the EU, right? It'll be interesting when different regions of the world start having mutually exclusive laws about where data has to be stored.


>It's only ok if you self-host on a server in the EU, right?

In the EU/EEA or in a jurisdiction that has adequate level of data protection.


Self-hosting something is always going to be less complex, but you'll still need to determine what you're tracking and why, write that down in a form people can understand easily, and let people opt in explicitly (with a just-as-easy way to opt out later).

People don't have to opt in for you to keep the data for technical reasons, for instance if you keep IP addresses for while to find and block abuse, but you can't keep data longer than strictly necessary and can't use the data for other purposes than you declared beforehand.

Write down your policies and put them in an (again, easy to read, understand and find) privacy statement and you should be pretty much GDPR-proof.


What's the rule for aggregated data?

I track page view counts as simple sums, and it's not feasible to drop an individual user's page counts because I don't have enough info to identify a unique user. In fact, I put no cookies on the user's machine (but that means I have no way to identify a specific user for opt-out purposes for these aggregated page counts).


I am not a legal advisor, but I believe the matter is settled by what you said:

> I don't have enough info to identify a unique user

If it is not user identifying information, then it should not be an issue.


I'm the creator of Fugu (https://github.com/shafy/fugu), if you're looking for an event-based analytics solution that is open-source, free and self-hostable. Fugu doesn't track unique users, just anonymous events. I also offer hosted version if you don't want to deal with hosting (currently using Digital Ocean with their Frankfurt data center, but will switch to an EU company soon).


I just started using Goatcounter for a noncommercial site (music history research blog) and I'm happy with it. All I wanted was a glorified hit counter.

It doesn't have the goal conversion metrics and other advanced features of GA, so obviously not a drop-in replacement for all use cases.

https://www.goatcounter.com/


Another very happy user here. Was super easy to add to my Jekyll site hosted on GH pages. I believe the creator is active here as well btw.


happy goatcounter user here to, for the same reasons as you say, way less complex than GA but it has more metrics I care about.


I think that self-hosting is the way to go, get a server in your own region/country and don't send the data to any 3rd party.


This roundup has a lot great & lightweight options[0].

[0]: https://stackdiary.com/open-source-analytics/


We’re using our own logs with https://goaccess.io processing over 300M requests a month with no issues.

No privacy issues to worry about using trackers.


If your logs are storing IP addresses without consent from users, you are probably (IANAL, but heard this from lawyers) infringing GDPR.


Yes! I'm currently using https://usefathom.com/, works pretty great


We decided to go for (selfhosted) Umami[0] but don't have it in production yet.

It is not really a replacement for GA though, it collects much less data. We've decided it is enough for us.

[0] - https://umami.is/


Take a look at Redistats that I built in 2013, privacy policy: https://redistats.com/privacy-policy


https://usefathom.com/ (what we use), plausible.io, umami.is


Check out Pirsch Analytics: https://pirsch.io


Nobody is going to get in “legal hot water” on account of Google Fonts or Google Analytics unless they’re Google themselves or a top 10 ecommerce company some politician wants to make an example of. There’s millions of sites relying on those things.

Is the EU going to drag them all into court?

This is like saying you never jay walk because you want to avoid the legal hot water. The water isn’t even lukewarm!


> Is the EU going to drag them all into court?

Why would they need to? Just hand out fines, like you do with traffic tickets, no courts required.


I would venture most of the internet is not hosted in the EU. You expect US, Chinese, and Japanese citizens to respect an EU fine for a law they have no say in? Sure they are doing "business" in the EU, but many of them are not doing business at all.


> You expect US, Chinese, and Japanese citizens to respect an EU fine for a law they have no say in?

No. What is the EU going to do, besides nothing? If you do business in the EU they will take your business away, and if you don't there's nothing they can do. I'm sure we all break some foreign countries laws every day and there's nothing they can do about it.

I do expect fines to be handed to EU companies and I expect them to pay them though.

> I would venture most of the internet is not hosted in the EU

Most content isn't made in the US, and the US somehow still forced its copyright system on the world.


You can sue, as said google fonts case awarded damages.

I'm now wondering if I can scale this for profit.


> Is the EU going to drag them all into court?

Not the EU itself... but your competitors, who can not just complain at your respective data protection agency but also file for c&d letters, court injunction orders or penalties.


Some courts beg to disagree with your position: https://www.theregister.com/2022/01/31/website_fine_google_f...


Oh, wow, didn’t realize 1 website had been fined $100. The legal water is boiling!


The fine is only $100 if your lawyers and legal team work for free.


You must have missed this part:

> The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of €250,000 for each violation, or up to six months in prison, for continued improper use of Google Fonts.

So, if you feel brave you can challenge some courts on this.


No, I didn't miss that part. "Next time, I'll really punish you" rarely works until there's actual consequences.


There are actual consequences: https://www.dsgvo-portal.de/gdpr-fine-database.php (I think I have seen one of those databases somewhat more official before)


This is basically a 'we are watching you' warning, second time the fine will be different


Yeah, that's definitely a slap on the wrist. But now that website needs to stop doing that, or it would face actual consequences.


GDPR mechanisms are directed at pushing you towards compliance, not getting big payouts. So in many cases you can even avoid any fine if you cooperate on first notice.


It's per claimant. That would be a $15bn Equifax settlement.


Show me a single site that relies on google analytics.


Somehow I'm not surprised that my choice of words was jumped on. Let's say "making use of" to keep further pedantry at bay.


www.airbnb.com


> I've already offloaded Google Fonts due to the German ruling. I'm happy to self-host piwik if needed, but could that fall foul of regulators?

Well... if you self-host Piwik or Matomo, you're relatively safe and you can avoid a lot of the bureaucracy bullshit that you'd have with external services.

However, check with a lawyer before setting it up, and definitely get user consent for detailed tracking. There are basically two camps of thought how much is allowed without explicit user consent: the more strict camp (which I belong to) believes that it is illegal to even use technically required data (like IP address, browser agent, date/time of visit, URL/query parameters) for analytics of any kind. The other camp is more relaxed and believes that it is OK to conduct basic analytics on that data (justified as "legitimate interest" of the site operator to provide a good experience to the user), but don't set anything like cookies or localStorage that could allow detailed tracking.

It is not yet clear by a supreme court decision which school of thought is going to win out - personally, I follow the requirement of data minimization per Art. 5 Nr. 1 lit c) EU-GDPR. Data that you do not have cannot be stolen, seized, abused or used as justification for fines, after all.


Interesting that you mention localStorage.

If the web-page's javascript ONLY stores and processes data stored in the client's localStorage to generate the local page, and sends nothing back to the server, so the web-site operator never sees that data, then is the web-site operator processing that data, or is it only the user-agent's operator ?

The web-site operator certainly wouldn't be a "data controller" since it isn't collecting or storing the data. And it's hard to see how the web-site operator would be a "data processor" in that circumstance.


Never thought about that scenario, I only mentioned localStorage or sessionStorage because it has been abused in the past to get around tracking blockers and to create "supercookies".


I've just asked the UK ICO for advice and got a confirmation it wouldn't be considered as a data controller or processor. I gave this example:

Me: "Effectively, in my case, the user is adding 'post-it' notes of their own devising that remain 'sticky' so the next time they visit the same page they'll see their own notes - but those notes are never sent to the server"

Me: "It's effectively the same circumstance as a classical computer program being downloaded by the user, and then used (locally) to create/save files on their local device. In that case you wouldn't consider the author of the computer program to be the data controller, surely?"

ICO (Flynn): "Flynn: Okay that sounds reasonable." ICO (Flynn): "So if your product/service is not dependant on personal data and you are not processing it then you appear to not be captured by data protection legislation."


i am working on splitbee.io :)


This is really good news for consumer privacy everywhere. I was just in a meeting with some marketers in my org and they were quite dismayed so I'm conversely quite happy. I've been saying for years that content is king and tracking will only be sustainable for so long. It's only a matter of time before laws like this are the norm rather than the exception globally.


Shouldn't Google etc. go after the draconian US laws making this an issue? I feel most of them try to attack EU or fight the courts there.


is google making a lot of money from analytics?


Maybe not directly, but analytics is what allowed Google to "see" the whole internet, with some help of Chrome. These 2 products allowed Google to track the majority of the internet traffic for the past 15 years.


At this point they have so many channels and side-channels, that i think they can comfortably let go of GA.


For those of you outside of the EU who would like to opt out of being tracked by Google analytics on web pages, install the browser add-on Ublock Origin.


Shameless plug: I have been building a self-hosted-only analytics platform for a long time: https://www.uxwizz.com. It looks like a good time to switch to self-hosted analytics.


Is it really such a rare occurrence for people to want to see statistics for a specific page or compare pages/articles? Because almost all new-wave analytics tools either do not support it, or it’s hidden and not easily discoverable.


Are you referring to stats such as time-spent on a specific page?

From my experience, there are several thousands of people/companies using UXWizz and so far no one has requested this feature yet.

But now that you mentioned, it seems like a pretty useful feature, especially if you can see top performing pages/articles.

I think one reason why people don't care about the specific analytics for a page is that they usually write pages/articles for SEO purposes. To see how well a page is performing SEO-wise, you usually go to Google Search Console (or Bing Webmasters) and see search terms/click-through-rates for that page.

Also, time spent on a specific page is not that useful, t