Hacker News
Use of Google Analytics declared illegal by French data protection authority (cnil.fr)
1172 points by guillem_lefait on Feb 10, 2022 | 1095 comments



I think we (in the EU) will soon realise the bizarre consequences of these regulations. European startups will not be able to use standard SaaS or PaaS tools (like AWS, Azure, Mailchimp, PayPal etc) if they are based in the US (like most of them are). No cloud services, no Office 365 or Google Workspace.

It will take forever to build up a similar ecosystem in Europe and I think most successful European entrepreneurs will just end up starting companies in the US instead.

There must be some reasonable middle ground before we fragment and destroy the entire Internet. Why not start by making a general exception for temporary storage of less sensitive data like IP-addresses for efficiently and cost effectively delivering a web service?

If there is one thing they could start looking into it would be handling of personal information by governmental organisations. I work a little bit with a few municipalities, and the number of documents with deeply personal information that are just emailed around over unencrypted email is shocking.


On the contrary, it only forces those providers to have a European presence.

We're not fragmenting the internet by looking after our own interests. This wouldn't be an issue if Americans viewed rights (and in this case privacy rights) as belonging to human beings as opposed to American citizens. The US's policy is what led to this:

> Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information

https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield


You are absolutely fragmenting the internet.

We had PII on Azure. We wanted to do business in France. We had to fork our services, and run a full stack on a crappy provider in France. They charged a lot more, would take weeks of vacation with zero support for us. It was a freaking nightmare.

EDIT: I love the responses I'm getting. People are in absolute denial that this does in fact fragment the internet. You may believe that's a good thing, and that's a rational discussion we can have. But don't lie to yourself, or to me, that this doesn't fragment the internet.


There is so much I want to say about this comment! First of all, it sounds like you had a terrible experience because you picked a bad ISP. I sympathize. But then you generalize from that and imply that anyone wanting an EU host will experience the same. Obviously that's not true - or do you believe no good ISPs exist in France? Second of all, why did you fork your code? Did you write your service to use proprietary Azure APIs without regard to vendor lock-in? Why not take this as an opportunity to incrementally extract the proprietary APIs out of your application and replace them with processes you actually own? This will allow you to undo the fork and continue on, able to deploy your application anywhere you want.


We did our research, and settled on the French cloud provider that fit our parameters. They made promises about support hours that they did not keep. Changing cloud service providers is not cheap. We were a small team, and this cost us lots of effort.

We didn't fork our code, we forked our services. We ran everything on Azure. Then we had to configure our kiosk devices to either talk to Azure, or to talk to our servers in France.

"Did you write your service to use proprietary Azure APIs without regard to vendor lock-in? Why not take this as an opportunity"

I'm sorry, do you have any idea of the cost of doing these things?

If you have 6 developers, total, how many of them are you willing to allocate to rewriting your stack, so that you can sell your product in Europe?


>I'm sorry, do you have any idea of the cost of doing these things?

Oh indeed yes, which is why for years now I've been warning people to not write to proprietary APIs in the first place. It's a Faustian bargain and sooner or later the bill is going to come due! If not because of legal requirements, then because MS or Amazon saturates the market, and has to increase revenue somehow. This is an example of where an ounce of prevention is worth a pound of cure. The upshot is that ignoring the warnings of people like me was a mistake.

(It's funny how people have moaned for years about "vendor lock-in" WRT Oracle. "They charge for every core!" But the cloud providers charge for every invocation, which is infinitely worse. And yet no-one seems to worry about it. It's really odd.)


So yeah, using HTTP to connect to a server that happened to be in the US... That's the thing that prevented us from selling in France.

But thanks for lecturing me that "vendor lock in" was what killed our 6-developer team that was developing hardware, and computer vision, and 3D computer graphics, while developing a health care product under the tons of regulation that comes with that.

Your arrogance is just stunning.


Hey, I feel your pain. Companies are like children to a founder, and you have described the heroic acts you've taken to save your child. It absolutely sucks to be in your position.

I think it's important to warn "parents" (or future parents) to avoid this particular tragedy, which I think is quite avoidable. I want to encourage people to question the orthodoxy around cloud, that everyone is doing it so it's fine, and worse is better anyway, yada yada. It may be insensitive to use your situation to illustrate the downside of cloud vendor lock-in, but my motivation is not to look down on you, but to warn others about this very real, very painful outcome that they court when they make the popular choice.


I wasn't a founder. I was one of the 6 developers.

We happened to not use any vendor-specific APIs.

And it still killed us to fork our stack, and to teach our kiosks to be able to talk to the right server, and the extra cost of the servers in France, and the lack of support we saw from the provider in France...


Many noble efforts fail this way. You are not alone. This is one of those lessons you learn in regards to keeping your audience narrow, and executing on one thing at a time.

It's embittering, hardens the heart, and makes you want to give up, but you've gotta redouble and bust through it.

And by all means, shame the provider if they didn't live up to their end of the bargain.


Would you reconsider naming the provider?


> your arrogance is just stunning.

Sorry if I don’t follow your reasoning, I’m still stuck at this piece of USA policy you seemed to have glossed over:

> Sec. 14. Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

https://www.govinfo.gov/content/pkg/FR-2017-01-30/pdf/2017-0...


"Agencies" refers to parts of the US govt; that is a US govt regulation for its own agencies with respect to its own citizens and the regulation of immigration. It has nothing to do with e-commerce, cloud storage, start-ups, web services, etc.

Just as France accords its own citoyens rights that foreigners aren't entitled to.


Your frustration is justified. Azure/AWS is the entire environment. I don't think you could have implemented the suggested magical suggestion in any relevant or practical way.


Thank you for this response. Calling it a magical suggestion really does feel accurate. I was sitting here trying to think how you would even do this when everything is running on AWS (or Azure).


"Don't make HTTP calls outside of our borders."

"We're not fragmenting the internet."

???


A better wording would be “don’t make calls into jurisdictions that violate our legal statutes”.

Ok, let me make a simple “marvel comics” example: what if all your calls were funneled through “Putin servers” or “Iran cloud” or “People's Liberation Army computers”? Would you mind?

I hear you arguing “but we’re the good guys! We’re USA, flag bearers of Democracy!” but no. Really according to EU law, under USA jurisdiction Privacy Rights are fair game for people like Zuck. The guy that said “I have over 4,000 emails, pictures, addresses, SNS. People just submitted it. I don't know why. They "trust me". Dumb fucks.”

Now, granted: our politicians likely want to stay on top of the consensus forming media, and make sure it’s within reach of their network. Annoying to see all the action moving to a different platform after all the years spent building relationships with the old media, but that’s the business.


I am so delighted I am able to access blog posts from people in Russia or Iran or China. Otherwise, it would be far easier for human rights abuses to exist. (This is somewhat tongue in cheek. My point is that information wants to be free, and we're all better off if there's LESS friction.)

When I found out Parler was being hosted on Russian servers, I immediately informed everyone I knew who was thinking about switching to Parler that it was a really bad idea. And it's their choice whether to use Parler or not.

I think it's great if companies can't hide that they're doing something like routing data through Russia. I think it's pretty stupid to not let someone use a product that routes data through Russia.

I also think that if Facebook stands up servers in France, it'll still be just as problematic as it is today.


This sounds really Americentric. Have you considered that every non-US citizen's PII is fair game for US companies once in the country? As a European I wouldn't want my stuff to be routed through the US the same way you don't want your data going through Russia.


Yeah, it sucks that the US doesn't respect non-citizen data. But TBH I really don't think it respects citizen data either. Consider that Snowden discovered all kinds of ways the CIA and NSA were hoovering up data, in defiance of the law. But did the American people get pissed and force a change in those agencies, and call the leadership to account for disregarding the law because it was convenient? No: they successfully demonized the whistleblower who is still on the run. (Although I will say that excessive snoopiness is a lesser evil than censorship).

In the end, though, there is a high-tech solution here, and that's to migrate to 100% asymmetrically encrypted messaging, at the application level, regardless of underlying transport. This would force nation states to risk large scale hacking of devices, but that's more visible and easier to combat, as long as we remain free to make (and buy) the compute hardware we want to make.


The U.S. doesn't even respect citizens' data half the time. Remember, the Courts ruled that expectation of privacy, and therefore 4th Amendment protections are waived as soon as you engage with a Third Party.


> This sounds really americentric

His whole comment was about how he wants to let traffic route through Russia even though he doesn't like it... but it's really Americentric? Could you explain that point please?


You pay for every invocation of what exactly? Lambda, certainly not Fargate or EC2.

Then there’s the cost of your devs implementing the same feature Azure and AWS already have, which is usually forgotten about.

Also the icing on the cake for Oracle was a contract termination fee. No cloud provider comes close to the Oracle billing nightmare.


Do cloud service providers like Azure not have a way to "pin" some of your service instances to servers in specific countries? Seems like this capability would be important differentiating feature given EU privacy laws about where user data is hosted.


They do, in fact Azure is totally compatible with French law for handling private data. Many large companies use it.


> do you believe no good ISPs exist in France

Nothing comparable to AWS/GCP/Azure.


There are AWS and Azure regions in France.

GCP should open one early 2022.


But they don't count because they're still controlled from the USA.


AWS most certainly isn't, as far as data protection is concerned. An EU entity runs the EU regions of AWS cloud, you enter a contract with that entity and _not_ with the parent and the data is under the EU law.


Is this really true? As far as I know you can be perfectly compliant with EU law by running in AWS's EU regions.


The core issues here are the CLOUD Act and FISA Section 702.

Basically the US government says it gets free access to all data stored by any US company or its international subsidiaries anywhere and that non-US citizens have absolutely no right to any data privacy at all.

However, European citizens do have such a right, and as such, companies cannot process personal information using American subprocessors, because those cannot guarantee to respect the citizens' rights.

For a long time this was all about some contractual clauses between processor and sub-processor: the American subprocessor guarantees by contract to respect the data subject's fundamental right to data privacy.

And then the USA made the CLOUD Act and FISA and all those contracts are no longer worth the bits they are encoded in. American companies are by law required to not respect the right to data privacy and cannot guarantee to respect it in good faith, as they are themselves subjects of a surveillance state.

Now look at how AWS reacted to this problem: they added new clauses to the contract with their European customers, in which they promise to challenge law enforcement requests, especially those that are overbroad.

When EU goes after FAANG like this, it pushes them to position themselves against mass surveillance and in favor of a global basic human right to data privacy. In my honest opinion this fight is very necessary and I can only hope that humanity wins against surveillance capitalism in the end.


Wonderful reason to break up the goliaths!


If you're the EU yes. Not so much if you're the US.


Have you tried Linode?


Linode is also based in the US. Wouldn't it have the same can't-make-requests-to-the-US problems?


The small startup I worked for in Hamburg had a similar problem. They had to run all their infra on premise due to some wording of some of their largest clients and some odd rulings from BaFin.

The colo/managed provider they chose and had been working with for years was nigh incompetent. I was positive that being able to spin up infra in any of the clouds would have been a ton more reliable.


This completely misses the point, the laws shouldn't be written to accommodate businesses, it's the other way around. If fragmenting is a consequence of better privacy laws, so be it.


Laws should be written to facilitate and improve the growth of civilization. This includes practical and fair measures for conducting business.

Imposing byzantine regulations on every webmaster on the planet isn't helping anyone, least of all the European user, who will increasingly be locked out from the rest of the planet.


Depends on your perspective. It might be that American/Chinese predatory service providers are instead locked out of the European market, allowing the breathing space for local solutions to flourish.


If your local providers need the rest of the world to be kneecapped in order to compete, you may want to start with that problem.

The EU consumer will end up with strictly worse solutions and all the rest of the world will “gain” will be the crappy trade-barrier-supported Euro versions of Google and Facebook.


This is a short term view. There's a certain amount of 'activation energy' that a system needs to be able to kick off and become self sustaining. If a giant generalized, subsidized solution already exists PHBs are much happier to spend years trying to knock a round peg into a square hole than take the risk of doing something bespoke for the problem at hand.


Creating an artificially easy sandbox for your local engineers and entrepreneurs by banning the competition will not lead anywhere good. Competing with the best forces you to improve; playing on easy mode leads to stunted skills and inflated confidence - and worse products, companies, and economies.


It isn't banning the competition. It's forcing the external competition to follow the same rules as the locals w.r.t. privacy laws. The fact that the external competition can't comply means that there's a market niche available which locals have an opportunity to exploit.


Businesses exist for consumers. Fragmenting hurts people - European users - in the first place.

I see very few advantages from these privacy laws but I use and appreciate US businesses every day.


So if those businesses utterly refuse to serve consumers then they have no business existing?


They are definitely serving consumers, otherwise they would cease existing. They're not serving politicians and their pet cause of the day though.


What, you don't appreciate a pop-up on every web page telling you that cookies are going to be used? XD


The cookie banners are a byproduct of companies still wanting to abuse your data, when was the last time you saw a cookie pop-up on HN? Logged in or not.


If only there were some way that European citizens could have told their browsers to not accept Cookies, then maybe we all wouldn't have to click on those banners all the damn time.


But I do want most non-tracking cookies.

Still, the "please let us track" popups can be fixed by policy or law, and I hope they are.


If a business pays taxes, and the laws don't take their needs into account to some extent, that's not justice. It's just mob protection with a veneer of legitimacy.

Lots of loaded assumptions there, of course, starting with the first conditional clause.


> You are absolutely fragmenting the internet.

It's not fragmenting the internet; fragmentation is the whole point of the internet. It's (re-)decentralizing something that has been decentralized the whole time, until these gluttonous whales decided to try to eat the whole pie.


So a computer in France can not legally talk to a computer in the United States, but if I instead put that computer in France, I'm legally okay.

And you're convinced that embodies "the whole point of the internet"?


It isn't about "one computer talking to another", it's about where sensitive information is stored. It has never been legal to store classified US intelligence on computers outside of the control of the US government. That's an extreme example, but the handling of many types of information is prescribed by laws in different jurisdictions. Does that mean that US computers cannot "talk" to other computers? No. Does that make the internet invalid? No.

Decentralization of the cloud is a good thing for so many reasons. I think you're deliberately confusing it with your PII issues and not grasping the larger picture.


I think you're ignoring the harm done to small businesses who cannot afford to implement decentralized services.

You are raising the barrier to entry, limiting competition.

Competition is good for so many reasons. I think you're deliberately ignoring the impact on small companies and not grasping the larger picture.


Those poor small international businesses? If you want to do business internationally, it'll be complicated, and that's fine. The internet has spoiled us by making it so easy for a while.


Seems like it doesn't bother you at all if this hurts competition. Or maybe you don't understand that by hurting competition, consumers are hurt? In our case, with a medical product, it was patients who were hurt.


It just shifts competition into new areas that are compliant with the law. If you can't use aws-us-east from france, then AWS is incentivized to build a (compliant) center in france or else lose that slice of the pie to the locals (or to a potential compliant azure center there).

It's always a tradeoff between racing to the bottom and stagnating. Both are bad, both hurt consumers, and this seems like a good balance between them.


So eventually, we'll all just run a full copy of our stack in each of the 50 United States, plus the few extras for cities that have different laws, and then in each of the other 190 countries around the world?

Does that seem like a good balance of needs to you?


If that's what it takes to allow locals to govern themselves independently, sure.

The technical difficulties seem so entirely solvable, in time (and with that competition you mentioned). Right now it's easy to deploy servers across tons of instances. In the future, if we need to, we can build analogous solutions to the problems you're talking about.

And where we can't build our way to easy solutions, that's fine. Those cases are probably the ones where there are legitimate local differences in what's acceptable, and I want locals to be able to decide that for themselves. It's an absurd goal to try to make it easy for six engineers alone to scale to the entire planet.


> It's an absurd goal to try to make it easy for six engineers alone to scale to the entire planet.

That's an interesting assertion. As counter-example to that assertion, [gestures at huge amounts of the internet as we know it, which was started by small teams.]

And I'm not talking about scaling to 7 billion users. I'm talking about scaling to all of _my_ users, even though they live in dozens or hundreds of countries.


Your demand of having users does not supersede my right to have laws enforced in my jurisdiction. That's the point of sovereignty.

If that means I don't get your business and I'm worse off for it, I'm happy to have my laws changed. Or maybe someone else will come up with the same service who does follow the local law.

You're basically discovering something that physical stores have had to deal with forever. Gary's International Store of Chainsaws and Weed knows that it can't sell chainsaws in jurisdictions where chainsaws are illegal to sell from stores. The people of that jurisdiction made the decision that chainsaws should not be sold from stores; Gary doesn't get to ignore that. Instead he has to incorporate the fact that not all stores get the same inventory in his logistics.

If that means Gary refuses to open his stores in such jurisdictions at all, that's fine. The people of the jurisdiction can decide whether they're happy with the outcome and change their laws if they're not.


Gary has every right to object if Indiana says he can only sell chainsaws made in Indiana, as that would be an absurd law.

Forcing me to run servers in France is absurd.

If anything, it increases the attack surface and makes it more likely that private data is exposed.


>Gary has every right to object if Indiana says he can only sell chainsaws made in Indiana, as that would be an absurd law.

He has the right to object in any case. That's free speech. But despite all his objections, he either does his business respecting the law or doesn't do business at all.

It's funny that you think that such a law would be absurd, when laws that require a store to sell locally-produced goods over imported ones also already exist in the real world.

>Forcing me to run servers in France is absurd.

You're welcome to think that. Don't run servers in France then.


> [gestures at huge amounts of the internet as we know it, which was started by small teams.]

Hence my original comment: The internet has spoiled us by making it so easy for a while.


You're absolutely right. Unfortunately, the little guy is more easily accommodated for with leniency during onboarding regulation-wise, and the bigger actors can never be brought to heel if something doesn't go down on paper.


And I think your team did not think through before implementing your product. The GDPR and its consequences have been discussed for a very long time. And the product even managed to get locked into Azure.


> a very long time

What's a very long time to you might not be a very long time to me. GDPR wasn't a draft when the product I'm talking about first launched.

The Azure offering did not exist when my small team needed it.


You are building up a whole strawman here. This is all about sending personal data to a machine in the US, owned by a company, which falls under US law. You don't have to send that personal data to the US, do you? Why would you do such a thing in the first place? Surely informed people would not simply consent to such a practice. And I mean informed. Not just clicking "OK OK next OK" without knowing what actually goes on, just to be able to see the actual content of a website.


It's not a strawman, it was the company I worked for.

We helped manufacture medical devices. We sold a device that took medical images, and then sent the images to a server. The server would do tons of processing on the images, and help manufacture a medical device custom to the patient.

We ran our servers in the United States.

We could not sell our product in France, until we stood up servers in France to store and process the data.

Why would we do such a thing? To provide excellent healthcare to people. Even ungrateful French people. Our product was lower cost and higher quality than our competitors, with better patient outcomes.

What monsters we were for running our servers in the U.S., right?


Why are you so shocked that people want to assert control over their medical data? This is the crux of the problem. You're being absolutely incredulous that someone has a say in data that is about them.

Other people exist and have rights. It's about time that people assert their rights over data that is absolutely consequential to their lives, instead of being tiny pawns of companies who treat them like a highschool science experiment with live ants.


You either trust my company with your data, or you don't.

The idea that storing your data, encrypted at rest, on spinning rust platters inside your country somehow makes it safer than storing that same data, encrypted at rest, on spinning rust platters inside my country, is bizarre to me.

But that's fine. I think giving you the choice makes tons of sense. I'm not saying France should have a law forcing all data to be kept in the US. I'm saying it's bonkers that I cannot offer a product in France that happens to store data and process data on a server in the US. Even with a waiver. French citizens do not have the right to let their health care information be stored on a server in a different country. (As I understood the laws, at least - perhaps our legal representatives were misinformed.)

If you want control over your medical data, then I'm sorry, none of the existing tooling does what you should actually want it to. It should be stored on systems you designate. Not on some lowest-bidder French server that has unknown security practices.

It's amazing to me that you're lecturing me about other people's rights, when you're literally denying French people the right to buy my product, unless I meet some ultimatums. I'm not denying them, you are.

And you talk about consequential to their lives? My product lowered costs and had better patient outcomes, and we couldn't sell it. Maybe try a different argument.


It is kind of a strange idea in the first place, to store medical data outside the country, in a country like the US. I don't know if any country with good data protection laws would allow such a thing. I find the idea, that this could be OK for patients to be weird. I surely wouldn't want my medical data put onto US servers, likely without even knowing, because the hospital staff does not know themselves and not telling me either. Maybe even worse being put to the choice of having some equipment used on me, which automatically shares that data to the US.

At some point in your project there seems to have been a time, when such basic questions of consent were overlooked and later you paid the price. Your intentions may have been nothing but good, but I for one am glad, that such practice was not allowed to happen.


You're in country X, and the top radiologist in the world dealing specifically with your disease process, is in country Y.

Walk me through exactly what you would like to happen.

If you think the best outcome is that only radiologists who live in country X can look at your medical images, then please really think about what that means for under-developed countries.

Please also think about the fact that people have medical imaging exams 24 hours a day, and think about where radiologists live and sleep.

The next time you get a CT scan and have to wait 4 days for the results, you'll know that your hospital system doesn't have teleradiology.

We absolutely understand patient consent, and then France started establishing laws that denied patients the right to consent to having their data transferred to the US. (As I understood our legal representatives, at least.)

(For the record, in case it's confusing to anyone following along, I worked on half a dozen different medical products in my career, in different companies, in different parts of the body, in different modalities, etc.)


I think that is the crux of the whole thing. You cannot assume, that any randomly selected patient can actually make an informed decision about consenting, when being asked, because people in general are not so informed about these data decisions. Getting informed properly can already take 4 days or more. So what you win on one end you lose on the other end when asking for actual consent.

My guess is, that they want to avoid the situation entirely, in which a doctor (or other people in the hospital or other institution) has to ask the patient for their consent for such a thing. It would come down to things like framing, for example: "The best people for x are in country y.", which might be true or just opinion of that doctor. There are issues with this:

(1) Usually the doctor is not informed about these data protection issues themselves. Usually the doctor did not also graduate in some mathematical / statistical / data science subject or following along the various data protection scandals. Most of the doctors probably have other things to do. Just like the rest of the population is mostly not well informed.

(2) We probably don't want a situation, in which the doctor dangles a carrot (the best people are in country x) in front of the patient, luring them into consenting.

(3) Doctors want to get their work done. They don't want to have to ask every patient for consent for things outside of their own expertise. Even if you transfer the paperwork to someone else, who will want that additional workload? Also the people going to a hospital might not want to have to deal with that stuff.

(4) What is the legal side of this? For example say you send data to the best experts in another country and you get a misdiagnosis and operate based on that. How does this work?

I think it is possible to keep data generally in France for example and only have the experts look at the data via conferencing tools. Then the experts can be made aware, that obviously they may not share any of that data with anyone and that they can only look at it, while it resides in France. For that we need a secure conferencing system, which is not run by big corp living off selling data directly or indirectly. We need capable tech people in the right place to set things up. We might also need computer literacy on higher levels for the experts.


You were transferring DICOM files out of country? Madness. That's identifiable medical data.

Tell me you were at least running anonymisation software in hospitals before you transferred?


Nope. This is a common practice in some huge businesses. Teleradiology.

We don't do it for fun. This is a part of patient care.

Radiologists awake in Australia can read images from the United States. It saves lives.

The radiologists are licensed and certified in the hospitals and states.

And by the way, if I get a CT scan of your head, I can trivially reconstruct your face. Might even recognize you with it.

If you want to freak out, medical records are sent by fax machine ALL THE TIME.


Thanks for the insight about this. It does not make me personally feel better about this situation, but it adds some to the general picture.


Under which laws, please provide them specifically, was this not possible to do in France with data being processed in the US?

I am truly interested in this since I am in EU and use Azure for similar processing.


I wish I had it for you. I'm a developer, and I don't work for that company any more. Our legal representation came in and explained it to our upper management, who assigned projects to us. I don't know the regulation.


This sort of regulation is not new when it comes to health data. I'm actually surprised storing medical data outside the country was legal in France at any point, I don't think it would have been in my country.

So blaming the GDPR and new rules, seems a bit weird in this case.

Now, consumer protection regulation is always a balancing act. And most consumer protection laws will hurt some companies that didn't actually do anything bad. That doesn't mean I don't want any regulations. Particularly when it comes to healthcare.


Sorry, I'm talking in general, not specifically about GDPR and new rules. The whole trend stifles innovation because it's literally a barrier to entry.

And my real concern was people who want that cake, and also want to pretend they're not "fragmenting" the Internet. I wish people would call it what it is.


> would take weeks of vacation with zero support for us

Heh. Something tells me a devops engineer in France has way better work-life balance.


You'd think a _team_ of them could provide 8/5 (8 hours a day, 5 days a week) service...


The internet was designed to be resilient in the face of nuclear war. If it can't handle governments that actually protect their citizens from predation by multinational corporations, then we should rethink some things about the direction that we've taken with it.


Sure, so, let's say that France decides that HN info is PII.

So then Hacker News has to launch servers in France.

And then French HN users are in an island, and only see other French HN users' posts and comments.

And, to be clear, you think that's a good thing?


I don't think that's what's happening here. This is about a French company being disallowed by France from selling French citizens' data to a US Company.

Maybe this decision makes France toxic/favorable to certain kinds of business--much like how many privacy companies operate in Switzerland because the Swiss government is less likely to snoop than certain others, or how advertising companies operate in the US because they'll let you do whatever you want to their citizens. So yeah, fragments.

But you as a user are free to opt-into any fragment of the internet that will have you. If your government wants to stop you from doing so you should either take it up with your government or circumvent those limitations.

I don't particularly like the kind of fragment that France is creating here, the notion that data has a physical location in space strikes me as a rather shaky one, and I think policies following therefrom are likely to create convoluted architecture that exfiltrates the benefits of access without exfiltrating database instances (I've written enough code that tap-dances around the GDPR to know). Since I'm not trying to start an ad supported business in France, though, I'm happy to respect their right to come up with whatever weird policies they want.


Do you think it would be difficult to allow the different HN servers to federate their content across regions?


Would it be impossible? No. But would it be, say, 5x the amount of effort to build and maintain a federated system with no data stored across boundaries? Probably.


In what way is a French resident protected if their data is stored on a server in France but can be federated to other countries?


Difficult? Not so much. Demanding yet another great firewall on the other hand sounds absolutely atrocious to me.


To be clear, you are underestimating the population size of European countries, as if it would be a drama to lose HN or simply fork it.

I love hackernews, but there’s way more world out there to discover.

This is protecting EU citizens from US companies having a free lunch on their data.


How on Earth did you conclude that I am underestimating the population size of European countries?

I enjoy communicating with all HN users, across the world.

If we each had to use only our own country's fork of HN, we wouldn't communicate with each other, and that would be a bad thing.


At last someone admits it outright - you want the EU to be an island, walled off from the rest of civilization, and perhaps also reality


Quick question: was there a reason you could not use Azure’s region support? https://azure.microsoft.com/en-us/global-infrastructure/geog...

Or was it before Azure had that? Looks like they’ve had it for a while, at least back to 2009 or 2010.


France, Year Opened 2018, is what I see on that page.

This was impacting us in 2014 to 2016, as I remember.


Looks to me like the regulations did exactly what they were designed to do, and Azure implemented support for the EU market. The goal of these regulations is not to make things harder for companies trying to publish products in different regions, the goal is to get the big platforms (AWS, Azure, GCP) to implement systems that are in line with EU privacy requirements.

I'm sorry your business was impacted during the period where the regulations came into effect and the big platforms did not have compliant services ready. It would have been better if the negative externalities of these regulations would be entirely carried by the big platforms who are responsible for consumer privacy in the first place.


However, all the GDPR requirements entered into force just in May 2018?

But in any case, the point is that the issue is solved without changing the laws or people having to switch cloud providers, as simply the global cloud providers have started offering compliant services.


The fragmentation is acceptable since the alternative for non-US citizens is to be treated as "free game"?


It's very interesting if limiting how companies are allowed to track, store and sell private information would be the central issue which the internet will fragment around. It's almost like tracking, storing and selling is the center of the modern Internet, rather than protocols like tcp, udp, https and so on.

In the past people said that the Internet was made for porn. Today the Internet is seemingly made for advertisement and surveillance. It's not strange that so many people who worked in this industry for decades are feeling a bit lost in this new horrifying industry, which if the Internet really is made only to do advertisement and surveillance, I honestly think humanity is better off without it.


The internet is a tool.

You should support companies with the best behavior.

I worked at a company that enabled a radiologist in one country to do a preliminary read of a CT scan performed in another country.

Cutting the amount of time for a CT scan, and even connecting a CT scan with a radiologist who specialized in that particular kind of scan, we saved lives.

And yes, there's also furry porn.

It's a tool.

I feel like I'm trying to convince you that BOOKS are good, despite the existence of hentai.


Could that company exist if it wasn't allowed to use advertisement or sell private information? In the past I would say yes without question since there is nothing inherently in connecting a CT scan with a radiologist specialist that requires Google Analytics. Nothing at all.


The solution to this is to get your government to get its shit together on privacy. This is just a defensive act by the Europeans and to blame it on them is victim blaming.


> We had PII on Azure.

So why didn't you use Azure resources in Europe instead of "some crappy provider"? Sounds like you made a rod for your own back. If our clients are happy with Azure (in the right region) then I can't imagine many in the EU (other than perhaps national security services and their suppliers) reasonably refusing to allow use of it.

We host in Azure for some pretty significant financial organisations, mostly UK based but spreading our area. Some companies are requiring us to fully host in Azure DCs in their region, and some of those are Eastern, not UK/EU, based companies. At least one US interest that a friend's employer supplies demands data about its employees be hosted over there rather than over here, presumably so they can be assured it is kept to standards they are locally required to follow. Is it wrong that way around in your book too?

It isn't as easy as having everything in one region of course, but not much harder nor massively more expensive (caveat: most likely, as far as I know, I have the luxury of ignoring the bits that don't interest me and money is often one of those things, but I'm also senior enough that if there was something expensive happening, or something not happening due to expense, I'd catch wind as it would affect things I need to plan around) and it can't be as faffy/costly as using different providers in each territory.

If you are correctly following relevant regulations everywhere this does not fragment things any more than other rules that already existed. Aside from the fact things are being enforced this time, forcing companies handling PII to not quietly do things wrong because it is inconvenient to do things right. As an individual I'm perfectly fine with this.


Microsoft has set up a fully independent data center and business in Germany just because of this:

https://news.microsoft.com/europe/2020/09/30/our-commitment-...


Unfortunately, that didn't exist for us back in 2016, and our product is no longer in development.


So your argument is out of date and no longer valid.


I like the hot take but it speaks to the bigger point. The dual stack didn't kill the business, nor did the privacy law.

The company failed - it is what it is, and it sucks for the team - but you can't blame the EU protecting privacy/rights for bad business.


Standing up a second stack certainly didn't help. And who knows what the opportunity cost was.


Right. All I have to do is to stand up two complete copies of my full stack, and support both of them. There's no way that adds extra burden to me. My argument is completely invalid. Thanks for explaining that to me.


If you want to sell in two different countries don’t you have to comply with two different legal codes and support both of them?


The purpose of laws is to protect and govern their local citizens. I would hate to live in a world where a law does not get passed because of an argument like "but imagine how much work developers will have to do to follow the law!"


Agreed. But the internet is already fragmented. Each country has its own laws and other countries have no reason to follow them. All kinds of content are accessible only in certain countries. It's also true for physical goods. I'm not sure why it's a problem.


I feel your pain but as an argument in this discussion it doesn't work. Your problem was in 2014 and Azure works just fine now.

It took some doing which was the whole point. The local provider even got a chance to match the offer.


You do realize by the same logic this inspires competitors to innovate...


So pass the cost of doing business in France on to the French.


Sounds like the market in France is ripe for disruption.


company stooge.


Sorry!


I'm a busy man, and making a laughingstock of you can take time, but everyone needs a hobby.


I think fragmentation and looking after one's interests aren't even opposites. Analytics in particular seem like a very lopsided value prop: the American entity (Google) stands to gain from collecting analytics but doesn't really provide a perceivable equivalent value through the analytics service to the affected parties (EU consumers) in return, as you'd normally expect in a fair trade policy between two countries.

Looking at it from this angle, it seems perfectly reasonable for the EU to dislike the specifics of the analytics use case while still being ok with something like Google Docs.


> lopsided value prop

But that's not what CNIL is basing their decision on: "The CNIL concludes that transfers to the United States are currently not sufficiently regulated...Indeed, although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services."

I probably don't understand the legal issues fully, but it seems the worry is that US intelligence services may be tapping the lines and databases of Google, may have agents working at Google as badged employees, or may be able to subpoena Google (or any US service provider). [for the record, I wouldn't doubt if all the above are true]

I don't see how Google Docs is less susceptible to Google tracking user activity (and by extension US intelligence).

> "CNIL recommends that these tools should only be used to produce anonymous statistical data"

So the tools are not anonymous because the request headers of the client are being logged and used to identify a session, along with what resources on the site were accessed in that session.

Any site operator has this data on their visitors.

CNIL doesn't want sites hosted in France to be making client-side calls to services provided by Google (whether analytics, fonts, etc) or theoretically any US-based service provider because the client request will be logged by that resource host and open to access by US law enforcement? Do I understand that correctly? What's the solution? A site builder can't let web clients make direct calls to any resources in the US? That seems... sweeping, profound, surprising, impactful. Have fun with that.


> because the request headers of the client are being logged and used to identify a session

No need to dig so deep: IP addresses are considered private information under the current EU law, meaning that just opening a client-side connection somewhere leaks that data to that somewhere.

> I don't see how Google Docs is less susceptible to Google tracking user activity (and by extension US intelligence).

There is none. The difference is that the website studied in the ruling was not including resources hosted at Google Docs, and hence no mention of it. If the site embedded or directly linked to a google docs document the same reasoning would have been applied.

> CNIL doesn't want sites hosted in France to be making client-side calls to services provided by Google (whether analytics, fonts, etc) or theoretically any US-based service provider because the client request will be logged by that resource host and open to access by US law enforcement? Do I understand that correctly?

Almost. They don't want any calls prior to explicit user acceptance.

> What's the solution?

For fonts/images required to load the page, use EU-based hosting facilities. If you want to link to a google docs document, a youtube video or something like that, ask the user before following that link.

> That seems... sweeping, profound, surprising, impactful. Have fun with that.

It is, I don't think anyone is denying that. There are several things that may happen here:

1. US tech companies take it as common practice to spin off EU-based companies that are not subject to US law and store everything on EU soil. When they don't, EU competitors pop up and EU companies use those.

2. The US passes laws that offer EU-level protections to both their own citizens/companies and (at least) EU-based citizens/companies.

3. The EU backtracks on this by adjusting their current laws.
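
The approach described in the comment above (first-party or EU-hosted resources load immediately, anything else waits for explicit acceptance) can be sketched as a small gate; this is an added example, not part of the original post, and every hostname, category and resource in it is constructed for illustration.

```javascript
// Added example: hold back third-party requests until the visitor consents.
// All hostnames, categories and resources below are constructed for illustration.

const PAGE_URL = "https://www.shop.example/";

// Hosts operated by the site itself (or its EU-based hosting).
const FIRST_PARTY_HOSTS = new Set(["www.shop.example", "static.shop.example"]);

const SAMPLE_RESOURCES = [
  { url: "/css/site.css", category: "essential" },
  { url: "https://static.shop.example/fonts/body.woff2", category: "essential" },
  { url: "data:image/png;base64,iVBORw0KGgo=", category: "essential" },
  { url: "//fonts.cdn.example/css?family=Body", category: "fonts" },
  { url: "https://analytics.vendor.example/collect.js", category: "analytics" },
  { url: "https://video.vendor.example/embed/abc", category: "embeds" },
];

// True when fetching `url` opens a connection to a host outside the allow-list,
// which by itself discloses the visitor's IP address to that host.
function isThirdParty(url, pageUrl, firstPartyHosts = FIRST_PARTY_HOSTS) {
  const resolved = new URL(url, pageUrl); // handles relative and "//host" forms
  if (resolved.protocol === "data:" || resolved.protocol === "blob:") {
    return false; // inline content, no network request
  }
  return !firstPartyHosts.has(resolved.hostname.toLowerCase());
}

class ConsentGate {
  // `load` performs the actual fetch/injection; in a browser it would create
  // the <script>, <link> or <iframe> element for the resource.
  constructor(pageUrl, resources, load) {
    this.pageUrl = pageUrl;
    this.load = load;
    this.granted = new Set();
    this.queue = resources.slice();
  }

  // Load everything currently permitted; keep the rest queued.
  flush() {
    const loadedNow = [];
    const stillPending = [];
    for (const res of this.queue) {
      const allowed =
        !isThirdParty(res.url, this.pageUrl) || this.granted.has(res.category);
      (allowed ? loadedNow : stillPending).push(res);
    }
    this.queue = stillPending; // each resource leaves the queue exactly once
    loadedNow.forEach((res) => this.load(res));
    return loadedNow.map((res) => res.url);
  }

  // Call on page load: only first-party and inline resources go out.
  start() {
    return this.flush();
  }

  // Call from the consent dialog's accept handler for one category.
  grant(category) {
    this.granted.add(category);
    return this.flush();
  }

  // URLs still waiting for consent.
  pending() {
    return this.queue.map((res) => res.url);
  }
}
```

Auditing a page against the same allow-list (running `isThirdParty` over every resource URL it references) shows which requests would leave for another host before any acceptance has been given.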


Perhaps it's a fragmented internet that is best aligned with our own interests.

I, for one, would really like to have more fragments to explore.


For me it's philosophically reminiscent of the Berlin Wall or the Chinese Great Firewall. Personally, my knee-jerk reaction is that it threatens certain freedoms, but I am also a liberal raised with a Western education.


I guess I'm seeing more like a huge swath of farmland growing a monoculture for export, versus the same land being used as a patchwork of different crops based on the various farmers' tastes and relationships with their neighbors. The latter is more likely to change gradually as the climate and the needs of the people around it change, while the former is prone to changing all at once, perhaps unexpectedly.

People's ideas about how their technology should serve them will change over time. I don't want to have to overthrow the old internet before we can try something new, I want it to grow with us--the parts that aren't serving us die off, the parts that address new challenges flourish. If it's all one thing, subject to one set of rules, that doesn't happen.


>I am also a liberal raised with a Western education.

Lucky you.

We need more Western education, not less, which is why fragmentation is a bad thing. My country of birth - in Africa - is aligned with the formerly communist nations; if they had to opt-in to a fragment, it wouldn't have been to the Western one. I might have never been able to emigrate.

Fragmentation seems like a leap backwards in time and a slap in the face of the promise inherent in the free flow of information.


> We're not fragmenting the internet by looking after our own interests.

Of course you are. This is the only possible outcome of any attempt to impose national rules on an international network. Instead of one global network, we'll end up with several local ones.

The internet is among the most incredible achievements of humanity. I'm glad I got to experience it before they destroy it. By now it's only a matter of time.


This is a great response to OP's comment.

At the end of the day we should be doing what is good for the People and somehow it's always assumed that they will/should be the ones impacted when policies like these are enacted.

But Europe has leverage here - I don't think Amazon would want to miss out on a giant market base out of some moral principle and there are probably other levers to be pulled here to encourage that.

Anyway, not adding much to your comment other than kudos.


> On the contrary, it only forces those providers to have a European presence.

All the big cloud providers have presences in Europe. What am I missing here?


Nothing, this is now a solved problem. The EU didn't want the entire internet being hosted from the US. They designed policies to force hosting within EU countries. It happened.

The only people still moaning are Americans and hold-outs like Google refusing to move data.


> On the contrary, it only forces those providers to have a European presence.

If the EU has this much power to regulate operations that happen in America, then imagine how much worse it's going to be if you relocate your operations to the EU? In that case you actually become one of their subjects, rather than simply recording information about their subjects.


Wow

> Agencies can snoop on non-US citizens but shouldn’t snoop on US citizens

and they went and snooped on US citizens anyway.


If by those providers you mean Google, AWS etc. then that might not solve much. As subsidiaries of American corporations they would be obligated to hand over data to the parent corp, especially if the US DOJ required it.

I think the only solution would be for them to not collect and store data from GDPR jurisdictions that would violate the GDPR if they were forced to hand it over to the parent American corp.


No, the subsidiary would be governed by European law, and would be prohibited from handing data over to either the US parent company or the US DOJ if that violated GDPR.

The US parent company could not compel the subsidiary to violate the law of the region it was located in.


Yes, I suppose you're right, at least so long as they actually host their data in the EU.

But what happens when senior data scientists at Google want to do some analysis? Each dataset for each global region can't remain fractured from each other. The subsidiary may not have to hand it over to the US government but does the GDPR prevent data from leaving the EU zone? If not, then local copies in the US would be exposed.

I think there would be a lot of loopholes that needed to be closed. "Will be" a lot might be the better choice of words if France's decision becomes guiding legal doctrine in the region.

I don't think Google would willingly give up that data either so they could be forced to change their practices to at least get that which is allowable under EU law. And I don't want to get too slippery slope in this, but that could mean privacy-minded services begin using servers in the EU as an added layer of user privacy.


You're making the mistake of assuming that "something can't happen" if it is inconvenient for the business. The convenience of the business is irrelevant - it must operate within the law.

And yes, GDPR prevents data from leaving the EU zone if there is then a possibility that GDPR could be violated. That's the crux of the recent court cases in Austria and France. You may not collect GDPR protected data if as a consequence of that collection there is a reasonable prospect GDPR will eventually be violated by ANYONE.

For your example case, all initial data processing would have to physically occur within Europe, performed by a subsidiary not subject to US law, and only after they had reduced it to aggregate data that could not be reverse engineered to get GDPR protected data would they be permitted to export it to America.


the EU is shrinking in importance in terms of the world economy [1]

another 20 years and companies simply won't bother with it at all

[1]: https://fullfact.org/europe/eu-less-important-world-economy/


It's at 15% and forecast to go down to 12% by 2030. Also they're raising hell for corporations in the form of regulations and taxes. Why would any entrepreneur even bother?


> On the contrary, it only forces those providers to have a European presence.

It’s interesting to see the pattern here: if you can’t innovate, regulate.


Whine and fine


> like AWS, Azure, Mailchimp, PayPal etc [...] No cloud services, no Office 365 or Google Workspace.

Maybe an unpopular opinion, but imho AWS, GCP and Azure are popular with startups because of their generous free credits, not because they are good tools for startups. As a startup you are typically better served by a DigitalOcean-level of complexity, and there are plenty of such offers in the EU (Hetzner Cloud, Gridscale, OVH, etc)

For Mailchimp you have plenty of competition, some of it in the EU (SendInBlue and Mailjet come to mind).

For payment processing there are also plenty of offers, Adyen is probably the biggest European alternative but there are countless smaller ones.

Microsoft Office 365 can be replaced by (shocker) Microsoft Office (the offline version). But most of your documents probably don't even contain PII and would be fine in Office 365 or Google Workspace. The exception is obviously email, but the market is flooded with email services from any country you like (and your preferred hoster probably offers an email package too).

So I'm not really sure what part of the ecosystem we are missing here? European companies often have the smaller advertising budget and mindshare, but it isn't like they don't exist.


> As a startup you are typically better served by a DigitalOcean-level of complexity, and there are plenty of such offers in the EU (Hetzner Cloud, Gridscale, OVH, etc)

As an actual startup founder who started as a 1 man startup, strongly disagree.

Spent maybe $200 a month on Google Cloud, got an actual production ready cluster. Scaled up to Millions in revenue, never had to deal with any Linux Server admin BS.

More time on business, less time on Linux Sysadmin.


> never had to deal with any Linux Server admin BS.

Oh, you just had to deal with a different flavor of BS. Or you were lucky and everything just worked out for you (but why Google Cloud and not some PaaS like Heroku, so you don't have to deal with cloud infrastructure/servers BS altogether?)

I've been both a system administrator, managing GNU/Linux and FreeBSD servers in the ancient ages, and DevOps guy doing all sort of stuff in the clouds. The complexity is still there, it hadn't disappeared in some magic cloud pixie dust, even though sales would wanna tell you that fairy tale. But here's the thing - you never get to dive into those waters (or hire someone to do it for you, be it an employee, contractor or paid support) unless shit hits the fan and forces you to.

You must've cheerfully walked through a minefield and haven't stepped on and even seen any mines. Honestly, I'm happy it worked that way. And hopefully, this minefield is sparse enough those days so you're a rule not an exception - I don't have meaningful statistics. It would be actually interesting to run a poll or something. I just happen to have seen a few companies/people for whom clouds weren't all unicorns and rainbows.

And as for the flavors - it just happened that you knew how to set up stuff in Google Cloud. Had you happened to know how to spin up a simple instance on Digital Ocean instead and gone that way, and been lucky enough not to encounter any serious issues, it would've been the same painless experience, just a different flavor.


My server load was not the size where I needed 20 dedicated servers, but far too much for Heroku. Just running a 120 core 24/7/365 on Heroku is like.. all of my revenue. (Vs 1% on Google Cloud and maybe .1% on Hetzner).


100%. The hidden part here is "DigitalOcean-level of complexity" is actually "DigitalOcean-level of features."

The big cloud providers have a variety of offerings of different complexity. Using GCP as an example: want k8s with all its flexibility and complexity? You have GKE. Want to still run containers, but abstract away all the cluster resource management? CloudRun. Abstract away the container itself? CloudFunctions. AWS has EKS, ElasticBeanstalk, etc.

I understand people get overwhelmed the first time they're dropped into the console of these cloud providers but really it just takes a bit of reading to figure out what you should/shouldn't care about. And the benefit of doing so is enormous.


Disclaimer: Anecdata

Privately I host nearly everything on a shared host in Germany (that is everything I can host without sudo) [1].

For company policy reasons I must absolutely use AWS or GCE.

For an internal project I need to set up Matomo. Something I did thrice in the last few months on [1].

OK login through SSO into AWS. Look around, ask Google, find the bitnami image, click a few buttons. Done. OH shit. Now I need to somehow make it publicly available. OK. Google again. Ah this is the way. A few hours of reading and clicking later I have a publicly reachable Matomo instance. Oh hey. It warns me that it is not SSL encrypted. OK. How to do Let's Encrypt? Google again with my second batch of coffee (or was it the third). Found an easy way, just enter a command in the shell. Oh hey, how do I get my ssh pub key into my EC2 instance?

Damn the day is nearly gone and I have yet to deliver this tangential asset to an internal project while killing my CCI (how much I am booked on client work) for something that the first time took me 30 minutes with the great documentation from [1].

To me as a meager Data Analyst the complexity of cloud offerings is a nightmare. And the documentation is written for other echelons of tech understanding most of the time.

[1] uberspace.de


If you’re a data analyst, then of course infra and sysops activities on cloud seem complicated. I’m sure a sysadmin could run/write sql, but would find the rest of your domain complicated too.


OVH gave us a home. Enrolled us in the Startup Program. Gave us support and a hefty credit.

Managed K8s. Openstack.

When we started paying for it, it was still cheaper than AWS.

Just because AWS is the default, does not mean you should use it.


Was that before their datacenter caught fire and their customer servers were lost or after?


Yes, OVH experienced a force majeure episode. I didn't follow exactly how the compensation was rolled out. I know it was messy. I am not going to defend their actions, I am sure they could always handle this better.

Disaster recovery planning is a practice we should all adhere to. Hindsight is 20/20. Not trying to be a smartass. I know it was painful for a lot of folks.

At the same time, unless you paid for managed service with clear SLAs, then responsibility is yours.

Cloud is just someone else's computer.

FYI: we started with OVH before the fire


When I started, no other providers had the K8s features I needed.

Still prefer Google, as they are the OG for k8s.


And power to you. You did what you thought was best in your circumstances.

Today circumstances have changed. If you need a hassle-free scalable DB, then AWS RDS might be your best choice. Maybe.

If you need open standard IaaS, well, there are a ton of options.

Even before K8S, you had an option of Openstack with Ansible. Yes, a very different beast, but still much _simpler_ and _cheaper_ than stocking up on a large number of IT professionals.


We colocate about 20 servers and in any given month, spend no more than 1 person-day's worth of time dealing with it. Many months we spend no time. That includes both sysadmin and hardware. But this requires knowledge that most devs these days probably don't have.

We might spend more time messing around with AWS than our colocated servers.


Right, if you legit need 20 servers then it might make sense for you. I would fit on like 2-3 decent sized servers if I did co-location, and would save not even 1 developer-day of salary...


You can rent 2 to 3 dedicated servers at affordable rates.


Right, but my time is worth more than what I could possibly save at my scale. You have to find the right balance.


I would guess that if cost is an issue then it must also be balanced compared to the potential profits. If your current $200 solution only allowed you to have US customers, while a $300 solution would allow you to have both US and EU customers, which one would you choose?


>I would guess that if cost is an issue then it must also be balanced compared to the potential profits. If your current $200 solution only allowed you to have US customers, while a $300 solution would allow you to have both US and EU customers, which one would you choose?

Whichever one let me pay rent at the end of the month


The US has plenty of customers. If I had to drop EU, I will. It's a nice bonus, but not a core requirement.


That seems good. Someone could copy your business and spin up on the EU market. If it's profitable it's profitable and it's no worry for you. If it's not profitable then the EU market is not large enough to carry the product on its own. GDP of the US is around $25 trillion, and EU is around $18 trillion, and population wise there are around 300 million people in the US and 400 million people in the EU.

Might I ask you what kind of product your 1 man startup has?


I am not 1 man anymore, we grew up a bit. But we are an ecommerce platform, basically centered around the big US marketplaces (Amazon, eBay, walmart.com). Yes Amazon and eBay are in Europe, so we are there.. but no say UK or France specific markets at this time.


Just make sure your BCP plan includes other providers. HN is full of stories where people's accounts are blocked with no reason and without means of effective contact.


That is consumer accounts, not business accounts at GCP. People confuse personal gmail with paid GCP. I have actual reps I can talk to.


Tangential, but assuming you're talking about Listing Mirror? I considered working on a similar product a few years ago, but felt the market was too competitive. Interesting you were able to compete with the plethora of similar services.


Indeed.

Pros and cons to being in a crowded market.

From day 1, you KNOW there is demand for your product. You can look up Channel Advisor and see the revenue. And 20 smaller companies under fighting for the rest.

Cons of course being, you have to figure out how to compete with all of these guys ;)


Working on a consumer SaaS startup and I strongly disagree. A virtual machine on something like DigitalOcean does not provide any of the nice abstractions that something like a Google Cloud Run (or similar on AWS/Azure) provides. The amount of time a cloud provider can save you administratively is difficult to exaggerate. That is from day 1. Should your startup succeed, and you need to scale, the real savings start to kick in since scaling to a large degree is handled for you. Good luck re-architecting your app into a kubernetes cluster and handling load balancing manually while your competition gets all that with almost no effort.


I've worked on so many small teams where dealing with AWS/Azure etc was a huge part of their day, for very very simple products.

I still remember arguing about bloating a web app with a 1mb package from AWS so it could use their serverless authentication offering.

Common theme was using those lambda functions - sometimes paying quite a lot for them - to serve requests that would be twice as fast on the proverbial $5 linux instance.

So yeah, looking from the sidelines it feels like a huge amount of added complexity for small teams, "just in case" they need to scale. Which, given how fast modern hardware is, is way further off than they think.

(unless they use lambda functions for every API request. in which case they better learn to scale in a hurry)


All Office docs contain a GUID that's closer to PII than an IP address.


Can't find any references to that except that each doc has a GUID. A GUID on its own is not PII - just some random number, so are you implying that MS collects every GUID along with author identifiable information?


I just got off the phone with a lawyer to talk about this exact issue.

If the GUID is related to the user (like user ID), then it is Personal Information - EVEN if the GUID is random. The distinction that is easy to miss is that a User ID GUID might be very low risk (compared to, say actual User Id or user name) - but it is still Personal Information.

If the GUID is for the document (and anyone can edit the document), then it is no longer PI.

Of course, all of this ignores things like the contents of the doc. If the doc is "SSNs of my customers", well... don't do that


The free credits are nice, but run out quickly. Azure is expensive, but has a lot of nice tools from key vaults, log analyzers, CDN, databases, pipelines, to firewalls. I mean, yeah, you can implement similar stuff on a DO platform but you're going to be wiring it all up yourself, taking on the liability for keeping it all secure, and providing the warranty for its availability and effectiveness. The value to AWS/GCP/Azure is far beyond free credits. They've commoditized services - it rarely makes sense to pay for in-house expertise in managing those services yourself.

Also, the offline version of Office is going away, to my knowledge. I think the current boxed version is the last boxed version they plan to sell.


I would say that looks at the state of things as they are today, which may not be the case as technology advances. If there's a service that provides a real competitive advantage that is only available outside of Europe, then this might exclude businesses in Europe to innovate and compete.


> Maybe an unpopular opinion, but imho AWS, GCP and Azure are popular with startups because of their generous free credits, not because they are good tools for startups.

That’s a complete misunderstanding of the cloud’s value proposition. The point of the cloud is to have things “just work” so you can spend more time shipping features and innovating. When I see startups not using it and “rolling their own cloud” by being their own sysadmin I question the strategic decision. To me it’s generally a sign that they failed to raise the appropriate amount of capital and are therefore trading velocity and agility for cost savings.

> So I'm not really sure what part of the ecosystem we are missing here? European companies often have the smaller advertising budget and mindshare, but it isn't like they don't exist.

Also because they can’t scale within a mostly unified 300 million market like US companies can, they have to special case and deal with all special snowflake regulations in every small European country they want to serve.

Plus, that’s not even touching on the engineering talent gap.


I'm pretty sure Microsoft 365 is GDPR-compliant and is storing data in whatever jurisdiction you set it up to.

I know we've had a lot of issues with a European company we bought; we're both using Microsoft 365 but they're set up in France. I don't think the IT folks ever figured out how to merge them (even though we probably pay a shitton to MS for support), so those folks keep using their old domain (but we can share documents and whatnot, so at least that's set up).


Stockholm, Sweden begs to differ as they just dropped Office 365 due to Schrems II: https://www.version2.dk/artikel/microsoft-forsikrer-lovlige-... (Danish article)


> we fragment and destroy the entire Internet

I would call fragmenting these things rebuilding the internet. Not sure how consolidating everyone on a few Mailchimp type services is in anyone's interest.


Exactly. If this make European startups build their own ecosystem and provides me with an alternative for the services I use but don't track me, I'm going to switch - simple as. I see this as a win for the internet.


Why limit it to the EU? Shouldn't every country have their own AWS, Azure and Google Cloud?

I think we underestimate just how difficult it is just to replicate existing services, let alone keep up with the innovation.

It's like the Argentinian effort to stimulate its own computer manufacturing by banning Apple products.


> Why limit it to the EU? Shouldn't every country have their own AWS, Azure and Google Cloud?

That is completely unrelated though. The only thing this ruling confirms is that you can not process data of EU residents when you can not adequately protect them due to local laws i.e. the CLOUD act. If your laws allow you to keep the data safe, you can offer your cloud services to the EU market as much as you want. If they wanted to, the US could easily allow companies to guarantee those protections too.

I would not be surprised when, if no solution is found, some of the major cloud providers in the EU end up being e.g. Japanese, Israeli or Canadian.


The EU as a block is pretty comparable to the US, so it wouldn't be that surprising if they came up with their own information infrastructure. I think you've answered your own question: why limit it to the EU? No moral reason, but it is a difficult project, you need a US/EU/China sized economy to have a good chance to pull it off.


> Why limit it to the EU? Shouldn't every country have their own AWS, Azure and Google Cloud?

Careful, there is such a thing as network effect for knowledge. More fractured systems mean more different approaches means less aftermarket documentation means less people being able to work for you.


I happen to be European but with that said, I also get the feeling that many western European HN-users here seem to fancy the idea of having many small local service providers that have challenges providing anything beyond basic hosting.

And that's totally fine, if you think European companies have no competitive disadvantage on the global market to being forced to use traditional VPS providers or build and set up everything themselves. But I imagine it'd be very challenging if other companies outside the EU can go to market faster, deliver better services for lower cost, etc. than their European counterparts because they can use American cloud providers like GCP or AWS.


In all fairness, the faster, better, cheaper argument sounds too much like marketeese to me, and I have not yet seen that effect in real life. You can find dedicated people who are sufficiently good to manage some Linux server infrastructure relatively easily - all while AWS consultancies seem to pop up all over the place like mushrooms after a rain.


It'd help if the United States wasn't allowed to aggressively brain drain most of the rest of the world.


It’d help if the rest of the world tried to aggressively prevent brain drain by making the respective countries more attractive for work.


Or by making getting citizenship something that's attainable in my lifetime. Everyone complains about the US immigration system and of course it's not great but when I came here I kinda knew what the path forward was and how long stuff will take, for a lot of European countries there's no way to ever get citizenship and the path to permanent residency changes every three or four years.


I emigrated to Canada pretty much on a whim (using a fiance visa) and have fared quite well there. We (my partner and I) are weighing the possibility of emigrating again to Portugal which offers a rather reasonable golden visa - with a wide variety of European countries offering "trial" visas for workers under 30 with the most bare of requirements.

As a US citizen I've contemplated getting my wife residency down there and it's simply ridiculous - as are the hoops I'd have to go through to relinquish my US citizenship and that only matters because the US feels entitled to own me even though I haven't resided there for nearly a decade at this point. US immigration, from the working visa angle, is extremely unpredictable and only really estimable if you've got a large corporation with a whole bunch of lawyers to get your back - spousal visas aren't terrible but most come with some seriously onerous lifetime costs to execute (like taking a year off working).

I know there are a bunch of European countries and they've all got their quirks to immigrate into but you can really trivially get an EU passport and then move around within the EU.


In what European country specifically is there no way to ever get citizenship?


Switzerland and some nordic countries make it impossible. Portugal wants me to marry a Citizen, otherwise it's only residency. Luxembourg and the Netherlands wants me to learn their language, which is not something I would need to work there and in my experience visiting neither to be able to live there. It's not great.

On the other hand Italy denied my application once already, after my great grandparents basically left the country because Italy was not defending their town from Germany. They rejected my application because they say my great grandparents were not Italian but Austro-Hungarians. The lady at the consulate was super racist to my grandmother about it, in my face. After that now there's another way I could get my Italian citizenship by birthright by suing the government because of another racist thing they used to do where women were not transferring citizenship.

Again the US is not great but a lot of these things make me feel whatever "racial tensions" I may be a victim of in the US are mostly the media blowing stuff out of proportion, when most of the "racial tensions" I felt dealing with the EU are actual racial violence or discrimination that either me or my family were victims of.


> Luxembourg and the Netherlands wants me to learn their language, which is not something I would need to work there and in my experience visiting neither to be able to live there. It's not great.

That seems like a very reasonable requirement. How can you expect to participate in society, especially elections, without a decent command of the local language?


> How can you expect to participate in society, especially elections, without a decent command of the local language?

By hiring a local accountant and paying a small fortune in taxes? If I learn the language then yeah cool maybe I'll get into their politics thing but it's not that if I don't vote I'm not going to be a productive citizen. A lot of countries let you become a citizen without learning their language, most notably the US.


> By hiring a local accountant and paying a small fortune in taxes? If I learn the language then yeah cool maybe I'll get into their politics thing but it's not that if I don't vote I'm not going to be a productive citizen.

Being a part of society is a lot more than working and paying your taxes.

> A lot of countries let you become a citizen without learning their language, most notably the US.

An English test is required to become a naturalized US citizen. https://www.uscis.gov/citizenship/learn-about-citizenship/th...


Speaking as a US immigrant to Finland (a Nordic country), the citizenship requirements here seem quite reasonable to me. Minimal language proficiency, a civic knowledge exam, and at least 5 years drama-free residency.


I guess Switzerland. Pretty much every other country offers you citizenship after a time.


Switzerland is 10 years and then you need to pass a language and general knowledge test. The contents of the test depend on the region you live. Honestly I don't see it as that ridiculous.


I heard stories that it's still nigh impossible because you need good references from your local commune, and those are really hard to get.

Note: I'm only spreading rumors :)


Well, the exact requirements depend on the canton and commune you happen to be in. If you're in a village in Appenzell Innerrhoden it's going to be more tricky than if you're in one of the more international cities like Basel, Zürich, Geneva etc.


Why are you importing New World thinking to the Old World?


> It’d help if the rest of the world tried to aggressively prevent brain drain

What does that mean? Are you suggesting that countries should control where their citizens choose to work/live?


The rest of the world could also brain drain the US if it was easier to get into. The US -> EU/UK immigrants that I personally know have had a pretty hard time getting there permanently.


I moved from the US to the NL. Love it but I can’t get dual citizenship and getting permanent residence requires knowing the language well enough to pass a test, so why stay? It’s kind of a bummer because my son speaks native-fluent Dutch now. Next up will probably be Ireland.


> Love it but I can’t get dual citizenship and getting permanent residence requires knowing the language well enough to pass a test, so why stay?

Why did you move there in the first place, raising a kid there, when just learning the language is apparently a hurdle too big to take?


Learning the language isn’t the issue, learning the language well enough to pass a test when classes cost nearly €2k a pop is the issue.


To my knowledge to get naturalization in the Netherlands you must have stayed there for ~5 years and the required language level is A2, which is beginner level.

This doesn't sound like a crazy requirement to me. The giving up other nationalities would be a deal breaker for me though.


Well, if you don't even bother to learn the language of the country you want to become a citizen of, then, yes, why stay indeed...


Learning the language to a conversational level as someone who speaks English is exceptionally hard. As soon as a Dutch person hears the accent, they switch to speaking English. Therefore you need very expensive classes to properly learn the vocabulary you’re expected to know for the test. We can stay here forever on our current visa, but I’d rather be a proper resident and be able to take advantage of the entire job market. I’d be happy to pay the money if the Netherlands would let me have a Dutch and American passport. Pre-COVID I didn’t really care, but post-COVID, having a passport to get to my sick family and be guaranteed re-entrance to the US is very important.


They think they are helping by switching to English. I’ve never had anyone refuse after politely asking to switch back because I’m learning.


The language test is incredibly easy, for what it’s worth. It is nowhere near fluent, or really even conversationally competent. It’s things like saying the correct words when buying an apple at a store.


Countries do not own their citizens. If they want their brainy citizens to stay, they should incentivize them.

The US is "allowed" to offer whatever it wants for people to move there.


That's nice for countries and bad for people.


Sounds like protectionism when they can't compete. The EU isn't exactly a shining star for tech development, probably because the culture there kneecaps it every step of the way.


Unfortunately, you will find that they'll "track" you just the same, but provide worse service due to smaller economies of scale.


I already get a lot of "We are sorry, but for legal reasons we are prevented from providing this service where you live" when I'm accessing American websites.

Recent European judgements seem to make it illegal to embed content from YouTube or Vimeo for example.

I don't see how dividing services up by region will help me anyway. I'd rather be able to choose from a few (I imagine there are more than a few at the moment) international Mailchimps than one in EU.


It's not illegal, but it requires consent. Plenty of solutions to offer a video without loading third party code until the user clicks it.


You could also use something like 'embetty' [1] and proxy your users from YouTube, Twitter and the likes to ensure their privacy.

[1] https://github.com/heiseonline/embetty-server
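
The click-to-load approach mentioned in the two comments above, as an added example that is not part of the thread and not code from embetty: the page renders a first-party placeholder, and the third-party iframe is only created after the visitor activates it. The function names and the `video-consent` class are hypothetical; `youtube-nocookie.com` is YouTube's privacy-enhanced embed host.

```javascript
// Consent-gated YouTube embed: no request leaves for a third party
// until the visitor clicks the placeholder button.

const YT_ID = /^[A-Za-z0-9_-]{11}$/;

// Extract a video id from common YouTube URL shapes.
// Returns null for anything that is not an https YouTube link with a valid id.
function parseYouTubeId(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return null; // not a URL at all
  }
  if (url.protocol !== 'https:') return null;

  const host = url.hostname.replace(/^www\./, '');
  let id = null;
  if (host === 'youtu.be') {
    id = url.pathname.slice(1);
  } else if (host === 'youtube.com' || host === 'youtube-nocookie.com') {
    if (url.pathname === '/watch') {
      id = url.searchParams.get('v');
    } else if (url.pathname.startsWith('/embed/')) {
      id = url.pathname.slice('/embed/'.length);
    }
  }
  // Strict id check keeps attacker-controlled strings out of markup and URLs.
  return id && YT_ID.test(id) ? id : null;
}

function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// First-party placeholder: plain text and a data attribute only,
// so rendering it triggers no third-party request.
function placeholderHtml(videoId, title) {
  if (!YT_ID.test(videoId)) throw new Error('invalid video id');
  return (
    `<button type="button" class="video-consent" data-video-id="${videoId}">` +
    `Load video "${escapeHtml(title)}" (this will contact youtube-nocookie.com)` +
    `</button>`
  );
}

// URL used only after the visitor has clicked.
function embedUrl(videoId) {
  if (!YT_ID.test(videoId)) throw new Error('invalid video id');
  return `https://www.youtube-nocookie.com/embed/${videoId}?autoplay=1`;
}

// Swap the placeholder for the real iframe. `doc` is passed in so the
// function can be exercised without a browser.
function activate(button, doc) {
  const iframe = doc.createElement('iframe');
  iframe.src = embedUrl(button.dataset.videoId);
  iframe.setAttribute('allow', 'autoplay; encrypted-media');
  iframe.setAttribute('referrerpolicy', 'no-referrer'); // do not leak the page URL
  button.replaceWith(iframe);
  return iframe;
}

// Browser wiring: one delegated listener covers every placeholder on the page.
if (typeof document !== 'undefined') {
  document.addEventListener('click', (event) => {
    const button = event.target.closest('button.video-consent');
    if (button) activate(button, document);
  });
}
```
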


I feel that the whole point of this is to mimic China’s achievement of driving out foreign competition through legislation.

It’s similar to the UK’s pornography laws being more about surveillance and censorship rather than protecting children.


If you flip the scenario around in your mind.. how would you feel if virtually every site or service you visit scoops up your data and sends it to [China|Russia|...] and hosts all your private data on servers operated by the [Chinese|Russians|...] and are subject to [Chinese|Russian|...] rule and disregard whatever laws your country has enacted? How would you feel if you couldn't opt out without virtually opting out of the entire internet, including all the services your friends and family and local associations & companies use for messaging?

That's how the internet has been. That's how I feel about US tech giants getting all my data. They write their privacy policy, they dictate their terms, they follow US laws. I have absolutely no choice or voice or vote, unless one considers "yo dawg just build your own internet" a realistic choice.

I don't feel like the purpose is to drive out foreign competition. I feel like the purpose is to enforce privacy as a right, and I fully support it. I also fully support the right to transmit data across borders as long as the destination country also respects my privacy and rights instead of treating me as an alien and potential terrorist. Is that too much to ask for?

And in general, is following the rules of the country you offer a service in too much to ask for? Local laws apply to brick and mortar business; if Walmart wants to come to my neighborhood, sure go ahead, but please respect our laws. I don't see why internet companies should be above the law either.

GDPR is replacing rules dictated by US corporations with democratically established rules written by our representatives. It's unfortunate that there's now a clash between US laws and EU laws, but it's not the end of the world.


Simple. If you have a free market, I would just use competing services instead of the "Chinese" ones. No one is forced to use TikTok. If people really wanted a privacy focused service, a new one will arrive. DuckDuckGo's success is an example of that.

imo it's just a thinly veiled protectionist law that will fracture the internet all for the sake of propping up EU incumbents who can't innovate.


Yes it's simple in dreams and an economic theory stuck in an era where a potato is a potato and it doesn't matter much whose potato you buy. Unfortunately the free market tends to be a race to the bottom, for complicated reasons. The market is also not effective nor is it rational, nor is it good at displacing entrenched players and natural monopolies, least of all ones that don't give a crap about ethics. It's not effective against deliberate lock-in and network effects, nor against externalities and exploitation. It's not effective where effect requires individual sacrifice multiplied by millions.

If free market were effective, we wouldn't have needed labour laws to keep people from dying in factories where they work 16 hours a day, we wouldn't need laws to make vehicles safe, we wouldn't be desperately looking for agreements to curb pollution and climate change, we wouldn't need laws to protect minorities against discrimination.. hell, I don't think we'd need laws at all because everyone would just rationally and effectively choose good actors & displace bad actors.

It's a nice fantasy, but it's not one we live in.


The free market isn't perfect, but it's been historically better than centralized economic planning.


I don’t believe your parent is arguing for centralized planning in any shape or form.

Even the US knows rules for markets - it’s never entirely free. European laws just set more rules and give the consumers more rights - something I consider useful where there’s a strong imbalance in knowledge and power between the consumers and the companies offering a service.


> I don’t believe your parent is arguing for centralized planning in any shape or form.

National regulation is a form of centralized economic planning. Is it always bad? No. Is it always good? No.


I'd like to think that there are gradients between opposite peaks.


> No one is forced to use TikTok.

TikTok was nearly forced to sell parts of its operation so it could continue operating in the US, in India it's actually banned.

> DuckDuckGo's success is an example of that.

As good as DDG is, it's not that great of an example as all the background tech there still relies on Microsoft's Bing, which means there is very much a US-centric search engine monopoly in place.

> that will fracture the internet

Maybe the Internet needs fracturing, we've reached a point where a handful of US corporations control the vast majority of the web traffic [0], that kind of massive centralization is the absolute antithesis to what the web is supposed to be and presents a massive filter bubble in-itself.

[0] https://staltz.com/the-web-began-dying-in-2014-heres-how.htm...


> TikTok was nearly forced to sell parts of its operation so it could continue operating in the US, in India it's actually banned.

Yes, that's a great example of protectionism that was reversed.

> As good as DDG is, it's not that great of an example as all the background tech there still relies on Microsoft's Bing, which means there is very much a US-centric search engine monopoly in place.

DDG is not the only privacy focused search service. There are others with their own homegrown search engines. I believe some of them are French. This also reflects consumer demand. DDG is only able to evolve and grow based on how many people want to use the service.


As a counter point - I think it's fair to view the extreme lack of consumer protection laws in the US as protectionism for domestic tech companies. The US has been extremely resistant to roll out consumer protection laws and that's shifted it into being the equivalent of a pacific island nation with extremely lax tax laws - it's the wild west of the internet where all the sane laws don't exist that attracts all the companies that don't want to play by the rules.

The US could coordinate and work with the EU to try and craft laws that span both regions in a unified manner so that businesses can operate more freely but instead they're choosing to subsidize a protectionist agenda by levying a cost on the privacy information of its residents.


> The US could coordinate and work with the EU to try and craft laws that span both regions in a unified manner so that businesses can operate more freely

I love your wording. Regulation mixed with "operating more freely" is oxymoronic. The same can be said with your argument of "subsidizing a protectionist agenda" when you're referring to the lack of regulation and legislation.

> As a counter point - I think it's fair to view the extreme lack of consumer protection laws in the US as protectionism for domestic tech companies. T

The spat between US tech companies and France's ancient media companies is not new. It's very disingenuous to pretend that the purpose of these laws is just to protect consumers.


To be honest, it's really only oxymoronic in a very limited slice of America. It has come up a few times on HN that the definition of freedom varies wildly in different parts of the world. As an example, take healthcare: in the US market driven healthcare might be the freest freedom that ever freedomed - but elsewhere social safeties that allow residents to live the best quality of life they could are considered to be the highest freedom you can achieve. While health issues are a regrettable part of the human condition, a society might want to strive to minimize the amount of stress spent by individuals on particularly bad die rolls by their bodies and fate allowing individuals the freedom to spend their time more according to their wills. Even "free market" US healthcare comes with a number of regulations - I'm not certain if you were alive (and paying insurance) before pre-existing condition coverage was guaranteed but a lot of people ended up unable to even secure insurance in that world, it was awful.

Regulation is a firm requirement to a free market, without regulation of any kind you will pretty quickly descend into authoritarianism as whoever has the biggest stick will just take everyone else's stick. While there definitely are dangers at the other end of the spectrum if you're fanatically at either end you've got to ignore a whole bunch of pretty well known issues.


It’s oxymoronic everywhere based on the definition of the terms, and not just in “limited parts of the US”. It’s Orwellian doublespeak. No amount of mental gymnastics changes that.

> Regulation is a firm requirement to a free market, without regulation of any kind

I agree, but there are lines that when crossed either negate or greatly lessen the overall benefit for most people outside of vested interests.

> you will pretty quickly descend into authoritarianism

Moreover, historically speaking - centralized economic planning tends to devolve into tyranny vs systems with primarily free markets.

This is also much less about protecting consumers than it is about protecting old French incumbents who are unable to evolve.


> Regulation mixed with "operating more freely" is oxymoronic

Common regulation between jurisdictions allows businesses subjected to the regulatory oversight of multiple involved jurisdictions to operate more freely than if the jurisdictions did not coordinate and instead adopted regulations where it was impossible to comply with one without violating the other.

You shouldn't just pick one word from one part of a statement and a two-word phrase in another part and ignore the rest of the statement in order to create your own argument to respond to.


You’re just cherry picking an even worse example of regulation. The core definition of regulation is the limitation of what an entity can and cannot do ie operating less freely. Your argument doesn’t change that


> You’re just cherry picking an even worse example of regulation

No, I’m pointing to the exact subject of discussion, the suggestion that the US and EU, who currently do regulate and do so independently, could coordinate regulation.


Yes, that's the overall discussion, but that's not what this specific sub-thread is about. This subthread was about addressing the strange, oxymoronic doublespeak being used by someone responding to one of my comments. Maybe you meant to respond to a different comment?


It actually isn't oxymoronic though - I like being alive and my freedom to remain alive relies on the regulations and laws that discourage people from murdering me. Regulations aren't the opposite of freedom except in an extremely narrow view - regulations often help to make free markets more free.

This isn't a case of doublespeak at all - it's just that the world isn't a simple place.


This is not an "all regulations are bad or all regulations are good" argument. This is about an oxymoronic statement. I feel that you and previous commenter have trouble differentiating the two.

> regulations often help to make free markets more free.

No. They do not. That's nonsensical. The whole point of regulation is to exert control over something for better or for worse, depending on the situation. That's the exact opposite of freedom regardless of the consequences.

Your analogy is poor because it doesn't mirror the original quote. A better analogy that mirrored the original quote would be, "We need to murder people in order to save their lives." It makes about as much Orwellian sense as saying, "There's freedom in slavery."


> Yes, that's the overall discussion, but that's not what this specific sub-thread is about.

I’m specifically addressing how the statement which branched this sub thread off was, itself, a non-sequitur to the statement it pretended to rebut.


It’s not a non sequitur. It’s a response to a nonsensical argument ie “regulation makes markets more free” It’s oxymoronic.

There are many good arguments in favor of regulation, but that is not one of them, despite all the mental gymnastics being done to pretend that it’s a good argument.


"they follow US laws"

...when convenient.


Perhaps unpopular opinion, but I don't want a fragmented internet, where I have to remember 10 different options for every single service I need to run a startup. Is that really the hill we want to die on?

I have enough things to worry about, I don't want to consider 10 different cloud computing options, 10 different database options, 10 different analytics services. I want to just go with the big popular option.

Heck I'm willing to bet even if more options come up, the most popular option will be some aggregator site that tells you which one to use.


Hear, hear. Good riddance.



Thanks!


>I think we (in the EU) will soon realise the bizarre consequences of these regulations.

Could this not also be said about US regulations such as CLOUD act, Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333?

I don't think it's accurate to solely blame the EU when this is in response to legislation that gives/gave the US access to all types of personal data on European citizens.


> I don't think it's accurate to solely blame the EU when this is in response to legislation that gives/gave the US access to all types of personal data on European citizens.

I would argue that the Americans getting better privacy protections and working with other countries instead of forcing American companies to behave illegally abroad would be a much better solution than the Europeans watering down their privacy laws.

American companies will set up independent shell companies or subsidiaries to serve European customers anyway. Microsoft and Amazon are never going to voluntarily leave a market of 400M customers. Doing so would leave too much room for a competitor to grow and then threaten them. So if fragmenting the web means that Europeans get the same services as Americans, but with better privacy, then I am all for it.

Europeans are to blame for the flaws in the GDPR, not for doing their thing without the blessing of the Americans.


Maybe that's true for the Microsofts and Googles of the world. But for smaller companies trying to provide SaaS or PaaS it totally keeps them from entering the market. So in the end it only increases the difficulty to compete in EU and increases the power of these mega corps.


The recent German judgment was also about subsidiaries. If 'Meta Europe' falls under the cloud act it isn't GDPR compliant.


It’s a simple shell game. Meta US can very well become a subsidiary of Meta Bahamas, and still get licensing fees for its brands and IP from a nominally independent Meta EU.


I agree. Hopefully this is temporary and they can figure out a reasonable compromise. As a Swede I do feel that parts of the EU (with Germany and France) are heading in the wrong direction. Those are not countries famous for their entrepreneurship and it seems like their first instincts in relation to the US are usually protectionist.


I'm also European and I completely agree with you. They're basically taking the whole EU as a hostage to protect their own inefficient domestic companies =(


I can tell you that there's a deep-seated suspicion in the US that for France, much of GDPR's purpose is about enabling protectionism.

The logic is understandable. Surely, if you just get rid of the abusive American monopolies the home-grown companies will take their rightful places... right?


That doesn't seem to be true though. There are multiple countries outside the EU that have adequacy decisions regarding their privacy laws like: Japan, South Korea, Canada, UK, Israel, etc. They can host EU data without issues.

The only reason the privacy shield agreement was thrown out was due to lack of safeguards from US intelligence.

Even without the privacy shield, US companies would still be able to store EU data in a country with an adequacy decision if it wasn't for the CLOUD act. This seems more to do with US law wanting access to EU data.


Critically, they want access for free.

The US does not have to give anything in return to get all the private data from EU they want.

The EU in return gets...nothing.

If you are a politician this is not a great position, you get no money, no jobs and no data.

If they equalize data access, "data sharing" (on an intelligence and on a commercial level) could be a valuable component of future negotiations.


> The EU in return gets...nothing.

The EU gets the services they use....


Of course the users do (and pay for it)

However from a political standpoint that's as good as nothing.


Is there anything restricting US companies from first transferring EU data to a country `A` with an adequacy decision and then transferring that data to the US (assuming `A` allows this)?


I wouldn’t worry too much about AWS or Azure. When AWS realised how much money the European Public Sector spends on the public cloud a good few years back they went from being behind Azure in terms of compliance to now being ahead.

I’m Danish and as we’re a notorious Microsoft country I have the most experience with everything Azure, but the fact that Amazon was so quick to ensure that 100% of the workers who ever come near the services they sell within the EU are EU citizens is something that we still look somewhat envious toward. It’s actually an area where Microsoft might eventually run into some trouble if they don’t work on their compliance but I can certainly understand how it’s hard when one of their key selling points to Enterprise is that we can call Redmond.

I don’t think the EU will get into much trouble over this, however, and I don’t think it will have too much of an impact on our tech industry. I do agree that it’s not likely to help European alternatives to Microsoft or Amazon, but that’s not exactly the point of the legislation, is it? It’s there to prevent EU citizens and our personal information from becoming the primary commodity that is sold between giant companies.

Advertisement companies like Google will no doubt struggle with this going forward, but is that really a loss for anyone?


> but the fact that Amazon was so quick to ensure that 100% of the workers who ever come near the services they sell within the EU are EU citizens

Uh not sure what you're referring to but that's not true. The only airgapped region w/ enforced citizenship was for US citizens in GovCloud.


Shaking up the current situation doesn't seem to be an entirely bad thing. As it stands, the majority of the internet is depending/residing on datacenters provided by a handful of companies. I'm not sure that's a good thing.

Building satisfactory alternatives to Office, Workspaces etc. isn't a monumental task by any stretch. With the sudden demand that you predict, they'll spring up like weeds.

This might be ham-fisted and crude, but in the end I see a lot of positives.


If replacing Office / Workspaces is not a monumental task, why are there only two good options? Workspaces is only just becoming a viable replacement for enterprise because pivot tables are hard.


A big reason is that competing with them on equal footing is a monumental task. You are working against network effects, heavy duty marketing, integrations into other products and a whole army of developers.

Developing the product itself isn't the reason.


But network effects and marketing are irrelevant for products that can't be used in your country because they violate local laws. If some Google product can't legally be used in the EU, then it has zero network effects there and Google wouldn't waste money marketing it there.

Also, the competing EU-based service might be strong competitors to the ones in the U.S., among people like me who are privacy conscious. I don't use Google services, but I'd be happy to consider using GDPR-compliant services based in Europe.


I think you misread the comment thread. You are just restating my point. I agree with you. I was talking about the current (previous?) situation, where US and EU companies are on equal footing on the european market.


The big companies buy the little companies as soon as they look like they may be a threat. It’s not monumental or hard to compete with them.


I think you are underestimating the effort required to produce a suite of office products.

LibreOffice is a third option, but does it have much usage? Why or why not?

Could you sustain a development team capable of creating this with a limited market and revenue stream?


> Could you sustain a development team capable of creating this with a limited market and revenue stream?

Market wouldn't be limited and potential revenue streams would be huge. So yeah. Just as a reminder, this is still assuming that there is a significant window where the big options aren't available for Europeans.


Sorry I wasn’t clear. The reason there are no competing products isn’t because it is hard. It’s because they keep getting bought as soon as someone does “good enough”


They don't have to sell to them though, right?


Would you turn down a "name your price or we'll run your business into the ground wink wink" (by disabling app store, never getting on the first page of results, etc)? Not saying that is what is going on or anything...


In most cases the underdog is running on investment funds, and has handed over a significant amount of the company control to investors. When a buy is proposed, those investors have to weigh the really quick (probably really large) profit of selling versus playing the long game fighting an uphill battle against the giant.

This is how promising companies are swallowed by the market leaders.


> There must be some reasonable middle ground before we fragment and destroy the entire Internet.

Elsewhere "fragmentation" is called diversity and competition. It's sad that it has to come about due to regulation, but it's a good outcome nonetheless.

The familiarity and precedence of current offerings becomes a kind of Stockholm syndrome for people. More options mean more chance of valuable improvements, and geographical diversity means different mentalities and points of view, instead of more "me too" options.


> No cloud services, no Office 365 or Google Workspace

I'm so looking forward to that.


What is the alternative? We are going to go back to 2005 where we send docs over email? Files end up being too large, nobody knows what the latest copy is, etc.


The EU is big enough that companies like Microsoft will find a way to offer their services legally, and if they wouldn't, it would be a huge opportunity to EU based competitors. It's not like we don't have any software companies in the EU.

Also, there's no reason that collaboration tools must be hosted on a US cloud. Especially Microsoft traditionally provided tools for their customers to host their own infrastructure -- it's only a recent phenomenon that everything is hosted by the vendor themselves.


I think you’re right. Microsoft is perfectly able to split its operations. They’re doing it now in China in a much more drastic fashion, and they seem to have been preparing to do it in Europe for a few years now.


The fact that US companies may need to treat Europe like China speaks volumes about the road the EU is headed on.


Just that two ships are departing from a location does not mean they are heading in the same direction.

It is true that both the EU and China are swiftly heading away from this unprecedented era of technology companies being able to act as they please abroad without impunity. It is an era that the US, which benefits from this arrangement greatly, understandably does not want to leave.

But what matters is why they are doing this, not that they are doing it. And in that regard it is much harder to find similarities.


[flagged]


"protectionism" is morally neutral to anyone except a hegemon. A nation can decide to protect itself from free expression and abolition of slavery just as it can protect itself from unsafe food imports and price dumping. It all depends on who is being protected from what.


You know exactly what kind of protectionism we are talking about here: economic protectionism. The kind that has to be employed by a decaying empire whose populist, anti-entrepreneurial, anti-business and anti-innovation policies led to it losing the high-tech race and now instead of working together for progress is walling itself off to dream of the memory of its lost glory.


You will have a very hard time arguing that the EU is more protectionist than the US.


It says quite a lot about American imperialism, actually. These developments were basically guaranteed the moment the CLOUD act passed, and after the adventures Microsoft had with the DoE.


Or people get fed up with cloud companies like Google (already happening) and people realize self hosting is becoming more and more simple (also happening) to the point where anyone can do it. IPFS and other tooling could push a decent portion of users to this. We can already see some of that effect with things like Mastodon.


You can host this on-site :)

No need to go cloud everything. I think you can even buy the whole azure pack to run on-site.


Do you genuinely think they're the only office products providers in the world?


No, do you think they were going to list every single office product? They said "Cloud services" which encompasses more than just those two.


If European startups end up starting companies in the US, and the US companies can't operate in EU, there will either be a massive vacuum to serve the European market ($15 trillion in estimated GDP), or there will be companies that like profits and want to earn some money by providing products in EU.

We can create a middle ground. Whenever information about an EU citizen gets transferred to the US, similar information about a US citizen gets transferred to the EU as hostage in case there is a data violation. A list of IP-addresses accessing usa.gov in return for a list of IP-addresses that accessed europa.eu. Surely a deal can be made that gives both sides equal power.


I think we are already dealing with the "bizarre consequences" of having our personal information uploaded to servers in a foreign country without consent.

Privacy abuse on such a massive scale, never before seen in human history, requires action.

And it does not matter how normalised this has become for the people in the valley of the clueless.


We already had a good sneak peek in Germany, when schools closed last year for some weeks due to the pandemic.

Popular video conferencing solutions weren't allowed due to privacy issues. The official "Lernraum" platform that has been used for this did not work most of the time.

I understand where these laws come from, but it's sad that there often is no European alternative


That’s okay.

The EU can build it itself when the US players are not able to not send data to their US data centres.


Why is the EU building it themselves going to happen? Either it could be profitable for a company to operate in the EU or it is not. Assuming current US companies are efficient enough, if they couldn't be profitable, why would the same thing built by the EU be profitable there? In fact it is the opposite, as they couldn't track as much as American companies even outside the EU.


Because US companies are hamstrung by US laws that prevent them from complying with EU law (i.e. US govt says you must give private data to us and EU says you can't give private data to non EU govt). Other companies not based out of the US can guarantee privacy that meets EU spec if they don't have local laws compelling data access. So it might not be EU companies that capitalize on it but there can be a market opportunity that US companies can't fill.


Because the US companies are bloated with their bureaucracy and structures. A Google is not able to pull a startup thing. See Stadia or the other short-lived projects, they all suffer from a lack of skin in the game - so to say.


There are more startups in US than EU. Also I think bureaucracy is worse in EU than in US.


I don't think it can. Maybe they can buy Yandex, but I think Europe has drained its talent to the US. And even if they build it, how will they monetize it?


Europe isn't drained of talent by a long shot. It has surely been tapped to some extent by the bay area exodus, but there's plenty of tech success stories and talented people here still.


Yeah the talented people are getting paid 3x as much to work for US companies with like two or three exceptions.


I don't believe that to be true at all - the EU has a lot of great SaaS/tech companies that employ a lot of really talented people. What the EU needs more of, however, is VC money.


That's just ridiculous. It's a minuscule portion of the total talent that has left to US, and Europe draws many people in constantly as immigration is easier.


Why is it on Europeans to weaken their privacy regulations and not on Americans to strengthen theirs? Why should we bend to the lowest common denominator instead of lifting everyone up?


> No cloud services, no Office 365 or Google Workspace.

I think you are overestimating the problem. Before Facebook decided that it wanted the European market we had hundreds of similar services. We will have local replacements the moment these US companies with their near unlimited war chests finally fuck off and give European companies room to breathe again.


AWS has always had a very clear region system which lets you decide the location where you store your data and run your services. Most popular region here in the EU being eu-west-1 (Ireland), which usually gets new features and updates first. Once you choose a region for your application, it takes some effort to store data outside of it.


It's sad but predictable that the top response amounts to "Forcing companies to act ethically and legally would just push them into the USA".

That's not exactly a great argument here, given that this French court has objectively made the right legal decision here in terms of EU privacy law, and the rights of their citizens.


Microsoft will be storing EU users' data in the EU: https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boun...

Will this enable them to comply with the requirements?


Microsoft has done the leg work for this already. They currently have a completely contained Azure environment in Germany. I think it was deployed to ensure compliance with german/EU health data protocols.

I have first hand experience of this, migrating between their global PaaS and the contained German one. The bulkheads are quite air-tight (much to my personal detriment).


They also had a completely separate o365 offering called Microsoft Cloud Germany that failed due to lack of interest (and the fact that it was years behind the global platform, I say), which was finally shut down last year, with everyone who renewed their contract automatically being migrated off.

They're working on it, but still not everything is entirely regional.



Not if they have to provide this data under the cloud act.


Europe's future internet without web3 sounds wonderful.


These tools have EU versions of their services with servers in Ireland or other places so that the data does not leave the territory. There will be absolutely no consequence to these regulations.


The server location does not seem to matter as long as American government agencies are able to make the company provide the information.

But, companies like AWS claim that they voluntarily bind themselves to provide much stricter privacy safeguards than the US law requires[0].

[0] https://aws.amazon.com/blogs/security/aws-and-eu-data-transf...


> No cloud services, no Office 365 or Google Workspace.

For quite a lot of business data, the "do not export data out of region" thing is nothing new. Which is why it is not actually unusual to be able to select where the servers are located.

That being said, if this made Microsoft Teams impossible to use, it would make a lot of us happy. That thing is crap.


It’s justified to keep that in mind. The EU is absolutely capable of myopically binding itself in red tape and stumbling in to second order problems.

It is also silly to tolerate tech's incessant fuckery.


> I think most successful European entrepreneurs will just end up starting companies in the US instead.

If these companies end up banned in Europe, that's not really a problem from Europe's PoV. Europe may end up deciding that US companies not coming is a problem in itself, but that is already the case imo.

Honestly, if this policy is actually enforced, it's very hard to imagine how the landscape would shift. Maybe Europe would be brought to its heels, and be forced to remove the law. On the other hand, maybe the US would be forced to renounce their cloud act, which is a large part of Europe's privacy issues with US companies. A third path could be companies reverse-incorporating in some place that would let them keep in business.

It's a bit hard to predict honestly.


The UK market for digital products won't stop existing just because a few UK entrepreneurs move to the US.

These regulations are the only way to dismantle US big tech monopolies. The US government won't do anything about it on its own accord because it's too profitable. Other countries need to neuter the influence of US big tech first. Then the US can police their own better to encourage intl competition if they want to.


You can use all these, but you cannot send your own visitors' data to M365.


Nah, the tools will be adjusted to comply.

The EU combined is the largest economic region in the world. With backdrop the other huge one China where doing business has become increasingly difficult and volatile.

Tech giants cannot afford to pull out of the EU. Call their bluff, they won't. They can't even if they wanted to, as shareholders will skin them alive.


>The EU combined is the largest economic region in the world.

It's not 2011 anymore. The GDP of the US has surpassed the GDP of the EU.


Being the number 2 (or three if China overtakes) is still not exactly a weak position to be in...


Is this with or without money printing?

I'm teasing. I accept your new data, but I don't think it fundamentally changes my point.


If we don't count money printing, europe would probably be in an even worse shape. Remember that the interest rates in the big Western European countries have been negative for years with still almost no economic growth, and that was pre-covid! Even the FED isn't technically directly buying US bonds from the market like the ECB does to prop up the debt sales of its weaker members. Even the historically low current FED rates, I think are still higher than the peak of most European central banks rates of the past 5 years. Again, all of that did very little to prop up their economy (which usually indicates it's pretty zombified) so they couldn't even start hiking the rates back in 2018-2019 like the FED did. That means they are now stuck with very few "easy" ways to recover from 2020.

I know you are just joking, but the sheer irony of a money printer joke in this context was just too much for me to not react :')


Companies will bend to the whims of regulators in the countries they do business in. Look at US companies in China.


AFAIK, Microsoft moves most of its cloud services to Europe by the end of this year for their European clients [1]. So I guess where there's a will there's a way - they just need a "little" nudge. Should be good for datacenter redundancy anyway, no? But: some datacenters are in fact crappier/slower than others - German datacenters take way longer to implement some new features compared to US datacenters or even those in Holland/Ireland. But that's due to slower German regulatory processes.

[1] https://blogs.microsoft.com/eupolicy/2021/12/16/eu-data-boun...


I run multiple organizations just fine without any third party proprietary SaaS like those provided by Salesforce, Google, Apple, etc.

It is crazy to me so few realize it is really not much, if at all, harder to run a business without involving US surveillance capitalism corporations.

Tools like Nextcloud, Matrix, Jitsi, have turn-key SaaS providers or you can self-host them easily as well. Same for many many analytics solutions.

I honestly think every company would be better off having more sovereignty in their tech stacks and data, and it is much better for consumers who may not realize they are -also- sharing their data with third parties like Google who use it sell targeted behavior changes to the highest bidder.


We knew those consequences from the start, they are just being realized veeery slowly


> European startups will not be able to use standard SaaS or PaaS tools (like AWS, Azure, Mailchimp, PayPal etc) if they are based in the US

PaaS and IaaS providers all have a presence in the EU or is that still not good enough to pass the regulation that's in place?

SaaS I get it, they'd have to create a presence in the EU but I don't think that's a bad thing. They will, at least the big ones you mentioned. And if that's a problem for smaller SaaS providers then the market will have a solution for that emerge over time.


> I think we (in the EU) will soon realise the bizarre consequences of these regulations.

Wait until you see the result of the green revolution: you'll pay your energy 3 times more than now.

We'll need decades to recover (if we recover) from this ideological move from people that live in la la land and have no idea of the consequences of their acts.

It already has started with natural gas prices skyrocketing. The Russians are holding us by the balls and our politicians are spitting at their faces...


Out of curiosity, where did you get that 3x claim on green energy? And how is that related to Gas?


It was inspired by natural gas prices that went 3x this winter and an article that said we (French citizens) pay much more for our electricity than what it costs us to produce because our production is sold on the markets then sold back to us at an inflated price (deepl should offer an OK translation even if it might lose a bit of the humor: https://institutdeslibertes.org/nous-avons-la-meilleure-fonc... ). I don't have data to say how much more expensive it will be, but I know it will be bad enough that we certainly will have protests.

You can't just delete nuclear, coal and natural gas power plants and think the invisible hand will provide. There is no secret plan behind: we're gonna crash then our politicians will blame the Russians and / or COVID but certainly not their incompetence.

Don't get me wrong, I don't want to live in a polluted world more than anybody else, but I also want to take a hot shower daily without it being a luxury expense. We needed to think the transition and do it progressively before. Too late.


> European startups will not be able to use standard SaaS or PaaS tools

I wish!


I don't think Google analytics is that essential. It has privacy problems and there are alternatives around. It is just often the lazy choice of developers. They would have to adjust a bit, comes with the job anyway. Not using it doesn't "fragment the internet".

I still don't think laws against specific software is helpful though.


Or... Or... these co's stop mining/saving data on all EU folks altogether. If they could prove to regulators that the tracking and mining and selling of data does not happen at all for EU folks perhaps these cloud players could still sell services to the EU market.


> most successful European entrepreneurs will just end up starting companies in the US instead.

And then they will not be able to serve the european market, nor profit off the european economy. Good luck competing with each other for that US market.


More like they build successful companies in the US which then enter the European markets with a massive warchest and dominate any domestic EU startup in the space.


> It will take forever to build up a similar ecosystem in Europe

And even then it seems risky the EU will deem the business model entirely in violation of privacy laws. It's very chilling

When the EU finally completes their utopian/dystopian ideas of privacy from foreign Internet services, the great firewall of Europe, perhaps then EU regulators will look inward and do the same things?

But for now it all has the appearance of disfavoring International Internet services, as if to encourage regional tech companies to advance.

Which seems reasonable, Europe seems to have lost most of its Tech companies, and that's a problem that needs to be fixed. It's just weird to go about the problem by claiming International companies are in violation.


> the great firewall of Europe

It's not Europe who blocks anybody, but plenty of US websites just blanket-block EU visitors because they can't be arsed to create a GDPR compliant website.

Which, as a European, in practice feels like running into a great American firewall.


What's funny is I don't think the EU was that high on the privacy list? Doesn't govt slurp up data on its citizens in terms of national health care systems, databases on identity, easy access to online records etc? Is there even a trial by jury in the EU? I thought they had a type of prosecutor / judge that could go rooting around anywhere they want pretty much unchecked.


It’s not about what you collect. It’s about consent and transparency. I can log into my government website and literally see anything about myself that is known to the government. If you get arrested, your name isn’t released to the press so you can continue your life afterwards. If you go to jail, and apply for a job afterwards, they do a background check. If the job has nothing to do with what you got arrested for, it comes back clean. These are all sensible things. When I grew up in the US, I had absolutely no privacy or expectation of privacy with the digital world. I don’t miss it.


The point is though that an EU citizen has zero privacy rights when data is transferred to the US. Zero. Not US level protection, not EU level protection - just fair game.

For that simple reason the EU has to step in. There is no other way.


This is entirely untrue. AWS and Azure are most definitely able to offer GDPR-compliant in-region hosting options and I'm sure GCP can too (I just don't know their offering as well).


>It will take forever to build up a similar ecosystem in Europe and I think most successful European entrepreneurs will just end up starting companies in the US instead.

This is what you are wrong about. It would be true if you were from a small country like Sri Lanka or similar but for EU many European companies will smell an opportunity to fill the void.


An alternative is to push USA to get similar laws making it equal on both sides.


Sounds like a whole new market opened up for the EU.


The activist MEPs in the EU who have pushed for these regulations are overwhelmingly (German) socialists.

I support their work to protect the privacy of EU citizens. But I'm also aware that their goal is to replace Microsoft, Google, Facebook etc. with state-owned European enterprises.

European state enterprises can be surprisingly efficient. However keep the Germans out of it. German government IT is still in the Middle Ages. Let countries like Denmark and Estonia build the future of European IT.


Danish governmental IT has more than its fair share of scandals.


A lot of this seems to be coming due to US regulations that compel US registered companies to hand over data from subsidiaries in Europe markets if asked by US intelligence and law enforcement agencies.

With these various data locality regulations, I wonder if a standard operating approach could be to split tech companies into 3 legal entities, a technology licensing company, a US registered operations company and a Europe registered operations company and hand the shares in all three companies to the current shareholders. This would insulate the Europe entity.


The EU part cannot be owned by the US entity since the US government can compel the US mother company to have its subsidiary hand over data.

In fact this is how most of the companies operate already to cheat on taxes.

The way microsoft did it for a while here in Norway was to license azure cloud stuff to a sub operator (EVRY) that is completely insulated except for the licensing agreement.


> The EU part cannot be owned by the US entity since the US government can compel the US mother company to have its subsidiary hand over data.

As it stands, the US part can be owned by an EU company. Or, probably more realistically, both EU and US parts could be owned by a mail box in the Caymans.


> The EU part cannot be owned by the US entity since the US government can compel the US mother company to have its subsidiary hand over data.

Is this true for ownership by individuals too?

If I, an American citizen & resident, owned and operated a company registered to a European nation to serve my European customers (with European hosting), does that make me compliant? Does an American solo founder have a path to compliance at all, or would I be required to collaborate with a completely separate workforce that has no ties to America?


If you are subject to the cloud act in the US then you are not compliant or in any way can be compelled by the US to hand over data on EU citizens.

As a private individual I suspect you would not have much to stand on if the NSA knocked on your door.

Another way to be compliant is to not collect PII.


> Another way to be compliant is to not collect PII.

The GDPR extends far beyond the US notion of PII. As I understand it, it covers basically all user-submitted or user-related data if it's possible for that data to be hypothetically tied to an individual in the EU (even if that can be done without your service holding traditional PII).

> As a private individual I suspect you would not have much to stand on if the NSA knocked on your door.

Yeah, a federal agent with a wrench can do anything they want to me (https://xkcd.com/538/), but I'm trying to figure out my options.


> The GDPR extends far beyond the US notion of PII.

That's a good thing. The US notion of PII is ridiculously naive.


It includes IP address... the fundamental glue that makes routing to and from said servers possible. Good luck being able to resolve web requests without knowing where to send the response.


IP address is both personally-identifying information and also technically required to provide computational service.

Just like your name is personally-identifying information and (usually) required to provide medical service.

But being required for service doesn't automatically mean that it can be shared with third parties. You can't share names with third parties. Why would you share IP addresses?


A name is not a requirement to render medical service, so I don't see how that example is relevant. A practitioner is capable of treating patients without knowing their name. Laws may compel them to keep track of that data, but it's not strictly necessary.

And the act of connecting to a server hosted in another jurisdiction (e.g. America) would require sharing your IP. This could be directly (the entire web service hosted in the USA), or indirectly (some of the web service's assets are hosted in the USA).

If you put a CDN in front of your web service, then that CDN will most likely be sharing your IP with the host server too. Especially if the web service wants to do something non-cacheable that they can't offer from behind the CDN.


There are many (!) types of medical treatments. Some require multiple visits. A medical practitioner needs some way to ensure that progress is maintained across multiple visits.

The internet has multiple visits too. They're just called packets instead.


MS did the same in Germany with Deutsche Telekom as a partner, that shut down around 2018 [1].

[1]: https://nextcloud.com/blog/microsoft-and-telekom-no-longer-o...



Hmm, that's interesting. I suppose more cloud providers could do something like that, for the benefit of customers and GDPR?

E.g. Amazon already bills me through some Norwegian entity of some kind, to get VAT done right etc.

If they had servers in Norway, I suppose it would have been possible to proxy everything - not just billing - in AWS Norway through this sub operator?


To fall out of scope of the CLOUD act, the subsidiary needs to be independent and prevent any data access by its holding company. The holding company can in no way have "possession, custody or control", which are not well defined so that doesn't make it easier to assess if a subsidiary is out of scope.

https://jnslp.com/wp-content/uploads/2020/05/Defining-the-Sc...


So is it likely the European Commission did this in an attempt to block US companies from offering internet services to the EU (or at least, internet services that handle user info)? It's pretty hard to make a profit or operate in the EU if you literally can't control that entity.


Schrems II (and the Privacy Shield invalidation) has been in response to the aggressive data collection by the US government, and the extra-territorial nature of legislation used to achieve this. The US is able to regain access to the EU market by repealing/changing CLOUD act and similar legislation, so I personally don't think this is (primarily) done to block US companies. However I am not the one implementing these rulings, so the best I can do is speculate.


It seems pretty hard to think the US will drop the legislation every 3-letter-agency had wished for over the decades before it became law. The only thing I can imagine that actually gets the law changed is if the EU heavily invests in prosecuting these cases, to the point that tons of US companies worry they'll lose access to the EU market (with non-negligible fines to back up the law).


> So is it likely the European Commission did this in an attempt to block US companies from offering internet services to the EU

More like the European Commission did this in an attempt to protect European citizens from having their personal data exfiltrated against their will to the US on order of US law enforcement agencies.


No, EU had an agreement with the US called Privacy shield that allowed US companies to process EU data. However this was struck down by US courts and that is what leaves us with this mess.


> However this was struck down by US courts and that is what leaves us with this mess.

According to Wikipedia, it was struck down by the CJEU, not by a US court:

"The EU-US Privacy Shield for data sharing was struck down by the European Court of Justice on the grounds it did not provide adequate protections to EU citizens on government snooping."

https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield#L...


If anything, it was a move to push US legislators to respect foreign privacy laws.


The point is more nuanced: The problem is not the handing over (happens here too), but the fact EU citizens do not get informed this has happened and have no legal way to challenge this (especially concerning FISA/FISC). They have the opportunity to do so in the EU.

Yes, this is what will happen with a setup of 3 entities, b/c FANG will not want to miss EU revenue.


Right but the solution is for there to be a treaty between the US and the EU that allows for this. Putting the burden on every foreign company to duplicate their infrastructure is stupid work to solve a human problem.


How would a treaty solve it when the US has decided to aggressively disrespect the existing agreements?

Basically the US can’t be trusted to keep its word, so why make it easy for US companies to operate in Europe?


Or the US could adopt better privacy laws.


Mark one for another American conundrum: having so much distrust for "the man" while at the same time being completely oblivious to the amount of personal data being skimmed off their daily activities. But it's all to guarantee Freedom™ so it must be ok?


Much of the Constitution in the US was written by people who wanted corporations to do whatever they wanted and no government can intervene. You see a lot of this philosophy still living today in rulings and precedent.


Your tone implies disagreement but that's exactly what I want as part of the treaty.


or USA could just.. stop having such ridiculous law in place.


But is "Wait for a possible but incredibly unlikely series of events to occur" really a solution?


Solution to what?

The only problem that I see is that it's hard(er) for US companies to collect data about EU customers. That's hardly a problem for the EU customers; they can just buy from EU importers (if there's no equivalent EU product) or rely on EU service providers.

I don't really see a problem.


There is no different solution. The EU tried twice to build this kind of solution and EU courts have shot it down twice with the argument that in the face of no legal representation of EU citizens in the US it is not possible.

So the US needs to move here or it can not happen.


We already had two (I don't remember the order, but they were called Privacy Shield and Safe Harbour) and somehow US and US companies "forgot" to uphold their part in any meaningful way, so there's some mistrust on the whole idea at the moment...


Both were illegal because they did not address the core issue. The EU commission (representing EU country governments) is more business driven and wants it to work, so they created Safe Harbour etc. They also drove the standard clauses which are illegal too (or better: If as an EU company you sign them, it's your responsibility to make sure the US three letter agencies do not access the data of your customers, good luck with that).

The EU parliament have the people in mind, so they don't think it works and drove the GDPR. The EU courts look at the law and see it's not possible to create contracts, so shot down Safe Harbour and Privacy Shields. The EU courts say standard clauses could work in principle, but see above.


Treaties are not necessarily worth much these days, when the next populist can just pull out unilaterally, or decide that following international law is for chumps.


Agree. That also means no new US or EU company has a chance to go across the pond. BigCos can set this up. Not so easy for a small startup.


How does this hinder an EU startup to expand to the US?


> human problem

Incompatible laws problem


Exactly, the CLOUD act is one of the main problems here: https://en.wikipedia.org/wiki/CLOUD_Act


I've read most of the EU rulings and court cases on this topic. The CLOUD Act is basically the only US law that any of them mention or refer to.

And let's be explicit here: The entire purpose of the CLOUD Act is to bypass EU data protection laws. The incident that led to the creation of this law is that Microsoft didn't hand data over to the FBI because the data was on a server in Ireland. This isn't an unintended consequence, this is what the law is supposed to do.


The point of the CLOUD Act was to say that if you are a company in the US you can't ignore an order to turn over a copy of data you control just because you happen to have stored that data with a third party storage provider that is not in the US.

It doesn't matter that the third party storage provider is not under US jurisdiction because the US government isn't trying to compel the third party storage provider to do anything. They are trying to compel the US company to access its own documents that it stored with that third party, using the same mechanisms the US company normally uses when it wants to access its data.

From the third party storage provider point of view there is no difference between the US company retrieving the data because it wants to do something with it itself or the US company retrieving the data because they are being compelled to by law enforcement.

This is really just clarifying that the rules for electronic documents are not very different from the rules for physical documents. If I am in the US and own a document that a US court orders me to produce a copy of I'm not going to be able to get out of that by telling them that the document is in a filing cabinet in a storage unit I rent in Canada or Mexico. No, they are going to order me to either go get that document or have someone go get it for me and give it to the court.

If it didn't work this way every US company that has any documents they think might get them in trouble if they are ever investigated would rent some storage space outside the US, physical space if the documents are on paper and cloud storage space if they are electronic, and store everything there. Boeing for instance would have all its information about the 737 MAX outside of the US. Tesla would have everything related to full self-driving outside the US. Everyone would keep HR records outside the US to make it harder for plaintiffs if the company is ever sued over alleged discrimination.


There's a critical nuance that you're ignoring, which is whose data is being stored. In the incident in question, it wasn't Microsoft's data. It was the data of a customer of Microsoft. You're treating several different scenarios as "data controlled by Microsoft," but there are sharp distinctions between Microsoft's own HR records, vs an email belonging to one of Microsoft's customers.

US law doesn't distinguish these scenarios very much because of the Third Party Doctrine, where data given to a third party has no expectation of privacy. But this is a view rather particular to the US not shared by much of the rest of the world, and certainly not by GDPR (or its predecessors). One way or another, the CLOUD Act is still basically saying that US legal doctrine applies to data stored in other jurisdictions. And GDPR is stating, correctly, that this doctrine is not compatible with EU data privacy obligations. EU policy is very much the opposite of the Third Party Doctrine (and the winds are slowly turning against it in the US as well), and third-party data controllers have positive obligations to safeguard the privacy of data given to them.

Given this scenario, I don't see the nightmare scenario you're posing actually manifesting. EU data protection laws do nothing to curtail Microsoft handing over Microsoft's data. There's just data that Microsoft physically stores which is not legally theirs.


I'm not sure such a split would require sub-companies to be public, they could likely be private, owned by a single publicly traded US company. Tech companies already have many subsidiaries in countries that they have offices in, for example employees in European countries are not employed by a US company, but a subsidiary which is not publicly traded.


They already have EU subsidiaries. The problem seems to be that US laws seem to be able to compel US based parent companies to hand over data from their overseas subsidiaries.

If you make it an EU-based public company and give control to your own shareholders, it's no longer a subsidiary and your shareholders are holding shares in a European company.


It's not as clear cut.

If someone is running a global web site and wants analytics, which of the 2 entities, or both, would he reference in HTML? Even if we're going to region-lock Europe to the European Analytics servers, analytics today often involves some computation done over the entire data set, including both US and the EU, done on the backend. Which backend would that be?

The privacy aspect has become something of a "think of the children" reason for a sort of "Internet xenophobia", as well as creating huge barriers to entry for small companies which cannot comply.


> barriers to entry

It's easy to do things online as a company of any size, post-GDPR: Don't scrape user data. Done - no compliance required, because the law is not about you in that case.


Google is already doing this in countries like China and South Korea.


I think a lot of the big tech companies are very reluctant to split their operations inside/outside europe.

They gain big benefits by having a single pool of datacenters able to serve users from anywhere in the world. If they needed to guarantee that an EU user would always be served with a machine in the EU, I can imagine it would add at least 20% to their operating costs.

They'd need more equipment both inside and outside the EU to handle failover, maintenance, etc. They'd also have more complexity slowing development down (they can no longer have small services 'mastered' in just one region). And there is substantial extra complexity in application design (what when a tweet from an EU user is retweeted by a US user, but then replied to by an EU user. Where will the text of the tweet be stored? How will deletion be handled?).

For example, will HN have to have separate databases for "comments by EU users" and "comments by US users"? And will they need a process to migrate your account from one to the other?


It's not only "a machine in the EU" . It's a company in the EU totally separated from the main company in the US to be out of the reach of the US government and legal system. Maybe the EU company could license software and knowledge from the US one, to keep sending a steady flow of cash there. But it's going to have its own goals and it will want to go its way soon. A hard problem IMHO.


When I hear arguments like this I always think about what it would be if we were to replace 'user data' with 'financial data'.

"It would be so easy if companies could just pay their taxes in one country. Think of how much they could scale their finance department."

The same applies for start ups : "book keeping is such a hassle for start ups, why impose that on them? All these financial regulations are really anti business".


"I can imagine it would add at least 20% to their operating costs."

Why is everybody working on the assumption that all this data has to sit in the US?

Keep it in a country with the strictest possible privacy laws, say Switzerland, and no one would complain.


Hah, it's a myth that Switzerland is so privacy oriented. They have laws saying that the Swiss intelligence services can access all data, so it wouldn't help.

And Switzerland is not part of the EU.


Both Swiss and German people seem completely deluded about the activities of their own governments and intelligence agencies.


You gonna have to be a bit more specific than that.

When I think "Swiss", "Germany" and "government intelligence agencies" then the things that come to my mind are Crypto AG [0], how the BND started out as a CIA OP [1] and how the very same BND seems to be more interested in pleasing American interests than protecting Germans [2].

Which is btw the same BND who cooperates with the NSA [3] to help them tap directly into one of the world's largest IXP De-CIX, completely legal in Germany [4].

The US made sure of that by pressuring the West German government into watering down the G-10 law [5] during the cold war.

So whatever "delusions" you are referring there to, you have to be a bit more concrete about them.

[0] https://www.theguardian.com/us-news/2020/feb/11/crypto-ag-ci...

[1] https://en.wikipedia.org/wiki/Gehlen_Organization

[2] https://en.wikipedia.org/wiki/ECHELON#Examples_of_industrial...

[3] https://en.wikipedia.org/wiki/Operation_Eikonal

[4] https://www.spiegel.de/netzwelt/netzpolitik/de-cix-betreiber...

[5] https://www.europarl.europa.eu/document/activities/cont/2014...


Why tho? Do you think German citizens have more privacy in Germany than in the US, where the US legislature clearly states that non US citizens have zero privacy rights whatsoever?

I don't think it's delusion, I think it is literally correct.


Right now, the data sits where it “loses” the least amount of money (I.e. where it is most efficiently spaced). If we start arbitrarily forcing companies to move their data elsewhere, then they’ll incur serious costs without any real benefit.

I’d almost rather just give a French company control over some section of the US warehouse if I’m Amazon.


Plenty of US organisations couldn't use a cloud service that loudly proclaimed to store the data outside the USA.


"I think a lot of the big tech companies are very reluctant to split their operations"

Yes but they are even more reluctant to lose all EU revenue.


Note that Wikimedia has been not using Google Analytics since forever because they're concerned about precisely the same privacy problems as the regulators.

This other post has more comments: https://news.ycombinator.com/item?id=30284820

I love that the plaintiff in this case is the "NOYB Association", as in None Of Your Fucking Business, Google.


You might know that already, but NOYB indeed stands for "None of Your Business" (https://noyb.eu/en).

The organisation has been involved in nearly all of the last privacy related rulings in the EU and is a real blessing for consumer rights.


And a note that you can donate to them, and I have done so for nearly four years.


It would seem Wikimedia is still violating the law as they keep Analytics data/data of users[0], but haven't yet pulled the Microsoft move of creating a separate EU company that the US-based entity has no control of.

0: https://meta.wikimedia.org/wiki/Data_retention_guidelines


It's totally plausible that Wikimedia and the EU have different, mutually incompatible responses to the same problem.


If someone adds <img src="http://blah.us"> to their website, and that image is hosted in the United States, how does that not also violate French data protection?

The user's browser makes a request to a US server, including the user's IP address.

I legit do not understand how to make French people happy with these laws.


> how does that not also violate French data protection?

The regulations don't ban collecting IPs (nor any PII). They just regulate it to the point that it must be deemed necessary according to certain criteria. I would imagine linking an image may be fine in 95% of cases, but what it would mainly depend on is the logging practices of the image hosting company. Their business would be bound by EU regulation if they are choosing to sell service to an EU-based website, and it's likely that image host that would be liable for compliance.

It's worth adding quite a lot of the regulation here is tied to company size, revenue and scale of data sharing in general, so if you are for example a small business/non-profit you're very likely to be fine either way.


It would probably depend on the purpose. If the purpose is to show the image and all logging is done to an access file and not processed into advertising models I'd think it would be ok.

If the purpose is to collect PII and build advertising models like it was with the Google Fonts or the 1 pixel images then it is not ok.


>Their business would be bound by EU regulation if they are choosing to sell service to an EU-based website, and it's likely that image host that would be liable for compliance.

Is the image hosting company really _choosing_ to sell service to an EU-based website if someone adds <img src="http://blah.us"> to their (French) website? It seems like it'd be an unreasonable expectation upon a company (especially one in a completely different country/jurisdiction) to e.g. ensure their existing logging practices _also_ comply with French, Austrian, etc laws.

Surely the user who adds/posts the image on a French site would/should be liable here, not the host of the US-based image (service?), no?


This largely depends on whether the French website is a paying customer hosting their own images in a deliberate fashion (e.g. Amazon being responsible for facilitating GDPR compliance of S3 logs), or if it's a randomly hotlinked non-owned image.

In the latter (hotlinking) case the French website would almost certainly be entirely responsible if they operate at scale (excepting user generated content). In the former, it's obviously less clear cut (and also as mentioned revenue & scale are going to be very relevant).

Practical example: a private individual posts a hotlinked image on a French forum. Relevant questions:

- is that user profiting at large scale from data logged on the image server? No.

- is the forum website owner? No.

- is the image host deriving revenue directly from proactively collecting, analysing and profiling user data from readers of that forum post who are based in the EU? Possibly.

- is the image host doing so at large scale? Maybe.

3 & 4 are definitely true of Google Analytics, but broadly won't be true of many image hosts, so your image linking example won't be an issue most of the time.


It probably does violate French data protection. There were similar lawsuits in Germany over the use of Google Fonts. Making a user's browser interact with a US-based or US-owned service is currently very thin ice.


All they need now is some sort of ISP level filter to make sure nobody loses their privacy to US servers. They could call it a "Great Firewall" maybe.


Protecting the privacy of citizens is not akin to society-wide censorship, a la China. This is a disingenuous argument.


But it infringes on my freedom to get spied on by shady companies and their government!


Kind of. I'm still losing my ability to choose.

I've often found the slippery slope 'Fallacy' to not be so much of a fallacy in reality when it comes to power.


Yep, next to be banned is fake news articles, then entire sites that contain some fake news articles, then sites that contain links to other sites that have fake news....

[Edit] for clarity


“Slippery Slope” is only a fallacy when you can’t reasonably draw a line from the proposed idea to the “dangerous” end result.


And yet requires a similar solution.....


I've been having to remove Google Fonts because we had some Germans say we're breaking their laws by using them.


To be fair, nowadays there is hardly any benefit. Since browsers use cache partitioning (mostly because CDNs were tracking users) there is no benefit in not serving it yourself (although yes, licensing restrictions now apply but there are plenty of free fonts to use).


Why remove them? Why not proxy/cache the fonts from your own server?


Depending on the license, that might cost more, or not be an option at all. For example, Adobe doesn't allow you to host their fonts; you have to link to their CDN. https://helpx.adobe.com/fonts/using/font-licensing.html#web-...


Except he explicitly referenced Google Fonts



I suppose GA effectively tracks you across IP addresses and maybe even across private sessions on one very popular browser.


By not embedding third party content on your site.
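The point running through this subthread, that every automatically loaded third-party resource hands the visitor's IP address to that resource's host, can be checked for a given page. The following is an added example, not part of the original discussion: a small Python audit that lists the external hosts a browser would contact on page load. The page URL `https://example.fr/...`, the sample HTML and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes a browser fetch a resource on page load.
# <a href> is deliberately absent: a hyperlink sends nothing until clicked.
AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

# <link> only triggers a fetch/connection for these rel values
# (rel="canonical", for instance, is metadata and causes no request).
LINK_RELS = {"stylesheet", "preload", "modulepreload", "icon", "preconnect"}


class _ResourceCollector(HTMLParser):
    """Collects (tag, absolute_url) for every auto-fetched resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = AUTO_FETCH.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & LINK_RELS:
                return
        value = attrs.get(attr)
        if not value:
            return
        # Resolve relative and protocol-relative (//host/path) references.
        self.found.append((tag, urljoin(self.page_url, value.strip())))


def third_party_requests(html, page_url):
    """Return {host: [(tag, url), ...]} for resources not served by the page's own host.

    Assumption: "first party" means an exact host match with page_url; a
    separately named subdomain would be reported and needs manual review.
    """
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    collector.close()
    first_party = urlparse(page_url).hostname
    result = {}
    for tag, url in collector.found:
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            continue  # data:, blob:, about: cause no network request
        if parsed.hostname == first_party:
            continue
        result.setdefault(parsed.hostname, []).append((tag, url))
    return result


# Constructed sample page mixing the cases discussed in the thread.
SAMPLE_PAGE_URL = "https://example.fr/blog/post.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Roboto">
<link rel="canonical" href="https://example.fr/blog/post.html">
<script src="/static/app.js"></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
</head><body>
<img src="http://blah.us">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<a href="https://news.ycombinator.com/">discussion</a>
</body></html>
"""

if __name__ == "__main__":
    for host, hits in sorted(third_party_requests(SAMPLE_HTML, SAMPLE_PAGE_URL).items()):
        for tag, url in hits:
            print(f"{host}\t<{tag}>\t{url}")
```

The audit only sees static markup; resources injected later by scripts or referenced from CSS are outside what it reports.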


I’m guessing that if you are a US-based site then you are exempt and it’s only if you start an EU presence that you would need to worry about this?


Just two weeks after Austria, another EU country has deemed current Google Analytics implementation illegal in EU.

From the article:

> "It's interesting to see that the different European Data Protection Authorities all come to the same conclusion: the use of Google Analytics is illegal. There is a European task force and we assume that this action is coordinated and other authorities will decide similarly."

I am really looking forward to seeing how this will play out in the rest of the EU, and which practical consequences it will have.

And, as usual, fellow EU citizens, support NOYB work, if you care about data protection: https://noyb.eu/en/support-us


Is the CNIL actually starting to do its job? Since the early 2000's they were doing literally nothing against the many crimes against users committed by big tech. In the past few years though they started to distribute fines when the law was obviously and willingly broken (eg. Google)... did they suddenly start to care for users? or do they care that they can fill the pockets of the government (who doesn't dare to tax those evil multinationals) while making it look like they care for users?

I mean CNIL does not exactly have a reputation of helping/protecting users... they more have a reputation of being a watchdog who sees no problem with government surveillance programs and does not react when you send them reports of illegal activities surrounding personal data. For their defense, their budgets and prerogatives have been cut so many times they probably couldn't investigate/fine anyone if they wanted to.


CNIL is just following Austria here


> I mean CNIL does not exactly have a reputation of helping/protecting users... they more have a reputation of being a watchdog who sees no problem with government surveillance programs and does not react when you send them reports of illegal activities surrounding personal data

We have a very different view of the CNIL.

Every time I hear about them, they're either giving GDPR fines or signalling illegal government activity, eg: https://www.vie-publique.fr/en-bref/278140-drones-de-surveil...

They don't have political power in itself, but they do use what power they have enthusiastically.


> Every time I hear about them, they're either giving GDPR fines or signalling illegal government activity

Yes, now think about all the times we don't hear from/about them. It seems that they are doing more as time goes, but they have done little to stop dragnet surveillance, racial/religious/political profiling by the authorities, the deployment of CCTV all across France, (il)legal ⁽⁰⁾ obligations for ISPs to track their users, school restaurants requiring fingerprints to get a meal (yes that's a thing), public services using Google Analytics / Zoom / Microsoft / Doctolib, stingrays operated by police for political repression, and the list goes on and on...

In "digital freedom" (LQDN, FFDN, April, Framasoft, etc) the CNIL is (or at least used to be) rightly regarded as a joke when it comes to human/user freedom, despite having very noble goals. The fact that the press only talks about them when they're doing their job doesn't change that they've clearly failed their mission to protect civil rights in the computer era, despite very good and reasonable legal guidelines dating from 1978.

⁽⁰⁾ French data retention laws are illegal by European standards.


> Is the CNIL actually starting to do its job?

IIRC, they got massive funding with GDPR


GDPR enforcement is big business for the government, but no money goes to the poor associations, like LQDN or NOYB.

Quite the contrary, those associations have to survive on 'donations', and probably not very high salaries for their staff.


CNIL is not an association. It is part of the French state.


Not sure why you're being downvoted. People from such non-profits were key to European institutions developing a proper understanding of the problem space, which directly led to GDPR legislation.

If you're rich enough, be sure to donate some money to LQDN/EFF and others to protect human rights in the digital realm.


Don't quite understand this at all.

Can we cut through the clickbait and see what's wrong here. If my website asks users for their permission to use GA and they click yes then is that still illegal here? I see this as yes it's still illegal.

Also is it illegal because there is an anonymised id number created when you send data. If that's the case then it's not just GA that's a problem but any tracking system i.e. Plausible.

Furthermore given that a randomised unique id is personal data then there would appear no way to use any websites analytics on any website as you have to store this in a DB which will require a unique id per row by design.

What about other data for example a webserver log will contain similar data is that not allowed? If it's not allowed how can I ensure my site is protected as I need those logs to identify and ban hackers.


> Can we cut through the clickbait and see what's wrong here. If my website asks users for their permission to use GA and they click yes then is that still illegal here? I see this as yes it's still illegal.

Yes, because you're still passing personal data to the USA, which means US intelligence services can access it.


If my website is hosted on a server located in the US, then is this illegal? Serious question. Assume it's a static site and that I don't collect any data myself whatsoever. But who knows what the server operator could be doing covertly?

If this doesn't cut the internet in two, I don't get where the line goes.


Are you hosting and processing personal data (including IP) on your server?

It might be.


Ninja edited.


A static site still logs the visitor's IP address in the logs of your webserver for example.


Is that the case for any data that is passed into the USA then rather than just GA?

So if I hosted my servers in any of the AWS US regions that too would be illegal if they have any personal data in them. In this case personal data is a randomised unique id. So say I have a table of users and all I have is a username and a password and a unique id for the record that's personal data and the customer is not allowed to give their permission for me to store that in a US data center ?


Potentially, yes, though this hasn't been tested in court yet.


Wouldn't that cut off a vast swath of the internet from France though ? Some of the main big providers of internet services use US based data centres. I'm meaning:

* Amazon

* Google

* Facebook

* Netflix

* Microsoft

* Twitter

* Uber

I mean the list goes on but these are a really big part of the internet.


That might be a good thing. New data centers would be constructed in France and the French people would have more jobs. It’d also be a national security boost because France would be less reliant on external data centre providers.


Wow, unironic protectionism and "it'll create jobs" rhetoric.


It’s a geopolitically grounded form of protectionism.

I don’t like that smaller countries have to rely on larger countries that don’t have their best interests in mind. Not only should France build its own tech infrastructure but so should every other country that can build it.

In the post-NSA age this is vital if you want your country and its population to be secure against cyberattacks and mass surveillance by great powers.


This isn't just 'jerbs' rhetoric. Having French data on French soil guarantees that if push comes to shove French authorities are in control of their citizens' data. It's a matter of national sovereignty. If companies have billions of dollars worth of physical infrastructure located in the countries they operate in, you can be sure compliance with local laws will actually happen.


Not sure if you've been watching, but protectionism has become extremely popular.


A lot of the actors you're listing actually have datacenters and/or cages at French DCs and/or racks at French ISP PoPs.


The differentiation is probably that some data is required for offering a service that people choose to use, but GA data is not.


Yes, of course. It's possible that they will sue every single big company, but quite possible. I think it's a good way for the EU to build pressure against the US to revise the CLOUD act.


This will only happen if the EU makes a true effort to go after as many big US companies as possible. If corporations actually start to lose access to the EU market, the US will follow suit and change its laws.


Godspeed!


If enforced thoroughly and by the letter of the law. But the authorities in the EU have control over selective enforcement of laws (that there potentially won't be by the 26th century), letting the law be spun as an open negotiation.


A randomised unique ID and username/password are not personal data if they can't be used to identify a person. If you associate that unique ID or username with something that can identify the user (like IP, personal name, etc.) then yes, it's illegal for you to store that data in the US even with the consent of the user.


I feel like this is either a mis-interpretation, or the scope of this law would prevent 95% of websites from existing in the EU (including hackernews which stores your email).

So any US company cannot store PII on an EU citizen? If someone from the EU comes to my site to make a purchase, I can't allow them to do that?


The key is consent and right to deletion. GDPR is ok with you storing data if the user consents, you list all the data, you list who you share it with, and you have a contract with anyone you share data with so you can comply with a deletion request.

The US government won’t honor deletion requests for any IPs it requests from GA, therefore you can’t comply with GDPR if you use GA.

If you don’t share data it’s much simpler. You collect just what you need to do the processing the user consented to. And you delete it when a user asks.

Edited to add: I should say the 2nd paragraph seems to be the regulator's position. It seems a bit extreme to me and I don’t fully endorse it. But my main point was to try to highlight why most essential and consented processing is unaffected by this ruling.


Yes, that is my interpretation of it. The whole point being that any data stored in the US cannot be guaranteed to respect GDPR because the US government can request access to that data and the EU citizens don't have a recourse to that. Any US business that wants to have EU citizens' PI needs to have a host in the EU.


Not just a host, but the corporation in control of the data can't be controlled by a US corporation at all, lest the US corporation be able to pressure the EU subsidiary into handing over that data.


So every US company needs to have a separate, non-controlled, entity in the EU? Seems pretty unrealistic to me.

In this scenario, I feel like the US company would be better off blocking traffic from the EU.


Exactly. Maybe it was intentional in an attempt to get the US to claw back the CLOUD act, which is the point of contention here. Until that happens, US websites (see: big businesses with a legal department) are likely going to block storing any EU citizen data, which might (but probably not measurably) help prop up local EU services.


Yes, that's exactly right. Makes perfect sense to me.


It will likely become even worse: it is not just AWS US regions, but any region. AWS is a US based company falling under US legislation, and (as far as I know) also owns its EU regions. So basically you cannot use AWS to store content of EU citizens.

You know any other US based companies? They have to follow the same reasoning.

It might even be if you are a US based company, you have to follow the same reasoning.

As a US company, you are not allowed to store or transfer data considered personal by GDPR of EU citizens, as your company can be compelled by the US government to hand over that data through an opaque/secret order where the EU citizen is not notified nor has the option to challenge this.


There is the fact that in the EU you have the right to ask (and the business the obligation to comply) for your data to be deleted.

This is incompatible with your data being kept by a US business in the US, which is not subject to that law.


> If it's not allowed how can I ensure my site is protected as I need those logs to identify and ban hackers.

Server logs are allowed as "technically necessary" as long as you show "good will" (I'd call it that way) in keeping the saved data to a minimum. 14 days of log keeping? Fine, that's cool for technical reasons. 14 weeks of log keeping? That's excessive and could get you in trouble.


Ok, so what's the actual minimum? You've said two weeks here, but where is this actually defined?


It's not defined, because it depends on why you're processing the data.

Different reasons would entail different retention times.


There's no hard limit here provided by the law or otherwise. Some of the local data protection offices say that they find something of "up to 30 days" reasonable, so I guess that's a good starting point. Cutting that time in half will show good faith and you'll still be able to analyze logs, I think.


Ok, 30 days. Do you have a link for that?


Well, you'll for example find the 30 days in this document of the data protection office of Bavaria: https://www.lda.bayern.de/media/muster_1_verein_verzeichnis.... (It's a sample for sport clubs etc.) and it's also what our lawyer has recommended to our company as the upper limit.


With GDPR and personal data, if you can justify your use then it's legit. Working out which justifications are acceptable is left -- at least partly -- as an exercise for the reader ('s legal team).

But we may observe that some practices are easy to justify, while others are more challenging. Some attempts at justification have been rejected, which means that trying to rely on them in the future is a bad plan.

Also, intent matters. If you're trying to do the right thing, you're unlikely to get into real trouble. The most likely consequence is that you're told you should stop, and given a deadline. If you don't stop by the deadline then it's fairly obvious that you're now not trying to do the right thing.


>Also, intent matters. If you're trying to do the right thing, you're unlikely to get into real trouble. The most likely consequence is that you're told you should stop, and given a deadline. If you don't stop by the deadline then it's fairly obvious that you're now not trying to do the right thing.

The vague, uncodified "intent" is my biggest problem with GDPR and GDPR-like laws, especially when it comes to small businesses. Even with the best intent, I've seen startups in my community get into "real" trouble trying to comply with mixed results. Not every company can afford to allocate the time/money necessary to comply with sudden deadlines and/or new technical requirements. Not every company can afford to take the risk of "I think this PII is absolutely necessary, but... could I prove it in court? Can I even afford the lawyers to try?" If I didn't read HN, I doubt I'd even know laws like this new French one even existed; I can't afford to dedicate someone to monitor changing laws around the world.

Saying "it's important for businesses to allocate sufficient resources toward researching evolving law in every country they might do business in, and it's okay if businesses fail if they can't afford to do so" is reasonable.

Saying "if you're trying to do the right thing, you'll be fine" is, quite frankly, the complete opposite experience I've seen from most well-meaning companies in my sphere trying to accommodate GDPR rules with limited budgets.

Of course, I am located in the US so maybe this is the intended result.


Depends on what the logs contain. If they contain no personal information at all, EU data protection laws do not apply.


IP addresses are considered to be PII so you need to either truncate them before saving or have a deletion routine in place.


IP addresses are PII when they can identify a person, and that's not always the case, e.g. a company network using NAT for outgoing connections so that dozens, if not hundreds of people appear from the same IP address.


How are you supposed/able to make that decision on a log level?


There's no way you can make that decision, which is why the simplest course of action, or the less risky one, is to treat any IP address as if it actually conveyed PII, even 192.168.0.1.
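An added example, not part of the thread: one way to apply the two measures named in the comments above (truncating IP addresses before saving, plus a deletion routine) to a web server access log, treating every address the same way, 192.168.0.1 included. The Common Log Format input, the /24 and /48 truncation widths, the 14-day window and all function names are assumptions; the log lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumptions for this example (none of these values is fixed by the thread):
V4_PREFIX = 24                    # keep the first 24 bits of an IPv4 address
V6_PREFIX = 48                    # keep the first 48 bits of an IPv6 address
RETENTION = timedelta(days=14)    # entries older than this are deleted

# Common Log Format: ip ident user [timestamp] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<mid>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$'
)


def truncate_ip(text):
    """Zero the host bits of an address; raises ValueError if it is not an IP."""
    addr = ipaddress.ip_address(text)
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) is really an IPv4 client.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def scrub_line(line, now):
    """Return the line with a truncated IP, or None if it has to be dropped."""
    match = LINE_RE.match(line)
    if match is None:
        # Unparseable input might still carry an identifier: drop it.
        return None
    try:
        stamp = datetime.strptime(match["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = truncate_ip(match["ip"])
    except ValueError:
        return None
    if now - stamp > RETENTION:
        return None  # deletion routine: past the retention window
    return f'{ip} {match["mid"]} [{match["ts"]}] {match["rest"]}'


def scrub_log(lines, now):
    """Apply scrub_line to every entry and keep only the survivors."""
    kept = []
    for line in lines:
        scrubbed = scrub_line(line, now)
        if scrubbed is not None:
            kept.append(scrubbed)
    return kept


# Constructed sample input (documentation and private address ranges only).
SAMPLE_LOG = [
    '203.0.113.77 - - [09/Feb/2022:10:15:32 +0000] "GET / HTTP/1.1" 200 512',
    '192.168.0.1 - - [08/Feb/2022:23:01:10 +0000] "GET /admin HTTP/1.1" 403 128',
    '2001:db8:abcd:12:f00d::1 - - [01/Feb/2022:07:00:00 +0000] "POST /login HTTP/1.1" 401 64',
    '198.51.100.9 - - [20/Jan/2022:12:00:00 +0000] "GET /old HTTP/1.1" 200 99',
    'not a log line',
]
SAMPLE_NOW = datetime(2022, 2, 10, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for entry in scrub_log(SAMPLE_LOG, SAMPLE_NOW):
        print(entry)
```

The truncated lines still show which network a request came from, which is usually enough to spot and block an abusive range, while the full address is never written to disk.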


This whole set of laws is so absurd. I should have the right to retain my server logs as long as I want. I bet in the future in Europe people will have the right to have others' brains forcibly zapped to remove embarrassing memories.


The whole point is that "your" logs contain personal data about others. That data is theirs not yours. Moreover if you get asked about "your" logs by the US government you have to hand "their" data over to them, for which there is no legal recourse for the person owning the data.

To make this more obvious, the EU is essentially saying that you can create a post service that routes all their letters through the US where they can be opened by the FBI, without any legal recourse.

I'm always amazed how people (even very technical) argue that things are perfectly fine for electronic data when they would completely oppose the same thing for physical things, e.g. letters. I guess years of propaganda have worked.


> That data is theirs not yours.

I fundamentally disagree. You can't come to my house with a red hat then demand I never tell anybody you have a red hat and forget I saw it. That's absurd.


I don't think ownership of a red hat would be considered personally identifiable information under the GDPR.


I should have a right that you should not save my personal information longer than needed. Now what?


No, you shouldn't. If I make an observation, that's my observation, my data. I should have full rights to observations I made myself, regardless of if it involves you. Europe has this 100% backwards.


What would you think if somebody told you this, after following you or your kids the entire day, while taking pictures and notes?


It would be weird, but sure, no difference. This is what a private investigator already does legally.


Do you think some laws might apply to private investigators and how they do that work?


Not everywhere. It depends on the jurisdiction.


But surely a US private investigator would have to respect French laws when following people in France?

The core of the issue is about fundamentally transnational transactions, and who has jurisdiction in that matter.


You do, but not users' IP addresses.


You can likely still do analytics if you don't collect an identifier that persists through multiple sessions. That's a big hit for ad-tech, but plenty other use cases don't really care for that property.

You can also collect that identifier if you 1) have a legitimate reason to do so and 2) don't share it with third parties.


> Can we cut through the clickbait and see what's wrong here. If my website asks users for their permission to use GA and they click yes then is that still illegal here? I see this as yes it's still illegal.

If you've sought the visitor's consent then yes, it's legal.


This court case makes it illegal since, while the user might consent to GA tracking, they legally can't consent to giving up their GDPR rights. Given that, the US law enforcement could still break GDPR by forcing the US corporation to hand over EU citizens' data.


Seems like a nice opportunity for a browser extension to automatically detect sites using GA, and also automatically report them to EU authorities. Zero clicks needed!


But that also remains true for the website themselves, since there is proof that the website illegally sends data of any EU citizen to the US. This really is pretty wild regulation.


Utterly confused here; half this thread is contradicting the other half.


> Can we cut through the clickbait and see what's wrong here. If my website asks users for their permission to use GA and they click yes then is that still illegal here? I see this as yes it's still illegal.

From what I can tell: If you ask your users for permission ("informed consent"), then no, it is not illegal. The way I understood the court case in Austria, the disputed point was whether or not the use of GA falls under the GDPR. If it does fall under it, then you are obliged to ask your users for consent ("opt-in"). If it does not, you can use it freely without consent.

Because analytics data isn't worth that much if you collect only part of the data, most collectors of data do not want to ask users for their consent, because most users would reject this.

But IANAL. In any case, please stop using Google Analytics, and self-host your analytics using Matomo, Plausible, or something similar. Matomo can also be configured to use server-side analytics, in which case your analytics become both less invasive (no client-side JS needed) and more complete (can't be blocked by ad-blockers).


I think this is basically a fat EU lie - that if you pop up a cookie popup most users say no to cookie banners.

I've heard that if you do a non-modal cookie banner, 75% of people just ignore it rather than go into it to deny cookies. About 12% (half of remaining) click accept all cookies. The rest close it again without taking action if they can.

I realize there are folks who go into things and customize everything on every website - most users I think don't care enough.

What's funny -> your ISP might be selling your browsing history. Your TV is selling your watching history and no one cares. But cookie pop-ups everywhere is all these privacy idiots can think about. It's performative privacy, that annoys the heck out of a lot of users and wastes a ton of time.


My hypothetical ISP and TV would also be violating GDPR if they did such things. They might currently face fewer lawsuits than google but that doesn't mean that no one cares.


The rule in Europe is basically this:

"Internet Service Providers on the European market cannot sell the browser history of their users, without their explicit and informed consent". So they add another paragraph in the sign up screen you have to click yes on to get your discounted service.

This is the failing of the EU model. Users will provide consent to access a service in most cases. To work around that, now the EU is jumping through all sorts of highly subjective hoops around what is explicit consent (it's usually pretty darn explicit), coming up with ideas of legitimate interest (talk about subject to interpretation), etc.


If they can say no and can still use the website, you are definitely in the clear.


>If my website asks users for their permission to use GA and they click yes then is that still illegal here? I see this as yes it's still illegal.

The basis of regulations is that citizens are too stupid to consent to things even if they are fully informed. Whether that is a good or bad approach is up for debate.


If this is actually true I think it has far-reaching implications. I have many questions about this approach but let's take it slow for the French example:

* Is there a list of these "things"? If not, how is anyone to know?

* Who is policing this?

* How do you get advice in your own language (not French; Google Translate does a terrible job at translating lawyer speak)?

* What are the consequences if you don't comply?


The idea of a "right" is shaky if you can sign it away with a click.


That's not at all the point. The issue here is data residency.


Asking permission for something users don't understand is tantamount to not asking in the first place.


Will you defrob my balancator? Of course not, because you don't know what it is. The same applies here: if you don't know what something means then say no. If you say yes then it's understood that you know what you signed up to.


No, this is not how consent works. Consent has to be informed and well-judged: If you don't understand what you're agreeing with, you have not given it (even if you say yes the other party cannot proceed as if they have gotten it).


An agreement requires a meeting of the minds. Blindly clicking "yes, accept cookies" in popups does not rise to that level. People just want to read the article, they do not understand or care about the data retention policy. So it is very hard to claim they consented.


And reading the data retention policy is not enough if it doesn't explain the extent to which the authorities in their country can wipe butt with said policy.

But anyway, I think even that is beside the point. I think the point is that there are things Europe considers fundamental rights. And the concept of a "right" doesn't.. really.. make much sense if someone can go "btw we'll just violate it, click to agree."


Then why does every site ever seem to still use huge cookie banners asking for that consent?


Taking this to the logical extreme:

A French website can not use any American service, right?

Because any American services "are not sufficient to exclude the accessibility of this data for US intelligence services".


We're quickly getting there.

For instance, any service that handles health data absolutely cannot have the data be accessible in any way, shape or form by American-owned entities, for any reason.

It's not hard to imagine that, as time goes on, these same limitations will be expanded to other types of decreasingly sensitive data.

And honestly, that's perfectly reasonable. The US government gives itself the right to systematically spy on everything going through US cloud companies. Precedent has shown it can and will use that data against the interests of its supposed allies, even for industrial espionage.

If the US says "every US company must give over European data to the government", then at some point Europeans have to say "US companies can't have European data".


What about Hungarian services? Hungary is in the EU.


Taking this to the logical conclusion: This is the fault of US Intelligence Services for overreaching to the point where it impacts general trust in US companies, and should be solidly blamed on them for being legitimately untrustworthy and exploitive.


Indeed, a French website which keeps private information about its users must not - ethically, morally - use US services which are accessible to US intelligence agencies.

That is irrespective of any legislation or court rulings, it's just common sense.


I wonder who are people more afraid of exposing their private information to: the USA or their own government.


Definitely USA. My government doesn't drone strike people based on communication patterns or disappear them to black sites without ever being put in front of a judge.


I'm sorry, but are we both talking about France here? The "coup d'état and murder anyone in Africa that goes against my wannabe reboot of a colonial empire," or is it the "bomb Greenpeace ships in foreign countries" France? If we are being honest, the intelligence services of France have proved to be much less accountable and much, much less constrained by pretty much anyone. It's also completely willing to do the bidding of any corporation the French government's "dirigisme" deems worthy enough to assassinate a few Africans for.

The big difference between France and the USA is that the French people usually either passively or actively support them and do not see any problem with what they are doing and would much rather look at the evil Americans. It's not even a political issue, it's almost seen as a divine right.

That's literally one of the main reasons Macron has been popular: his wannabe Bonapartist "great France" mindset (and even those who dislike him don't usually criticize him on that front) that involves crushing the enemies of France, and a whole lot of illusions of grandeur.

It's also a country where the literal neo-Nazi FN still gets 40% of the votes, but people still laugh about dumb Americans because they voted for Trump. Keep in mind, the only reason we don't see more French droning in Africa is because they lack the ability to do so.

And I'm not American or French, but I've had a lot of first hand experience with the damage France is causing in Africa and I'm very familiar with French culture. Yet I'm almost always amazed by the extent of French grandstanding online.


Are you afraid USA would drone strike or disappear you if they get to your private data? Do you think that is a valid concern for most people?


It's by far much more likely than my own government doing anything close to it yes.


Most people in the world do not live under your government.


I think it's a valid concern for everyone, yes.


Then you should get out more and talk to some real people.


You are aware that there was a number of completely innocent people who were disappeared into US black sites, because of some name mismatch, something they said somewhere or because their neighbor didn't like them. Now you might be white and have an English name so chances of that happening to you might be slim.

However, if you do not believe that this is an issue that we have to work against, I suggest you get out and develop some principles. You seem to only have issues with these things if done by communist governments.


I am aware. Those cases number in what - single digits?! Statistically speaking I am much more likely to die of the flu.

However, communist governments have done that to millions. If you don't see the difference, I suggest you reexamine your principles.


You framed the question. Don't push the goal posts around by pointing to past autocracies. It might be a very small risk, but it is infinitely bigger than the risk from my own government - where the risk is zero.


There are current autocracies too, not only past ones. Also communist, of course.

And I was talking about my government, not yours.


Single digits is still single digits too many. Especially if all involved aren't punished by the harshest possible means.


Sure. But the original question was: do you think that that should worry regular folks more than the evil and abuse perpetrated by their own government?


> Then you should get out more and talk to some real people.

There's a difference between it being a concern for everyone and everyone being concerned by it.


I'm not worried about most people, I'm worried about the people that the USA does go after, because the USA usually goes after good people who rightfully criticized what they're doing.


> USA usually goes after good people who rightfully criticized what they're doing

With drone strikes and disappearings?! Wow! Do you have an example?


The USA does drone strikes all the time, not only against minor targets, but with egregious collateral damage. Listing examples isn't even worth the energy because this is common knowledge and a simple google search would reveal hundreds if not thousands of these killings.

It was US Military leaks via WikiLeaks that first got Julian Assange onto the USA's hit list, and if and when they get their hands on him, they will make him disappear into a gruesome privatized prison system where he will have no right to be heard, because he published things the government didn't want people to know about.

I don't care if I, personally, will fall victim to this. Trusting the USA is a stupid thing to do, and you have to accept that they are capable of doing a great deal of harm to anyone they want to, regardless of nationality.


Julian Assange wasn't drone striked nor disappeared. (Although I do not approve of US's treatment of him either)

Again, do you have an actual example of "good people" being drone striked or disappeared by the US?


> I wonder who are people more afraid of exposing their private information to: the USA or their own government.

The USA, because, at least in principle, every individual has some manner of influence over his own government.


But, reversely, every individual's own government has a much bigger influence on the individual than the US government has.


The USA, of course. Don't forget you vote for your government, not for Google's CEO.


Google's CEO has pretty much ZERO powers over me. The USA government is (largely) democratic and (mostly) obeys laws. But my government... is not the one I voted for and I trust it 0%.

Because I do not live in the West but in one of the great majority of countries with a corrupt, abusive government. The democratic governments of the West are the exception, not the rule.


> The USA government is (largely) democratic

Well, if I may nitpick, it's a federal republic rather than a democracy...

More to the point though, there was this study at Princeton U about the correlation between US government policy and popular opinion on a variety of subjects which found that public opinion correlates very poorly with government policy / legislation passed, but opinions among the very-rich correlate well. Can't remember the exact reference right now.

> and (mostly) obeys laws.

Oh, definitely not. It can well be argued that there is constant mass violation of the constitution. And regardless of this, the US is such a notorious outlaw on the international level that not only does it refuse to accept jurisdiction of the international criminal court, but has in fact threatened action against court staff if the court hears any case against it:

https://www.hrw.org/news/2019/03/15/us-threatens-internation...


The effect you mentioned (democratic deficit) is also inversely correlated with unionization (which positively correlates with public engagement with government). So it could be that the reduction in population median household income due to reduction in unionization (and increase in top earner profit / larger inequalities) causes an exacerbation of the effect, with the observation you mentioned.


Under communism unionisation was pretty much complete - but that did not make the dictatorship a democracy by any means.


> it's a federal republic rather than a democracy...

Germany is both a federal republic and a democracy and I would argue that the USA is too. Both countries ultimately derive their legislation from the general populace and are representative democracies.

I've seen the claim you made several times, but every time I try to look it up I fail to understand it.

What is your reason to think a federal republic would exclude democracy?


Yes, this seems to be a common distinction made in the US, which I also don't understand. What I learned in politics at school (and studying it for a short time) was that republic and democracy are orthogonal concepts (let's leave out the federal, which seems to be even another dimension).

A republic essentially means the state doesn't have a king (head of state by inheritance), but some sort of president who gets elected in some way (not necessarily by the population). A democracy is a category of how decisions get made, i.e. by some vote of the people (demos).

Is there some subtlety I'm missing, or is this thing about "federal republic, not democracy" something just always repeated without properly understanding it?


Still infinitely better than my government though, which was the whole point.


"The government has a defect. It's potentially democratic.

Corporations have no defect - They're pure tyrannies."

- Noam Chomsky


Still waiting for those "pure tyrannies". Meanwhile every damn thing I am using in my daily life, from my car, computer to the furnace heating my house - was made by a corporation.

And I did live under communism, with absolutely zero corporations. Then I knew tyranny every day. And shortages.

Did Noam Chomsky live under communism by any chance?


The fact that you lived under a bad government, while sad, doesn't invalidate Noam's statement.


Maybe. But the fact that we haven't encountered those "pure tyrannies" anywhere sure does.


I won't dive into details, but please consider that maybe you're not recognizing them.


Considering I lived under a tyranny, I should be fairly qualified to recognize one if I see it.

But I can always be wrong, so I am open to examples.


The French service should expose user information to the French government either. If the government has a public warrant for that information, then opinions might differ about whether or not it is legitimate for the website operators to oblige.


As a US analog, I'm more concerned with my own government collecting data on me than I am about the Chinese. One of those has an entire ocean to cross to cause me IRL problems.


Since everyone is spying on everyone, what's the ethical or moral issue here?


The issue would be that the website developers / their management contribute to the issue by enabling parties to do that spying. If no data was sent to another party, then spying on that data is much harder and probably unattractive for most use-cases. GA data becomes valuable through collecting from many, many senders.

While the people doing the spying are already doing something ethically very questionable, the person deciding what data is collected on a webservice can still make the decision to contribute to the problem, or be vigilant about data protection.


So you are saying the US intelligence agencies have some unfettered access to all of GA data? Or that it is sent unencrypted and intercepted in transit?

It's not the DNS calls or phone companies that are more to worry about?


If US intelligence wants to have access, they will, via their law, as far as I understand. They will require Alphabet to give the data, Alphabet will get it from Google, and that is it. No need to listen or intercept anything.

Best thing you can do is not to make use of GA in the first place, so that no such data of visitors of your websites exists in Google infrastructure.


I think your understanding of US intelligence and forcing companies into compliance needs updating.

First, it is exaggerated, which is not surprising in today's media and outrage climate. Second, things have changed since Snowden and the congressional oversight had been rolled out. Third, GA is not that valuable compared to other sources.

Your chief complaining would be better spent about how Google uses the data rather than intelligence agencies.

Also note that Google fights against overly broad intelligence / police requests and publishes data on how many they get and comply with.


I agree, that one should be more worried about how Google uses the data.

I think I wrote about the US intelligence thingy, because it was closer to the topic. The question, why the court ruling went this way and what it rests on. If there was no possibility for the US to access the data, then Google could probably simply pinky finger swear, that they are not doing anything evil with the data and EU law might be fine with it.

Does it matter, whether the scenario is "exaggerated"? If it is possible, it needs to be considered by the law. Otherwise it might soon become less exaggerated and more reality than we would wish.


Somehow there is a lot of complaining about China doing it... I really don't understand that one...


If you think that launching your app in another region is hard, there is currently a case being evaluated in Europe which is evaluating the argument that even if the data never leaves the EU and the provider is a European entity but affiliated with or a subsidiary of a US company, that this is still considered a violation.

So unfortunately just moving hardware locations may be insufficient, even forming a new entity won't suffice.

In my humble opinion we are witnessing the nationalization of the Internet, in the name of good intent, but eventually the risk vs reward calculation of doing business across the Atlantic (for either side) will tilt in the direction of avoiding the risk.

Although it could be argued that "good, laws are made for people not for businesses" I'd counter that a great deal of the free information published by US companies and non-profits will become unavailable in the EEA.

I'm hopeful that the DPAs and courts in Europe will decide to balance these concerns.

FWIW: I run one of the more popular data privacy platforms, Osano, so this is an area we track very closely and which is near and dear to my heart. I built Osano as a Public Benefit (and certified B-Corp) to try and prevent the nationalization of the Internet by giving businesses an easy way to respect the rights of their customers & visitors.


I mean, I assume the US are interested in this exchange as well. If they are, they could lead by example and reform the CLOUD act or implement some more effective data protection regulations themselves.

We aren't in this mess because the EU somehow wants to nationalize the internet, we are because with current legislation, US companies can be forced to hand over whatever data they possess, no matter where it's stored.

Not a lawyer, but my current understanding of the current events is more or less the EU saying "if it's subject to the CLOUD act, it violates the GDPR". That's a pretty clear indication of what's wrong.


Is anyone using an alternative that provides some basic analytics and isn't likely to get me in legal hot water in the future?

I've already offloaded Google Fonts due to the German ruling. I'm happy to self-host piwik if needed, but could that fall foul of regulators?


We host Matomo (formerly called Piwik) ourselves. And we also host the fonts we use ourselves. Since we are a healthcare based startup we prefer not to share any data outside of our controlled servers.

We even disabled the cookie based tracking inside Matomo at the cost of not linking different visit sessions. Same session visits are fully tracked though. Saves us a cookie warning.


Funny thing... I went on their site (fr.matomo.org here in France) using Safari. All images are not displayed (? on each images). Tried on Firefox, displays the images fine... Checked what kind of images are these, all .webp ! :D They have improvements to do if they want to be "google free" themselves...


This is the way! Glad you went that way, still struggling to get everything set up like this for our company. But marketing will come around the corner soon... ;-)


It looks like self-hosting Posthog (https://posthog.com/) should work, and they look great.

They're a US company, so you can't use their cloud service, but it's designed to be self-hosted and they have a list of EU cloud providers so you can do 100% EU-based self-hosting if you want: https://posthog.com/docs/self-host/deploy/hosting-in-eu


I've been using [Plausible](https://plausible.io) in its self-hosted version for about a month, on a 7M+ page views per month. So far so good


What type of server specs (memory, CPU, disk size, etc.) do you use to self host it?

Based on an open issue[0], it's suggested to run a server with 32GB+ of memory to handle hosting Clickhouse but that would mean self hosting Plausible would end up being $160 / month on DigitalOcean which would make it 10x more expensive than hosting my custom app that I want to see analytics for.

I know you can use less memory but it sounds like using less can result in an unpredictable environment where everything can stop working at any given moment depending on what Clickhouse wants to do. This happened to someone who replied in that issue. Their production set up stopped working because it ran out of memory.

Someone else wrote about it using close to 8GB of disk space to track ~8k page views at https://cyberhost.uk/plausible-3-month-review/. That was only written back in March 2021 too. They said they are going to look for an alternative solution because the storage costs are too high.

[0]: https://github.com/plausible/docs/issues/67


Clickhouse has got a lot better in limited memory environments. They now recommend 4GB minimum.

The production environment that crashed due to Clickhouse OOM was our hosted product a while ago :) After that, we haven't had any downtime on our Clickhouse DB for over a year.

The issue with disk space stems from a bad default configuration. Clickhouse used to have EXTREMELY noisy debug level logging enabled by default with no rotation. This has been fixed in our hosting repo[1] so you get sensible defaults.

If you don't want to worry about downtime, planning disk space or compute capacity, then that's exactly what we offer at https://plausible.io. We process and keep the visitor data on our Hetzner servers in Germany.

1. https://github.com/plausible/hosting


The Clickhouse instance runs on a Render[0] "Standard" private service. So 1 CPU (no idea what that means), 2GB of RAM, and a 10 GB disk. So far I've been using 10% of the disk and it's not growing very much.

[0]: https://render.com


I also just deployed Plausible on Fly.io. I wrote a [blog post](https://intever.co/blog/plausible-self-hosted-with-fly) and created a [github](https://github.com/intever/plausible-hosting) repo to document the process.


Works fine for me as well, though I use the hosted version (not a high volume site atm).


The powerful thing about GA is the link with Google Ads, does that work nice for Plausible as well?


Plausible founder here. There's nothing automatic but you can track your campaigns with utm_campaigns manually.

Google has made sure that analytics for Google Ads works best within their own walled garden. Same with Facebook and Twitter with their Pixel products.

Instead of using the Referer header or utm parameters as intended, these large corps send obtuse random IDs (gclid, t.co/<id> links) which only they can correlate to an ad, search query or tweet using their internal database.

So until there is anti-trust action in this space towards more openness and competition, you're stuck with the ad provider if you want tight integration between ads and analytics.


Self hosted Matomo/piwik is pretty good. You probably want to make sure it's on servers in the EU owned by an EU company (Hetzner, OVH, Gridscale, etc). Alternatively you can configure it in a way that avoids collecting PII [1] (which also removes the need for consent popup, privacy policy etc). You won't get much info about repeat visitors that way, but I imagine it's quite usable for many use cases.

1: https://matomo.org/faq/new-to-piwik/how-do-i-use-matomo-anal...


The cnil.fr page hosting this article seems to use self-hosted piwik, which is a good sign that the regulators think it's ok.

(I wonder why they need to collect analytics information for this page at all.)


It's only ok if you self-host on a server in the EU, right? It'll be interesting when different regions of the world start having mutually exclusive laws about where data has to be stored.


>It's only ok if you self-host on a server in the EU, right?

In the EU/EEA or in a jurisdiction that has adequate level of data protection.


Self-hosting something is always going to be less complex, but you'll still need to determine what you're tracking and why, write that down in a form people can understand easily, and let people opt in explicitly (with a just-as-easy way to opt out later).

People don't have to opt in for you to keep the data for technical reasons, for instance if you keep IP addresses for a while to find and block abuse, but you can't keep data longer than strictly necessary and can't use the data for other purposes than you declared beforehand.

Write down your policies and put them in an (again, easy to read, understand and find) privacy statement and you should be pretty much GDPR-proof.


What's the rule for aggregated data?

I track page view counts as simple sums, and it's not feasible to drop an individual user's page counts because I don't have enough info to identify a unique user. In fact, I put no cookies on the user's machine (but that means I have no way to identify a specific user for opt-out purposes for these aggregated page counts).


I am not a legal advisor, but I believe the matter is settled by what you said:

> I don't have enough info to identify a unique user

If it is not user identifying information, then it should not be an issue.


I'm the creator of Fugu (https://github.com/shafy/fugu), if you're looking for an event-based analytics solution that is open-source, free and self-hostable. Fugu doesn't track unique users, just anonymous events. I also offer a hosted version if you don't want to deal with hosting (currently using Digital Ocean with their Frankfurt data center, but will switch to an EU company soon).


I just started using Goatcounter for a noncommercial site (music history research blog) and I'm happy with it. All I wanted was a glorified hit counter.

It doesn't have the goal conversion metrics and other advanced features of GA, so obviously not a drop-in replacement for all use cases.

https://www.goatcounter.com/


Another very happy user here. Was super easy to add to my Jekyll site hosted on GH pages. I believe the creator is active here as well btw.


Happy goatcounter user here too, for the same reasons as you say, way less complex than GA but it has more metrics I care about.


I think that self-hosting is the way to go, get a server in your own region/country and don't send the data to any 3rd party.


This roundup has a lot of great & lightweight options[0].

[0]: https://stackdiary.com/open-source-analytics/


We’re using our own logs with https://goaccess.io processing over 300M requests a month with no issues.

No privacy issues to worry about using trackers.


If your logs are storing IP addresses without consent from users, you are probably (IANAL, but heard this from lawyers) infringing GDPR.
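An added example (not code from any commenter, GoAccess or another tool named in this thread) of the log-based counting discussed above: it reduces access-log lines to per-day page-view counts and drops the client IP, the user agent, the referrer path and every query parameter outside an allow-list, so `utm_campaign` survives while opaque click IDs such as `gclid` do not. The log lines are constructed, and the function names and the allow-list are assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qsl, urlencode, urlsplit

# Combined Log Format:
# ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumption: these are the only query parameters the reports need.
KEEP_PARAMS = frozenset({"utm_source", "utm_medium", "utm_campaign"})


def minimise(line, keep_params=KEEP_PARAMS):
    """Return (day, path, kept_query, referrer_host), or None if not counted.

    The IP and user agent are matched by the regex but never returned, so
    they cannot reach the stored aggregate.
    """
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    if m["method"] != "GET" or not m["status"].startswith("2"):
        return None  # count successful page loads only
    day = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
    target = urlsplit(m["target"])
    # Keep allow-listed parameters only, sorted so equal sets compare equal.
    kept = sorted((k, v) for k, v in parse_qsl(target.query) if k in keep_params)
    # Referrer is reduced to its host: paths and queries may carry search
    # terms or identifiers.
    ref_host = urlsplit(m["referer"]).hostname or ""
    return day, target.path or "/", urlencode(kept), ref_host


def aggregate(lines):
    """Tally minimised rows; return (Counter, number_of_lines_not_counted)."""
    counts = Counter()
    skipped = 0
    for line in lines:
        row = minimise(line)
        if row is None:
            skipped += 1
        else:
            counts[row] += 1
    return counts, skipped


# Constructed sample input (documentation IP ranges, made-up click IDs).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Feb/2022:09:15:02 +0100] "GET /pricing?utm_campaign=spring&gclid=CONSTRUCTED123 HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2022:09:16:40 +0100] "GET /pricing?gclid=CONSTRUCTED456&utm_campaign=spring HTTP/1.1" 200 5120 "https://www.google.com/search?q=x" "Mozilla/5.0"
2001:db8::1 - - [10/Feb/2022:10:01:11 +0100] "GET /blog/post-1 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Feb/2022:10:02:00 +0100] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Feb/2022:10:03:00 +0100] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    counts, skipped = aggregate(SAMPLE_LOG)
    for (day, path, query, ref), n in sorted(counts.items()):
        print(day, path, query or "-", ref or "-", n)
    print("lines not counted:", skipped)
```

Only the aggregate needs to be written to disk; whether the raw log is kept at all, and for how long, is a separate retention decision.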


Yes! I'm currently using https://usefathom.com/, works pretty great


We decided to go for (selfhosted) Umami[0] but don't have it in production yet.

It is not really a replacement for GA though, it collects much less data. We've decided it is enough for us.

[0] - https://umami.is/


Take a look at Redistats that I built in 2013, privacy policy: https://redistats.com/privacy-policy


https://usefathom.com/ (what we use), plausible.io, umami.is


Check out Pirsch Analytics: https://pirsch.io


Nobody is going to get in “legal hot water” on account of Google Fonts or Google Analytics unless they’re Google themselves or a top 10 ecommerce company some politician wants to make an example of. There’s millions of sites relying on those things.

Is the EU going to drag them all into court?

This is like saying you never jay walk because you want to avoid the legal hot water. The water isn’t even lukewarm!


> Is the EU going to drag them all into court?

Why would they need to? Just hand out fines, like you do with traffic tickets, no courts required.


I would venture most of the internet is not hosted in the EU. You expect US, Chinese, and Japanese citizens to respect an EU fine for a law they have no say in? Sure they are doing "business" in the EU, but many of them are not doing business at all.


> You expect US, Chinese, and Japanese citizens to respect an EU fine for a law they have no say in?

No. What is the EU going to do, besides nothing? If you do business in the EU they will take your business away, and if you don't there's nothing they can do. I'm sure we all break some foreign countries laws every day and there's nothing they can do about it.

I do expect fines to be handed to EU companies and I expect them to pay them though.

> I would venture most of the internet is not hosted in the EU

Most content isn't made in the US, and the US somehow still forced its copyright system on the world.


You can sue, as said google fonts case awarded damages.

I'm now wondering if I can scale this for profit.


> Is the EU going to drag them all into court?

Not the EU itself... but your competitors, who can not just complain at your respective data protection agency but also file for c&d letters, court injunction orders or penalties.


Some courts beg to disagree with your position: https://www.theregister.com/2022/01/31/website_fine_google_f...


Oh, wow, didn’t realize 1 website had been fined $100. The legal water is boiling!


The fine is only $100 if your lawyers and legal team work for free.


You must have missed this part:

> The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of €250,000 for each violation, or up to six months in prison, for continued improper use of Google Fonts.

So, if you feel brave you can challenge some courts on this.


No, I didn't miss that part. "Next time, I'll really punish you" rarely works until there's actual consequences.


There are actual consequences: https://www.dsgvo-portal.de/gdpr-fine-database.php (I think I have seen one of those databases somewhat more official before)


This is basically a 'we are watching you' warning, second time the fine will be different


Yeah, that's definitely a slap on the wrist. But now that website needs to stop doing that, or it would face actual consequences.


GDPR mechanisms are directed at pushing you towards compliance, not getting big payouts. So in many cases you can even avoid any fine if you cooperate on first notice.


It's per claimant. That would be a $15bn Equifax settlement.


Show me a single site that relies on google analytics.


Somehow I'm not surprised that my choice of words was jumped on. Let's say "making use of" to keep further pedantry at bay.


www.airbnb.com


> I've already offloaded Google Fonts due to the German ruling. I'm happy to self-host piwik if needed, but could that fall foul of regulators?

Well... if you self-host Piwik or Matomo, you're relatively safe and you can avoid a lot of the bureaucracy bullshit that you'd have with external services.

However, check with a lawyer before setting it up, and definitely get user consent for detailed tracking. There are basically two camps of thought how much is allowed without explicit user consent: the more strict camp (which I belong to) believes that it is illegal to even use technically required data (like IP address, browser agent, date/time of visit, URL/query parameters) for analytics of any kind. The other camp is more relaxed and believes that it is OK to conduct basic analytics on that data (justified as "legitimate interest" of the site operator to provide a good experience to the user), but don't set anything like cookies or localStorage that could allow detailed tracking.

It is not yet clear by a supreme court decision which school of thought is going to win out - personally, I follow the requirement of data minimization per Art. 5 Nr. 1 lit c) EU-GDPR. Data that you do not have cannot be stolen, seized, abused or used as justification for fines, after all.


Interesting that you mention localStorage.

If the web-page's javascript ONLY stores and processes data stored in the client's localStorage to generate the local page, and sends nothing back to the server, so the web-site operator never sees that data, then is the web-site operator processing that data, or is it only the user-agent's operator ?

The web-site operator certainly wouldn't be a "data controller" since it isn't collecting or storing the data. And it's hard to see how the web-site operator would be a "data processor" in that circumstance.


Never thought about that scenario, I only mentioned localStorage or sessionStorage because it has been abused in the past to get around tracking blockers and to create "supercookies".


I've just asked the UK ICO for advice and got a confirmation it wouldn't be considered as a data controller or processor. I gave this example:

Me: "Effectively, in my case, the user is adding 'post-it' notes of their own devising that remain 'sticky' so the next time they visit the same page they'll see their own notes - but those notes are never sent to the server"

Me: "It's effectively the same circumstance as a classical computer program being downloaded by the user, and then used (locally) to create/save files on their local device. In that case you wouldn't consider the author of the computer program to be the data controller, surely?"

ICO (Flynn): "Flynn: Okay that sounds reasonable." ICO (Flynn): "So if your product/service is not dependant on personal data and you are not processing it then you appear to not be captured by data protection legislation."


i am working on splitbee.io :)


This is really good news for consumer privacy everywhere. I was just in a meeting with some marketers in my org and they were quite dismayed so I'm conversely quite happy. I've been saying for years that content is king and tracking will only be sustainable for so long. It's only a matter of time before laws like this are the norm rather than the exception globally.


Shouldn't Google etc. go after the draconian US laws making this an issue? I feel most of them try to attack EU or fight the courts there.


is google making a lot of money from analytics?


Maybe not directly, but analytics is what allowed Google to "see" the whole internet, with some help of Chrome. These 2 products allowed Google to track the majority of the internet traffic for the past 15 years.


At this point they have so many channels and side-channels, that i think they can comfortably let go of GA.


For those of you outside of the EU who would like to opt out of being tracked by Google analytics on web pages, install the browser add-on Ublock Origin.


Shameless plug: I have been building a self-hosted-only analytics platform for a long time: https://www.uxwizz.com. It looks like a good time to switch to self-hosted analytics.


Is it really such a rare occurrence for people to want to see statistics for a specific page or compare pages/articles? Because almost all new-wave analytics tools either do not support it, or it’s hidden and not easily discoverable.


Are you referring to stats such as time-spent on a specific page?

From my experience, there are several thousands of people/companies using UXWizz and so far no one has requested this feature yet.

But now that you mentioned, it seems like a pretty useful feature, especially if you can see top performing pages/articles.

I think one reason why people don't care about the specific analytics for a page is that they usually write pages/articles for SEO purposes. To see how well a page is performing SEO-wise, you usually go to Google Search Console (or Bing Webmasters) and see search terms/click-through-rates for that page.

Also, time spent on a specific page is not that useful, typically you want to see: if people are buying stuff, where do people that buy stuff come from and what page do they land on.


General information. How many views/visitors over time, referrers, etc.

I did try to click on the top page lists, but those weren’t links. I found "Add segment" eventually, but at least on the demo page it’s not working (for the pages I tried, eventually I found a page with stats), and the interface is atrocious [0] for finding anything and breaks the site [1].

Our website is not posting articles to get people to buy other stuff, but the actual main part of the website (articles, and free or paid product tests; money is made both by selling tests and ads, with the ads not just being generic but specifically bought by companies with often contextual targeting). So my boss usually wants to know what articles do well (and not just from SE’s, we have a lot of repeat visitors), how soon interest drops, etc.

[0]: https://i.imgur.com/Buf0Vgd.png

[1]: https://i.imgur.com/wIO0d2B.png


Thanks for the feedback!

I will add the per-page stats to the Roadmap, as I think it's a useful feature.

I agree, the UI can be greatly improved, and it is something that I will be working on soon, especially making sure all the edge-cases are covered.

Regarding the screenshots, the long page-name indeed breaks the UI, but normally you wouldn't search for a specific page including all the query parameters, you would add something like "/pricing*" (so it matches all visitors that visited the pricing page, regardless of the query parameters). I am still not sure whether I should separate query parameters from URL path, I did consider it but many pages use query parameters to display a different page/content (e.g. /article?id=5, where changing the id of the article leads to a completely different page, maybe I could by default exclude all query parameters and then have the option to keep a custom allow-list).


Could you list a few of the per-page stats that you would want to see? I can only think of time-spent, which I think I could simply display in the top pages list.

You can already see sessions count for a specific page using the current segment feature, just add that page name to a new segment, and you can see the count of sessions that saw that page and the referrer (for that specific visitor though, not necessarily that specific page).


To talk about UXWizz specifically, I try to implement only core stats (to not bloat the platform). But because you have access to the MySQL database directly, you can always create your own graphs on top of it or run a query to find the time spent on a specific page.

To give a concrete example, such a query would be the following, which shows all pages and the average time-on-page, ordered descending by time:

    SELECT MIN(page), AVG(TIME_TO_SEC(timediff(last_activity, date))) as avg_time
    FROM ust_clientpage 
    GROUP by page_hash
    ORDER BY avg_time DESC;


Last night I finally pulled the trigger on becoming a Supporting Member of NOYB¹ (My Privacy is None of Your Business). Seeing this story on Hacker News tonight reaffirms that decision and I’d recommend that other Hacker News users who care about data privacy do the same. Technological solutions that we use (Firefox containers, uBlock, etc.) are band-aids that work for a technically adept minority of citizens. The real struggle is political – and legal when data protection legislation isn’t being enforced.

¹ https://noyb.eu/en/support-us


For those who need a summary of what is happening in the EU [1]

1. Since 2020, it's illegal to send personal data to the US because of the invalidation of the Privacy Shield [2]

2. Google said it was okay in the EU to use anonymized IP addresses

3. The Austrian Data Protection Authority (DSB) [3] ruled differently and waived most of the arguments raised by Google. The DSB ruled that even anonymized IP addresses are personal data.

4. The Data Protection Authority of The Netherlands followed by implying that the use of Google Analytics might be banned in the future [4]

5. Now, the Data Protection Authority of France (CNIL) followed

This is a sound decision, but not a new one. It's a confirmation of what has been ruled in July 2020, but now it seems to have more impact.

PS: I'm the founder of Simple Analytics [5] - the privacy-first analytics tool that, unlike other privacy tools, does not use any identifiers.

[1] https://blog.simpleanalytics.com/will-google-analytics-be-ba...

[2] https://iapp.org/news/a/the-schrems-ii-decision-eu-us-data-t...

[3] https://www.data-protection-authority.gv.at/

[4] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/interne... (in Dutch)

[5] https://simpleanalytics.com/

EDIT: changed "PII (personally identifiable)" to "Personal Data"


> the privacy-first analytics tool

Don't be coy. Call it what it is - an analytics service.

And as such it falls largely in the same bucket as GA, because if someone's using Simple Analytics, my surfing data - against my wishes - is being shared with some random third party. Whether it's less, more or comparably evil as GA is secondary.


Yes, and when you go shopping and pay with cash in a store with no surveillance, your shopping habits are being shared against your wishes with a random third party (the external company bookkeeper).

It's disingenuous to have problems with websites collecting entirely anonymous browsing data -- that goes beyond any arguments for privacy and just steers into "yelling at clouds" territory.


That’s bad too. There are also things happening in the world that are much worse, like people getting murdered. All these things can be bad at the same time.


> That’s bad too

In what way? I agree that personally tracking an individual and using psychology tricks and whatnot to trick them into buying stuff is bad, but if it's just a company knowing what works well for them, I don't see the argument.


I was referring to this:

> when you go shopping and pay with cash in a store with no surveillance, your shopping habits are being shared against your wishes with a random third party

Retail stores also use your shopping data to target you with ads. Credit cards also obviously sell your purchase data to anyone willing to pay for it. I wouldn't be surprised if retail stores even sell your cash purchase data to any third party willing to pay for it.


External bookkeepers are bad now!?

Information is valuable, but it is not holy.


The other replies are missing what analytics is really comparable to. With a standard purchase, we have an exchange of the minimum necessary information at the point of engaging in a mutual financial transaction. The bookkeeper can examine that transaction after. They can look for patterns in what receipts have. That's fine.

Analytics isn't that. Analytics is tracking a customer walking into the store and looking for which store they came from. Analytics is noting down how long a customer spent holding a blue item, if they looked at a big red item, and noting it down because it might matter. Analytics is seeing how the customer went back and forth between one aisle and another. Whether looking at one item made them less inclined to look at the next. Analytics is hoarding all of that information and keeping it even if the customer doesn't make a purchase.

Of course stores have been looking at how and why and when customers shop for years, but through consensual studies. They learnt to put the fruit at the entrance and the sweets at the exit. They learnt to put their high value items at eye level. And they didn't do it through spying and analysing the behaviours of everyone walking through their doors. They didn't keep years of CCTV with the sole excuse that they might want to see how long you lingered between deciding on diaper brands.

The web has no excuse.


>Yes, and when you go shopping and pay with cash in a store with no surveillance, your shopping habits are being shared against your wishes with a random third party (the external company bookkeeper).

How, you don't enter your name when you pay with cash.

Also, in the EU it is illegal to share any personal info in the physical world too; say you go and make a subscription to a gym, they can't share your data with a third party unless they make you sign a paper first.

Edit:typos


> How, you don't enter your name when you pay with cache.

You don't need to be identified by name, just by a "fingerprint". If you go there regularly you will be identified by your "fingerprint".

"Oh, it's that one privacy nut again who always wears sunglasses and a hoodie and only pays in cash"


>"Oh, it's that one privacy nut again who always wears sunglasses and a hoodie and only pays in cash"

And the store person will then what? Open excel and write "a dude with glasses was here at 12:51"? and then send the file to 100+ partners?

>You don't need to be identified by name, just by a "fingerprint". If you go there regularly you will be identified by your "fingerprint".

So the physical stores have some shady dudes attempting to lift fingerprints from money then some statistics guy try to put probabilities on which fingerprint matches which anonymous guy?

here in my country you still pay with cash and the store people put it in a machine combine it with money from other people, it will be a lot of work and risk for some shitty nano reward.

Edit typo


Sorry to nitpick, but since you wrote it 2 times wrong:

it is cash, not cache.


No problem, thanks


And the GDPR forbids them from writing that information (e.g. "the privacy nut bought apple juice") down or passing it to a third party without your explicit consent.


On the other hand, it's perfectly legal (and usual practice) to contract out the operation of people counting devices that just tally up how many persons go through a door.

(By the way, a gym can and usually does share contract data including personal information with numerous third-parties such as external bookkeepers. This is legal under the GDPR without explicit consent.)


>By the way, a gym can and usually does share contract data with numerous third-parties such as external bookkeepers. This is perfectly legal under the GDPR)

Why is it legal, does the gym need those 100 contractors to know my data for it to work? What are those for, 100 different accountants? How did gyms or other businesses work before the internet, did a guy walk to 100 different locations with papers in hand so those "partners" take a quick look?


Yes, before there was electronic bookkeeping businesses hauled stacks of paper to their accountant. This is standard business practice since literally centuries.

If they want to send you a letter, they have to give your data to the postal service. Again, no consent needed.

This is legal because our whole economy is based on division of labor. Privacy laws account for that.


Maybe you are referring to required data. I can buy some bread and the store does not need my ID for accounting purposes, so not sure what exceptional stores or gym need to send a copy of my ID and my activities to their accountant.

My problem is with the 100+ partners that are OBVIOUSLY not partners and not required to have my data.


Ok, now what's the difference between sharing "1 bread sold" (with no identifying information about the customer) with a third-party and "1 page visited" (with no identifying information about the visitor) with a third-party?


"1 page visited" (with no identifying information about the visitor) with a third-party?

False equivalence, no online stalking company actually works like that (that would require a server-side hook). They all make the visitor go to the third party's desk and increase the tally themselves (via http request), giving the tracker company access to all the contact details of the visitor.


The fundamental issue here is probably sharing with a different nation. If Google would be German, they would have no problems with it.


"Why is it legal" is the wrong question. There is nothing wrong with freedom. You already know this. The problem is the lack of competition. You should be asking why is the competition so small for this particular service with bad terms that you can't find a better place around you that provides a better service.


The bookkeeper literally needs access to receipts and invoices to do their job. No bookkeeper is going to work from an anonymous list of payments; that's how you get swept up in a money laundering raid.

Before the internet, the owner took a shoe box of receipts to their bookkeeper every month. Those receipts had your name, date, etc. on them.


>Those receipts had your name, date, etc. on them

How, when I buy stuff in real world and pay with cash I don't ask for an Id Card, so why do you think the store needs names on the receipts? Is this something that happens in your country? For buying cars, land you need an Id, if I buy even an expensive electronics no Id is needed I just return the product and the receipt that has no name on it back.

I remember when my grandfather was doing accounting for a bar before Internet days, the papers were about the stuff not about people, like how much beer was bought, how much was sold, stuff like that.


Please note you made "numerous" into 100. Realistically the number is way lower.


Did you ever count the partners in the GDPR popups? There are for sure some that have 100 if you include the partners' partners.


>your shopping habits are being shared against your wishes with a random third party (the external company bookkeeper).

GDPR requires data sharing to be done for a defined purpose.

The purpose of sharing data with an external company bookkeeper for bookkeeping is not remotely connected to any purpose an analytics service fulfills. So while the shared data is capable of the same insights, it's explicitly illegal for it to be processed that way without a defined purpose (which is its own can of worms).

>entirely anonymous browsing data

It's never entirely anonymous, because how useful data is, is inversely related to how anonymous it is.

ergo it would only be truly anonymous if it was truly useless.


It's still legal to ask your bookkeeper to go through the books and give you a list of your 10 best selling products broken down by season (given you have all the right paperwork in place with them etc. but no consent of the customers needed).


Well, it's not necessary to process any personal data in order to calculate that.

Can you ask your bookkeeper to tell you the top 3 best selling products for your top 5 customers without declaring that the purpose of the data transfer to the external bookkeeper is also to run sales analytics?


It is necessary to process personal information for that purpose. That's what the sales records are.

> top 5 customers

You probably have to declare that the data is processed for that purpose in general terms but I don't see why consent would be necessary. Anyway, this analytics service claims it doesn't do this kind of analysis.


Obviously it depends on the system involved, but there should be no need to touch any column containing personally identifying information in order to calculate aggregate sales statistics for each of your products.


Nope, the external company bookkeeper doesn't know which of the hundreds or thousands transactions are done by me. He doesn't even know how often I bought something. And even if, that knowledge is nothing compared to the millions of data points of services like google analytics.


If it were true as AdriaanvRossum said above that Simple Analytics data has "no identifiers" (taking that at face value for now) then that seems exactly analogous to those cash transactions someotherperson describes.


Simple Analytics absolutely does receive identifiers (namely IP address). They claim they do not store these addresses, but that depends entirely on trusting them and their closed source software.

This is very unlike the accounting firm, which never receives any identifying information for cash transactions and thus couldn't store it even if they wanted to.


Not quite analogous. If they ask for my zip code every time I buy something cash that's more similar.

It's still a difference between not having data and not storing it. The latter needs trust, the former doesn't.


> shopping habits

I think you are wrong. What they receive is a set of purchases in a given period of time that allow them to make many important decisions (when people buy most, what purchases are more likely on a given date etc.) but there is no way of finding out my shopping habits.


no - the analysis is done on receipts, not just total products sold. They don't care what you bought, they care to know that people who buy diapers also buy wipes, and people who buy soy milk don't buy butter, etc. The analysis of anonymous receipts still yields very interesting and actionable results in aggregate. Your privacy has nothing to do with how a company analyzes its sales data as long as they don't include your identity and drill down into analyzing your receipt alone.


Yes, I understand that they see patterns and trends and a lot of valuable data: my point is that they have no way of tracking shopping habits of any individual purchaser unless they trick them into some loyalty program, coupons etc.


I think we agree. If the average search advertiser gave me the same benefits that some loyalty programs do, I'd feel a lot better about them. I.e. if I got points for the data I provided in my browsing habits that translated into actual dollars, I'd be game to let them have it. If I wanted to "not swipe my loyalty card for this purchase" to leave it out of my history, I'd appreciate the granular control.

The issue with all the tracking is that most consumers have no choice, no functional UI to interact with the tracking systems, and no clear idea of who they are ultimately transacting with.


As a nitpick: "unless they trick enough customers in a loyalty program or something".

With enough good data (so probably not in all sectors) you can also identify people out of the system.

There are not that many bits of entropy in (contextualized) human behavior.


> With enough good data (so probably not in all sectors) you can also identify people out of the system.

Sure, it's technically possible. But if you would actually do that, you run afoul of the GDPR requirements for informed consent: retroactively identifying people in a dataset requires the same consent as targeted data hoovering, so if an individual has only consented to being included in anonymized statistics that practice is sure to get flagged down as unlawful.


Yes, that's definitely possible, but humans being human I doubt it can be 100% foolproof. If I go to the grocery store every Saturday at 11am and purchase a similar set of items, you can probably single me out and assign some UID to me. However, if I unexpectedly pop in Wednesday evening to just buy a bottle of wine, it would be difficult to assign the purchase to the same UID.


If you pay by cash the shop has no personal data about you.


Not necessarily, they might have timestamps and register # that could be correlated to build an "unsupervised" profile of a customer.

Extreme case: you are the only person that ever buys product X around time Y, so that fact can be used as an anchor to build a profile.

You need to be way more paranoid if you want to be a true privacy warrior.


Also be careful not to leave any fingerprints or strands of hair around!


So better not leave your basement at all.


GDPR also applies to the real world. That store is definitely not allowed to share data about your shopping habits with some third party without your explicit consent. For example government departments in Germany have to ask for your explicit permission beforehand if they need to request/share data with a different department.


This is in general not true and German government departments share data with different departments all the time without explicit consent of the affected citizen. This is also not a good example as there are additional legal restrictions for government departments which businesses don't need to obey.


If the sharing is not required by any law they have to ask. Sometimes they do. I'm sure there are cases where they share without either of the preconditions met.


There are cases in which sharing without asking is legal without it being required by law.


GDPR is a standardisation of pre-existing national rules within the EU member states, at the time including the UK’s Data Protection Act. When I was at university, one of the examples of the scope of the Data Protection Act was a barbershop which kept hand-written (no computer involved) records of customers, and one customer used the DPA to demand to see their records and then to have those records destroyed.


Is your claim that they can't share a customer's address with a shipping customer, and thus must actually perform all shipping themselves?


GDPR has an exception for things that are necessary for the service the customer asked for. If you ordered something to be shipped to your home then the provider can share your address with the shipping company - that's required to fulfill their end of the deal. Sending your personal information to some 3rd party advertising company? Not so much.


If the seller can subcontract the delivery service, is there any reason they can't subcontract their accounts receivable?

I think the element you're missing is - of course this is OK, it happens all the time. What the comment you were responding to before wasn't making clear is that when it's done, there must be contractual provisions limiting the service provider's use of the data, so they can't use it for their own purposes.


I understand your concern. It's also an analytics service. But I believe we are very different [1]. We deliberately collect very little data [2].

There is a big difference between "a person's surfing data" or "surfing data of all visitors combined". That's what we promise with Simple Analytics.

[1] https://blog.simpleanalytics.com/why-simple-analytics-is-a-g...

[2] https://docs.simpleanalytics.com/what-we-collect


You're within your rights to create and offer whatever kind of service you want. As an end-user, however, any data what-so-ever sent to a 3rd party without my knowledge or consent is too much. There is no such thing as "the right amount."

I'm OK with websites using self-hosted tools such as Matomo as long as the data never leaves their servers. Analytics is important to any business. But I choose to do business with said business, not with Shopify, not with Google, not with Facebook or Twitter (I'm looking at those "sign in with" widgets that run social media code in my browser) or whatever 3rd party "SaaS" service the website is outsourcing my data to for ease of development or convenience. I don't consent to my data being shared with people I don't know about and did not consent to give a single shred of my information to.


This seems very impractical given the way the internet currently works. Most startups use dozens of SaaS products, let alone more basic/foundational things like global CDNs. You're being logged at every step of the process if only to prevent spam/DDoS/etc.

What you're asking for would require a fundamental restructuring of the internet, and of software business models, and a lot of other stuff. I can't see that happening any time soon.

In the meantime you can try using Tor, but good luck not getting blocked on half the websites you want to visit - and you can't blame the website for that (they need DDoS/spam defence).


Not only the internet, this is impractical given how any business works. Even a brick and mortar store is sharing aggregate customer buying habits with its supplier based upon products it buys from them.


When I visit a website of some business, I provide them with an IP address for use during the session (because of the way TCP/IP works). I'm okay with said site using some kind of load-balancer, DDoS protection or what not, as long as the business takes full responsibility to keep my personal information private unless I specifically indicate otherwise (opt-in[1]), for example using a form on the landing page. I believe that this is the true intent of the GDPR in this matter.

[1]: https://europa.eu/youreurope/citizens/consumers/internet-tel...


>as long as the data never leaves their servers

This is kind of ridiculous in the cloud era, isn't it?

The analogy with external accountant up this thread is a good one. It's not about where data are processed, it's about how it's used.


No, it's not. Using Matomo on my own servers has nothing to do with the way GA etc. operates - it's an equivalent of going through my own Nginx logs and parsing them to generate diagrams and so on. Of course if I share personally identifiable data with a third party, it's a completely different thing - in this case it does not matter if it comes from Matomo or web server logs.

But I agree with your conclusion: what matters is how it's being used. In this case - whether you share/sell it to others or not.*

[*] But not only: it also matters if you take adequate care in protecting personally identifiable information or not.
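As an added illustration of the log-based approach described in the comment above (example code, not part of the thread and not how Matomo works): a sketch that turns "combined" format access-log lines into per-page statistics while discarding the IP address, user agent and query string at parse time. The log lines are constructed, and `min_count` is a hypothetical small-count suppression threshold.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# nginx/Apache "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample input (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
203.0.113.57 - - [10/Feb/2022:09:00:01 +0000] "GET /pricing?utm_source=news HTTP/1.1" 200 5123 "https://news.example.org/item?id=1" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.99 - - [10/Feb/2022:09:02:44 +0000] "GET /pricing HTTP/1.1" 200 5123 "https://news.example.org/item?id=1" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.14 - - [10/Feb/2022:09:05:10 +0000] "GET /pricing HTTP/1.1" 200 5123 "https://news.example.org/" "Mozilla/5.0 (Macintosh)"
198.51.100.14 - - [10/Feb/2022:09:06:30 +0000] "GET /account/reset?token=abc123 HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.8 - - [10/Feb/2022:09:07:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.81.0"
192.0.2.8 - - [10/Feb/2022:09:07:05 +0000] "GET /missing HTTP/1.1" 404 153 "-" "curl/7.81.0"
"""


def minimise(line):
    """Reduce one log line to (day, path, referrer host), or None.

    The IP address and user agent are matched by the regex but never
    copied into the result. The query string is dropped as well, because
    it can carry tokens or campaign IDs that single out one person.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    if m["method"] != "GET" or not m["status"].startswith("2"):
        return None  # count successful page views only
    path = urlsplit(m["target"]).path
    ref_host = urlsplit(m["referer"]).hostname or "(direct)"
    return (m["day"], path, ref_host)


def aggregate(lines, min_count=2):
    """Count page views per (day, path, referrer host).

    Rows seen fewer than min_count times are suppressed: a count of one
    describes a single visit, which is not an aggregate any more.
    """
    counts = Counter()
    for line in lines:
        key = minimise(line)
        if key is not None:
            counts[key] += 1
    return {key: n for key, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for (day, path, ref), n in sorted(aggregate(SAMPLE_LOG.splitlines()).items()):
        print(day, path, ref, n)
```

The raw log file still contains every IP address, so its retention and access control matter as much as what the report shows.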


In general, under the GDPR it doesn't matter much whether you process data yourself on your own server or contract that same task out to a third-party. Either that processing is legal or it isn't - ownership of the server doesn't play a role.

The problem with Google Analytics here is not that it's a third-party but that it's under US control.


> any data what-so-ever sent to a 3rd party without my knowledge or consent is too much

So do you want “we want to load JS from a CDN like literally everyone does, is that okay” popups on every website?


You should self-host 3rd-party libraries for performance and reliability reasons anyway

- reduces the number of TCP connections
- reduces the risk of failure if the relevant edge node can't be reached

Browsers don't support cross-site caching of 3rd-party content so whatever limited benefits there might have been of using a library CDN are long gone


A CDN isn't about caching jquery and sharing for various domains, everybody knows that doesn't work anymore.

It's about getting jquery physically closer to your users. And sure upload it to your "own" CDN that you pay Azure or whoever for.


> Everybody knows this doesn't work anymore

I'd be willing to bet that most web developers don't know about how the browser cache is partitioned

And most people don't know that it never really worked (apart from perhaps a few Google fonts)


> we want to load JS from a CDN like literally everyone does

Well, carry on and load it, it's your server.

Oh, wait, you mean you want ME to load it, into MY browser? That's a problem - my browser only loads JS from the origin server, and only if I give it explicit permission.

As a developer, I deplore the use of CDNs to serve javascript libraries; you don't know what the CDN is going to serve to your users, it could change without warning and break your site.



You’re just illustrating why this isn’t an issue requiring legislation - anyone can block requests to whatever origin they like. No need for heavy handed gov’t getting involved in technical matters.


Anyone is a huge stretch. First people need awareness and secondly skill.

Neither is widespread. Leaving users, especially vulnerable ones, to the whims of businesses.

Privacy isn't a "technical matter".


So maybe the legislation should be that you have to pass a "internet operator" test to get a license that ensures you have the awareness and the skill. Because even if the current law protects you from GA, there are tons of other companies doing the same things and have no intention of stopping.

Better to protect the people from all the bad companies, not just the ones who do business in the EU, right?


Sounds like protecting the people by leaving it to them, and (somehow) restricting their internet access if they haven't passed a course in internet jiu-jitsu.

And no: the GDPR isn't just about GA, and it isn't just about the internet; it's about any personal information.


Ad-blockers and JS-blockers are essentially technical solutions; but you have to know to install them. If they were integrated into browsers (and defaulted to "on"), that would make privacy less of a technical matter.


If the large news outlets took a couple days to educate people, they’d know how. It’s not that complicated.


If you buy a gun then you can shoot the guy who robs you, so the robber doesn't do anything wrong.


More analogous to locking your window, so the robber can’t get in to do wrong.


Why is breaking into peoples' homes illegal (and prosecuted) even though anyone has the ability to lock their window?


Maybe because the two crimes here are (1) breaking and entering (you have to actually break something) and (2) theft. If the window isn't locked, then you don't have to break in; you can just open the window.

It's not against the law to just walk in; or rather, it's the civil offence of trespass - you can sue the trespasser for damages, e.g. causing wear on your expensive carpet (but you'd have to produce evidence of monetary damages). And you can physically remove them, perhaps with the help of a bailiff. But the police won't help with common trespass - it's not a crime.

[Edit] At least, that's how I understand the law here. IANAL.


Locking your windows is common knowledge, the details of technology are not.


As long as Personal Data isn't being transferred, there is no need to ask.


That CDN will know your IP and what site you’re from, and likely can do a decent job correlating visits with other sites.

The internet is just not designed for privacy at a technical level.


> The internet is just not designed for privacy at a technical level.

The Internet is A-Ok.

The issue lies with various slimy companies that exploit web developers ignorance, laziness and negligence with free and easy shortcuts in exchange for the private data of said developers' clients.

No one's forcing you to use CDNs in place of a properly setup caching. No one's stuffing Google Fonts down your designer's throat, they are just lazy to add local resources. An analytics service is not required and there are simple self-hosted options. And so on and so forth.

And the most infuriating part is that these companies, Google being the offender, know perfectly well that they are exploiting the ignorance and they are willingly facilitating and encouraging the spread of practices that would've been viewed as wildly unethical not 10-15 years ago.

Just look at the level of general erosion of privacy and nearly universal lack of concern for it in general population. If you reflect on it for a moment, it is plain fucking scary.


> I'm looking at those "sign in with" widgets that run social media code in my browser

Arguably, they provide code that can be run in your browser, but your browser chooses to run it. And since your browser is a user agent, you choose to run the code by way of installing and configuring a browser that makes that choice by default.


> I'm OK with websites using self-hosted tools such as Matomo as long as the data never leaves their servers.

You might never know that they backfeed data into external analytics services. Under this assumption, wouldn't you need to stop using _any_ website, at all?


Here you go again, being coy.

It's not an "also" analytics service. It _is_ an analytics service.

If a website popped a question saying "Do you consent to your visit data being passed to Simple Analytics for processing?", how many people would say Yes? Close to zero. Just look at the stats on 3rd party cookie refusals - when done easily, the refusal rates are in high 90%. People may be lazy, but they sure as heck know they don't want to be tracked IF it's actually mentioned.

So what you offer is a GA alternative that makes website operators feel better about themselves for not using the GA. The situation with the visitors remains exactly the same - they're still getting shafted with something that none of them wants.

The only way to do analytics in a way that's respectful to the visitors' privacy is with an installable on-host software. That's it.


> The only way to do analytics in a way that's respectful to the visitors' privacy is with an installable on-host software. That's it.

This is an argument taken to a naive extreme. You can't expect every business to also be in the business of analytics, it's not realistic. There's a reason companies have business partners who specialize in certain services.

It's why you have accountants, lawyers, marketers, etc.. Not every company can afford to have all these specialists on payroll, so you work with a service provider that lets you afford the services in a fractional way. You give them access to your data, including customer data sometimes, and in return they provide you with insights and information from that data.

Analytics is just another service provider like that.

You should of course work with a reliable and trusted partner that treats your customer data appropriately and has strong privacy guarantees.

The problem with GA is not "third party", it's "third party that uses my data for its own purposes" because that's the actual cost of using a free service.

Saying "no third parties at all" is not how businesses have operated since forever.


You are missing the context.

Privacy-respecting analytics should be self-hosted. No one's arguing against an average business using an analytics service, but that shouldn't be bundled with any "privacy" monikers.

If Simple Analytics were pitched as "not a Google Analytics", this would've been perfectly fine. But they insist on the privacy angle and it just demonstrates they don't grok what tracking concerns are about.


Oh no I get the context just fine. What you're missing is that "should be self-hosted" is outside the realm of the average business, and it's not realistic to put this as some arbitrary requirement to check the "privacy" box.

You're clearly a tech person so maybe it feels self-evident or easy for you to do that, just like taxes and law seem self-evident to accountants and lawyers, but the average business owner doesn't have time or money - or the skills - to figure all that out on their own, so they hire a service provider.

Do you think accountants and lawyers come to the business and work on their computers exclusively? No, they receive copies of the confidential business data and work on it within their own business environment.

And do you think accountants and lawyers don't include "privacy" in their pitch?

How is that different from analytics saying "we will keep any data you share with us private, and for your use only".

Based on your argument, as a business owner I should purchase and co-locate my own server, because even if I self-hosted my analytics, I'm storing that data on a third party server owned by my hosting provider!


Do accountants and lawyers routinely use or sell their customers' aggregated data for commercial purposes?

Does US law require accountants and lawyers to give the NSA access to their customers' data upon request, with an automatic gag order attached? If it did, would it still be OK for non-American companies to use a US-based accountant or lawyer?


> Do accountants and lawyers routinely use or sell their customers' aggregated data for commercial purposes?

No, and that's the point I was making! It's a fallacy to say "all analytics providers are selling my data". That's not true, it's Google.

OP was claiming that any third-party analytics are unacceptable, simply because of how Google operates.

That's the discussion in this subthread.


> OP was claiming that any third-party analytics are unacceptable

Don't put words in my mouth. I was not claiming that.

Third-party analytics _that bill themselves "privacy-first"_ are still not what any user would consent to voluntarily, so the "privacy" angle is largely irrelevant. What they should be billing themselves as is "not Google Analytics", which will be factually correct and somewhat relevant.


>> OP was claiming that any third-party analytics are unacceptable

> Don't put words in my mouth. I was not claiming that.

You stated that only self-hosted analytics were acceptable. Your exact words were:

> The only way to do analytics in a way that's respectful to the visitors' privacy is with an installable on-host software. That's it.

This implies - to me - that in your view all third-party analytics are unacceptable from privacy perspective.

I'm not sure how else I was supposed to parse that statement?

Either way, I disagreed with that, and said it's certainly possible to work with third-party service providers, of many kinds including analytics, while still respecting your customers' privacy.


I think the big difference here is that this platform sells a product to website owners who want to see how their visitors generally behave on their site, e.g. which pages are most popular. That is a legitimate need.

The difference with GA is that GA offers to fill this need of website owners for free while it actually processes and sells the visitors data for immoral ends. The whole "the customer is the product" deal.

I don't understand why simply sending data from one server to another is seen as such a big deal, the problem with Google and Facebook and the rest is how they build extremely detailed personal profiles that they use to cause social harm. Surely that is very different from tracking which pages get the most views or how much time - on average - people spend on your website?


Did you read their docs? They aren’t setting cookies or collecting IP addresses. There’s no question to me that EU authorities would approve this method.


Visitors' IP addresses are provided to Simple Analytics in the course of loading their script and reporting back the results. That's all it took to get web sites using public Google Fonts resources in trouble—note that this didn't involve any actual analytics scripts or overt data collection, just some embedded CSS and font resources.

The only real advantage Simple Analytics has here is that they aren't Google, so they aren't as much of a political target and don't have deep pockets to attract legal predators on the lookout for an oversize payout—which is a pretty thin justification for treating them any differently.
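As an added illustration of the point in the comment above, that merely loading a script, stylesheet or font from another host hands that host the visitor's IP address (example code, not part of the thread): a static audit that lists every third-party host a page's HTML makes the browser contact on load. The page URL, the markup and all `example.*` hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute makes the browser fetch a resource on page load.
FETCHING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
# <link> only triggers a fetch for some rel values (not for rel=canonical).
FETCHING_LINK_RELS = {"stylesheet", "preload", "modulepreload", "icon"}

# Constructed sample page.
PAGE_URL = "https://shop.example.com/products/"
PAGE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="canonical" href="https://other.example.org/page">
<script src="//cdn.example.net/jquery.min.js"></script>
<script async src="https://analytics.example.org/latest.js"></script>
</head><body>
<img src="img/logo.png">
<a href="https://partner.example.com/">partner</a>
</body></html>
"""


class ThirdPartyAudit(HTMLParser):
    """Collect resources that are fetched from a host other than the page's."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlsplit(page_url).hostname
        self.findings = []  # (host, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr_name = FETCHING_ATTRS.get(tag)
        if attr_name is None:
            return  # e.g. <a href>: only contacted if the user clicks
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return
        raw = attrs.get(attr_name)
        if not raw:
            return
        # Resolves relative and protocol-relative ("//host/...") URLs.
        url = urljoin(self.page_url, raw)
        host = urlsplit(url).hostname
        # Exact host comparison: a sibling subdomain is reported too,
        # so the reviewer decides whether it is really first-party.
        if host and host != self.first_party:
            self.findings.append((host, tag, url))


def third_party_hosts(html, page_url):
    """Return {host: [(tag, url), ...]} for resources loaded off-site."""
    audit = ThirdPartyAudit(page_url)
    audit.feed(html)
    audit.close()
    by_host = {}
    for host, tag, url in audit.findings:
        by_host.setdefault(host, []).append((tag, url))
    return by_host


if __name__ == "__main__":
    for host, items in sorted(third_party_hosts(PAGE_HTML, PAGE_URL).items()):
        for tag, url in items:
            print(f"{host}: <{tag}> {url}")
```

This only sees the static markup; requests that scripts or stylesheets add at runtime need a check of the browser's network log.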


The regional Google Fonts ruling was an odd one. It had to do with Google processing the IP address, not whether the website was loading from any external domain at all. It did appear to be based on the court's misunderstanding of an IP address contacting a server to be data processing, and perhaps we're going in that direction, and won't be able to use even an extremely privacy-focused CDN without a formal data processing agreement, but that is not currently the intent of GDPR.

The advantage of a service like Simple Analytics remains; it does not store or process any user data.


> The only way to do analytics in a way that's respectful to the visitors' privacy is with an installable on-host software. That's it.

How is that more respectful? I can fingerprint you pretty much the same with server logs (IP, user-agent, ...), don't I? I can even use cookies without any JS.


You may have a good/decent/important broad point in general, but it's somewhat off-topic here. EU privacy directives and legislation are not particularly concerned (yet) with banning the sharing of data with third-parties, the focus at the moment is purely on regulating that sharing of data and ensuring it's only being shared with compliant third parties via compliant means.

In this case, Google is non-compliant but the gp's service/tool does appear to be. I think you're underplaying the distinction here quite severely.

TL;DR this is about what's illegal, not what's "evil".


It's not the privacy-first analytics tool either. It's a tool.

Matomo is the privacy-friendly analytics tool that comes to my mind anyway.

(I have nothing to do with Matomo other than I used PhpMyVisites a few years ago. It had time to change its name twice since then)


there's a difference between a service and a tool. do not blur out this distinction. thanks.


That was not my point and I didn't want to make my message more complicated. This point has already clearly been made by my parent comment.

I agree with you though.


You raise an interesting point. Whose data is it?

If you walk into a grocery store, and cameras record which aisle you walk down, which items you stop to look at and which things you buy. Is that legal?

What if the cameras block out your face and all identifying features. Is that legal?

Do you own a blob of a person walking down an aisle? Does the grocery store?


> If you walk into a grocery store, and cameras record

In the EU, this would fall under the same data protection regulation as websites, and other local regulations regarding camera surveillance. In short, a store owner can't just secretly record customers.


Say they don’t do it secretly. They put up signs that they are doing it.

Do they have to get explicit consent from each customer and save that info for audits?


No, they claim it under legitimate interest for fraud prevention and have a data deletion schedule.


If you walk into a shop and the cameras record what you do, then there has to be a mechanism in place to ensure that the data is only able to be used for the purpose it was collected for (that is, crime prevention and law enforcement), and that it is destroyed after a defined time-frame. That satisfies the GDPR, as you're collecting the data for a legitimate purpose (for which you don't need to seek consent) and preventing its use for any other purpose (which would need separate informed consent). The destruction time-limit also helps prevent its use for other purposes by reducing the opportunity for unauthorised access. You'd probably (IANAL) still have to have a "Smile, you're on camera" notice up though.


There's a HUGE important aspect that you're missing: The IP Address is NOT the only thing that makes this data into personal data.

Google Analytics generates a visitor ID by rolling a random number and storing it in a first-party cookie. This is how GA tells that two visits a week apart came from the same user. This value has been ruled to constitute Personal Data. This is a very big deal, and only a little bit surprising.


> The IP Address is NOT the only thing that makes this data into personal data.

Can you cite a reference for that? I fully believe that Google is using cookies for this, but that doesn't mean that the legal authority here isn't making the judgment on IP address alone. I believe a recent GDPR decision against Google Fonts was based on IP address alone. [0]

[0] https://news.ycombinator.com/item?id=30135264


The Google Fonts case was decided based on the transmission of the full IP address in a jurisdiction (Germany) where there are ways to identify a user by means of that address. CNIL's press release follows a decision by the Austrian data protection authority where the Google Analytics cookies were at issue.

If you can read German, you can look at the Austrian decision directly, the complainant has uploaded it at [1] and the relevant section is D.2 b) starting at page 27.

[1] https://noyb.eu/sites/default/files/2022-01/E-DSB%20-%20Goog...


The linked article. Relevant quote:

> In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the associated data are transferred by Google to the United States.

This is an accurate description of GA's pseudonymous identifier. It is not accurate as a description of an IP address. And if CNIL meant the IP Address, they would have said so, as they did in other rulings.


>> Since 2020, it's illegal to send PII (personally identifiable) data to the US because of the removal of the Privacy Shield Framework [

This sounds like some great politicized naming. Removal of the "Privacy Shield" seems to be increasing privacy in this case.


You are right, rewrote it as "invalidated"


The privacy shield is like a radiation shield or a wind shield.


So it deflects privacy! Who is it protecting from privacy?


Par for the course.

Peace mission.


> The Austrian Data Protection Authority (DSB) [3] ruled differently and waived most of the arguments raised by Google. The DSB ruled that even anonymized IP addresses are personal data.

Why are anonymised IP addresses still considered "Personal Data"? Is it because Google is doing the anonymisation?


I believe the issue isn't specifically with anonymised IP addresses in GA. The problem is that the Google Analytics code is loaded from a third party server and, to do that, this server gets your IP address even if the data sent by the GA code itself contains an anonymised one.


I think it's personal data because you can track a visitor across multiple visits. Based on that identifier you can connect all the other data points from a visitor. I think that's not privacy-friendly at all.


I guess it depends what "anonymised IP address" means. If it's still possible to correlate data from visitors across different websites, they might as well log IP addresses directly.


The court disagreed on the basis that US federal law enforcement could force Google to stop anonymizing IP addresses at any moment, not that their IP anonymization[0] is inadequate.

0: https://support.google.com/analytics/answer/2763052?hl=en


Point 1 isn't true. You've been able to send personal data (PII being the specific US legal term) to the US no problem - as long as you had "standard contractual clauses" (SCCs) as part of your contract with them that the company meets GDPR requirements. This is the same agreement to send data to any country outside the EU where there isn't a pre-existing agreement. I believe this ruling is saying that it's not possible for a US company to comply with the SCCs because US law doesn't allow them to do so.


The original ruling was nuanced, and this ruling is clarifying some gray area inside of it.

The ruling on Schrems II (the court case that struck down Privacy Shield) did not state that SCCs on their own would be sufficient. It said that SCCs + "additional safeguards" would be allowable. There have been several rulings already that SCCs on their own are not sufficient.

The "additional safeguards" must include a risk analysis of US access to EU residents' data. Every court case I've seen from Schrems II onward identifies the US CLOUD Act as the privacy risk to address. CNIL is basically ruling that you cannot transfer data to a US company subject to the CLOUD Act, and an SCC cannot deal with that. This still leaves open the possibility of using US services that are not subject to the CLOUD Act. This is consistent with all rulings to date.


Wait, wouldn't that imply that EU startups can't host their infra on GCP, AWS or Azure? I'm not even talking about analytics - just about simple user email required to login would be problematic now.


Pretty much, it really sounds like Schrems II + this ruling mean that US corporations can't be involved with EU at all besides via licensing software to a completely independent EU corporation (which isn't a given either, though, since the US company could threaten withholding software updates/revoking the software license to pressure the EU corporation to hand over EU citizen data to US Law Enforcement).


Yes, that is correct.


Isn't that the same as point 1?


> 1. Since 2020, it's illegal to send PII (personally identifiable) data to the US because of the removal of the Privacy Shield Framework [2]

Minor nit - "PII" really isn't the right term to use, because it suggests the info itself must be personally identifiable to an individual. The GDPR covers much more than this, and uses the term "Personal Data".


Thanks, updated the comment.


If I’m not mistaken, isn’t Google now using Google Ireland Limited as the corporation that houses EU-incoming data, and thus they keep the EU data in datacenters owned by that shell company (and physically within the EU)?


I don't think this judgement is about Google Analytics (or any implicit sharing of EU citizen/resident data with Google) being inherently illegal, but rather the current functioning of the Google Analytics service being specifically non-compliant.

e.g. Google could make Google Analytics compliant (likely by, as you say, housing EU data in Ireland), but it seems that currently they are not.

Also, beyond the physical colocation of data, there are ancillary issues around data being readily accessible (either by internal engineers/agents or external authorities) from outside the EU to consider as well.


Doesn't matter one single bit, they are still the 100% subsidiary of Alphabet which is legally bound to provide data at the request of US gov agencies.


Microsoft has seen this one - they have a subsidiary in the EU that holds the EU data. Yes, the US-based parent company is legally bound to provide the data at the request of the US gov agencies. However, the only way that they can get hold of that data is to ask the EU subsidiary nicely. The EU subsidiary is legally bound to not hand that data over.


Do you know if Microsoft set up this EU shell after the whole thing with the FBI wanting emails stored in Ireland?

https://en.wikipedia.org/wiki/Microsoft_Corp._v._United_Stat... (2016) and https://en.wikipedia.org/wiki/CLOUD_Act (2018).

If so, it might end up in court again, and we'll have to see how that precedent gets set out. Will be curious to see how this plays out.


I think it was set up beforehand. Also, I think nobody really wanted to go as far as setting any precedents, in case they ended up being precedents that they didn't want.


Is that really the only reason behind GA being 'banned'? If Google broke off Ireland Ltd into its own company and that company simply 'licensed' Google products for $1, would they be in the clear?


Unlikely. The EU courts would reasonably be expected to decide that, as Google Ireland is merely a sham corp for the purpose of operating a codebase that is wholly deferred to the same US control (just as before the sham corp), that this is equivalent to the prior arrangement and still illegal.


What matters is the US CLOUD Act, because that's the thing that lets US Intelligence have access to data stored in EU servers. If a legal arrangement is covered by the CLOUD Act, it's a GDPR violation.


Could they house their data in a separate company that was founded in Ireland and is not an Alphabet subsidiary to get around this?


IANAL but I don't believe this commenter is correct. If they were, this would essentially prohibit any non-EU company from doing any online business with anyone within the EU.

I suspect the issue is rather that Google Ireland are not in fact exclusively housing EU data within Ireland (or the EU in general).


"The IP anonymization feature in Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to Google Analytics. "

https://support.google.com/analytics/answer/2763052

I don't understand how this can be construed as tracking users.


This is a totally different question, in this case what matters is that Google can be compelled to release the full IP address by US intelligence agencies.


So it's an easy fix for Google - change GA to only save those anonymized IPs


Not quite. Google still has access to those IPs when it receives the request from the browser and could be compelled to store them by US intelligence. Thus data are being transferred to a party that can not adequately protect them. So in this case, as I understand it, the solution would have to be something more elaborate, like proxying the analytics requests through the server to strip the original IP address. Which I presume Google isn't very eager to allow.


Lots of other tech companies, as I understand it, choose not to be "compelled" to store something they don't want to store. Apple being the prime example.


Random thought, maybe totally off base. This is Europe, so not equivalent but there seems to be a lot of people in the US as well who want private companies to be compelled to respect your privacy (4th amendment) but also many people who don't think websites should or could be compelled to respect your freedom of speech (1st amendment), I wonder if there is an overlap in these groups...


My (European) perspective is that, just like we need laws to protect privacy online, we do also need laws to institute freedom of speech online.

I'm not exactly sure what the right way to go about it is (obviously we shouldn't and cannot force every company online to publish whatever anyone wants to say), but fact is that right now you are at the mercy of private companies if you want to communicate online, and restricting freedom of speech to the proverbial "free speech zone" where discussion isn't actually happening is not a healthy state of affairs.

I'd probably at least advocate for something like net neutrality.. ISPs and hosting providers should not work as censors and arbiters of good taste. They should be more like utilities; as long as you're not doing anything illegal, what you do or say is none of their business. Unfortunately this isn't a solution for the common person whose communications are limited to platforms like facebook and twitter.


I don't think these concepts are comparable. My First Amendment rights cannot be violated by a private website, because I can always go to another website, or start my own. Being deplatformed isn't the same as being silenced, because nobody is preventing you from speaking, or punishing you legally for what you have said.

My Fourth Amendment rights could absolutely be violated by a private website, as they could hand my potentially incriminating private data over to the US authorities, without a warrant and without my consent, and there's literally no opt-out or recourse for me if that data is then used against me by the government.


Hmm, but you could have not given the data or used the website in the first place.


One thing I find super crazy is that, while making a big fuss about IP addresses and cookies, the EU forces any website owner to publicly share his full name, address and phone number on the site’s imprint.

If you’re not a corporation or a professional who has an office address, you’ll have to supply your own personal data. Visible to anyone on the internet.


I believe that's a German law, nothing to do with the EU


True. But it’s also most often German courts that make headlines because a webmaster used a Google Font. I’d much rather have Google know my IP address than have some nutcase know where I live.


This is about a French court upholding a ruling under EU law. I'm not sure what Germany has to do with it.


Was referring to this (Munich court): https://news.ycombinator.com/item?id=30135264


Oh? I missed this. What regulation is that?


There isn't one

There's a German law which says all commercial webpages have to say who runs it.


1. The legal definition of what's "commercial" under that law and what's not isn't quite as straightforward as a layman might think. (For one, that law doesn't literally say "commercial" ("gewerbsmäßig"), but rather "geschäftsmäßig" ("business-like"), which doesn't require an intent to make money, but may include anything you plan on regularly doing).

2. Assuming you're referring to the Telemediengesetz, there's a second law (Medienstaatsvertrag) which mandates an imprint for anything that's not strictly for "personal or family purposes". Depending on who you ask, those two terms also require a rather narrow reading, so anything beyond a strictly private family diary (careful not to make references to any outside persons or businesses, though, because those entities will then have a legal interest in being able to identify you in case you malign them!) or family pictures or your private Dropbox replacement (ideally all the above should be password-protected and therefore not accessible by the general public anyway) might again already be in a grey area.

2b. Additionally, blogs can enter another grey area where depending on what and how you're blogging about, they might be classified as a journalistic service offering and therefore require an extended imprint, too.


So no EU regulation then


Amazing news. Practical consequences:

Huge opportunities for French tech entrepreneurs.

Huge opportunities for immigrant tech entrepreneurs to France.

Gets the ball rolling for other countries to implement this. And more advanced regulations.

Finally, once US big tech intl influence is on a steep decline, maybe, just maybe, Google will be policed by the US government.


AFAIK, this could be pretty disastrous for French businesses that funnel conversion data to Google Analytics, which is then used to optimize their Google Search ads.

Switching to another solution for analytics might be ok, but losing the ability to automatically optimize ads based on conversion data is a big pain.


It doesn't really matter; micro targeting is not effective.


This just reads like "local commenter says trillion dollar industry is a sham".

Targeted ads pay loads more than untargeted, and you're essentially saying all those companies paying more are in the wrong. Some campaigns even manage 10-25% click through conversions, when well enough targeted.


Not effective? A dollar spent showing me, a male, a tampon ad is a dollar wasted.


source? Since conventional wisdom disagrees with you.


> conventional wisdom

You mean what the SEA people tell you? Yeah, we'll all probably be out of business tomorrow, if we don't run the whole Google stack.


[flagged]


Well, in regards to what the OP said, this whole "we need to track our users" stuff is bullshit. I see those "highly optimized" campaigns too, when something goes wrong and the SEA people start to cry because somebody stepped in their sand castle.

You don't need any of that.


Then why did Facebook lose 10b dollars from losing that tracking data on iOS?


That's a super interesting question. I suspect it is because Facebook dominates the market for advertising-that-tracks. They're just not as good as other players at advertising-that-doesn't-track.

So when they lost inventory (e.g. for retargeting), that is a direct loss of revenue for them. The question is, what did the company with the budget previously spent on those targeted adverts do instead? Did they buy less well targeted adverts elsewhere? Or up spend on offline marketing? The economic question is, how effective was that - more or less effective?

Obviously losing 10b dollars is bad for Facebook. It isn't clear that it is worse overall for ad spend, or economically.


Because FB is a company on the edge of collapsing.

They aren't innovative, the market is saturated, new users in developing countries are not worth as much as those from "first world countries".

As the users in first world countries are getting more and more aware of all the privacy issues, how FB fails to keep their platforms clean (either from spam or fake news) and other companies starting to like the taste of being valued as "privacy-friendly", the business model of FB is starting to crumble.

They have long only made (more) money because they found more ways to put together all the bits and pieces and breadcrumbs and build profiles they could sell to advertisers.

That age seems to be over (soon), so they are done, too.



The EU privacy regulations seem to have a side effect of creating a de facto EU internet, where EU competitors can become dominant because they pay closer attention to changes in law vs North American or Chinese counterparts.

It’s almost like a more subtle version of China or Russia’s firewall


>The EU privacy regulations seem to have a side effect of creating a de facto EU internet, where EU competitors can become dominant because they pay closer attention to changes in law vs North American or Chinese counterparts.

Within EU government and diplomatic circles, there's actually a term for this: the "Brussels Effect". People who use the term "Brussels Effect" believe that by imposing aggressive rules first, the EU software industry will have a first-mover advantage and a kind of partial "firewall" against some foreign competitors.

In my experience, the potential downsides of the "Brussels Effect" are rarely considered by these people (e.g., reduced competition within the EU, leading to increased costs for other businesses; overseas web service providers being forced to block EU customers, leading to reduced availability of services, etc.).

Another area where you see the same "Brussels Effect" in EU policy/legislative circles are recent moves towards rather aggressive regulation of "artificial intelligence". Not just the recent proposal that was tabled, but also the CAHAI work towards a binding international instrument.


The goal is to create European state enterprises to replace Microsoft, Google, Facebook etc. These privacy regulations were championed by socialist MEPs.


Imo that was the main goal.


I wonder if the user community on the web will ever adjust to a situation where they're not trading "free" services in exchange for their privacy.

Users on the web love / demand free and aren't willing to pay for a lot of this stuff...


Wondering if this will also apply to Gmail, Google Drive and so on. Also wondering if there is a way to agree to storing my data in the US. Nonetheless it appears that this is a good opportunity for an EU-based alternative to Google Analytics.

Also what are the implications of cross EU-US chat apps where a person’s name is visible? Doesn’t it mean that when a recipient in the US sees the name, the EU person’s data has been transferred to the US?

Apologies if this comment is ignorant, I am not well versed in the topic, but to me it sounds like this is quite an issue for US-EU chat and email apps.


>Also wondering if there is a way to agree to storing my data in the us.

Consent is always a valid legal basis for the processing, or transfer, of data. But it has to be freely given, specific, informed and unambiguous.


Yep, and that means, that showing a huge, not easily dismissable popup basically demanding consent, just to watch a video or read an article, for which no tracking or cookies are necessary technically, is not really asking for consent and should be illegal.


Unless the only way for online services to survive is with these targeted ads. Untargeted ads pay a tiny percentage of what targeted ads do, and I'm unsure things like free video hosting with unlimited bandwidth would last long without them.

And though hacker news likes to be extreme and say "good" to things like this, there is an unbelievable amount of freely available information on the internet. If you had to pay a subscription by site, how many sites would you be willing to pay for? More importantly, how many would the average person pay for?


Well, any company worth their salt has a website these days. Not to show ads, but to be visible out there. They obviously gain from having a website, even without ads. They can pay for that.

For other websites, they can ask their community for support. Then maybe we will learn, that we need to pay for good services, or they disappear. That would be better in my opinion than unconsensually becoming the product as the user of the service, because of companies siphoning off personal data and selling to the highest bidder.

Somewhere along the way, we might also realize, that democracies have an interest in having some kind of good news coverage and information pages online. Countries can pay for that. There can be a general tax for maintenance of websites, which are important for the public. I guess this already exists indirectly, because people pay taxes and that money is used to pay people, who work for cities, states and so on and for paying for servers.

I have been running a server for a year or two. Paying for that myself. I get a wage every month from the job, so I can pay for a server. Theoretically I could run lots of services on that server and still only pay the same amount every month. For dedicated people in IT sector wages are often good and they can afford to run a few things out of their own pocket. My guess is many people would do that. Not every website needs to be "financing itself". It is not always about the money. Some people simply want to make a nice thing and are OK with paying for it.

So there are many ways, in which websites can exist without the incessant ads spam and bloat, that we see today.

Besides all of that, ad business is often make-believe by the big players, giving wrong impression of how much an ad actually helps your business and improper conclusion drawing from statistics by marketing departments, instead of data analysts. Funny ones are things like "conversion rate", which doesn't work for a huge percentage of people visiting the website with standard ad blocking solutions. They are not even aware of all those people, because their frontend JS-based tracker wasn't even loaded. In one of my own projects, I saw a block rate of close to 60%. Granted, the targeted audience was quite technical in nature, so they were more likely to have ad blocking solutions in place. But this can show you how far off you can be by just looking at some analytics stats. How many marketing departments are capable of running a proper A-B-test? How many of them have the necessary statistics background to run any study properly and then draw correct conclusions?


>I have been running a server for a year or two. Paying for that myself. I get a wage every month from the job, so I can pay for a server. Theoretically I could run lots of services on that server and still only pay the same amount every month. For dedicated people in IT sector wages are often good and they can afford to run a few things out of their own pocket. My guess is many people would do that. Not every website needs to be "financing itself". It is not always about the money. Some people simply want to make a nice thing and are OK with paying for it.

This does not scale. At some point, you need to make money somewhere.

>Besides all of that, ad business is often make-believe by the big players, giving wrong impression of how much an ad actually helps your business and improper conclusion drawing from statistics by marketing departments, instead of data analysts.

>How many marketing departments are capable of running a proper A-B-test?

Again you're just digging deeper, further calling out a trillion dollar business for being wrong. Besides that you would likely need thousands of sources to accurately back up such a claim (since there's people paid much more than you, with access to many more resources than you have, have decided this is worth it). You are literally calling out entire departments that likely have a payroll 1000x your salary.


Even greater their incentive to keep playing the game. Many more wages depend on that than my own. I am not necessarily calling for them being wrong, but for them playing with the numbers and presenting them in a way, that makes many people believe. They have credible deniability as well, because their tracking script didn't even run on browsers, which blocked it, so they couldn't know about those "edge cases". Only that those "edge cases" can make a significant portion of the total visitors of that website.

In the end they profit from telling everyone, that they must use GA (or similar tool) to track what is going on on the website and most marketing people will happily jump on that train, because it gives them any kind of data, which they can use to justify things, even if that data is only half the story and cannot be relied upon to give a true picture. "The data tells us so!" makes the job much easier, unfortunately often at the cost of user privacy. And so the make believe, that you must track your users with third party trackers continues and propagates. Then on the development side of things, developers or their higher ups eschew the work needed to implement first party tracking. They want that cake at no cost. Without strong ethics, the website of such an organization is doomed to disrespect the privacy of its visitors.


So just more annoying consent pop-up modals in the future?


Articles mention GA, but is Metrica[0] similarly affected? I guess their data is also stored outside the EU.

[0] https://metrica.yandex.com


They store data in Russia, so probably.

Each jurisdiction is going to be slightly different, depending on what the law regarding data protection is like in each place.

Russia hasn't been deemed adequate by the Commission under the GDPR, but it is a member of the Council of Europe (and is thus bound by the ECHR) and it has ratified Convention 108 (and has signed, but not ratified, the modernised Convention 108).

Of course Russia is a deeply authoritarian regime which has no problem violating human rights and international treaties at will so...


For those that missed it and are interested, there was a similar HN discussion around a German GDPR ruling last week. It already has quite a large debate and a lot of opinions on the matter:

https://news.ycombinator.com/item?id=30135264


There is a privacy-first alternative called: https://simpleanalytics.com/


Here is another privacy-first alternative that works with a cloud subscription: https://awstats.sourceforge.io/

If your needs exceed the data analyzed by it then you should consider rethinking your "analytics model".


The cheapest plan is 19€ / month which is twice what I pay for my VPS. Not realistic. It's very easy to rack up bills while building a website: hosting, domain name, Wordpress plugins, analytics, publicity etc

I don't have analytics yet on my site (it's a very recent side project). I didn't want to go the Google route because ethics, now I don't even have the choice (I'm French).

I looked at the self-hosted options but it seems overly complicated (I'm afraid installing them on my VPS will kill perfs), so now I'm considering just writing a script to parse Apache's logs.
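
One way to write the Apache log script the comment above is considering, as an added example (not code from the thread): it parses the combined log format and keeps only aggregate counts, truncating client addresses the way the Google help text quoted earlier in the thread describes (last IPv4 octet, last 80 bits of IPv6). The log lines, `own_host`, the bot markers and the asset suffixes are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
ASSET_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".svg", ".ico", ".woff2")
BOT_MARKERS = ("bot", "crawler", "spider")  # crude heuristic, an assumption

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.42 - - [10/Feb/2022:09:15:02 +0100] "GET /blog/gdpr?utm_source=nl HTTP/1.1" 200 5120 "https://news.example.org/item?id=1" "Mozilla/5.0 (X11; Linux x86_64) Firefox/97.0"
203.0.113.77 - - [10/Feb/2022:09:16:40 +0100] "GET /blog/gdpr HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh) Safari/605.1.15"
203.0.113.42 - - [10/Feb/2022:09:15:03 +0100] "GET /static/site.css HTTP/1.1" 200 900 "https://www.example.net/blog/gdpr" "Mozilla/5.0 (X11; Linux x86_64) Firefox/97.0"
2001:db8:abcd:12:1::5 - - [10/Feb/2022:10:01:11 +0100] "GET / HTTP/2.0" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/98.0"
198.51.100.9 - - [11/Feb/2022:03:00:00 +0100] "GET /blog/gdpr HTTP/1.1" 200 5120 "-" "ExampleBot/1.0 (+crawler)"
198.51.100.23 - - [11/Feb/2022:08:30:00 +0100] "GET /missing HTTP/1.1" 404 300 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/98.0"
garbage line
"""


def truncate_ip(host):
    """Zero the last octet of IPv4 (keep /24) and the last 80 bits of IPv6 (keep /48)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # %h is a hostname when HostnameLookups is enabled
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def referrer_host(referer):
    """Host part of the Referer header, or None for '-' and unparsable values."""
    try:
        return urlsplit(referer).hostname
    except ValueError:
        return None


def summarise(lines, own_host="www.example.net"):
    """Aggregate page views; no full IP, user agent or query string is retained."""
    pages, days, referrers, networks, skipped = (Counter() for _ in range(5))
    for line in lines:
        m = COMBINED.match(line.strip())
        if m is None:
            skipped["malformed"] += 1
            continue
        if any(marker in m["agent"].lower() for marker in BOT_MARKERS):
            skipped["bot"] += 1
            continue
        # Drop the query string: campaign and session parameters can be personal data.
        path = m["path"].split("?", 1)[0]
        if path.lower().endswith(ASSET_SUFFIXES):
            skipped["asset"] += 1
            continue
        if not 200 <= int(m["status"]) < 400:
            skipped["error"] += 1
            continue
        pages[path] += 1
        days[m["time"].split(":", 1)[0]] += 1  # "10/Feb/2022"
        ref = referrer_host(m["referer"])
        if ref and ref != own_host:
            referrers[ref] += 1
        net = truncate_ip(m["host"])
        if net:
            networks[net] += 1  # coarse network count, not a per-visitor identifier
    return {"pages": pages, "days": days, "referrers": referrers,
            "networks": networks, "skipped": skipped}


if __name__ == "__main__":
    for name, counter in summarise(SAMPLE_LOG.splitlines()).items():
        print(name, dict(counter))
```

The raw access log still contains full addresses, so its retention period in the Apache and logrotate configuration matters as much as what the script keeps.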


So what primary key are these other analytics using if not IP? (Their docs say they don't store IPs but do store user agents). It looks like it's based on browser fingerprinting - if I'm right OK it's not an IP but it's not much better and if things keep going the way they are pretty sure this will be up for the chop in the future.


For people interested in hosting their own Plausible analytics instance. Use this Ansible bundle[0] against your Debian 11 server.

It takes a few minutes to complete and you can start tracking visits in a privacy friendly manner quickly.

[0] https://github.com/confuzeus/ansible-plausible


Question: Shouldn't it be quite possible to use GA without client-side requests, and without sending personal data to Google?

https://developers.google.com/analytics/devguides/collection...


Finally some good news


Good riddance, this is a win for giving people informed consent to be spied on via hidden analytics.


Wait, I don't get it.

Big tech companies don't park servers in the EU. Is it THAT difficult? Of course it is not, and they just don't want to do it.

On the other hand, big tech companies are happy to park their IP in Ireland (an EU country) in a phony company, simply to avoid paying taxes.

What's the logic?


So far they haven't solved something that resolves the problem of having US ownership as far as I can tell.

The issue isn't where the servers are. The issue is what parties can compel them to hand over information. As far as I've read on it at least. And if there is US ownership you have US courts that can demand information they aren't legally allowed to hand over according to EU law.


I have just posted this link for everyone on the Slack of the French web agency - specialized in Google/Facebook/Instagram campaigns - I work for. Not one reaction. I was left on seen.


I've found that most agencies love to preach that they are data driven, but in reality they only care about the perception of being data oriented. They won't care until clients start asking questions, then it will be a panic.


They're probably too busy wiping the coffee they sprayed through their noses onto their keyboard to type a response.


For other French people here: there is a great privacy-friendly alternative: https://simpleanalytics.com


Luckily there is plenty to choose from.

We entered the market recently with Wide Angle Analytics https://wideangle.co. But there are plenty of alternatives. Depending on your needs.

Some focus on visuals, we focus on filters and soon attribution. There is more on the list: https://european-alternatives.eu/category/web-analytics-serv...

Competition is a healthy thing. You DON'T HAVE TO use Google Analytics :)

And if you wonder, yes, the fines are real. Enforcement of GDPR is picking up the pace: https://wideangle.co/blog/you-might-be-facing-gdpr-fine


So what primary key does WideAngle use to track users across sessions? It mentions anonymised IP? Isn't that what Google do?

You mention you store anonymised IP's "Unlike some other vendors, our anonymization process is not reversible.", what is the methodology here?


Since most people are still on ipv4, does this even mean anything? You'd need the salt stored in some way to reproduce hashes at all, and creating 4 billion hashes to find an ip won't take any meaningful amount of time. Even with a high cost algorithm, if the government requires finding the ip (because honestly Google wouldn't care here, the unique identifier is what they need), they'll be able to find it. If it's a truly irreversible hash, it would also be impossible to link up two separate requests, no?


Guessing IP would be impractical. Absolutely. But without random component, it could be "reversed". For example, I would like to retroactively check when and where you, ApolloFortyNine visited my site. All I would need to get is your IP (residential IPs change, but not that often) and User-Agent. I could replicate hashing algorithm and identify your traffic.

The random component prevents that. And yes, there is a trust component. You have to trust that we discard these salts after 24h. We operate in Germany in a legal framework that allows you to sue us if we mislead you. So at a certain point, technology must make place for the legal system.

Because salt is rotated every few hours, never more than 24h, we can, with sufficient probability, determine that two requests are from the same visit/session. So have indication of new/unique visit in short window. Not days, but hours.

If you were to transmit a parameter that additionally attached Personal Data (email, User ID) to that session, then that becomes identifiable and is no longer anonymous. But that is strictly AT YOUR DISCRETION. And we NEVER share it with anyone but you. You will also need to inform your guest, that you associate personal data and ask for consent. But until you do, we cannot identify anyone after the salts cycle.


Randomized, daily rotated un-guessable component is added to every hash. There is whole bucket of these such that across single day, per group of users there is small overlap. These are transient, strictly never logged. After 24h there is no way for us to reverse the IP. To reverse the IP we would need this transient value (long gone by that point), the EXACT user agent and the IP itself.

We mentioned "Unlike some other vendors" because we noticed that not everyone is (or was, at the time of our research) adding a random component. Without that component, salt if you like, you cannot guess the IP, but knowing the user IP and agent, you could find their historical traffic, hence attribute the traffic to an individual.

Our solution can't do it.

This practice has been used and documented in software engineering for now.
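
The scheme debated in the three comments above, as an added example that is not part of the thread and not any vendor's code: an unsalted hash of IP and User-Agent can be matched by anyone who recomputes it, while a salt held only in memory and rotated within 24 hours still links requests inside one window. HMAC-SHA-256, the class and function names, and the documentation-range address are assumptions of this sketch; the "bucket" of several salts per day mentioned above is not modelled.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample visitor (203.0.113.0/24 is a documentation range).
DEMO_IP = "203.0.113.77"
DEMO_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0"


def unsalted_id(ip: str, user_agent: str) -> str:
    """Visitor ID with no secret input: anyone who knows the scheme can recompute it."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


def recover_ip(stored_id: str, user_agent: str, network: str):
    """Recompute the unsalted ID for every host in `network` and compare.

    Shows why an unsalted hash is only pseudonymous: the input space is small
    enough to walk. Returns the matching address, or None if nothing matches.
    """
    for addr in ipaddress.ip_network(network).hosts():
        if unsalted_id(str(addr), user_agent) == stored_id:
            return str(addr)
    return None


class RotatingSalt:
    """Keeps one random salt in memory and replaces it once `lifetime` has passed."""

    def __init__(self, lifetime: timedelta = timedelta(hours=24)):
        self.lifetime = lifetime
        self._salt = None
        self._expires = None

    def current(self, now: datetime) -> bytes:
        if self._salt is None or now >= self._expires:
            # The previous salt is overwritten here and was never written to disk,
            # so IDs from the previous window can no longer be recomputed.
            self._salt = secrets.token_bytes(32)
            self._expires = now + self.lifetime
        return self._salt


def salted_id(salts: RotatingSalt, ip: str, user_agent: str, now: datetime) -> str:
    """Visitor ID keyed with the current salt (HMAC is this example's choice)."""
    message = f"{ip}|{user_agent}".encode()
    return hmac.new(salts.current(now), message, hashlib.sha256).hexdigest()


def demo() -> dict:
    salts = RotatingSalt()
    t0 = datetime(2022, 2, 10, 11, 0, tzinfo=timezone.utc)
    same_window_a = salted_id(salts, DEMO_IP, DEMO_UA, t0)
    same_window_b = salted_id(salts, DEMO_IP, DEMO_UA, t0 + timedelta(hours=2))
    next_window = salted_id(salts, DEMO_IP, DEMO_UA, t0 + timedelta(hours=25))
    return {
        # Unsalted: knowing the User-Agent and a candidate range is enough.
        "unsalted_recovered": recover_ip(
            unsalted_id(DEMO_IP, DEMO_UA), DEMO_UA, "203.0.113.0/24"),
        # Salted: requests inside one window still link to the same visitor.
        "linkable_within_window": same_window_a == same_window_b,
        # After rotation the same visitor gets an unrelated ID.
        "linkable_across_rotation": same_window_a == next_window,
        # Without the salt, recomputing from IP and User-Agent finds nothing.
        "salted_recovered": recover_ip(same_window_a, DEMO_UA, "203.0.113.0/24"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The privacy property rests entirely on the salt never being logged or persisted, which is the trust component the comment above describes.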


Finally, a little dent in Google's mass surveillance project.

Now if they could only declare GMail to be another kind of a racket we would really get somewhere :-)


Now this is just being negative about nothing. Gmail cannot be used without the user knowing, like analytics or linking to Google Fonts can. If you don't want Gmail, it is as simple as not using it. Other sites cannot call Gmail for you in a hidden way.


This was the only sane decision they could come to. Google's evil practices are death to any free society and a threat to the national security of any country but the U.S. where the deep-state pimps are busy siphoning Google's data to use against its own citizens. Here in the US we live in what only appears to be a free country where sociopaths, pimps and whores rise to the top and are protected by the DOJ, DHS and the whole alphabet soup of criminal organizations that protect the wealthy and the powerful. The transformation of the country from 1970 to 2022 is stark. We are headed to a dystopia led by the whores at Google.


Is there a Europe-native company that could invest the tens of billions to spin up an EU-centric cloud to appease the regulators?


What if, say I’m using Microsoft to backend my user authentication and it’s keeping a record of ip/user here in the USA?


Be prepared to read similar measures from other supervisory authorities as well. They will arrive soon. Stay tuned!


As a side note: Secret services have been using GA to identify and track targets for years


Source? I couldn't find anything reporting that


Haven't seen mentions of GA itself, but it was obvious from context, as GA is part of a wider ad targeting system - and those were explicitly used both by secret services as well as random hackers for target acquisition and initial hacks through vulnerable browsers or social engineering.


How can French websites track conversions from Google Adwords without Google Analytics?


Send your ad traffic to a specific landing page - monitor anonymised hits to that page.

Send your ad traffic to a unique form per campaign so you know what campaign is generating leads.

This isn't rocket science.


That would count clicks, not conversions such as downloads or signups that can require going on another page or doing some other action. Not everything can be put on one page.

Also, Google Adwords counts conversions for visits for 30 days. Which means on the 1st visit from the ad campaign, there can be no immediate conversion (and that's OK). But if the same person returns to the website (not from the ad) and downloads/signs up that would be counted as conversion attributed to the ad.


> downloads

Track hits on a post-download URL

> signups

Count signups in your DB with a source from a hidden field on the form

> Also, Google Adwords counts conversions for visits for 30 days

This stuff is mostly meaningless.


>Track hits on a post-download URL

It will be mixed with downloads that come from organic search.

>This stuff is mostly meaningless.

I disagree.


> It will be mixed with downloads that come from organic search.

Use a different page/form to track the two separately.


Google Adwords should be next.


And billions of EUR of damages for the 'people farming'. Where is the money?


Sadly I don't see how this decision can be translated into practice, since I strongly doubt the CNIL will be able (or willing) to send formal notice, and fine after a grace period, all French companies that make use of Google Analytics on their website.


Why is the onus on the CNIL to notify companies on the law (which they actually did by issuing this press release) and not on companies to keep up-to-date with the law (which they could do by reading the news)?


This is just how it works. I'm not making the rules. The CNIL sends "mise en demeure" to companies that do not comply with the GDPR and even before that with the "loi informatique et libertés" and if the companies ignore the "mise en demeure" after some time the CNIL can fine them.

It also happens that the CNIL is notoriously more and more lenient on a lot of things.


They will know about the ruling [1]. It's up to them what to do next.

[1] https://news.google.com/search?q=Cnil&hl=fr&gl=FR&ceid=FR%3A...


Nul n'est censé ignorer la loi. (No one is supposed to be ignorant of the law.)


Yes and of course because of that everyone is respecting the law, especially companies when they're not at any risk if they don't. /s

Yes I'm a bit pessimistic about this. Let's all hope I'm wrong.


Translated into English: The law everyone ignores isn't.


You never catch all the law breakers, but fines can be a good deterrent. That’s how it works.


In my opinion, analytics + Android should be the point of this talk.


By extension, is it illegal to use Cloudflare for DNS?


It is, if they log the visitors' IP addresses. _Some_ private individuals do have their own resolvers, after all.


Do they somehow count the users' browsers making a request to a US server as the website transferring data to the US? It is pretty clear that the user's browser did that and not the website or Google.


And technically if you hit someone in the head with a hammer then it's the hammer that's hitting the head, and not you. It's a meaningless distinction made in bad faith.


No, this is like blaming the manufacturer of the hammer.


The law is clearly meant to protect an average citizen. It's unreasonable to expect them to know how the web and browsers work. When you instruct the browser to display something, you should take full legal responsibility for what you are instructing the browser to do, because from the user's point of view it's the website owner who is displaying all of that.


Why is that? It's called analytics for a reason.


There are plenty of privacy respecting analytics out there - Plausible, Matomo or Simple Analytics. Depending on what your actual needs are, you can also just use something like GoAccess, logwatch, Splunk or multitail to check your logs and use those for analytics information.

In one of my previous jobs the marketing department complained about Google Analytics not working on one of our pages. GA hadn't been working for about 10 months when they raised the incident. It was such a low priority that it took another 4 months for someone to fix it.

While I get that some people are slightly foaming at the mouth because of GDPR (and this starts an entire debate about an aging political population that doesn't understand technology AT ALL) going overboard, my question is - do we actually use all the analytics that are provided by GA?

How many marketing teams/sales teams/etc actually use ALL the information provided by these tools? Aren't there other better ways to measure your campaign and product performance? Do you just want to see time on site/page? Abandon rate? I mean, most of these tools feel like they concentrate the Western mentality of "I need an SUV because I might have to put in more than 2 bags in my car".

/endRant


> While I get that some people are slightly foaming at the mouth because of GDPR (and this starts an entire debate about an aging political population that doesn't understand technology AT ALL) going overboard, my question is - do we actually use all the analytics that are provided by GA?

Who are these people foaming about GDPR?


Adtech


That means that Firefox is also illegal in France.


"That means that Firefox is also illegal in France."

I'll be the one: can you please expand on your statement?


Addon page in settings has built in Google analytics.


"The CJEU had highlighted the risk that American intelligence services would access personal data transferred to the United States if the transfers were not properly regulated."

As an EU citizen: Thank you Mr. Snowden, sir! <3




The current thread was actually posted first, so we merged the comments hither. Thanks!


What is the balance of privacy and analytics when even privacy friendly tools like Plausible are blocked?


I think the main thing is not to send your customers' data to third-parties without their consent. It's usually fine if you use internally analytics for the purpose of running the company, it's not fine if you send those data to other companies that use it for marketing purposes.


That's not the problem here at all tho.


Isn't it? Isn't the problem that the data is sent to a third-party service outside EU (in the US) that doesn't offer the same data-protection rules as EU?


nope, it's that the legal entity is required to honor US warrants. EU wants full control over that process.


I don't get your point, are you saying that the solution as webmaster is NOT to use a self-hosted solution, but to just sit and blame the EU/US legislation?


You can't send the data of EU people to companies subject to spying states.


[flagged]


Why are Europeans the bad guys here? It wouldn't be an issue at all if the US respected the privacy rights of Europeans.

It's the same with cookies. Instead of blaming sites which spy on you, some blame the EU for protecting its citizens.


[flagged]


It is pretty insane we still allow Chinese companies to enter Western markets when going the other way, the Western company has to partner with a local Chinese company.


I don't like Google but seriously this whole GDPR thing is getting out of hand.

Anyone who's concerned about their data being collected can just block Google-or-like-related domains. Rest is just making life of web developers/admins/tech company owners harder.

Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)


> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)

Yes, that's happening, and it's a good one. Privacy Shield was cancelled because of Schrems II. The US simply don't care (intentionally?) to protect any data of people not living in the US. With FISA (Foreign Intelligence Surveillance Act) or "Executive Order 12333" they can get every data they want, even silently. Disclosing that a company had to hand over any data will get them prison time.

This is against the intention and protection the EU set for European people. So if a company is violating these terms, it's good to take action.


Let's add that NSA has long history of engaging in economic espionage, including against EU.


People shouldn't need to be experts in data collection or computing in order to have their data treated fairly.

If Google can't protect user's tracking data (and they can't - the US law won't let them) then they shouldn't be allowed to hold it.


People shouldn't have to be experts in this stuff either just to put up a website somewhere, or worse keep up with every new ruling.


If you want to toss some static HTML into a host, go for it. If you want to record statistics on how many page hits you had, go for it. If you want to add JavaScript for interactions and making it look prettier, go for it.

But if you want to contribute to a privacy-violating network that tracks individual users, then that goes far beyond wanting "just to put up a website somewhere".


Well, you can totally contribute to a privacy violating network … so long as the data is located and processed in France.

They are only trying to keep their monopoly on government oversight which is reasonable for a governing body (our citizens = our control).


> so long as the data is located and processed in France.

... you also have to ask for permission first.

The main difference is that for a data processor in France it seems possible to get all the right contracts in place, while a US based data processor is incapable of doing that thanks to FISA and similar US initiatives.


> you can totally contribute to a privacy violating network … so long as the data is located and processed in France.

While that's not the issue being discussed here, you should by default only collect & process the minimum amount of data needed for the product/service to function. Analytics aren't part of that and would need to be opt-in.


That's why this whole thing is nothing but protectionism.


At this point, tossing some static text up with default apache configs runs afoul of GDPR opt-out and data-scrubbing requirements, IIUC.


I'd be interested to hear exactly what default configuration violates GDPR, as that wasn't something I'd heard before. However, even if that is the case, that would imply that the defaults should be changed.

Imagine that you run a workplace where floor space is relatively expensive. To avoid increasing the floor space, you determine exactly how wide each hallway must be, exactly how much space is required, and build everything to that specification. Your hiring decisions take the weight of an applicant into account, so that nobody will be too large for those hallways. Then a law comes along saying that your coal mine is dangerous, and your use of child labor is unethical. "But look at the cost!", you cry, "I can't afford to enlarge every tunnel to accommodate full-grown adults!" But there was no reason the tunnels couldn't have been built larger in the first place.

There was no reason why the web and the internet could not have chosen to respect privacy by default, and thereby avoid the current costs of changing their software and business models. If it is true that the default apache configurations violate privacy standards, just as any configuration of Google Analytics violates privacy standards, then that is a sign of just how much the regulation is needed.


> I'd be interested to hear exactly what default configuration violates GDPR

https://law.stackexchange.com/questions/42438/do-default-apa...

It would appear public IP addresses are PII. Apache (and most web servers) log those by default.

A case can be made, on a site-by-site basis, that those are necessary for providing the functionality of the site. But that's a hard case to make if the logs are never actually read, and then if they're collected for that purpose, timely deletion is important (and unless your host also configures log rotation and disposal, timely deletion isn't happening).

I'm pretty sure all of this has to be declared in a privacy declaration anyway, even if they are collected for site operations purposes and deleted in a timely fashion. With all these constraints, probably safer to run in a privacy-configured Docker in one of the big Cloud hosts than to stand up one's own apache install.


Thank you, that was an aspect I hadn't considered. That said, I'm not sure how much I agree with the conclusion of this particular answer. My understanding is that IP addresses are only considered personal data if they either uniquely identify a person (e.g. a static IP address), or can be joined with additional available data to uniquely identify (e.g. a dynamic IP address logged by somebody who also has logs on the dynamic IP assignment).

In addition, there is an exception allowing the collection of personal data for legitimate interests without prior consent. While that has been erroneously argued to enable a business model (e.g. Facebook's ongoing collection), server security by applying IP address bans would be a more solid case [1].

[0] https://www.whitecase.com/publications/alert/court-confirms-...

[1] https://law.stackexchange.com/questions/28603/how-to-satisfy...


Put up a static website and you're fine.

Collect people's data (and that's what a user analytics system does) and then you're responsible for it, and you have to follow the rules.


Static websites can collect data too. Lots of stuff can go into web server logs.


And web server logs are fine for troubleshooting and detecting abuse, you don't even need to ask for consent!

Only things like tracking, ads, and sending data to areas without equivalent privacy laws are forbidden. The intent and usage of the collected information is a big part of what is and isn't allowed.


Source? AFAIK web-server logs logging IPs are not allowed under GDPR.


I looked into this back when the GDPR came into effect [0]. I am not a lawyer but in summary:

Web sites are allowed to log data (including visitor requests and IPs) required for the smooth running of the site. It could be argued that keeping logs allows for trouble-shooting so web server logging is probably OK in most circumstances.

However, there is no reason to keep months/years of logs around. Having this data is actually a liability under the GDPR and you should be aggressively deleting logs after a few days.

[0] https://sheep.horse/2018/6/the_eu_general_data_protection_re...


>It could be argued

I, for one, would not like to argue this in court. I heard many lawyers advising against storing IP addresses.

And yes, long-term analytics are a no-no. So good luck comparing your website performance year to year or even detecting seasonality.


That would be interesting. They all log IPs by default. Here's an example from nginx:

192.168.1.122 - - [10/Feb/2022:11:32:35 +0000] "GET /audio/pop.wav HTTP/1.1" 206 28366 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0" "-"
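
One way to apply the "log for troubleshooting, delete after a few days" advice from the comments above to access-log lines like this one, as an added example that is not part of the thread: it coarsens the client address and drops entries past a retention window. The /24 and /48 prefixes, the 3-day window and all function names are assumptions of this sketch, and every sample line except the first (taken from the comment above) is constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Leading fields of the access-log format shown above: addr, ident, user, [time], rest.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] (?P<tail>.*)$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LINES = [
    # From the comment above.
    '192.168.1.122 - - [10/Feb/2022:11:32:35 +0000] "GET /audio/pop.wav HTTP/1.1" '
    '206 28366 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0" "-"',
    # Constructed: IPv6 client inside the retention window.
    '2001:db8:1234:5678::1 - - [09/Feb/2022:08:00:00 +0000] "GET / HTTP/1.1" '
    '200 512 "-" "curl/7.81.0" "-"',
    # Constructed: entry older than the retention window.
    '198.51.100.9 - - [01/Jan/2022:00:00:01 +0000] "GET /old HTTP/1.1" '
    '200 100 "-" "curl/7.81.0" "-"',
    # Constructed: line that does not parse.
    'not an access log line',
]


def mask_ip(raw: str) -> str:
    """Zero the host part of an address: keep /24 for IPv4 and /48 for IPv6."""
    addr = ipaddress.ip_address(raw)  # raises ValueError on anything else
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def minimize(lines, now, retention=timedelta(days=3)):
    """Return (kept_lines, dropped_count).

    Kept lines have their client address masked. Lines that are too old, or
    that cannot be parsed and therefore cannot be masked, are dropped rather
    than passed through unchanged.
    """
    kept, dropped = [], 0
    for line in lines:
        match = LINE_RE.match(line.rstrip("\n"))
        if match is None:
            dropped += 1
            continue
        try:
            stamp = datetime.strptime(match["ts"], TS_FORMAT)
            masked = mask_ip(match["ip"])
        except ValueError:
            dropped += 1
            continue
        if now - stamp > retention:
            dropped += 1
            continue
        kept.append(
            f'{masked} {match["ident"]} {match["user"]} [{match["ts"]}] {match["tail"]}')
    return kept, dropped


if __name__ == "__main__":
    now = datetime(2022, 2, 11, 0, 0, tzinfo=timezone.utc)
    kept_lines, dropped_count = minimize(SAMPLE_LINES, now)
    print("\n".join(kept_lines))
    print(f"dropped: {dropped_count}")
```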


So true.

I have a collection of small, US-focused websites.

I'm investigating low-effort ways to geo-fence the EU. At some point it just becomes easier to ban Europeans, rather than keep up with whatever they'll come up with next. I saw in this thread that the Google fonts on my website are now a problem as well!? That's the first I heard of it.


> That’s the first I heard of it.

This is the perfect example of why government oversight is needed. You run a bunch of websites and aren’t aware that you are inadvertently involved in violating the privacy of the people who visit your sites. How are non-technical people supposed to deal with this?


No, this is a perfect example of the exact opposite.

A bureaucrat on the other side of the planet comes to a conclusion and I, who never voted for this person or knew about their existence, am legally bound by their decision.

On pain of who knows what fines or penalties. I’m nearly overwhelmed by the amount of work on my core product, I can’t add “keep up with European legal opinion” to my todo list as well.

As I said, it’s simpler to just geofence everything.


You don't need GA for a website either. Many websites probably don't even need any form of analytics at all.


Do you really think we are in a better place now with GDPR and all these annoying cookie banners all over the place?


Overall, yes. At the very least it's been incredibly enlightening. It's amazing how random websites have 50 "partners" all of which for some reason need to know what I'm doing.


So you think your "enlightenment" is worth the millions of work-hours people are putting in just to read and click a cookie banner they give absolutely not a single crap about?


They wouldn't have to do this if they didn't spew personal information indiscriminately to scumbag "partners". So yes, I do think that is worthwhile. The cost is borne by the correct people.


The cost is borne by every single internet user in EU clicking countless stupid boxes every single day - for nothing.

Also by the EU users losing access to ad-supported free services.


Not for nothing, as you can see in this post. Little by little we're stopping to send private data to the US. That's a good thing, even if it's painful at the start.


>That's a good thing

Says who?! I have zero problems sending my private data to the US. I did it for years and I still think it is one of the better places to send my private data to. Definitely better than my own country.


Answering here because there's a thread depth limit.

> Free content and services. What do you lose in exchange?

Privacy. What I do shouldn't really be anybody else's business.

An ad-targeted web. IMO ads are a plague on useful content, because everything is about getting views and clicks. This makes actual content less useful and more annoying to consume. It incentivizes posting low effort, watered down content rather than smaller amounts of great content. It also means content creators are trying to please the advertiser, and not me.

Risk of manipulation. Lots of effort has gone into figuring out how to best manipulate people, and when you know who somebody is and how to best tailor any given message to them, you can get pretty far. I'm quite sure that I also have buttons that can be pushed if somebody knows how, and I don't particularly like the thought of that.


Me, obviously, since I made the comment?

And why the heck would I want to give my data to a bunch of random companies? What's the benefit in it for me, anyway?


> What's the benefit in it for me, anyway?

Free content and services. What do you lose in exchange?


And every single user outside the EU. I never voted for these crazy runaway regulations, but I can’t browse many sites on mobile at all with all the damn banners.

EU bureaucrats are effectively prescribing how the web should work for everyone. Ridiculous.


Yes.


Never a shortage of people willing to dictate other people how to live their lives.


Never a shortage of people mad that they can't eat trans fats or inhale leaded gasoline exhaust anymore, either. Not great analogies, since giving up personal info to use free services is a reasonable choice for individuals... But in aggregate, it's like giving up a bit of sovereignty to be that transparent. Microtargetting has helped enable some serious societal harms, i.e. spreading lies to the gullible while evading scrutiny from others, and that pales to how intelligence agencies can use the hoards of personal data. I think France and the EU are moving in the right direction, given the CLOUD act exists, and given all the other bad societal effects enabled by a surveillance focused economy. US politics hasn't weathered the shift well, unless of course your fitness function for politics is how resilient the elected government is against voters, i.e. how little can it serve their interests without losing power.


No one is dictating you how to live your life. The recent EU privacy laws are about giving people a choice how their data is used. You are free to accept the cookies. You are even free to automate that via browser extensions. You are free to build websites in ways that don't require tracking user data and thus don't require consent. You are free to vote for politicians that are against privacy rights or even campaign yourself.

But a fundamental issue with freedom is that sometimes freedoms conflict with each other. Here the freedom to do whatever you want conflicts with the right to privacy of others and the EU has decided that in this instance the right to privacy takes precedence.


I am not free to use ad-supported US services when they stop being provided to EU citizens due to the onerous requirements imposed on them by privacy laws.

I am not free to use a website and give away "my data" by default without having to click Allow All on a damn cookie popup.

The EU politicians unilaterally decided to steal these freedoms from all EU citizens.

The right to privacy is not a freedom. I am not sure it's even a real right. But it was easily accessible even before the current privacy laws, even if it needed a little technical competence. It wasn't the default though. And the current laws do not provide me the privacy I actually need: from EU government(s).


> I am not free to use ad-supported US services when they stop being provided to EU citizens due to the onerous requirements imposed on them by privacy laws.

Those companies are free not to do business with you but it is not the EU privacy laws making that decision. Those companies can provide their service in a privacy-respecting way and many will - the EU is not a small market to give up on. You can also use a VPN.

> I am not free to use a website and give away "my data" by default without having to click Allow All on a damn cookie popup.

You think users should need to be technically competent to block cookies but don't want to be technically competent to install an extension like https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-a...

And don't forget that those consent popups are likely specifically designed to be annoying in order to get you mad at the privacy laws. Don't fall for it - the EU privacy laws do not require websites to be user-unfriendly.

> The EU politicians unilaterally decided to steal these freedoms from all EU citizens.

I am not going to pretend the EU is a perfect democracy, but ultimately, those decisions are made by those elected by the people - directly or indirectly.

> The right to privacy is not a freedom. I am not sure it's even a real right.

It is a real right that has historically been enforced in many EU countries. The recent laws do nothing more than update that enforcement to the digital age.

> But it was easily accessible even before the current privacy laws, even if it needed a little technical competence.

No, it really wasn't. You can block cookies but you cannot stop companies from tracking you via the 10 million other ways they have available or to trade information about you with third parties. You cannot use technical means to find out what information companies have collected about you. You cannot use technical means to compel companies to delete information they have already collected. THAT is why we have new laws.


Hell yeah. The banners are the fault of the website owner. They don't have to display them.


But they do, and it's terrible.

I feel for my European brothers and sisters these days. As an American, I hardly ever see these banners. Went to an EU country for work and... Holy cow. Y'all get these banners every site. How do you tolerate it?


Searching for "Allow All" becomes a reflex after a while. I don't know anybody rejecting anything anymore, it's even worse.


Honestly, I've never felt the urge to reject. I'm a guest in their data house, soaking their bandwidth for free. Track away.


This is weird. I'm neither in US or Europe but still see all those cookie banners everywhere on every site.

Thanks to GDPR, we have a much more private web. /s


Do you really think GDPR and cookie banners are related? Most are non-compliant in the first place, and were around for years beforehand.

Yes, I think we're in a vastly better place, where there is a cost to doing bad things.


Unfortunately the cost is borne by us, regular EU internet users through a much degraded Internet browsing experience.


You know those "cookie banners" are illegal under GDPR too, and done specifically to annoy people into agreeing?


This is so funny. Under GDPR everything is illegal, the only legal website is no website.

Good for Europe, they are just going to law themselves out of the internet. Up to the point where your ISP doing hops to send your TCP packet will be illegal unless you approve them sharing that info with all the shops.


What about clicking or typing in a site? Is your webserver processing those? That means you’re gratuitously using user data to run your for-profit business! That should be illegal!

/s


100%.

(Also, the GDPR is not responsible for cookie banners)


Good law understands consequences.

The market responding to the law with billions of cookie banners was as predictable as prohibition leading to bootlegging.


>The market responding to the law with billions of cookie banners was as predictable as prohibition leading to bootlegging.

And now the regulators are responding to it.[0]

[0] https://www.iccl.ie/news/gdpr-enforcer-rules-that-iab-europe...


That ruling declares that a centralized solution is no good.

The predictable outcome from that ruling is a decentralized solution: a few libraries attempting to build frameworks that are compliant, everyone implementing their own one-off versions of permission-granting and cookie consent using those frameworks as a basis, and the Authority chasing mom-and-pop sites that are out of compliance until the sun goes cold.

In a sense, that may satisfy the goals: the data will be decentralized, stored widely, and harder to aggregate. On the other hand, what we learned from the virus era and the Windows OS monoculture is thousands of nodes running the same software (but not centrally maintained; maintained by people who have a job other than maintaining a website and are therefore slow to patch security holes) will be vulnerable to scripted attacks against frameworks.

My prediction is a net increase in stolen PII and, while individual site-runners will get screwed, the number of sites collecting the data won't go down. It's just too valuable, and the odds you will get hit by a hacker are too low.

In any case, it'll be a hell of a ride.


Cookie banners were already a thing before GDPR.


This! GDPR is a big block towards technological improvement.

Do virtually any business that involves user registration at some point, and now you need to be sure that you're compliant with all those rules, spending limited resources on that to avoid ridiculous fines.

It benefits only the big players who have lawyers to know exactly what to do and not, and is a nightmare for anyone who tries to grow a small business or have a small website.


> GDPR is a big block towards technological improvement.

It's exactly the opposite.

It forces technology to be developed in a way that protects human rights (specifically the right to privacy).

Innovation is not automatically good if you're innovating in the wrong direction. Think of it as a vector, not a scalar.


I was anti-Brexit when it happened, but am beginning to see the wisdom of it.


It was already non-invasive. I, as a conscious human being browse a website, use their (potentially free) services. The website can of course put a cookie and track me. If I'm really paranoid I could block cookies etc but regardless, no one forces me to use their website.

If someone pointed a gun and forced me to go to a website, enter my personal data and give my data to trackers that would be something else (still not website's fault but anyway).


Who is deciding what is the wrong and good direction to innovate in for everybody else?


Apparently some politicians in EU who have a grudge against US-based tech companies.

"Hey Google and Facebook is doing so well let's make harder for everyone using their services."

I neither have sympathy for those companies and never been to US, but after all these GDPR regulations I actually started to sympathize.


[flagged]


Nothing to do with warrants. And this was done by the highest level of EU courts, overriding the commission (which allowed data to be transferred)

The decision is here: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:62...

And it's all about warrantless surveillance.

"As regards the limits on intelligence activities, the referring court emphasises the fact that non-US persons are covered only by PPD‑28, which merely states that intelligence activities should be ‘as tailored as feasible’. On the basis of those findings, the referring court considers that the United States carries out mass processing of personal data without ensuring a level of protection essentially equivalent to that guaranteed by Articles 7 and 8 of the Charter."

and

"As regards judicial protection, the referring court states that EU citizens do not have the same remedies as US citizens in respect of the processing of personal data by the US authorities, since the Fourth Amendment to the Constitution of the United States, which constitutes, in United States law, the most important cause of action available to challenge unlawful surveillance, does not apply to EU citizens."

So, basically, the US security services can hoover up data about EU citizens, and those EU citizens aren't allowed any legal redress about it. Which, unsurprisingly, they aren't okay with.


> So, basically, the US security services can hoover up data about EU citizens, and those EU citizens aren't allowed any legal redress about it. Which, unsurprisingly, they aren't okay with.

Nothing about this stops that. Like I said to the other person this is protectionism. Requiring every US-based tech company to duplicate its infrastructure in the EU, which in turn gives EU competitors an unfair advantage.


The argument is not that Google shouldn't hand over data with a warrant if it resides in an appropriate jurisdiction. The argument is that Google shouldn't have the data in that jurisdiction to hand over in the first place unless an individual user has given consent for that.


Why should every US tech company be expected to duplicate its infrastructure in the EU? Google isn't special, this applies to EVERY US-based competitor to GA. This gives EU competitors an unfair advantage.... and that's the real point.


Because the US cannot implement reasonable privacy laws that give basic safeguards to personal information expected by EU citizens (or even UK citizens).

If anything, EU competitors to Google Analytics are at a _disadvantage_ because they can't apply the same laissez-faire techniques for US-based customers that US-based companies get away with.


[flagged]


> I understand how you could think we are since we seem to pay your military budgets for free.

I live in America.

> It's protectionism because your tech industry sucks.

I work for a FAANG, in America. "My" tech industry is doing fine, thank you very much. Nice try though.


> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)

No, Germany is a big leader in the EU. They are very sensitive to issues around privacy, from the DDR era.

They don't want private corporations having DDR-like folders of information on citizens.


But successive German governments really like the state to collect all communications data - so the sensitivity is very one-sided.


That's the funny thing: they are sensitive of data collection by corporations when the data collection during the DDR was done by the government, something that they surely don't care about.


the major other difference being that I can democratically elect who is part of my government. I cannot do this in a US owned corporation.


Government surveillance on citizens has a long history of horrifying consequences, especially in Germany. What is the worst corporations are doing with our data? Better ads?!


> What is the worst corporations are doing with our data? Better ads?!

There is often no clear dividing line between government and corporations. You give one freedom to abuse privacy and it will be used by the other.


You mean the governments will abuse the privacy, no matter who gathers the data. Then maybe our fight is with them, not businesses.


No, what I said doesn't preclude corporations abusing privacy.

They regularly try to do this, as with working from home monitoring, or insurance companies profiling individuals.

Governments can also be governments in name only, see corporatocracism.


> working from home monitoring, or insurance companies profiling individuals

Comparing that with what governments can do with data gathered about me, I know which ones I want to be protected from. Unfortunately they are the ones writing privacy laws and they leave huge loopholes for themselves.


Especially not in systems in which the government turns totalitarian. (See fascism, and while Stalinism doesn't have the concept of a company, many of its state owned enterprises were former companies.)


Yup. Governments already can access any data they want anyway. Sure, with access to big data collected from corporations that would be easier, but even without that, government can do whatever they want (unfortunately).

This harms companies, website owners trying to use services, and users (someone using my free site, I need to monetize it, targeted ads was a nice way, now I can't).

I see no upsides of actually protecting privacy.


I don't see that as a relevant distinction. Democratically elected governments can do really bad things, too, and they have a much bigger tool kit for it than corporations.


> Rest is just making life of web developers/admins/tech company owners harder.

Well, of course, tech companies, especially Google, Facebook, Amazon (and this one doesn't even respect basic work and union regulations and rights) are getting out of hand, making their life harder (if not dismantling them) is the legislator's job.

> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies.

Again, yes, of course, so what ? The US (tech and government) has been prying on the rest of the world with its tech advance and has been using it to spy and gather data it could not get otherwise. France, the EU, are just defending their citizens' rights and their interests, especially economical, against another threat to civil liberties.


I wasn't referring to FAANG, I was referring to smaller devs/admins who try to keep up with analytics and don't have ridiculous amounts of money to work with lawyers to see what they are doing for analytics for the sake of improving their service might be landing them $1m fines for some new rule in some geographical locations.


Well, if they want to operate somewhere, they have to follow local rules.

I doubt American companies wouldn't comply with American law, European law is no less important than the American one and I don't see a reason why we should be accommodating towards foreign businesses, especially, again, those of a country which is a threat. Big companies shouldn't serve as a model to follow.


That's the problem: web should be global and open: a website shouldn't be bound to laws of somewhere. It's 2022 and forcing following local rules for a web based global service only does harm to users (and the service).

A basic example: government of my country requested all data and payments to/from PayPal to be controlled by them, PayPal naturally rejected it, and they got banned from my country.

Now who is affected? Us! The whole world can use PayPal to send/receive money pretty much everywhere, but we can't.

These regulations and "needing to follow local rules" itself is alone a reason for a completely decentralized-countryless web to succeed.


I don't like the meat industry, but seriously all these food safety laws are getting out of hand.

Anyone who's concerned about salmonella, hormone levels or animal welfare, can just not buy any products that could potentially contain animal products from countries with weak animal welfare or sanitary laws. The rest is just making life of farmers/shops/wholesalers harder.

Especially with these European intentions, I frankly believe that one single country's laws should be universal and no other country may implement or enforce laws that protect their consumers. The onus to protect themselves from harm must lie with the individuals and governments should not dare inconvenience anyone just to protect their citizens' interests.


Eating tainted meat can kill you. What’s the worst corporations can do by tracking you? Better ads?!


"We kill people based on metadata." - Former NSA Head Michael Hayden.


Last I heard, the NSA was a governmental agency, not a corporation.


And governments now outsource some of their functions to bigger corporations as a loophole around human rights- mass spying and censorship, for example.


Then let's fight the actual problems - the governments - and stop going after the decoys. Let's make it illegal for government to access and use business data. That will fight the actual problem while allowing businesses to keep serving us better.


I have somewhat of the opposite opinion. I use Google search and Gmail and think they are good products. When GDPR was first being rolled out I was convinced that it was going to destroy the web and ruin a lot of what I like about it. I was wrong and now I’d like to see the US provide similar protections for consumers.


Try to use the web from inside the EU. It is ruined.


> Anyone who's concerned about their data being collected can just block Google-or-like-related domains.

What percentage of the general population do you estimate a) will know enough to want to do this and b) will know how to do it?


They don't need to browse the free web as well, but they choose to do.


That's like blaming the people in Flint, Michigan for drinking the lead-tainted water.


You need to drink water to survive. You browse web voluntarily, picking the website you want to visit voluntarily and with intention to go there. No one dies if they don't visit a website.


Yeah, no.

My kids cannot opt out of Microsoft Teams - it’s a school requirement. People applying for jobs are gonna have to apply online these days.


> Anyone who's concerned about their data being collected can just block Google-or-like-related domains.

This requires a level of access and technical skill which most people don’t have. If you have ever tried doing this, think about how many sites break because they have code which assumes GA calls always succeed and then ask what percentage of the population would be able to identify and work around those problems.


> Rest is just making life of web developers/admins/tech company owners harder.

So what ? The right to privacy is more important than a select few having an easier time doing business, end of story.


Well no one puts a gun on your head and forces you to visit a website. Anyone who cares can always block GA with extensions either. If you are entering my site, hosted by me, owned under my domain, I can put whatever tracking script I want, controlled and used by any company and no one should have a right to control it.


> Rest is just making life of web developers/admins/tech company owners harder.

Seriously? People spend tons of money and time to track users. If you want to be GDPR-compliant, simply don't save unnecessary userdata and if you still feel the urge to do so, give users the option to control it. It's that easy. Any problems you get from it are of your own making.

> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies

We created the GDPR, but then knee-capped it with safe harbor. Then Schrems sued and the courts dropped it, but the EU simply reinstated it under the name privacy shield. Then Schrems sued again and after having to have a legal battle again, it unsurprisingly turns out that it's still illegal. I can't see how you think of the EU as anything but overly lenient.


Many just want analytics and GA is the most convenient option. Though with GDPR now website owners (many offering free content and hosting a site where a user explicitly browses into with their own will) need to learn law to make sure they are compliant, which obviously shouldn't be the case for such a simple task.

I'm not going into anyone's house and force them to give me their data, I'm collecting anonymous data from people who, with their own will, visit my website/use my service. Don't want me to collect your anonymous data? Sure, don't visit my site/use my service then. No one forces anyone. Regulating what tech I can use on my own website? This is ridiculous.


> Many just want analytics and GA is the most convenient option. Though with GDPR now website owners (many offering free content and hosting a site where a user explicitly browses into with their own will) need to learn law to make sure they are compliant, which obviously shouldn't be the case for such a simple task.

The problem is that we made collecting user data the easy task while ignoring privacy protection. The fact that Google spend billions to make spying easy does not mean it should be legal. And it's really easy to be compliant - don't collect data. You don't need it to host your website, you really don't.

> I'm not going into anyone's house and force them to give me their data, I'm collecting anonymous data from people who, with their own will, visit my website/use my service. Don't want me to collect your anonymous data? Sure, don't visit my site/use my service then. No one forces anyone. Regulating what tech I can use on my own website? This is ridiculous.

And you're absolutely free to ask people for consent for collecting their data or to simply block visitors from the European union. You can also not collect data or do so in compliance with the GDPR, by the way. All ways are perfectly viable.

But just because I opened a link in my browser does not mean I consent to anything - by that logic, ransomware is perfectly fine, because you visited their website and downloaded their software. This is ridiculous.


GDPR is not merely a list of bad things not to do. You aren’t compliant unless you follow slow, expensive processes to continually demonstrate compliance.


I'd really love to see a quote on the section you're referring to. The GDPR has some processes for larger companies (i.e. DPOs), but they're neither expensive nor slow, and small companies have a lot more leeway.


The most egregious I know of is https://gdpr-info.eu/art-36-gdpr/, which calls for an 8–14 week delay that may or may not apply to any launch. I don’t even think the entire EU must agree on what the conditions will be.

Apart from “a natural person in the course of a purely personal or household activity” I don’t know of any size exemptions.


Have you seen the list of companies that typically show up when you opt-out of data-sharing? It's frequently in the hundreds. I'm incredibly sick of them so frequently starting with "Your privacy is very important to us" immediately followed by "So we're going to share your data with these 100 anonymously named shell and reseller corporations."

It's not GDPR making life harder for companies, it's the shadowy practices of businesses that are finally being brought to light.

Source: US Citizen, living in EU.


When I was a young adult, when a visitor counter on a website was en vogue, I was building a system that would take note of where users came from, which pages they visited, how long they stayed there, which page they exited through. What paths they took through a site.

It didn't go that far. But when I saw people plastering the Facebook like button everywhere I knew exactly what that meant. That one random corp now can know everything about everybody's behaviour everywhere.

Then Google put out Google analytics and I just switched my sites to this thing. I didn't mind all that much because it was Google and do no evil was still a thing.

But GDPR is something that reminds me of how ridiculous things we accepted as if they were normal just because they were technically feasible.


The industry standard is to show utter contempt for the user. It's expected that every site will show you tacky and distracting ads and will dump 90 third party cookies on you. It's beyond belief.

Imagine going into a travel agent to inquire about a flight. The moment you step through the door 50 people attach themselves to you. Some start recording your every action in a notebook, others flash torches in your eyes, two of them start showing you a video at the same time. And the rest follow you around holding up large ads. And they carry on following you around even after you leave the store!


Imagine there is another travel agent not doing all that, but it costs money while the first is free. Wouldn’t you like to have the right to choose which one to visit, or do you prefer that choice to be made for you by politicians instead?


I would absolutely like the ability to pay for services which do not track or advertise to me. But they don't exist for the most part, and the existence of those services does nothing to diminish the requirement of the ones engaging in poor practice to make their service "free" to obtain _consent_ for what they are doing.


> But they don't exist for the most part

And the current privacy laws in EU make the free services illegal. How is that any better than the scenario where paid services did not exist?


Because privacy is maintained for those that want it, and those that don't know they want it.

Free services may exist perfectly well:

- They must not invade privacy without obtaining consent

- They must not transfer personal information to jurisdictions with privacy controls which are too lax.

If a business relies on doing either of those two things, it deserves all the problems it has.


> and those that don't know they want it

So much evil was done in the name of pretending to know what people want better than people themselves.


Then focus on the people that do want it - which by the count of the number of people who say no to Facebook tracking on iOS, is a very high number. Enough to be of material impact to Facebook's bottom line.


The law does not allow Facebook to refuse service to those saying no to tracking. If they were faced with that choice, I am sure most users would've made a very different selection.


Due to a misconfiguration by my local ISP which meant Google services were not accessible, I discovered that the UK government's 'parliamentlive.tv' has a dependency on JQuery loaded from Google's CDN.

You might say that it's up to the UK government to fix that, and I agree, but as an individual with no direct influence on the implementation of this service, it's also clearly not the case currently that:

> Anyone who's concerned about their data being collected can just block Google-or-like-related domains

Or at least, they can, but they may be excluded from civic services they are entitled to avail themselves of, which their taxes go towards paying for.


This is completely unrelated to GDPR. In France, Google Analytics was illegal since it was ever started. French privacy laws from 1978 are still to this day MUCH STRONGER than GDPR which is just salt on the wound and does not prevent malicious collection of data (though now you have to come up with a "legitimate interest" excuse for that).

Google knew they were making an illegal business and still went ahead. IMO they should be charged for being a criminal ring defrauding small businesses for SEO as part of a global scheme... if not for helping genocidal regimes surveil/censor/imprison/murder their population as they have been doing for years.


>Anyone who's concerned about their data being collected can just block Google-or-like-related domains. Rest is just making life of web developers/admins/tech company owners harder.

The GDPR is not limited to the internet. So say you go to make a blood test to check your health, GDPR will apply there too, you don't need to go with a fake ID and with a mark on your face, the law protects you from greedy companies so you and your family don't have to use weird workarounds to protect yourself.


> I don't like Google but seriously this whole GDPR thing is getting out of hand.

IMO it's the other way round: data collection and lack of respect for privacy got out of hand and has been like that for a long time now. It's finally coming under control, albeit slowly. This is not the end of it. And I'm super happy about GDPR.

> Anyone who's concerned about their data being collected can just block Google-or-like-related domains.

Why is it on the victims to protect themselves against illegal practices? We have courts and authorities for a reason.

If it stopped at Google, this would be easy. But GA is just tip of the iceburger.

> Especially with these European intentions I frankly believe this is more of a political war against US and US-based companies. (No, I'm not from US as well)

I don't believe that at all. But ultimately what I believe does not matter. I'm just happy that right to privacy online is finally becoming a thing.


> can just block Google-or-like-related domains

Got a grandmother?


Who's concerned about Google collecting data? No.


Surely that is to do with her knowledge and education around privacy and data collection. Ignorance to the issue doesn’t mean we should ignore people like this.


I am perfectly educated about privacy and data collection and I completely fail to see the actual harm being done. I am much more bothered by those incessant cookie dialogs.


So we should accept facial recognition in public because there are people who don't care?


Amazing how you got there from me saying I don't have a grandmother who's bothered about this.


Should we allow it just because there is a vocal minority really bothered by it?


Why not? No, seriously. If people that are concerned by it are in minority - they should wear masks.


So you are not concerned about your grandmother ?


#sowhatyouresayingis


It's just getting in hand, and I love it!


This is like saying that we shouldn't have meat packing hygiene regulations because people can always go vegan.

Yes, you can always avoid the bad behavior of corporations by living in a tent in the wilderness. No, that doesn't mean we shouldn't regulate them.


> Rest is just making life of web developers/admins/tech company owners harder.

There are hundreds of alternatives to Google Analytics, developers/admin/companies should just choose wisely. That's what the GDPR is about: end of free lunch for everybody at the expense of people's privacy, choose your shit carefully.


Pro tip: no tracking, no problem. GitHub has my respect on this one.


The CNIL was created in the 1970s. The main thing the GDPR has done is give it a lot more teeth. So in effect data privacy has been the law for over 40 years now. Ignorance of the law is not an excuse, not for such large corporations in particular.


I don't want to comment on GDPR, but you must be kidding with 'can just block'. Do you expect that the average Joe can do that? It's like saying we don't need police, you can simply defend yourself.


Everything comes at a price. I don't expect every average Joe to be tech savvy to use extensions. Though when visiting a site (an action that a person deliberately takes) if they really care about their privacy on web, cookies, GA tracking they aren't probably average Joe and can use a blocker.


You are conflating "technically savvy" and "doesn't want to be spied on". I understand that these probably correlate in your world, but a simple moment to think about why most people click "no" to the iOS tracking opt-in prompts explains that these are orthogonal issues.


Agreed


I suppose AdSense is next? I think that would be a total disaster for the already crippled European web.

And what about Chrome?


CrUX data will be next. Using Chrome to be considered illegal in Germany.


No, you download Chrome. You agree to the analytics when you install/first open it.

This is different from going on the site of your local company and feeding data into Google analytics involuntarily.

The relevant legislation is about whether or not you agree to data being collected and shared, and the issue is that US companies are essentially data funnels for NSA & co.


So why can't I ask my website users to AGREE on Google Analytics usage the first time they arrive? It's up to them to accept or not.


Haven't cookie consent prompts caused enough problems already...?

My way of disagreeing is GA domains in the HOSTS file.


You download a website when you visit it. Both analytics and chrome phone home information about your activity.

They are the same.


Technologically, yes.

But if there's one thing we've learned from the GDPR, what matters is consumer perception, not the underlying tech. A web site isn't a browser.


For the French people on HN: There is a privacy-first alternative called: https://simpleanalytics.com/


I contacted them approximately 4 years ago to denounce the developers of TrackMania that don't hash passwords [1]. I have not received an answer since, and I bet they do not even care. I'm sure they are a bunch of hypocrites and now that they've realized they can make a lot of money randomly fining Big Tech, this is just what they're going to do.

[1]: If you clicked on "Password forgotten" on the log in page, they'd just send you your password unencrypted by email.


I've contacted them twice in the pre-GDPR era, about unsubscribe links not having any effect on some spam emails from French companies, and both times they took action against the company and reported back to me. It took some time but they acted on every case, no matter the company size, I was actually impressed.

I guess it's a matter of luck.


The onus is on Google to suspend or anonymize Analytics. Individual Website managers can't be expected to discriminate based on geographical origin, as the document seems to imply.


If Google doesn't offer the ability then it is up to the customer to not use GA until Google complies. I hate this ruling, but implying it's just Google's job to do this and everyone else should just do nothing is crazy.


Surely Google has a presence in France? Why not go after Google directly? It is way easier than processing 1000s of site owners.

Google are the ones spying. The aggregate put on GA dashboard are a minute of the personal info they collect.


Reasons:

1. Legal: It's the site owners integrating GA and therefore taking on the liabilities just like they do with every other supplier. When a part in your car fails immediately after you bought it, it's the manufacturer's job to fix it even if they acquired the parts from a third party (e.g. Bosch).

2. Practical: A website 100% located in France and catering to 100% French customers is much more likely to fix the problem than the international anonymous machine that is Google.


> When a part in your car fails immediately after you bought it, it's the manufacturer's job to fix it even if they acquired the parts from a third party (e.g. Bosch).

And the manufacturer can go after Bosch, who is responsible in the end.

> than the international anonymous machine that is Google.

Except the law applies to Europe as a whole, and it's really not that much to ask one of the biggest technology companies in the world to use European servers and anonymize European traffic by default. They just don't want to or don't care. Which both should be reason enough to stronger regulate them.


Very true.

I think we will see a two pronged approach to the Problem.

On the EU level, the commission and the states will engage Google directly while on a national level individual companies will be "encouraged" to find alternatives.


Yeah, that would be my prediction as well.


> the international anonymous machine that is Google.

Uber, Google etc. really want this to be true.

However, it is trivial for a nation state to shut down Google's commercial interest in the country.

Just have the police lock the door to their office and blacklist a bank account or two. If doing business with Google becomes illegal, they will lose almost all revenue except some indirect shell company ads.

Seems way less work to make Google compliant than to figure out which sites in French are actually French jurisdiction.


It's worth noting that GA4 does this already. GA3 (AKA Universal Analytics) requires owners to set the anonymize_ip flag though. I agree that Google should have retroactively changed this policy for GA3 accounts, even if it would cause some breakage.

https://support.google.com/analytics/answer/2763052?hl=en


The English post from CNIL makes it clear it's not just IP that's the issue:

>In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the associated data are transferred by Google to the United States.


Fair point. The English link was not yet posted when I read the (translated) article, so the nature of the personal data wasn't that clear.


>Individual Website managers

It's their responsibility to include or not google analytics, though.


If Google does not do so or fails to do so adequately, then the onus is on website owners to stop using a service which does not allow them to meet their data protection obligations. The data controller can't offload all responsibility to the data processor, in GDPR terms.


Yes, this is correct. GA could make the controller's lives easier, but it isn't ultimately responsible for this.


I both agree and disagree. I agree what Google has been doing for years is morally/legally wrong. I disagree that they should change it, because it would still be triggering 3rd party requests from your browser to Google which is wrong for so many reasons (first and foremost latency and privacy).

IMO we should break away Google entirely and trial their execs for crimes against humanity. They're cooperating with USA, China, Saudi Arabia... by helping murderous regimes deploy their techno-police, how many million people have they helped imprison/murder?


Google Analytics is the best analytics tool out there.

By getting their companies off GA, European governments are weakening their industry.

This probably holds true for many SAAS products. Many of the best are from the USA. Forbidding European companies to use them is a disaster for the European internet industry.


For whom and what purpose is it the best?

There are many niche systems that fit specific purposes. Sure GA can benefit from scale and existing profiles with user data gathered in other contexts, which a self-hosted solution would not have access to. But does it address every need better than specific systems? And is the added benefit worth sacrificing your users' data to Google?


Google Analytics is hugely overrated. Most people don't use it properly, many browsers block it entirely, and you can usually do a better job just by looking at server logs.


Saying so just tells me that you have never been analyzing and optimizing websites with millions of users. Websites on which a whole company depends. It would be a crazy approach to try and do it via server logs.


Actually, there are some nice tools (e.g. GoAccess) that produce pretty graphs. The vast majority of people just want pretty graphs; the more fancy data Google Analytics produces is nowhere near as accurate as the number of trailing non-zero digits would have you believe.

Depending on your userbase, the regular traffic data can be off by significant proportions. I've seen pages where the number of logged-in interactions are higher than the number of Google Analytics hits.


But GA is indeed not very useful for many questions. FF blocks it by default.

We use server-side stats and for last month I get 30.1% Chrome, 28.8% FF. Now when I compare that to GA: 40% Chrome, 16% FF…


Server logs aren't the only alternative to Google Analytics. Matomo, Plausible, and Fathom are all perfectly viable.


> and you can usually do a better job just by looking at server logs

Yes, if you only want to count visits and don't have a problem having all bot traffic included. For everything a bit more advanced you need a proper analytics tool.


Filtering out bot traffic is easy enough with server logs. A self-hosted JavaScript analytics tool gives you more data, but Google Analytics filters out Firefox users too; contrary to ReCAPTCHA's apparent beliefs, Firefox users are mostly not bots.
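As an added illustration of the server-log approach discussed in this thread (not code posted by any commenter): a small Python summary of an access log that drops bot traffic by User-Agent and truncates visitor addresses before counting anything. The sample log lines, the bot keyword list and the /24 and /48 truncation widths are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Apache/nginx "combined" log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.57 - - [10/Feb/2022:09:15:02 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0"
203.0.113.57 - - [10/Feb/2022:09:15:03 +0100] "GET /static/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0"
198.51.100.23 - - [10/Feb/2022:09:16:40 +0100] "GET /pricing?ref=hn HTTP/1.1" 200 7340 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36"
192.0.2.10 - - [10/Feb/2022:09:17:11 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
2001:db8:abcd:12:1::7 - - [10/Feb/2022:09:18:29 +0100] "GET /pricing HTTP/1.1" 200 7340 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0"
203.0.113.99 - - [10/Feb/2022:09:19:05 +0100] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36"
this line is not in combined log format
198.51.100.200 - - [10/Feb/2022:09:20:44 +0100] "GET / HTTP/1.1" 200 5120 "-" "curl/7.81.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumed keyword list; real deployments tune this to their own traffic.
BOT_RE = re.compile(r"bot|crawl|spider|slurp|curl|wget|python-requests", re.I)
ASSET_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".svg", ".ico", ".woff2")


def truncate_ip(raw):
    """Zero the host part: keep /24 for IPv4 and /48 for IPv6 (assumed widths)."""
    ip = ipaddress.ip_address(raw)  # raises ValueError on junk input
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def browser_family(ua):
    """Coarse browser bucket; order matters because Chrome UAs also say Safari."""
    if "Firefox/" in ua:
        return "Firefox"
    if "Edg/" in ua:
        return "Edge"
    if "Chrome/" in ua:
        return "Chrome"
    if "Safari/" in ua:
        return "Safari"
    return "Other"


def summarize(log_text):
    """Count successful page views per path and browser, excluding bots and assets."""
    page_views, browsers = Counter(), Counter()
    networks = set()
    bots = malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            malformed += 1
            continue
        if BOT_RE.search(m["ua"]):
            bots += 1
            continue
        path = m["path"].split("?", 1)[0]  # drop query strings before counting
        if m["method"] != "GET" or not m["status"].startswith("2"):
            continue
        if path.lower().endswith(ASSET_SUFFIXES):
            continue
        try:
            networks.add(truncate_ip(m["ip"]))  # the full address is never stored
        except ValueError:
            malformed += 1
            continue
        page_views[path] += 1
        browsers[browser_family(m["ua"])] += 1
    return {
        "page_views": dict(page_views),
        "browsers": dict(browsers),
        "visitor_networks": len(networks),
        "bots_skipped": bots,
        "malformed": malformed,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

User-Agent matching only removes bots that identify themselves, and a truncated address is still a coarse network identifier rather than an anonymous value.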


> but Google Analytics filters out Firefox users too; contrary to ReCAPTCHA's apparent beliefs, Firefox users are mostly not bots.

Isn’t it the other way around? FF by default blocks GA.


It is. From the perspective of the person choosing an analytics system, it doesn't matter exactly what the reason is, though.


You appear to have a very different idea of "best analytics tool" than I do. What is your ranking rubric?


You see it as weakening; others will see it as strengthening.



Meh, zoom out to 1 month.


-1 for obvious reasons


So I can follow someone in public, take pictures of them in public places from some distance, follow them into stores, see what they are spending and what they are using, etc. Store owners can have cameras, track the behaviour of customers, etc. But if I use a service which anonymously tracks which pages they opened on a website they voluntarily visited and are exploring, then I'm in trouble?


What you're describing is very illegal in France, and you might have the police called on you or the person reacting aggressively if you're filming them like that. In fact there were a few incidents of that nature with Twitch streamers pointing their cameras at people and complaining online they were being mistreated by the locals.


https://commons.wikimedia.org/wiki/Commons:Country_specific_...

This is a link I often check before traveling abroad regarding photography, and what is described is indeed illegal in France.


You're also in trouble if you send the data you collect by other methods without consent, to servers based in the USA for NSA to snoop around on and correlate with all their other data points.

Unless your argument is "but how would they know about it", in which case that applies to any other crime.


Instead you must give it to their European equivalents (which looks likely given the current state of affairs).


Yes, and NSA can read all communications anyway. This whole thing is a political issue not a technical one.


No, you can't stalk people.


You are not stalking, like doing it all the time. And you are not taking a close-up, in-your-face picture, but one from a distance. All that is not illegal in a lot of countries.


> if I use a service which anonymously tracks

Wrong. Google Analytics (at least v3 by default) tracks IP addresses, which are considered personal information. [1]

[1] https://www.cookielawinfo.com/anonymize-ip-in-google-analyti...


Actually, none of that is legal (in France at least), except for cameras.


In most countries, you may take a photo including some person walking down public space. However, if you follow this person, aim your camera at this person specifically, or take several pictures of the same person it would be considered an infringement of their "right to image" if not criminal stalking.


Stalking is illegal in every EU country, cameras need a permit, and the customer tracking needs an opt-in in most countries or is just illegal.


a) You can't do that. b) Your analogy does explain how creepy that desire is quite nicely.


You are in trouble in both cases.


While I think these rulings are interesting in the sense of providing an opening to EU-grown businesses (if not too late), it does have a comical dimension in it. "Private" information is everywhere, it's in your DNS queries, which also get propagated to servers in the evil US empire. Are we going to legislate DNS out of existence too? The EU seems to like having a completely private internet, but that's not gonna be possible unless we build one ourselves (how?)

There is a load of hyperbole in the EU privacy business, and it's coming from the German side, which is super sensitive to it. But Germany is a worldwide exception, their laws for censorship and privacy exist for specific reasons, and they shouldn't be propagating them everywhere.

Specifically in the analytics space, I don't think a lot of people are going to pay for analytics. A free version makes sense because a lot of websites don't make money. Google provides it for free because they have a monetary incentive to keep marketers in their ecosystem, other companies don't. (Unless the other companies choose to monetize them just as Google did)

I think the biggest loser however is going to be the decentralized open web.


> Are we going to legislate DNS out of existence too?

No, but we could ban ISPs from being allowed to log DNS requests. There's lots of things the ISPs are doing that should not be allowed. It's done completely without our consent. If regulating DNS would have as consequence "to legislate DNS out of existence", then be it.


Complicating the matter here is the Data Retention Directive, which while invalidated by the ECJ is still at least partially applied by some member states.


> "Private" information is everywhere

This was the case before da interwebz as well: Your attending physician/doctor, your local grocery store, your local post office, your employer, your school - they all have a bunch of your private information, and should really not propagate it to the evil US empire, or anywhere for that matter.

> Are we going to legislate DNS out of existence too?

Apparently we haven't legislated straw men out of existence, as you seem to be using one very publicly.


"to the evil US empire"

Or to everyone, by leaving it in a giant publicly exposed database enabling massive financial fraud. Thanks, Equifax.


DNS is not forced to leak private information forever. There are ways to dissociate the request from the person making it.


In Spain the Agencia Española de Protección de Datos (no translation needed I guess) is no joke.



