[HN Gopher] Danish Data Protection Agency concludes Google Analy...
___________________________________________________________________
Danish Data Protection Agency concludes Google Analytics cannot be
used lawfully
Author : ZacnyLos
Score : 216 points
Date : 2022-09-21 18:19 UTC (4 hours ago)
(HTM) web link (www.datatilsynet.dk)
(TXT) w3m dump (www.datatilsynet.dk)
| aurora72 wrote:
| Anything related to Google can't be used lawfully because Google
| acknowledges no law.
| kmeisthax wrote:
| No, the specific problem is that Americans can't comply with
| GDPR because they are American.
|
| This will be the state of EU law until America either repeals
| the CLOUD Act and shuts down the NSA, or copypastes GDPR into
| local law. I would prefer either to be honest.
| dataking wrote:
| I'm not sure this is correct. The EU and US agreed "in
| principle" on a new privacy shield in the spring of this year
| [0]. Maybe third time is the charm? (I think this is the
| third attempt.)
|
| [0] https://www.politico.eu/article/privacy-shield-data-deal-joe...
| Deukhoofd wrote:
| The CLOUD act is one thing, but Section 702 of the Foreign
| Intelligence Surveillance Act is a far bigger problem.
| Allowing the FBI, CIA and NSA full access to all data
| regarding every non-American without a warrant required on
| every US internet service is a massive breach of privacy, and
| will always be a GDPR breach.
| senko wrote:
| I'm a happy Plausible (https://plausible.io/) paying user.
|
| Simple to use (few features compared to GA, but exactly those I
| need), respects privacy, and has fair pricing.
| AdriaanvRossum wrote:
| For those who need a summary of what is happening in the EU [1]
|
| 1. Since 2020, it's illegal to send personal data to the US
| because of the invalidation of the Privacy Shield [2]
|
| 2. Google said it was okay in the EU to use anonymized IP
| addresses
|
| 3. The Austrian Data Protection Authority (DSB) [3] ruled
| differently and waived most of the arguments raised by Google.
| The DSB ruled that even anonymized IP addresses are personal
| data.
|
| 4. The Data Protection Authority of The Netherlands followed by
| implying that the use of Google Analytics might be banned in the
| future [4]
|
| 5. In February 2022 The Data Protection Authority of France
| (CNIL) followed [5]
|
| 6. In June 2022 the Data Protection Authority of Italy (Garante)
| followed [6]
|
| 7. Now, September 2022, Denmark - after already banning Google
| Workspace for municipalities [7] - considers Google Analytics
| unlawful as well [8]
|
| This is a sound decision, but not a new one. It's a confirmation
| of what has been ruled in July 2020, but now it seems to have
| more impact.
|
| PS: I'm the founder of Simple Analytics [9] - the privacy-first
| analytics tool that, unlike other privacy tools, does not use any
| identifiers.
|
| [1] https://blog.simpleanalytics.com/will-google-analytics-be-ba...
|
| [2] https://iapp.org/news/a/the-schrems-ii-decision-eu-us-data-t...
|
| [3] https://www.data-protection-authority.gv.at/
|
| [4] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/interne... (in Dutch)
|
| [5] https://www.cnil.fr/en/use-google-analytics-and-data-transfe...
|
| [6] https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/d...
|
| [7] https://www.simpleanalytics.com/blog/denmark-bans-google-wor... (includes translated version)
|
| [8] https://www.datatilsynet.dk/english/google-analytics/use-of-... (this thread)
|
| [9] https://www.simpleanalytics.com/
| dataking wrote:
| Thanks for your summary! I, for one, needed it. Can you comment
| on why the DSB found that anonymized IP addresses are personal
| data (3rd point)? Is it because the anonymization is too weak?
|
| Edit: seems GA only masks the last octet of an IPv4 address.
| AdriaanvRossum wrote:
| See the PDF from Google as a response to Austrian DPA [1].
| See heading "Technical and Organizational Measures" on page
| 23 and "Optional Technical Measure" on page 26.
|
| You can find more in the NOYB blog post [2]. NOYB is the
| organization that initiated the complaints towards Google
| (Analytics).
|
| > While Google has made submissions claiming that it has
| implemented "Technical and Organizational Measures" ("TOMs")
| [1], which included ideas like having fences around data
| centers, reviewing requests or having baseline encryption,
| the DSB has rejected these measures as absolutely useless
| when it comes to US surveillance (page 38 and 39 of the
| decision):
|
| > "With regard to the contractual and organizational measures
| outlined, it is not apparent, to what extent [the measure]
| are effective in the sense of the above considerations."
|
| > "Insofar as the technical measures are concerned, it is
| also not recognizable (...) to what extent [the measure]
| would actually prevent or limit access by U.S. intelligence
| agencies considering U.S. law."
|
| > Max Schrems: "This is a very detailed and sound decision.
| The bottom line is: Companies can't use US cloud services in
| Europe anymore. It has now been 1.5 years since the Court of
| Justice confirmed this a second time, so it is more than time
| that the law is also enforced."
|
| [1] https://noyb.eu/sites/default/files/2021-05/2021-04-09_Respo...
|
| [2] https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...
| ZacnyLos wrote:
| There are tons of alternatives:
| https://european-alternatives.eu/alternative-to/google-analy...
| skybrian wrote:
| And yet, has anyone ever been harmed by Google Analytics? How
| would we know?
| spookie wrote:
| This has been answered in the thread, but the tl;dr is that it
| compromises European rights.
|
| Poor Google :'(
| skybrian wrote:
| How important can these rights be if compromising them harms
| nobody?
|
| You could have the right to name an asteroid, but it's not an
| important right.
| belorn wrote:
| We know from scandals and leaks that Google has access to
| citizens' sensitive data from multiple nations, with privileged
| access that handles medical, military, political, commercial,
| and legal information.
|
| No one should hold that much power.
| skybrian wrote:
| That's not what I asked, though. Those aren't examples of
| people being harmed.
| V__ wrote:
| > This has been particularly relevant as Google, following the
| first Austrian decision, has begun to provide additional settings
| in relation to what data can be collected by the tool. However,
| our conclusion is that the tool cannot, without more, be used
| lawfully.
|
| Even though Google has branches in Europe, again the website
| owners will get in legal trouble and not Google for offering a
| product which cannot be used legally.
|
| Is there any other industry where the client is responsible for
| making sure the service or product is legal and not the producer?
| googlryas wrote:
| You can use google analytics legally in all of these areas that
| have deemed it illegal, because they're just saying it is
| illegal for common public-facing internet usage. You can still
| use google analytics for, say, corporate intranet sites in
| Denmark if you'd like.
| Xylakant wrote:
| I doubt you can. If the data collection is illegal under the
| GDPR (or its incarnation under Danish law), then it won't
| help if you don't use it in a public facing context. The GDPR
| doesn't make any difference between subjects that are
| employed by the entity collecting the data and others.
| V__ wrote:
| Sure, but that is not what Google is advertising, and it
| should be Google's responsibility to inform users about that.
|
| Exaggerated example: If I would buy a car which by design
| isn't road legal, and this design flaw would cause an
| accident killing someone. Normally the carmaker would be
| responsible. The carmaker couldn't say, well technically,
| it's only for use in your backyard, but you have to be a
| lawyer to know that, and our advertising isn't reflecting
| that at all. Somehow, Google gets away with such logic.
| stickfigure wrote:
| > Is there any other industry where the client is responsible
| for making sure the service or product is legal and not the
| producer?
|
| Pretty much all of them? Let's say you buy a humble walkie-
| talkie. It is your responsibility to operate it in regions
| where the specific RF bands it uses are legal.
| V__ wrote:
| And you as a customer are clearly informed about such
| limitations. No walkie-talkie would advertise themselves as
| free to use anywhere. Also, no walkie-talkie sold which by
| design uses the wrong frequencies would be allowed and would
| make the user liable and not the producer.
| PeterisP wrote:
| No, that's not true, if you buy a walkie-talkie, the seller
| has all kinds of obligations to ensure that it follows the
| requirements.
|
| Radio devices are a good example where it in fact is illegal to
| make, sell or import transmitters that do not conform to
| permitted RF bands.
|
| IIRC in USA there is an exemption in FCC rules if you're
| importing a device for personal use by e.g. buying it online
| from abroad (and then you're responsible to use it properly),
| but if you'd want to resell that device, you can't just
| transfer the liability to the user, you are responsible for
| ensuring that the transmitter follows FCC rules.
| trasz wrote:
| Not true - you can easily buy unlocked Baofeng radios in EU
| and nobody cares. FCC cared because American manufacturers
| couldn't really compete on market terms.
| dataking wrote:
| > Is there any other industry where the client is responsible
| for making sure the service or product is legal and not the
| producer?
|
| Let's remember, for context, that the EU is saying that the US
| is an "unsafe" third party country. While this is certainly
| true under a given definition of safe/unsafe, I doubt (m)any
| European citizens can point to harm as a direct result of their
| data being subpoenaed under the US CLOUD act. I am not saying
| there isn't a real problem but as I mentioned in another
| comment, the US and EU have agreed "in principle" on a third
| privacy shield to satisfy concerns on both sides and we are now
| waiting for it to be codified and tested in courts.
| dahfizz wrote:
| It's easy to buy car parts online that are illegal for road use.
| Same concept applies - you can build whatever kind of car, or
| website, you want. But there are rules about how that car or
| website must be used when around the general public.
| V__ wrote:
| Can you buy illegal car parts (sold by a European entity, for
| example) which advertise themselves as road legal but aren't?
| Nextgrid wrote:
| Does Google Analytics advertise itself as legal?
|
| As far as I know they never explicitly say that - they give
| you all the details you need to make the determination
| yourself, but never explicitly give you the answer.
| V__ wrote:
| I don't think that distinction legally matters (in
| Europe). Every product or service in Europe has to
| "ensure that your products meet the EU requirements to
| protect human and animal health, the environment and
| consumers rights." [1]. This means every consumer buying
| a product in Europe (from a European entity) can assume
| that the product or service is legal.
|
| [1] https://europa.eu/youreurope/business/selling-in-eu/selling-...
| bloppe wrote:
| There's nothing wrong with Google allowing a website to
| use GA. The problem only arises if that website then
| serves end-user traffic to EU citizens. Many European
| websites may choose to only use GA if the traffic is
| coming from outside the EU.
| V__ wrote:
| I'm not sure if that's true. I might be mistaken, but I
| think European companies have to abide by GDPR even for
| non-EU personal data.
|
| But let's say it is, then still Google should make that
| very clear or even adapt its script to prevent a
| connection if an EU IP is recognized.
| hef19898 wrote:
| You just described a significant portion of the EU-based
| car tuner scene.
| markstos wrote:
| They don't have to advertise that they are legal for road
| use to sell them to people intending to use them on the
| road. Another example: a number of e-bike suppliers sell
| parts that are explicitly described as not road-legal.
| People may buy them precisely because they are advertised
| as being faster or more powerful than what is sold in
| retail stores.
| V__ wrote:
| > a number of e-bike suppliers sell parts that are
| explicitly described as not road-legal.
|
| That's fair play. The user knows exactly that he is
| breaking the law, and he can be punished. Google
| advertises Analytics for online-shops, websites etc.
| Cases in which the product can't be used legally and the
| user doesn't know it.
| spookie wrote:
| It's not the end user, it's the website owner. And yes,
| you are responsible for your website.
| V__ wrote:
| The website owner is the end user of Analytics, but even
| if not: Why should the distinction matter?
|
| For example: I'm also responsible for my car but if it's
| (by design) not road legal, why should I be responsible
| to be sure of that and not the carmaker?
| spookie wrote:
| Idk where you live, but I'm responsible for making sure
| that my car stays road legal. And I would be responsible
| to make sure it was from the start if I had built it
| myself _wink_ _wink_
| V__ wrote:
| Of course, but if you bought a brand new vehicle and it
| wasn't road legal by design you wouldn't be.
| dom96 wrote:
| I keep seeing these and wondering why Google isn't doing anything
| about this. Surely it should at the very least tell Google
| Analytics users based out of the EU that they need to stop using
| its services? Isn't Google in hot water here for not doing this?
| anothernewdude wrote:
| The more people that actually use GA, the less bad it will be. If
| everybody does it, it becomes de facto legal, and makes it
| clear how little authority the Danish government has.
|
| Laws that aren't enforced, or that have little bite, aren't
| really laws.
| Bakary wrote:
| So far the fines have been laughable compared to their revenue
| openplatypus wrote:
| In the case of GA, be aware that Google is merely a Data
| Processor. You, the website operator, are the Data Controller
| in this relationship.
|
| If you use GA for web analytics, it is the website operator's
| problem, not Google's.
| giuliomagnifico wrote:
| Stop using GA in Europe. There're lots of other analytics
| services, don't gift European data to Google.
| adrr wrote:
| Are they free?
| cgraf wrote:
| Here is a good list of European alternatives to Google
| Analytics. The products with free plans are marked as such in
| case you are specifically looking for them:
| https://european-alternatives.eu/alternative-to/google-analy...
|
| There are also some that are open source and can be self-
| hosted. Those are marked with an "open source" flag.
| giuliomagnifico wrote:
| Some yes, some not. I'm using https://umami.is/ that is free
| (but I'm hosting it on a DigitalOcean VPS for a few $/month). Better
| than paying a fine for using Google Analytics.
| wombarly wrote:
| >There're lots of other analytics services
|
| Not really. The only actual competitor to GA is Matomo
| Analytics, the rest are just copies of each other with the same
| very basic feature set.
| that_guy_iain wrote:
| Yea but most of us only need a very basic feature set.
| Therefore all these other competitors you say aren't actual
| competitors are competing and taking users away from Google.
| cgraf wrote:
| Here is also a good list of European alternatives that can be
| used instead of Google Analytics:
| https://european-alternatives.eu/alternative-to/google-analy...
| drukenemo wrote:
| Adobe Analytics is a fantastic web analytics platform. You
| seem to be misinformed.
| Kye wrote:
| I'm always wary of a price of "Get in touch." At least give
| me a range so I know if it's worth getting in touch.
|
| https://business.adobe.com/products/analytics/compare-adobe-...
| yakkomajuri wrote:
| Actually there's a broad spectrum of alternatives out there
| covering different bits of functionality. GA4 particularly is
| a much broader product than the original Google Analytics.
|
| We keep a list here:
|
| https://isgoogleanalyticsillegal.com/alternatives
| closewith wrote:
| Google Analytics is outclassed by many other tools, but it has
| two features that make it essential (along with its brethren,
| Google Ads tracking) for most enterprises.
|
| One is the Search Console integration, which is the only way to
| see what Google search queries led people to your site.
|
| The second is Google Ads conversion tracking and remarketing,
| which is de facto required to advertise with Google because it
| can easily 10x your Return On Advertising Spend, which is a key
| metric for digital marketing teams.
|
| Without those two features, Google Analytics would be easy to
| drop. Many big companies already have other first- or third-
| party analytics tools they prefer.
| that_guy_iain wrote:
| > One is the Search Console integration, which is the only
| way to see what Google search queries led people to your
| site.
|
| Don't most analytic tools have this? I know Plausible has
| Search Console Integration.
|
| The Google Ads conversion is the killer feature Google
| Analytics has in my opinion. But the reality is, most use it
| because it's de facto and free.
| erik_seaberg wrote:
| Didn't Google add a hop so the Referer header no longer
| provides the actual search URL?
| kurikuri wrote:
| Breaking standards to protect a moat
|
| Ew
| that_guy_iain wrote:
| Yea but Plausible integrates with the search console.
| Google probably has to provide some integration ability
| which is why it's possible.
| daniel-cussen wrote:
| How can that be if companies don't get a good ROI from online
| advertising? So that means you need to get Google Adwords in
| order not to waste practically all your ad spend?
| the_duke wrote:
| Maybe I'm missing something, but you can use the search
| console just fine without Google Analytics?
| openplatypus wrote:
| We are adding Google and Bing search console integration to
| https://wideangle.co, should arrive rather soon :)
|
| As other posters mentioned, there are numerous GA
| alternatives, with varying degree of compliance and features.
| tannhaeuser wrote:
| Search Console is reporting how many Google searches have
| resulted in page impressions or clicks to your site, with
| what ranking on the respective search query (keywords/phrase)
| etc.; works without ga.
| endisneigh wrote:
| I wonder if the conclusion of these sort of laws is just a
| segregated internet
| zeruch wrote:
| It's already here. (Web3 will exacerbate it).
|
| Seriously, in terms of a 'segregated' network, we already see
| giant walled gardens and their pseudo-kin everywhere, and
| web3's sole focus seems on monetization of anything online,
| which won't help that one iota.
| throwaway5920 wrote:
| It is inevitable. The only question is to what ends. EU is very
| focused on a maximalist vision of privacy. US is focused on
| security with a touch of woke censorship. China couldn't care
| less about privacy but is obsessed about keeping out foreign
| influence and heavily censoring cultural and political content.
| spookie wrote:
| I wonder who is in the right here
| dmitriid wrote:
| > US is focused on security with a touch of woke censorship.
|
| The US couldn't care less about security. Their approach is
| "we buy and sell your data and if you are in the US the
| government can use any and all data at any point for any
| reason".
|
| European view isn't maximalist in the least. Europe,
| thankfully, still remembers lessons learned from data
| exposure to Stasi police.
| bee_rider wrote:
| Hopefully European VPN providers can capitalize on this. Even
| if it is just a tiny boost to the local economy, always nice
| when a populace is rewarded for selecting reasonable politicians.
| wazoox wrote:
| I removed GA from all my websites a few months ago. It didn't
| provide any interesting information anyway. I actually get better
| data with Webalizer and a couple of custom scripts.
| djbusby wrote:
| Care to share these scripts?
| ghostpepper wrote:
| Do they say why it cannot be used lawfully or what "more" would
| be required to make it lawful?
| openplatypus wrote:
| Why: Schrems II ruling in essence. Any operator under the
| influence of US authorities requires additional measures to
| secure data.
|
| More: add additional measures beyond those provided by GA.
| Hosting a proxy and anonymizing the data before it reaches GA
| might be an option.
|
| At this point, it is easier and cheaper to find a GDPR-compliant
| alternative.
| basquiyacht wrote:
| Using Simple Analytics here. Not self-hosted but privacy-friendly
| and cookieless by design.
| RileyJames wrote:
| GA4 seems to be a big shot in the foot too. I'm sure it's
| powerful, but by default it doesn't show me what I need to know.
|
| The old GA did.
|
| And now I've moved to paid, but basic products (plausible) which
| do show me those important details, instantly. Traffic trends,
| sources, referrers, goals.
| bigwindow1 wrote:
| I recently removed Google Analytics from my websites and set up
| the self-hosted umami (https://umami.is/) analytics. One of the
| best things about it is how fast it opens, while GA is so laggy.
| jdthedisciple wrote:
| Umami seems perfect! Thank you, I've been looking for something
| good other than GA to use on my client's WP site.
| djbusby wrote:
| Can't tell from the demo - has ability to track 404s?
| mcao wrote:
| Yes, if you display a custom 404 page.
| lwn wrote:
| >> One possible technical measure that may be relevant when using
| Google Analytics is pseudonymisation.
|
| Under GDPR pseudonymisation is considered to be reversible and
| therefore still falls within the scope of personal data. [source:
| https://ec.europa.eu/research/participants/data/ref/h2020/gr... ]
| lmkg wrote:
| Whether it's personal data is not the issue.
|
| The issue is whether _US law enforcement_ has unrestricted
| access to the data. They are considered to have unrestricted
| access to any data on Google's servers (even their EU
| servers). But if re-identification requires a piece of data
| which only lives outside of US jurisdiction, and accessing that
| data requires going through appropriate channels, then the data
| is considered safeguarded.
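
Added example (not part of the thread or of any commenter's post): a sketch of the proxy-side pseudonymisation discussed above by openplatypus and lmkg, in which the visitor identifier is replaced by a keyed pseudonym and the key stays with the site operator. The event field names (`client_id`, `ip`, `path`, `user_agent`), the key handling and the IPv6 /48 prefix are assumptions made for illustration; the IPv4 last-octet masking is the one mentioned in the thread.

```python
import hashlib
import hmac
import ipaddress

# Assumption: generated and stored only by the site operator (the controller),
# outside the analytics vendor's reach. Constructed demo value.
CONTROLLER_KEY = b"constructed-demo-key-do-not-reuse"


def mask_ip(ip: str) -> str:
    """Zero the last octet of an IPv4 address (the masking mentioned in the
    thread); keep only the /48 prefix of IPv6 (an assumption of this example)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def candidates_after_mask(masked_ipv4: str) -> int:
    """Number of original IPv4 addresses that collapse to one masked value."""
    return ipaddress.ip_network(f"{masked_ipv4}/24").num_addresses


def pseudonymise(identifier: str, key: bytes = CONTROLLER_KEY) -> str:
    """Keyed pseudonym: stable for the key holder, not recomputable without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def scrub_event(event: dict, key: bytes = CONTROLLER_KEY) -> dict:
    """Build the record the proxy forwards: an allow-list, everything else dropped."""
    return {
        "visitor": pseudonymise(event["client_id"], key),
        "ip": mask_ip(event["ip"]),
        # Query strings often carry e-mail addresses, tokens or order ids.
        "path": event["path"].split("?", 1)[0],
    }


def reidentify(pseudonym: str, known_ids: list, key: bytes):
    """Link a pseudonym back to an identifier; this only works with the key."""
    for cid in known_ids:
        if hmac.compare_digest(pseudonymise(cid, key), pseudonym):
            return cid
    return None


# Constructed sample event as the proxy might receive it from a browser.
SAMPLE_EVENT = {
    "client_id": "visitor-1234.5678",
    "ip": "203.0.113.77",
    "path": "/checkout?email=alice%40example.org",
    "user_agent": "ExampleBrowser/1.0",
}

if __name__ == "__main__":
    scrubbed = scrub_event(SAMPLE_EVENT)
    print(scrubbed)
    print("addresses sharing this masked IP:", candidates_after_mask(scrubbed["ip"]))
```

The masked IPv4 value still narrows a visitor down to one of 256 addresses, which is why the keyed pseudonym and the field allow-list carry most of the weight here.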
___________________________________________________________________
(page generated 2022-09-21 23:00 UTC)