[HN Gopher] CNIL makes Google Analytics almost illegal in France ___________________________________________________________________ CNIL makes Google Analytics almost illegal in France Author : nephanth Score : 93 points Date : 2022-07-27 18:16 UTC (4 hours ago) (HTM) web link (www.cnil.fr) (TXT) w3m dump (www.cnil.fr) | bumper_crop wrote: | This is great news! For far too long, Website owners have been | collecting data on their users at no benefit to the users | themselves. When website owners try to collect data on their | users (for any and all reasons) it just violates the privacy of | those people and needs to be put to an end. Those French website | runners should really create their own, CNIL and GDPR compliant | anonymized data storing, rather than using off the shelf, low | cost alternatives. After all, things have been a bit too easy for | them. (Running a website is pretty easy, I would know!). In fact, | The fact that other, compliant-data aggregators, offer fewer | features and lower reliability is actually a good thing. Trying | to improve your website or even pester me with whatever you made | is just irritating spam; I can't believe those independent owners | would even dare. They should just be flushed out of existence. | | HEY! Why is everything being centralized to just a few services? | Why is the web dying?! | MR4D wrote: | Actual title is "Q&A on the CNIL's formal notices concerning the | use of Google Analytics". | | This editorializing by the OP is a bit too far. | gigel82 wrote: | Server side GTM (and similar devious tactics) should be what gets | legislated (since that's the thing that adblockers can't protect | us against). | tremon wrote: | The GDPR legislation is about means and goals, not specific | implementations. What makes you think GTM isn't similarly | illegal already? | gigel82 wrote: | That's great, and we need more legislation (on this side of | the pond as well). | closewith wrote: | Adblockers can still (and do) protect against server-side GTM, | as the requests are not obfuscated in any way. That may change | in the future, but it's not the case now. | | Besides, the CNIL ruling already applies to server-side GTM | implementations. | pieterhg wrote: | How? | gigel82 wrote: | Once server-side analytics get implemented widely, we've | lost. We'll keep chasing each other with tricks like renaming | the api endpoints, randomizing the javascript hash, etc. for | a while but if we end up having to run an ML model in the | browser to attempt to detect when our data is being stolen | we've lost a long time before. | | Might be better to shame any website caught using it with | some crowd-sourced list of some kind - then at least we'd | know who the bad actors are and force their content through | an isolated container / proxy / VPN, or simply stop using | them altogether. | closewith wrote: | If that's the case, then the war is already lost. | | But happily, in the EU - the market I operate in - server- | side analytics is seen as an avenue towards compliance. | | Obviously server-side GTM will be abused in the absence of | regulation, but that was also true of the existing | technologies. Strong and consistent enforcement can and is | bringing companies into compliance. | gorhill wrote: | > as the requests are not obfuscated in any way | | How do you know for sure that the requests are "not | obfuscated in any way"? | closewith wrote: | Right now, because the requests are identical to the same | requests sent to Google Analytics but with a different | hostname. It's trivial to identify and block them, and | current ad blockers already do. | gorhill wrote: | > same requests sent to Google Analytics but with a | different hostname | | There are instructions out there to also modify the path | of the requests[1]. Consider this paragraph in the | Summary section: | | > Cynics could say that this is an improved way to | circumvent ad blockers. And they'd be right! This does | make it easier to circumvent ad blockers, as their | heuristics target not just the googletagmanager.com | domain but also the gtm.js file and the GTM-... container | ID. | | * * * | | [1] https://www.simoahava.com/analytics/custom-gtm- | loader-server... | closewith wrote: | You can do that, and you can also proxy encoded requests | which obfuscates all data, but you could also do that | with the previous version of Google Analytics via the | Measurement API. | | In practice - in the EU, at least - I haven't seen any | examples of this, and it would be unlawful without | consent anyway, thanks to the GDPR. | | It's also still fairly easy to classify requests (if you | have access to the unencrypted request in the browser) | based on heuristics. That's partly what the company I | work for does. | | Separately, thank you for your contribution to the | Internet - it's as big and important as all the | behemoths, but unfortunately will never be rewarded in | the same way. | jeppester wrote: | It's been known for years - and hardly takes a lawyer to | understand - that sending user data to US-owned companies is | illegal according to GDPR. The US laws are simply incompatible. | | Yet everyone (including government entities) have been dragging | their feet on and on hoping for some divine intervention to help | them continue using Google, Amazon and Microsoft. And those | companies have kept the hopes high by incorrectly claiming to be | GDPR compliant. | | It's been embarrassing to witnes how little willingness there's | been shown towards protecting user data. Especially compared to | the amount of whining over how difficult it is to comply. | | Hopefully these - very predictable - rulings will finally start | to get the ball rolling. | mminer237 wrote: | I think it's because over 40% of EU business use the cloud[1] | and 70% of those use AWS, Azure, or GCS.[2] Enforcing the law | consistently would devastate tons of EU businesses as you would | suddenly eliminate all of their tech infrastructure overnight | with no real alternatives. | | [1]: https://ec.europa.eu/eurostat/statistics- | explained/index.php... | | [2]: https://www.fiercetelecom.com/platforms/european-cloud- | provi... | jeppester wrote: | The businesses have had more than enough time to comply with | the law. | | Now is the time to start enforcing the law enough to make | them actually care. | macinjosh wrote: | Clearly, even the EU doesn't care enough to enforce the law | or they would have already. They've literally had years. | | What does it say about the credibility of the EU that it | passes laws it doesn't even enforce? | oliwarner wrote: | It _was legal_ under the "Privacy Shield" until Schrems II, | and is still legal under Standard Contractual Clauses with | extra caveats for the US. | shakamone wrote: | This answer is accurate but no one seems to realise it. Under | standard contracts users waive their rights including privacy | rights under GDPR. Their are no user agreements anymore, only | contracts. | rlpb wrote: | "makes Google Analytics almost illegal" is an editorialized | (biased) title and that's not what the linked article says. Just | because use of a product is determined to contravene a country's | law doesn't mean that the product itself is made illegal; it can | be adapted to be compliant instead. | kergonath wrote: | The title is not great, but the Q&A is very explicit: | | > All data controllers using Google Analytics in a similar way | to these organisations should now consider this use as unlawful | under the GDPR. | rlpb wrote: | > > _in a similar way to these organisations_ | | If you use axe in a similar way to an axe murderer then that | would make your use illegal. It wouldn't make axes "almost | illegal". | naniwaduni wrote: | There are any number of things you can have that are not | technically illegal to acquire or possess _per se_ , but | would almost certainly be illegal to use in any expected | capacity. I think it's reasonable to describe those as | "almost illegal". Google Analytics is, apparently, in that | category. | kmeisthax wrote: | The product cannot be adapted as the concern is specifically | that Google can be legally compelled to violate GDPR. Schrems | II is _very explicit_ that EU companies cannot send data to the | US for as long as the US CLOUD Act is on the books. | | "Banning Google Analytics" actually downplays it. Even Google | _Fonts_ is actually illegal now; and it will continue to be | illegal until the US does the smart thing and copypastes GDPR | into local law. | cyral wrote: | So really every website, even HN, that doesn't shard all EU | data away in a separate EU datacenter (if they aren't already | based in the EU) is illegal? | jacquesm wrote: | No. | mminer237 wrote: | Correct. Also note that IP address are counted as PII, so | even sending an IP address (as required by any TCP/IP | request) to a US-located or US-controlled server is illegal | without getting consent beforehand. | tomkarho wrote: | I'm not sure that's how it works. Couple of things | (IANAL): | | 1. I don't think ip address alone constitutes PII but | needs to be combined with other data to be applicable | | 2. Even if it were, I would imagine it falls under | article 6 provisions where ip is required information to | fulfill a contract which in case of HN as an example | means delivering the web page to the browser | ricardobeat wrote: | Only if they are storing personal data (including IP | addresses). | kmeisthax wrote: | No. This part of the rules only applies to EU businesses. | If an EU citizen deals with a US business, the US business | still has to follow GDPR, but not the export rules. EU | businesses do have to follow said rules. | robertlagrant wrote: | I don't see there's a difference. Say they lowered the speed | limit, making driving at current top speed illegal. You could | say that speed's not illegal, it just needs modifying, but that | would seem a strange point to make. | bryanrasmussen wrote: | I think that's a strange way of arguing actually, you would | say the speed is illegal and the car and driver behavior just | needs modifying. Google analytics would by analogy be closer | to a car that can go a certain speed. | | But the question is if the law says that any car that can go | that speed is no longer street legal, then it is a problem | because it is probably difficult to modify the car. Just as | there are structural issues about Google Analytics where GDPR | is concerned that makes altering it really difficult if not | impossible, and if you can't fix GA to make it legal it is de | facto illegal. | BlueTemplar wrote: | I guess the parallel works even better with *minimum* | rather than maximum speed limits ? | kmitz wrote: | Speaking of adapting the product, the article explicitely | states : "Is it possible to set the Google Analytics tool so | that personal data is not transferred outside the European | Union?" | | "No." | | So right now it is practically impossible to use Google | Analytics in a legal way in France. | jeppester wrote: | It's a very common misunderstanding (which is happily spread | by US cloud providers) that it matters _where_ the data is | stored. | | What matters is that the data is stored by - and accessible | to - a company which submits to the US laws. | retcon wrote: | Equally it's a sorry indictment of our economic times that | the meaning of unlawful has been hammered into a | understanding that non prohibition is permission. This | aggressive and putative new use is refuted by every | founding principle of the common law in Anglo Saxon | countries and most of the western world. See the argument | of letter vs. spirit for a effect. | | Ed. cleared up phrasing around new use, replaced meaning | with use for .. meaning. | 8ytecoder wrote: | I don't think it has been tested in court. It's akin to a | U.S. Court issuing a search warrant on a house in Paris. | eftychis wrote: | My applause to CNIL on the action. | | I don't understand the "almost." The title is editorialized -- as | commented elsewhere. There is no almost. It is illegal the way | they act and store data. That nobody is going to come and place | you on handcuffs doesn't make something legal... | | Mainly though this is old news -- https://iapp.org/news/a/cnil- | is-latest-authority-to-rule-goo... -- CNIL and the Austrian one | did so in the beginning of the year. | | I would add a February 2022 tag on the post. | | I hope the whole EU agency pool does the same and start applying | fines and every tooth they can. | agluszak wrote: | I hope more and more such laws will be passed in the EU. We need | stronger privacy protection against big tech corporations. | WaitWaitWha wrote: | >We need stronger privacy protection against big tech | corporations. | | ... We need stronger privacy protection; | | ... be it corporations, governments, or individuals. | joe-collins wrote: | We need stronger protections at all levels of social | organization. Every group has incentives to exploit each | other. The ever-evolving trick is to arrange the balance of | power to minimize each faction's capacity for overreach. ___________________________________________________________________ (page generated 2022-07-27 23:00 UTC)