[HN Gopher] Danish Data Protection Agency concludes Google Analy...
___________________________________________________________________

Danish Data Protection Agency concludes Google Analytics cannot be used
lawfully

Author : ZacnyLos
Score  : 216 points
Date   : 2022-09-21 18:19 UTC (4 hours ago)

(HTM) web link (www.datatilsynet.dk)
(TXT) w3m dump (www.datatilsynet.dk)

| aurora72 wrote:
| Anything related to Google can't be used lawfully because Google
| acknowledges no law.

| [deleted]

| kmeisthax wrote:
| No, the specific problem is that Americans can't comply with
| GDPR because they are American.
|
| This will be the state of EU law until America either repeals
| the CLOUD Act and shuts down the NSA, or copypastes GDPR into
| local law. I would prefer either to be honest.

| dataking wrote:
| I'm not sure this is correct. The EU and US agreed "in
| principle" on a new privacy shield in the spring of this year
| [0]. Maybe third time is the charm? (I think this is the
| third attempt.)
|
| [0] https://www.politico.eu/article/privacy-shield-data-deal-joe...

| Deukhoofd wrote:
| The CLOUD act is one thing, but Section 702 of the Foreign
| Intelligence Surveillance Act is a far bigger problem.
| Allowing the FBI, CIA and NSA full access to all data
| regarding every non-American without a warrant required on
| every US internet service is a massive breach of privacy, and
| will always be a GDPR breach.

| senko wrote:
| I'm a happy Plausible (https://plausible.io/) paying user.
|
| Simple to use (few features compared to GA, but exactly those I
| need), respects privacy, and has fair pricing.

| AdriaanvRossum wrote:
| For those who need a summary of what is happening in the EU [1]
|
| 1. Since 2020, it's illegal to send personal data to the US
| because of the invalidation of the Privacy Shield [2]
|
| 2. Google said it was okay in the EU to use anonymized IP
| addresses
|
| 3. The Austrian Data Protection Authority (DSB) [3] ruled
| differently and waived most of the arguments raised by Google.
| The DSB ruled that even anonymized IP addresses are personal
| data.
|
| 4. The Data Protection Authority of The Netherlands followed by
| implying that the use of Google Analytics might be banned in the
| future [4]
|
| 5. In February 2022 The Data Protection Authority of France
| (CNIL) followed [5]
|
| 6. In June 2022 the Data Protection Authority of Italy (Garante)
| followed [6]
|
| 7. Now, September 2022, Denmark - after already banning Google
| Workspace for municipalities [7] - considers Google Analytics
| unlawful as well [8]
|
| This is a sound decision, but not a new one. It's a confirmation
| of what has been ruled in July 2020, but now it seems to have
| more impact.
|
| PS: I'm the founder of Simple Analytics [9] - the privacy-first
| analytics tool that, unlike other privacy tools, does not use any
| identifiers.
|
| [1] https://blog.simpleanalytics.com/will-google-analytics-be-ba...
|
| [2] https://iapp.org/news/a/the-schrems-ii-decision-eu-us-data-t...
|
| [3] https://www.data-protection-authority.gv.at/
|
| [4] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/interne...
| (in Dutch)
|
| [5] https://www.cnil.fr/en/use-google-analytics-and-data-transfe...
|
| [6] https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/d...
|
| [7] https://www.simpleanalytics.com/blog/denmark-bans-google-wor...
| (includes translated version)
|
| [8] https://www.datatilsynet.dk/english/google-analytics/use-of-...
| (this thread)
|
| [9] https://www.simpleanalytics.com/

| dataking wrote:
| Thanks for your summary! I, for one, needed it. Can you comment
| on why the DSB found that anonymized IP addresses are personal
| data (3rd point). Is it because the anonymization is too weak?
|
| Edit: seems GA only masks the last octet of an IPv4 address.

| AdriaanvRossum wrote:
| See the PDF from Google as a response to Austrian DPA [1].
| See heading "Technical and Organizational Measures" on page
| 23 and "Optional Technical Measure" on page 26.
|
| More you can find in the NOYB blog post [2]. NOYB is the
| organization who initiated the complaints towards Google
| (Analytics).
|
| > While Google has made submissions claiming that it has
| implemented "Technical and Organizational Measures" ("TOMs")
| [1], which included ideas like having fences around data
| centers, reviewing requests or having baseline encryption,
| the DSB has rejected these measures as absolutely useless
| when it comes to US surveillance (page 38 and 39 of the
| decision):
|
| > "With regard to the contractual and organizational measures
| outlined, it is not apparent, to what extent [the measure]
| are effective in the sense of the above considerations."
|
| > "Insofar as the technical measures are concerned, it is
| also not recognizable (...) to what extent [the measure]
| would actually prevent or limit access by U.S. intelligence
| agencies considering U.S. law."
|
| > Max Schrems: "This is a very detailed and sound decision.
| The bottom line is: Companies can't use US cloud services in
| Europe anymore. It has now been 1.5 years since the Court of
| Justice confirmed this a second time, so it is more than time
| that the law is also enforced."
|
| [1] https://noyb.eu/sites/default/files/2021-05/2021-04-09_Respo...
|
| [2] https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...

| [deleted]

| ZacnyLos wrote:
| There are tons of alternatives:
| https://european-alternatives.eu/alternative-to/google-analy...

| skybrian wrote:
| And yet, has anyone ever been harmed by Google Analytics? How
| would we know?

| spookie wrote:
| This has been answered in the thread, but the tl;dr is that it
| compromises European rights.
|
| Poor Google :'(

| skybrian wrote:
| How important can these rights be if compromising them harms
| nobody?
|
| You could have the right to name an asteroid, but it's not an
| important right.

| belorn wrote:
| We know from scandals and leaks that Google has access to
| citizens' sensitive data from multiple nations, with privileged
| access that handles medical, military, political, commercial,
| and legal information.
|
| No one should hold that much power.

| skybrian wrote:
| That's not what I asked, though. Those aren't examples of
| people being harmed.

| V__ wrote:
| > This has been particularly relevant as Google, following the
| first Austrian decision, has begun to provide additional settings
| in relation to what data can be collected by the tool. However,
| our conclusion is that the tool cannot, without more, be used
| lawfully.
|
| Even though Google has branches in Europe, again the website
| owners will get in legal trouble and not Google for offering a
| product which cannot be used legally.
|
| Is there any other industry where the client is responsible for
| making sure the service or product is legal and not the producer?

| googlryas wrote:
| You can use google analytics legally in all of these areas that
| have deemed it illegal, because they're just saying it is
| illegal for common public-facing internet usage. You can still
| use google analytics for, say, corporate intranet sites in
| Denmark if you'd like.

| Xylakant wrote:
| I doubt you can. If the data collection is illegal under the
| GDPR (or its incarnation under Danish law), then it won't
| help if you don't use it in a public facing context. The GDPR
| doesn't make any difference between subjects that are
| employed by the entity collecting the data and others.

| V__ wrote:
| Sure, but that is not what Google is advertising, and it
| should be Google's responsibility to inform users about that.
|
| Exaggerated example: If I would buy a car which by design
| isn't road legal, and this design flaw would cause an
| accident killing someone. Normally the carmaker would be
| responsible. The carmaker couldn't say, well technically,
| it's only for use in your backyard, but you have to be a
| lawyer to know that, and our advertising isn't reflecting
| that at all. Somehow, Google gets away with such logic.

| stickfigure wrote:
| > Is there any other industry where the client is responsible
| for making sure the service or product is legal and not the
| producer?
|
| Pretty much all of them? Let's say you buy a humble
| walkie-talkie. It is your responsibility to operate it in regions
| where the specific RF bands it uses are legal.

| V__ wrote:
| And you as a customer are clearly informed about such
| limitations. No walkie-talkie would advertise themselves as
| free to use anywhere. Also, no walkie-talkie sold which by
| design uses the wrong frequencies would be allowed and would
| make the user liable and not the producer.

| PeterisP wrote:
| No, that's not true, if you buy a walkie-talkie, the seller
| has all kinds of obligations to ensure that it follows the
| requirements.
|
| Radio devices are a good example where it in fact is illegal to
| make, sell or import transmitters that do not conform to
| permitted RF bands.
|
| IIRC in USA there is an exemption in FCC rules if you're
| importing a device for personal use by e.g. buying it online
| from abroad (and then you're responsible to use it properly),
| but if you'd want to resell that device, you can't just
| transfer the liability to the user, you are responsible for
| ensuring that the transmitter follows FCC rules.

| trasz wrote:
| Not true - you can easily buy unlocked Baofeng radios in EU
| and nobody cares. FCC cared because American manufacturers
| couldn't really compete on market terms.

| dataking wrote:
| > Is there any other industry where the client is responsible
| for making sure the service or product is legal and not the
| producer?
|
| Let's remember, for context, that the EU is saying that the US
| is an "unsafe" third party country. While this is certainly
| true under a given definition of safe/unsafe, I doubt (m)any
| European citizens can point to harm as a direct result of their
| data being subpoenaed under the US CLOUD act. I am not saying
| there isn't a real problem but as I mentioned in another
| comment, the US and EU have agreed "in principle" on a third
| privacy shield to satisfy concerns on both sides and we are now
| waiting for it to be codified and tested in courts.

| dahfizz wrote:
| It's easy to buy car parts online that are illegal for road use.
| Same concept applies - you can build whatever kind of car, or
| website, you want. But there are rules about how that car or
| website must be used when around the general public.

| V__ wrote:
| Can you buy illegal car parts (sold by a European entity, for
| example) which advertise themselves as road legal but aren't?

| Nextgrid wrote:
| Does Google Analytics advertise itself as legal?
|
| As far as I know they never explicitly say that - they give
| you all the details you need to make the determination
| yourself, but never explicitly give you the answer.

| V__ wrote:
| I don't think that distinction legally matters (in
| Europe). Every product or service in Europe has to
| "ensure that your products meet the EU requirements to
| protect human and animal health, the environment and
| consumers rights." [1]. This means every consumer buying
| a product in Europe (from a European entity) can assume
| that the product or service is legal.
|
| [1] https://europa.eu/youreurope/business/selling-in-eu/selling-...

| bloppe wrote:
| There's nothing wrong with Google allowing a website to
| use GA. The problem only arises if that website then
| serves end-user traffic to EU citizens. Many European
| websites may choose to only use GA if the traffic is
| coming from outside the EU.

| V__ wrote:
| I'm not sure if that's true. I might be mistaken, but I
| think European companies have to abide by GDPR even for
| non-EU personal data.
|
| But let's say it is, then still Google should make that
| very clear or even adapt its script to prevent a
| connection if an EU IP is recognized.

| hef19898 wrote:
| You just described a significant portion of the EU based
| car tuner scene.

| markstos wrote:
| They don't have to advertise that they are legal for road
| use to sell them to people intending to use them on the
| road. Another example: a number of e-bike suppliers sell
| parts that are explicitly described as not road-legal.
| People may buy them precisely because they are advertised
| as being faster or more powerful than what is sold in
| retail stores.

| V__ wrote:
| > a number of e-bike suppliers sell parts that are
| explicitly described as not road-legal.
|
| That's fair play. The user knows exactly that he is
| breaking the law, and he can be punished. Google
| advertises Analytics for online-shops, websites etc.
| Cases in which the product can't be used legally and the
| user doesn't know it.

| spookie wrote:
| It's not the end user, it's the website owner. And yes,
| you are responsible for your website.

| V__ wrote:
| The website owner is the end user of Analytics, but even
| if not: Why should the distinction matter?
|
| For example: I'm also responsible for my car but if it's
| (by design) not road legal, why should I be responsible
| to be sure of that and not the carmaker?

| spookie wrote:
| Idk where you live, but I'm responsible for making sure
| that my car stays road legal. And I would be responsible
| to make sure it was from the start if I had built it
| myself _wink_ _wink_

| V__ wrote:
| Of course, but if you bought a brand new vehicle and it
| wasn't road legal by design you wouldn't be.

| dom96 wrote:
| I keep seeing these and wondering why Google isn't doing anything
| about this. Surely it should at the very least tell Google
| Analytics users based out of the EU that they need to stop using
| its services? Isn't Google in hot water here for not doing this?

| anothernewdude wrote:
| More people that actually use GA, the less bad it will be. If
| everybody does it, it becomes De Facto legal, and makes it
| clear how little authority the Danish government has.
|
| Laws that aren't enforced, or that have little bite, aren't
| really laws.

| Bakary wrote:
| So far the fines have been laughable compared to their revenue

| openplatypus wrote:
| In case of GA be aware that Google is merely a Data
| Processor. You, the website operator, are the Data Controller
| in this relationship.
|
| If you use GA for web analytics it is the website operator's
| problem, not Google's.

| giuliomagnifico wrote:
| Stop using GA in Europe. There're lots of other analytics
| services, don't gift European data to Google.

| adrr wrote:
| Are they free?

| cgraf wrote:
| Here is a good list of European alternatives to Google
| Analytics. The products with free plans are marked as such in
| case you are specifically looking for them:
| https://european-alternatives.eu/alternative-to/google-analy...
|
| There are also some that are open source and can be
| self-hosted. Those are marked with an "open source" flag.

| giuliomagnifico wrote:
| Some yes, some not. I'm using https://umami.is/ that is free
| (but I'm hosting it on a DigitalOcean VPS for a few $/month).
| Better than paying a fine for using Google Analytics.

| wombarly wrote:
| >There're lots of other analytics services
|
| Not really. The only actual competitor to GA is Matomo
| Analytics, the rest are just copies of each other with the same
| very basic feature set.

| that_guy_iain wrote:
| Yea but most of us only need a very basic feature set.
| Therefore all these other competitors you say aren't actual
| competitors are competing and taking users away from Google.

| cgraf wrote:
| Here is also a good list of European alternatives that can be
| used instead of Google Analytics:
| https://european-alternatives.eu/alternative-to/google-analy...

| drukenemo wrote:
| Adobe Analytics is a fantastic web analytics platform. You
| seem to be misinformed.

| Kye wrote:
| I'm always wary of a price of "Get in touch." At least give
| me a range so I know if it's worth getting in touch.
|
| https://business.adobe.com/products/analytics/compare-adobe-...

| yakkomajuri wrote:
| Actually there's a broad spectrum of alternatives out there
| covering different bits of functionality. GA4 particularly is
| a much broader product than the original Google Analytics.
|
| We keep a list here:
|
| https://isgoogleanalyticsillegal.com/alternatives

| closewith wrote:
| Google Analytics is outclassed by many other tools, but it has
| two features that make it essential (along with its brethren,
| Google Ads tracking) for most enterprises.
|
| One is the Search Console integration, which is the only way to
| see what Google search queries led people to your site.
|
| The second is Google Ads conversion tracking and remarketing,
| which is de facto required to advertise with Google because it
| can easily 10x your Return On Advertising Spend, which is a key
| metric for digital marketing teams.
|
| Without those two features, Google Analytics would be easy to
| drop. Many big companies already have other first- or
| third-party analytics tools they prefer.

| that_guy_iain wrote:
| > One is the Search Console integration, which is the only
| way to see what Google search queries led people to your
| site.
|
| Don't most analytic tools have this? I know Plausible has
| Search Console Integration.
|
| The Google Ads conversion is the killer feature Google
| Analytics has in my opinion. But the reality is, most use it
| because it's de facto and free.

| erik_seaberg wrote:
| Didn't Google add a hop so the Referer header no longer
| provides the actual search URL?

| kurikuri wrote:
| Breaking standards to protect a moat
|
| Ew

| that_guy_iain wrote:
| Yea but plausible integrates with the search console.
| Google probably has to provide some integration ability
| which is why it's possible.

| daniel-cussen wrote:
| How can that be if companies don't get a good ROI from online
| advertising? So that means you need to get Google Adwords in
| order not to waste practically all your ad spend?

| the_duke wrote:
| Maybe I'm missing something, but you can use the search
| console just fine without Google Analytics?

| openplatypus wrote:
| We are adding Google and Bing search console integration to
| https://wideangle.co, should arrive rather soon :)
|
| As other posters mentioned, there are numerous GA
| alternatives, with varying degrees of compliance and features.

| tannhaeuser wrote:
| Search Console is reporting how many Google searches have
| resulted in page impressions or clicks to your site, with
| what ranking on the respective search query (keywords/phrase)
| etc.; works without ga.

| endisneigh wrote:
| I wonder if the conclusion of these sort of laws is just a
| segregated internet

| zeruch wrote:
| It's already here. (Web3 will exacerbate it).
|
| Seriously, in terms of a 'segregated' network, we already see
| giant walled gardens and their pseudo-kin everywhere, and
| web3's sole focus seems on monetization of anything online,
| which won't help that one iota.

| throwaway5920 wrote:
| It is inevitable. The only question is to what ends. EU is very
| focused on a maximalist vision of privacy. US is focused on
| security with a touch of woke censorship. China couldn't care
| less about privacy but is obsessed about keeping out foreign
| influence and heavily censoring cultural and political content.

| spookie wrote:
| I wonder who is in the right here

| dmitriid wrote:
| > US is focused on security with a touch of woke censorship.
|
| The US couldn't care less about security. Their approach is
| "we buy and sell your data and if you are in the US the
| government can use any and all data at any point for any
| reason".
|
| European view isn't maximalist in the least. Europe,
| thankfully, still remembers lessons learned from data
| exposure to Stasi police.

| bee_rider wrote:
| Hopefully European VPN providers can capitalize on this. Even
| if it is just a tiny boost to the local economy, always nice
| when a populace is rewarded for selecting reasonable politicians.

| wazoox wrote:
| I removed GA from all my websites a few months ago. It didn't
| provide any interesting information anyway. I actually get better
| data with Webalizer and a couple of custom scripts.

| djbusby wrote:
| Care to share these scripts?

| ghostpepper wrote:
| Do they say why it cannot be used lawfully or what "more" would
| be required to make it lawful?

| openplatypus wrote:
| Why: Schrems II ruling in essence. Any operator under the
| influence of US authorities requires additional measures to
| secure data.
|
| More: add additional measures beyond those provided by GA.
| Hosting a proxy and anonymizing the data before it reaches GA
| might be an option.
|
| At this point, it is easier and cheaper to find a GDPR-compliant
| alternative.

| basquiyacht wrote:
| Using Simple Analytics here. Not self-hosted but privacy-friendly
| and cookieless by design.

| RileyJames wrote:
| GA4 seems to be a big shot in the foot too. I'm sure it's
| powerful, but by default it doesn't show me what I need to know.
|
| The old GA did.
|
| And now I've moved to paid, but basic products (plausible) which
| do show me those important details, instantly. Traffic trends,
| sources, referrers, goals.

| bigwindow1 wrote:
| I recently removed Google Analytics from my websites and set up
| the self-hosted umami (https://umami.is/) analytics. One of the
| best things about it is how fast it opens, while GA is so laggy.

| jdthedisciple wrote:
| Umami seems perfect! Thank you I've been looking for something
| good other than GA to use on my clients WP site.

| djbusby wrote:
| Can't tell from the demo - has ability to track 404s?

| mcao wrote:
| Yes, if you display a custom 404 page.

| lwn wrote:
| >> One possible technical measure that may be relevant when using
| Google Analytics is pseudonymisation.
|
| Under GDPR pseudonymisation is considered to be reversible and
| therefore still falls within the scope of personal data. [source:
| https://ec.europa.eu/research/participants/data/ref/h2020/gr... ]

| lmkg wrote:
| Whether it's personal data is not the issue.
|
| The issue is whether _US law enforcement_ has unrestricted
| access to the data. They are considered to have unrestricted
| access to any data on Google's servers (even their EU
| servers). But if re-identification requires a piece of data
| which only lives outside of US jurisdiction, and accessing that
| data requires going through appropriate channels, then the data
| is considered safeguarded.

___________________________________________________________________
(page generated 2022-09-21 23:00 UTC)