Most of the people using GA wouldn't be able to set it up correctly. I switched my personal site from GA to Microanalytics, since I wanted to avoid spending time trying to figure out how to configure GA to be conformant.
Google should be the one doing the compliance work. If Italy bans some usage pattern in GA, it's Google that should make it impossible to configure it in a non-conformant way.
I agree 100% with your second paragraph. I also hope they introduce massive "percent of revenue" fines when Google "forgets" to ban illegal activity on their (near-monopoly) advertising platform. Massive fines have genuinely changed the behaviour of sales & trading at global investment banks. We can do the same for FAANG and friends.
The most difficult aspect is dealing with URLs. But a company that is large enough to be customizing URLs per user is large enough to make a few JS changes to ensure they aren't sending those details to GA.
Some time ago Google gave EU admins the option to select a local regional (EU) server. This means the data is not sent to the US. But! It’s still not fully legal as the Google HQ (and thus the US government) can still access all the data.
This will never be repealed. It was introduced to effectively enshrine a right US authorities have had since the PATRIOT Act was introduced 17 years prior, since that act had become politically contentious and was left to expire.
If anybody seriously thinks US authorities will quietly lose a key power after enjoying it for 21 years, I have a few bridges ready to be sold.
No one said "quietly" -- but there has to be some threshold of backlash that would knock it back. My guess is that European privacy law could combine with it to have enough impact on large American businesses that they'd use their political weight to do something, whether or not it were to improve matters from the perspective of privacy/sovereignty.
Something I'm not getting here. If you buy an EU-engineered IoT home appliance that has PII, including whether a user is presently inside their home, then every company I know operating in this market uses US based clouds (what other options are there LOL) to do things like digital twin or device shadows, but by using a local availability zone.
So this is very different than GA, but depending on the threat-model can be worse. Also very similar metrics can be gathered from the data as from a GA cookie (are they eating, cooking, showering, watching TV).
The CLOUD Act would (or should) in this case also apply here, or what am I missing?
You're not missing anything. A lot of companies just have no idea of the legal landscape, or simply ignore it in the name of convenience. That's because consumers are even more ignorant of their rights around technology and don't sue them. It will take a lot of civil litigation for this to change.
I am only aware of Hetzner (German). The other day I was checking out their offerings and I was amazed at how easy it is to order a VM. And then it is live the next second. It is amazing.
Obviously they don’t have the full range of services the big three have. But maybe just enough anyway.
The watchdogs are extremely slow and have a huge backlog. You’re right that storing that data in the US or without transferring ownership to an EU subsidiary would not be legal.
Presumably the Five Eyes alliance could also mean that servers in Australia, Canada, New Zealand, and the UK may also be unusable since they share intelligence information with the US.
> (God willing they repeal it, even if only for the international commerce implications...)
It's hard to express how impossible this is. It is very very strongly in the state's interest to keep powers like this. We're more likely to get communism...
This then comes down to whether you think the US govt. these past few decades is better at self-perpetuating power or toadying up to the demands of capital. Cynicism vs. cynicism!
If Google US can access the data, that means the US government by extension can also. This is exactly what GDPR doesn’t want happening. More details in this open letter by Max Schrems: “the Court has clearly held that US surveillance laws and practices violate Article 7, 8 and 47 of the Charter of Fundamental Rights” https://noyb.eu/en/open-letter-future-eu-us-data-transfers
The Italian market doesn’t have to apply to Google USA either.
Companies can always choose to ignore a specific nation’s laws[1], they just don’t still get access to that nation's markets. At the borders the nation state is the one with the guns and firewalls.
[1] unless you piss off a nation that can project global power, lol if you piss off China or America
Chinese and American police forces both operate abroad and like to flex their power. The NYPD was in a similar situation post 9/11 when they started trying to police nearby states and when they sent operatives to other countries even against their own federal government [1].
Russia's also sent operatives overseas in some fairly public assassinations. It’s not really surprising that China does this, it appears to be the default operating procedure of powerful countries.
Oh yes they do. GA is part of a company that also sells services in Italy. They should follow the law if they want to keep earning that non-US Adwords money that allows GA to remain free.
Yes, the Italian law that prohibits sending data abroad applies to Google Italia, but Google USA is subject to USA law, which says that the USA government can request any data from Google Italia and they are required to get it.
So the existence of Google USA makes Google Italia operation illegal.
The article has the watchdog suggesting exactly that (the specific site has 90 days to use GA in a compliant way, no direct complaint against GA), so it seems from their point of view it's legal.
The title of this post and a lot of the comments are projecting what they want GDPR to be (all non-European online entities banned from doing business in the EU) vs. how it's being enforced.
And to be clear Google Analytics has a setting to "anonymize" the IP address which deletes the last octet of the address and makes geolocation less accurate.
Then there's an argument that the IP address still reaches Google servers before it's deleted. But that's just splitting hairs at this point. If Google doesn't process the data with the IP address I see no harm.
IP addresses are not something that you can choose to not send at all. It's kind of required by the TCP/IP stack. If that was the case users in EU could not access any website in the USA.
The GDPR is a product of the Snowden-revealed pervasive surveillance done by US TLAs. Keeping the data in the EU vs. sending it over to the US under assurances is a big hair.
> just illegal to use in its default state which transmits PII to the US
As I mentioned in a sibling comment, this is technically true but complying with GDPR takes more than unchecking a few boxes. I've never seen any GA set-up that would remotely approach compliance. At minimum, you need to mask IPs before they reach Google, which means standing up a non-Google server to proxy all the hits. That is more complexity than 99+% of GA installations.
The current issue isn't the lawful basis for the processing, as compliant companies already only use Google Analytics once they have consent. The issue is that without an adequacy decision from the EU to allow data transfers to the US, and with the global reach of US authorities thanks to the CLOUD Act, there's no way to keep personal data safe from US law enforcement.
My current understanding of google analytics and GDPR compliance is that you can use it in a GDPR compliant manner without that much trouble.
On the older UA there is a simple flag that enables IP anonymization and on the new GA4 there is purportedly no need for it as they don't collect or store the IP at all.
For many clients I have set up a cookie compliance tool like Onetrust, which blocks loading of GA and other scripts with one of the consent popups. With this combined configuration (and having verified nothing sneaks through before someone gives consent) most company legal / compliance teams I have worked with have deemed this to be a fully compliant setup. Of course, this might not be actually compliant, but the company legal team has done some research and arrived at this as the most advantageous position currently available.
I think using a compliance based tool like Onetrust also gives a sense of legal security in that if our configuration is properly set up they are advertising that we then get compliance as part of their service, and so responsibility of a violation could potentially be passed to them in a legal setting.
I'm not so sure about your take on IP address anonymization. The source states:

> The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.
The Google documentation says:
> The IP-anonymization feature in Universal Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to Google Analytics.
IANAL but I'm pretty sure the IP anonymization setting is no longer an acceptable way of getting GDPR compliance. It may have been acceptable under Austrian or French ruling before, I don't know about those, but from 90 days from now you'll have to explicitly require consent for _at least_ all Italian users.
As a side note, OneTrust has the worst of the worst cookie banners, to the point that I no longer even open websites that have that crap installed. It's also illegal by making it harder to reject tracking than to opt-in, there just haven't been any specific lawsuits about this party yet.
That Google documentation is for the IP anonymization feature of Universal Analytics, which is being sunset in about a year.
Google announced earlier this year that Google Analytics 4, its successor, does not log or store IP address at all.
I don’t know whether UA or GA4 service was the subject of the Italy case, but I would not be surprised if it was UA. Most sites have not switched over to GA4 yet.
> Google announced earlier this year that Google Analytics 4, its successor, does not log or store IP address at all.
So if I go to a website and it has me load code from Google's servers it's still got to send my IP address to them. I'm not sure why we'd take them at their word that they won't keep that data around (I'd like to see that independently verified), but it'll be sent to the server logs if nothing else. What does not storing the IP address even mean? Do they hash it and store that instead? Do they do a quick lookup and just flag your dossier logging the connection and when it happened before dropping the IP info?
If people care about their privacy I think it's probably best not to send information to Google in the first place. There are alternatives to google analytics after all.
In a privacy-conscious implementation of GTM/GA, those scripts can be loaded from a first-party server controlled by the company, and Google will never see the user's IP address.
There is no real alternative to Google Analytics for most companies because of the Google Ads integration. If you advertise with Google, you need to send them conversion data, which means the GCLID. Without Google Ads, switching would be simple. Most enterprises already pay for other analytics tools.
> In a privacy-conscious implementation of GTM/GA, those scripts can be loaded from a first-party server controlled by the company,
Thanks! I didn't know that was an option. I haven't noticed sites doing it yet at least, but I hope it catches on even for sites targeting US visitors! It'd be especially nice for government websites using GA.
> Google Analytics 4, its successor, does not log or store IP address at all.
The fact that it receives the IP address at all renders it illegal in Italy, and probably anywhere GDPR is in force. And IP address truncation doesn't get you anywhere; it's Google that does the truncating, so the whole address is actually sent to Google, by which time it has departed from GDPR jurisdiction.
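The proxy approach raised earlier in the thread (mask the IP before it reaches Google; load GTM/GA through a first-party server so Google never sees the visitor's address) is sketched below as an added example. It is not code from this thread, from Google, or from any analytics project. The truncation widths follow the Universal Analytics documentation quoted above (IPv4 last 8 bits zeroed, IPv6 last 80 bits zeroed), applied on the first-party side instead of in Google's memory. Everything else is an assumption made for the example: the `UPSTREAM` URL, the `uip`/`aip` query parameters (the UA Measurement Protocol's IP-override and anonymize-IP parameters; UA is being sunset), the header list, and the sample hit, which is constructed. Note what the relay does not solve: Google still receives the relay's own IP, the client ID, and any GCLID in the payload, so this addresses only the IP-address point, not the transfer question.

```python
"""First-party analytics relay that masks the visitor IP before forwarding.

Added example for this thread; illustrative, not Google's or any project's
code. Assumed: UPSTREAM, the `uip`/`aip` parameter names, STRIP_HEADERS.
"""
import ipaddress
from typing import Mapping, Optional
from urllib.parse import parse_qs, urlencode

# Assumed upstream collector; the relay is what actually opens the connection,
# so the upstream only ever sees the relay's address on the wire.
UPSTREAM = "https://www.google-analytics.com/collect"

# Inbound headers that carry the visitor's address or other identifying data;
# they are dropped and never forwarded.
STRIP_HEADERS = frozenset(
    {"x-forwarded-for", "x-real-ip", "forwarded", "cookie", "referer"}
)


def anonymize_ip(addr: str) -> str:
    """Zero the host part as UA's anonymizeIp did: /24 for IPv4, /48 for IPv6.

    Raises ValueError for anything that is not an IP literal, so a garbage
    X-Forwarded-For value is rejected instead of being forwarded as-is.
    """
    ip = ipaddress.ip_address(addr.strip())
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def try_anonymize(addr: str) -> Optional[str]:
    """anonymize_ip(), but None instead of an exception for invalid input."""
    try:
        return anonymize_ip(addr)
    except ValueError:
        return None


def client_ip(remote_addr: str, headers: Mapping[str, str],
              trusted_proxies: int = 0) -> str:
    """Pick the visitor address.

    X-Forwarded-For is attacker-controlled unless you know how many proxies
    you operate in front of the relay: each trusted hop appends one entry,
    so the visitor is the N-th entry from the right. With no trusted proxies
    the header is ignored and the TCP peer address is used.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    xff = lowered.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if trusted_proxies > 0 and len(hops) >= trusted_proxies:
        return hops[-trusted_proxies]
    return remote_addr


def scrub_hit(remote_addr: str, headers: Mapping[str, str], query: str,
              trusted_proxies: int = 0) -> dict:
    """Build the outbound request: masked IP in `uip`, `aip=1`, scrubbed headers.

    Any `uip` the browser sent is overwritten, so a client cannot smuggle the
    full address past the relay inside the payload.
    """
    params = {k: v[-1] for k, v in
              parse_qs(query, keep_blank_values=True).items()}
    params["uip"] = anonymize_ip(client_ip(remote_addr, headers, trusted_proxies))
    params["aip"] = "1"
    fwd_headers = {k: v for k, v in headers.items()
                   if k.lower() not in STRIP_HEADERS}
    return {"url": UPSTREAM, "body": urlencode(params), "headers": fwd_headers}


if __name__ == "__main__":
    # Constructed sample hit: the relay sits behind one trusted load balancer.
    sample_headers = {
        "X-Forwarded-For": "203.0.113.77",
        "User-Agent": "Mozilla/5.0 (example)",
        "Cookie": "session=constructed",
    }
    out = scrub_hit("10.0.0.2", sample_headers,
                    "v=1&tid=UA-XXXX&t=pageview&dp=%2F&uip=203.0.113.77",
                    trusted_proxies=1)
    print(out["body"])
    print(sorted(out["headers"]))
```

In practice the relay runs at a first-party hostname, serves the GTM/GA loader from there, and is the only thing that talks to the upstream; the `trusted_proxies` count has to match your actual edge topology or the masking operates on a spoofed address.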
> For many clients I have set up a cookie compliance tool like Onetrust
Every time I've seen a cookie popup from Onetrust, it was obviously illegal because "Reject all" was not the easiest option. It's fine if "Accept all" is as easy as "Reject all", but nothing is allowed to be easier than "Reject all". Have they fixed that yet?
This is actually a setting within OneTrust which has a terrible default. We (had to) use OneTrust on eurovision.tv, but configured it ourselves to have three equally styled options.
If you are breaking European law, you can't operate in Europe? What is so hard to understand about this? Amend your code to not send PII of Europeans outside Europe, or pussy out and give a "451 Unavailable For Legal Reasons".
I understand that this is primarily an advertisement for Posthog, but if you're going to keep posting it you might want to keep it up to date. There are only 4 countries on your map and one of them is:
> The Dutch Data Protection Authority warns that the use of Google Analytics 'may soon no longer be allowed', after a ruling by the Austrian privacy regulator. A definitive conclusion is said to come at the beginning of 2022.
At least you removed "the only open source product analytics platform" and the Google fonts since the last time a Posthog employee posted it https://news.ycombinator.com/item?id=29994183
NOYB is the primary source tracking these cases and generally was also responsible for filing the complaints that led to them. All the details are available from NOYB's GDPRhub wiki, https://gdprhub.eu. GDPRhub attempts to provide information on all the European DPAs including how to file complaints. At the least it provides contact info for all the DPAs and English translations of DPA decisions.
As stated in 13 Jan 2022 announcement on noyb.eu, these decisions are generally the result of the "Max Schrems II" decision. After that decision, Schrems filed 101 complaints to DPAs, and now the chickens are coming home to roost.
Note that the "legality" of Google Fonts, under the default configuration, is also in question. Arguably use of Google Fonts is even more widespread than use of Google Analytics.
Congrats. We also chose to do the analytics ourselves. No tracking, no cookie banners, and probably better stats as well. One thing that Google did very cleverly was to only give GA users the search terms that visitors used to end up on their site.
> Don't you still have to provide a cookie banner as soon as your analytics are storing cookies, even if it's your own?
You need consent for every kind of storage usage on the client side if you create profiles to analyze them for marketing goals. If not, and no PII is being processed, no consent is required. E.g. you could easily aggregate your server logs without consent.
You generally don't need a consent for gathering data that is required to run the site.
But if you use the data for analytics purposes, you do need the users' consent for that, even if it's the same data that you use for operational purposes.
Just to be clear: PII is not the same as personal data as defined by the GDPR. The latter is generally much stricter as it also includes indirect data. Data which would be anonymous by itself but in a collection uniquely links to a single person would still be considered personal data under the GDPR.
> if you create profiles to analyze them for marketing goals.
That's not correct; if you collect PII, even if you don't use it, you need consent. Actually, if you don't have a legitimate use for the data, you are prohibited from collecting it at all.
GDPR isn't an assault on online marketing; it's about privacy.
Nope. They forward through an in-between that obscures it. They argue that because search results are personalized, being able to see the search terms can give you information about the visitor that can compromise their privacy. Google doesn't want anybody violating user privacy except for Google.
If you get your site setup on Google Webmaster tools you will still have access to the search terms. Definitely not as precise as with GA, but should suffice. Unless you want to do per user funnel tracking starting from their search term. Which is pretty privacy invasive.
You can only see visitor numbers per search term, but not information like bounce rates or duration of visits. And that would be really helpful to judge if people may get the wrong impression of your page and bounce if they searched for specific topics.
> How are you tracking returning users without cookies?
We're not. And that's exactly the point, because we don't want to track. I make a distinction between tracking, analyzing and stats. What we do is guess who are the unique visitors (and who are not), and I say guess because it's guesswork since the browser can spew out any kind of info.
Persistent preferences require consent and are considered tracking. Only auth doesn’t. Go visit any government site and they have cookie banners for their preferences cookies.
Why would you need that? All businesses that aren't online can't collect that data and we still have newspapers and supermarkets. If you are interested in that data just ask your users.
Supermarkets were the original trackers of users and first to start using personas. They are tracking you with personalized coupons redemptions, loyalty programs and through digital payments. Tesco's personalization is so good they can tell if you started a diet or are dating someone new.
Printed newspapers are disappearing. Ad supported news sites need tracking for ad targeting otherwise there isn't enough ad revenue to support their business.
Unfortunately, you can't self-host the integration with Google Ads or Search Console, which locks anyone who relies on Google (or Facebook, Microsoft, etc) Ads into the use of Google Analytics/Ads tracking.
You can send campaign data that way, but to run any kind of effective campaign on Google Ads, you also need to send conversion data back if the user who clicks on your ad actually does the thing you want. You can either use GA or Google Ads own tracking option to set a cookie with a unique ID associated with that ad click and then send that to Google when they convert.
A privacy-conscious serverside GTM/GA implementation won't leak any personal data like IP address to Google, but there's no way to avoid sending the GCLID if you advertise.
A lot of companies are dependent on Google Ads for demand generation, so it's the reason they are sticking with GA even as the writing's on the wall.
Our definition of "exceptional scenarios" is clearly not the same... The list of scenarios in article 6 are common business operations covering a huge range of legitimate activities where processing might need to occur; there is little exceptional about them.
Plausible et al all are a pale imitation of GA. They all offer a dashboard with some basic filtering. But they offer little in the way of true analytics features, that allow you to slice, dice, and compare data.
I'm working on an web analytics project that gives users more power over the way they slice/dice/compare analytics data. Would you be interested in giving it a try when the project launches in alpha?
Send me a hello email at the address listed on my profile, would be happy to send out an invite when ready.
Another decision in a long stream that will make it much harder for EU start-up companies to catch up to American ones. With absolutely no improvements to actual EU citizen well-being.
Yes, let's all marvel at the accomplishment of making everything funded by exploitative and intrusive but largely useless advertisements.
All digital startups are literally doomed without the indiscriminate collection of personal tracking data.
Side note: thank you modern adtech for consistently recommending me products I already bought days and weeks before. Very effective. Gullible companies just keep paying cold hard cash for these garbage recommendation systems because some sales rep talks fluffy about AI and machine learning, it's so mindblowing....
here I thought maximum exploitation would be selling someones identity on the dark web but I come to find on HN that it's actually hashed analytics data D: !!!
I wish the internet was purely an informational no bullshit interface/store instead of all this crap. I welcome these changes. Convert it back into a piece of furniture. Oh no we can't make a billion dollars for no reason.
Isn't this an opportunity for EU startups? By choosing to enforce the law on US companies that EU companies are already generally very compliant with, surely the EU has levelled the playing field for EU companies?
It is. Most startups in the EU have to use more and more businesses in the EU. The selection is small, so way more chances to succeed if you're EU based and serve both markets.
I run Simple Analytics [1], which is a privacy-first analytics business from the Netherlands. I see a lot of business from the EU just because we are from the EU as well.
Frankly, as an EU company (based in Germany no less) I'm steering clear of any US SaaS whenever possible. Even if they operate in the EU they're usually a legal headache because privacy compliance is added as an afterthought and they'll often carelessly transfer data to US servers based on assumptions that should have been abandoned when Privacy Shield was torn down in the courts.
Out of the big cloud providers only Azure feels even remotely safe to use (if only because of the privacy reputation of Google and Amazon).
Because their compliance is not an afterthought like the poster above said. You can't even assign an Office 365 licence to someone until you say what country they are in, so their data is kept in the right jurisdiction. I know someone will reply... blah blah no true Scotsman... but compare that to most SaaS that doesn't even give the option.
Google is an advertising company that is literally built on non-consensual data harvesting. AWS is an outgrowth of Amazon, which is likewise massively invested in data mining (though mostly on Amazon itself).
Microsoft's telemetry in end user products is known to tech savvy people but the company is mostly known for its operating system and office suite that most businesses already use. Additionally in Germany Microsoft used to offload its enterprise services to Deutsche Telekom (or T-Online I think) operating them for MS under the Microsoft brand, thus appearing even more trustworthy by effectively handing over control to a well-known German company. This changed but reputation sticks.
Microsoft is now double dipping (they charge for the product and also monetize telemetry). They own linked in, github, office, teams and windows, and are combining those surveillance streams.
They continue to support the CLOUD act as a "first step":
A little advantage for EU analytics startups, a disadvantage for all other EU startups and SMBs who have fewer options for figuring out what users like about their website and offerings.
Assuming any of that actually helps to grow revenue, or that it is the only way to find out what your users want. Plus, GDPR isn't making tracking illegal in general, it is just heavily regulating it. If it was just properly enforced, the internet would be a much nicer place...
Side note, I'm slowly getting tired of people ignoring regulations and compliance simply out of laziness.
So due to this legislation it is more costly/less profitable for a company to have a European customer compared to a US customer. Things like GDPR/lawsuits/bad PR etc. don't come for free for companies. So if some startup has a higher ratio of European users it is at a disadvantage.
GDPR is rarely enforced, we are still in a transition phase and many who start out choose to just ignore it to a degree.
I don't see how it's more costly or less profitable. Judging by the amount of lawsuits per capita I think it's way more likely to get sued in the US than Europe. And guess what's more expensive or complicated for a European company?
Setting up something like Matomo instead of GA doesn't look to me like a huge penalizing factor for a startup.
If anything, EU startups could benefit from better control over the tools they use. One interesting halo effect of Google seeing that much data is also that US startups from ex-Googlers get a head start on many insights.
Take data of your USA customers and sell it to the highest bidder without their consent or even knowledge as you please. Don't complain that I have the right to know you do that and disagree to you doing that.
That seems to be a detail that a lot of people miss. Google, Facebook, etc. don't sell user data. What they do offer is services where they use that data to optimize ad delivery.
On my part, I'm not too concerned with that... they operate on a massive scale and no human is looking at my individual data. The result is me seeing fewer ads that are irrelevant, which is good for everyone (for example, no one benefits from showing me an ad for feminine hygiene products, and if Google and Facebook can make sure that doesn't happen, all the better).
Or maybe the EU is starting to rely on their own startups.
If I had to choose an analytics software for a customer's website, I'd choose someone in the EU for the sole reason that it would be compliant in both the EU and the rest of the world.
I am not an EU citizen, however I live in Europe and do tech startups. I welcome GDPR as well as this ruling.
It's unethical IMO to send personal data to countries that have weak privacy laws without making it absolutely clear to the user. Which is rarely the case with GA right now.
I switched most my projects to shynet, for me personally that's more than enough information and I have zero worries about tracking and know that some users appreciate my approach.
Edit:// even before GDPR became a thing I worked with several companies who had strict rules about hosting in Europe or even more explicit not hosting in the US.
Let me guess, you're from the US and user surveillance is beneficial to your business so naturally everyone with non-capitalist (read not $$$-centric) ideology is plain wrong. EU startups don't have to "catch up" or even compete with US start ups.
Does this imply that the EU is "non-capitalist" or something?
"EU startups don't have to "catch up"..." then don't get surprised when EU talent is poached by US and Asian HRs for x2-x3 rates. And before you're gonna talk about all those "free" (taxpayer funded) services and how no European would ever move to Asia or NA, i'd like to remind you that we're in the remote work world now :)
That's one way to read it, except it's more like "replying to a comment stating that EU startups (something that is about money) don't have to catch up to their US competitors with "sure, but don't get surprised when EU startups are going to be at a huge disadvantage when it comes to offering a worthy reward as a result of "not caring about money"".
As an EU citizen, I find it to be a huge improvement to detangle my data from US-American entities. Especially with the election of Trump and January 6th. Maybe Americans haven't fully realized what that meant for US-EU relations for the next hundreds of years. The US is just not a politically stable country until further notice.
Eh? Jan 6 wasn't very notable (a bunch of disorganized protestors are let into Congress, but the state was not meaningfully threatened), the US has long had political instabilities, the Business Plot was way worse, but who has heard of it now...
> since when EU became politically stable? Last time i checked you were at war with Russia.
Russia's attack on Ukraine has no relevance at all to whether the EU is or isn't politically stable.
There may be other reasons you can cite, in which case fair enough, but that example is a non-EU third party attacking a non-EU third party. And the EU is not at war with Russia.
EU did everything to start it, established economic blockade of Russia and sending weapons to Ukraine.
At this point it is a war between Russia and EU in Ukraine.
And? Even Russians don’t care about what their military believes in - see the hilariously low social status of soldiers within Russian society. Why would anyone else care? As a reminder, we are discussing whether EU is politically stable.
Ukraine is, not the EU. The US is at least as involved in the war as the EU is.
But I wouldn't call many EU countries very stable either. It can still be a win to not send private data to the US though, tracking has become far too precise and omnipresent.
Actually, the cookie layers of Google have become a lot better in recent months. I doubt that it was Google's initiative, so I think that all this legal stuff is making a difference. Yes, it is a very slow process, but what would be an alternative?
Yes it doesn't solve the startup problem, but honestly there are also a ton of other laws and regulations outside of data protection which make it hard for startups to prosper. Web analytics seems a relatively minor problem.
Yikes... Have you ever heard of some of the alternatives?
I self-host Plausible which is GDPR compliant and gives me all of the features that Google Analytics is actually good for. There is so much bloat in GA that provides absolutely no extra value.
I'm skeptical that this is a bad deal for EU citizens.
Nah. The problem here is Google, not analytics in general. You can still use analytics as long as you do it in a privacy-first approach.
These laws also apply to US companies offering their services in the EU. Frankly, it's about time American companies get reined in on their privacy abuses. US startup culture has been playing fast and loose with people's data for far too long to disastrous effects.
That's assuming a European GDPR-compliant alternative to Google analytics wouldn't arise. But of course it will. It's not even a very difficult product to build. If anything this is both sticking it to Google and creating opportunities for European startups to fill the void.
The EU hasn’t shaken off their roots in monarchy. Using the power of the state to go after a single private entity since they have a blood feud with said entity and are now finding all sorts of excuses to hit them economically.
I’ve been following the cases with regard to privacy in the EU and it’s a complete joke. You have all these onerous rules against any web technology making it near impossible for startups to function without an army of lawyers. Think I’m exaggerating? Look up the provisions under GDPR for any business, big or small, to set up a website and then process a single user request for their data even without sign in.
The UK is sick and tired of this and has recently begun moving to ignore these onerous rules. All power to them.
You may be looking at this through a very narrow, heavily politicized lens.
First: GDPR is a compromise, so it's a bit uneven. That's partly due to lobbying by google and friends. Second, privacy very much needs protection. Even if you are perfectly fine giving up your privacy, other people aren't. Third: you can actually process user requests. Depending on how you do it, you don't even have to show a banner. Is that really too intrusive?
I mean, before accusing someone of looking at this politically, please read the comment fully.
You’re taking pains to explain why GDPR is a compromise? Why? If it’s bad law, it’s bad law.
Nothing you said invalidates the assertions I’ve made. Unless you’ve directly experienced the onerous system of regulations in places like Germany, I’d urge you to do more research before the armchair dismissal.
Presumably it's your opinion that it's a bad law. The majority of Europeans think it's a good law - possibly the best regulation the EU has ever promulgated.
I.e., onerous toward regular businesses
I.e., used to greatly expand bureaucracy and overhead
I.e., used by unelected bureaucrats to wage battles of personal vendetta against specific companies instead of doing what laws do, which is set unambiguous standards for all
In fact it's not at all onerous, unless you are determined to violate its provisions. If your business doesn't depend on privacy violations, then the "bureaucracy" that GDPR calls for is trivially easy to implement. There are no licences, and no registration requirements. Provided you aren't playing fast and loose with the personal data of Europeans, you're fine.
There's no "personal vendettas" going on; can you substantiate that allegation at all? The GDPR applies to everyone equally. And unlike some laws, it's fairly easy to read; it's meant to be understood. Don't bother reading some biased summary of the Regulation; read the GDPR itself. That's the best guidance on the intent, and the best guidance on how to comply.
/me: former data protection officer at a web development outfit.
"iTs nOt aT aLl oNeRoUs" said the DPO. lol, what a clown. So all these companies scrambling to hire lawyers to document every single aspect of the "legal basis" or whatever nonsense is in the language are just crazy in your books?
And that's just ONE sub clause of a hundred or so.
The overhead is both in the arbitrary nature of the requirements (Good Laws are objective, not subjective) and the sheer lack of consistency in the enforcement is ridiculous for any European business. Consider the adequacy clause that's taken decades to litigate and is still fucking criminal as of this writing.
Answer this simple question: "Can I, as a small business, use AWS services that may or may not have a compute instance located in the EU?". You know pretty well what the answer is there, so, basically every small business in the EU is in violation right now. And it's bureaucratic assholery that keeps this deliberately inconsistent so they can choose to enforce it at any point of their choosing (read, a negative PR cycle) - Monarchy, inconsistency, arbitrary and ambiguous rulemaking that has tossed out the interests of businesses.
The vendetta against Google is well documented and it's insulting for you to even say otherwise. Look at the most recent example of the CNIL (France's privacy enforcement body, a part of the executive) choosing arbitrary standards and refusing to even elaborate on concrete standards for recommended analytics solutions that businesses may use. They have gone full psycho with not even wanting to give Google the opportunity to come into compliance with standards that they choose not to reveal and instead openly ask industry to turn Google Analytics off. It's ridiculous and bad for their own economies.
There's a difference between the way French and Germans write laws and the way we write them in the UK; I prefer the UK style, which leaves less room for interpretation.
> basically every small business in the EU is in violation right now
Only if they're handling personal data. Most small businesses don't.
Sure, if your business is collecting personal data, then GDPR is a problem for you; in the same way as the Road Traffic Act is a problem if you're determined to drive uninsured. If you want to sail close to the wind, then it's probably wise to lawyer-up.
And, of course, you don't have to use AWS.
> And it's bureaucratic assholery that keeps this deliberately inconsistent
That's not how I read it. The way I read it, GDPR is astonishingly lenient. Before they prosecute, they'll warn you; provide advice on how to come into compliance; and give you time to do it.
> choosing arbitrary standards
If GA involves depositing personal data in US jurisdiction, then you can't use GA in a GDPR jurisdiction. That's not vague or arbitrary. It may be - um - bold; but this law was flagged up years before it came into force. It's not as if the law came out of nowhere, and suddenly everyone's in violation.
> It's ridiculous and bad for their own economies.
Others have argued that GDPR is an attempt by the EU to steal Silicon Valley's breakfast, implying that it's good for European economies.
> There's a difference between the way French and Germans write laws... (and the UK)
Interesting way of saying they are bad laws. If you cannot, as a business, have certainty in your prediction of the regulatory environment, you're pretty fucked. I wouldn't expect a piece of the bureaucratic establishment such as yourself to understand the struggles of setting up and running a business. What was your role as DPO again? An ornamental peace offering to the burdens imposed by regulation? Not all businesses have the luxury of throwing money at legal resources.
> Only if they're handling personal data. Most small businesses don't.
> Sure, if your business is collecting personal data, then GDPR is a problem for you; in the same way as the Road Traffic Act is a problem if you're determined to drive uninsured. If you want to sail close to the wind, then it's probably wise to lawyer-up.
It must take a special kind of asshole to say this. In just another one of your recent comments here you mention that even the mere presence of an IP address that ISN'T EVEN STORED would put a business in violation and liable to large fines. So you pretty much agree that all small businesses are in violation if they use AWS in any reasonable way to run their business but you don't want to say it explicitly here since it makes you look bad. Gotcha.
> And, of course, you don't have to use AWS.
And of course, the European people elected you their lord and savior to tell businesses which tech stacks they pick and choose because of your interpretation of arbitrary laws. See the problem here yet?
> That's not how I read it. The way I read it, GDPR is astonishingly lenient.
Is it? So why did other member states of the EU take offense at the decision of the Irish DPA? The one-stop provision clearly stipulates that the onus of enforcement falls to the one-stop shop and instead, given the arbitrary nature of the law as it stands, other member states and bureaucrats in Brussels seem to deem it necessary to impose their will and personal vendettas against the perceived soft-touch approach of an entity fully within their rights to do so.
> If GA involves depositing personal data in US jurisdiction, then you can't use GA in a GDPR jurisdiction
Has there been any warnings against AliCloud for instance? Or all the analytics bundles shipped in Huawei phones?
I can't seem to recall any press release or webpage dedicated to a single company like the CNIL and now Italian authorities have adopted towards Google Analytics?
Is there any oversight to these agencies allowed where these decisions are up to public scrutiny such as the FOIA act in the US to assure the public that these highly paid public officials are not wasting all their time and money chasing personal vendettas as seems to be the case here? Of course fucking not.
Is Google Analytics perfect? Maybe not. But this is the crucial point... THE LEGISLATURE CANNOT DISCRIMINATE AGAINST A SINGLE ENTITY THIS WAY. While turning a blind eye to practices by Huawei and other companies, it is simply against the rule of law.
> Others have argued that GDPR is an attempt by the EU to steal Silicon Valley's breakfast, implying that it's good for European economies.
A weasel through and through. What else did I expect from someone in your position?
So, illegal abuse of power by Government to target a company is fine by you, Mr. DPO?
> I wouldn't expect a piece of the bureaucratic establishment such as yourself
Good Lord, presumptions much?
I said I was DPO in my last job. I was also the main sysadmin, and as my main role a website developer. This was a company of 10 people including the bosses. Someone had to take on the role.
> It must take a special kind of asshole to say this.
It must take a special kind of asshole to say that, to someone you haven't met and know nothing about.
> but you don't want to say it explicitly here since it makes you look bad. Gotcha.
Not really; I've never evaluated AWS for compliance. The reason I didn't say that is because it's not something I know about. We didn't use AWS; I've used it, but in someone else's coding shop, where AWS compliance wasn't my concern.
May I suggest that you're a bit hasty with words like "clown", "asshole", "weasel" and "gotcha"?
> And of course, the European people elected you their lord and savior to tell businesses which tech stacks they pick and choose because of your interpretation of arbitrary laws. See the problem here yet?
How are things over there in Conclusions, where you seem to have jumped? I have never told anyone what tech stack they should use.
> THE LEGISLATURE CANNOT DISCRIMINATE AGAINST A SINGLE ENTITY THIS WAY.
Where in the GDPR is GA mentioned? Or AWS, for that matter?
For the sake of clarity, no legislature had anything to do with the GDPR; it was promulgated by the European Commission, an important part of the EU bureaucracy, and I have never worked for any part of the EU bureaucracy. In fact, I no longer even live in the EU.
> A weasel through and through. What else did I expect from someone in your position?
And what position is it, that you think I occupy? FTR, I'm a retired software developer. The position I occupy is sitting in an armchair.
> So, illegal abuse of power by Government to target a company is fine by you, Mr. DPO?
Nope. In fact I'm also against legal abuse of power, whether by government or anyone else.
You seem to be very angry; perhaps social media is not for you.
The fact that you still can’t bring yourself to admit here what you did in another comment says more than I ever could.
I.e., that any small or big business inadvertently sending even an IP address that isn't even stored to touch a US-based resource in something as innocuous as AWS.
Seeing your other recent comment here, it seems you’re just a moron with a nationalistic tendency to support your countrymen (and women). Oh well, objectivity dies and future generations on your continent suffer. Who cares, right? You’re retired.
If it's inadvertent, then they can remedy the error once they've been notified.
If an IP address is sent to the USA, then whether it's stored or not ceases to be a matter that European courts can oversee. Since US courts and European courts are not in accord on these matters, Europeans are faced with either banning the export of IP addresses to the USA, or giving up on legislating privacy at all. We chose the former.
> it seems you’re just a moron with a nationalistic tendency
Oh, more name-calling, and more conclusions jumped to. If you can't make an argument, make a personal insult, and decorate it with insulting epithets based on nothing at all.
> future generations on your continent suffer
Ah, you're not from these parts! I thought not. But in the light of that fact, it's our concern, not yours, right? So why do you get SO angry about European law? If you want to trade in Europe, you have to comply with European regulations. Same wherever you want to trade.
I don't approve of the US trade environment. For example, about half the world is under US trade sanctions; but you don't get me marching around accusing USAians of being morons, weasels, assholes, and clowns.
Perhaps the truth is that it is you that is the nationalist?
I don't care much what decisions random businesses make.
It has been my view for a long time that entrusting your infrastructure to the tender mercies of a firm like Amazon is reckless. Here we have a situation where the legal environment has changed; AWS hasn't changed to match; so those companies that chose to rely on a 3rd-party infrastructure provider appear to have made a mistake.
If I had been advising one of those companies, I would have advised them to bring critical infrastructure in-house. But there might have been other options, like using Europe-based infrastructure providers.
I've never been involved with budgets and so on. It's not my concern how much different solutions cost. I just think the principals of companies have a responsibility to avoid third-party risk - which is what you have, if you rely on a third-party for critical company infrastructure.
That's why I was able to persuade my employers to bring their email service in-house. It worked, and the bosses were pleased with the improved service and reliability. We also constructed our own in-house build and deployment train; that worked very nicely too.
Maybe the cost-benefits vary according to the type and size of business. I'm not a researcher, and I only know about the things I've looked into. But my guess is that AWS works well for companies that are after a quick buck (e.g. an IPO).
Well, read the thread above you. GDPR is so complex that even the people who passed it can’t tell you the scope given the intentional ambiguity.
I have officials in the EU on the record that IP addresses are deemed personal information and if your business uses AWS and unintentionally passed IP addresses over to any resource in the US, you are technically in violation.
Will you be hanged for this today? Probably not. But all it takes is one negative press cycle for the idiots there to interpret and enforce this as they have shown the willingness to do in the past.
The point about unelected bureaucrats isn’t the unelected part. It’s the lack of oversight or consequence or clear demarcation of legislative power from the executive.
The bureaucrats have taken it upon themselves to issue multiple specific rules that go over and beyond the text of any law. See the case of the CNIL in France. They had a court ruling around their rules for cookies on Google go against them and they continued to insist that they would enforce said law. They issued an “FAQ” on their website that indicated threatening language against businesses that flouted their previous comments that were now deemed incorrect by a court of law and had the audacity to press on.
> I have officials in the EU on the record that IP addresses are deemed personal information and if your business uses AWS and unintentionally passed IP addresses over to any resource in the US, you are technically in violation.
Of course, everybody knows that. You have to have good reasons to store people’s IP addresses (ie security logs, which must be disconnected from the tracking/telemetry system).
> Will you be hanged for this today? Probably not. But all it takes is one negative press cycle for the idiots there to interpret and enforce this as they have shown the willingness to do in the past.
If the regulator finds out that your analytics or recommendation system (which again is not the system where you store logs) is collecting and processing IP addresses without users’ consent, they will ask you to stop. If you don’t they will eventually fine you.
> The point about unelected bureaucrats isn’t the unelected part. It’s the lack of oversight or consequence or clear demarcation of legislative power from the executive.
GDPR has been made/negotiated by the European Parliament (which is elected directly), by the Council of the EU, which is composed of ministers of member states, and by the Commission (whose members are elected by the Parliament and the Council). These are the legislative and executive branches of the EU, not a bunch of unelected bureaucrats.
If you were referring to the regulator, well, all regulator bodies are made of “unelected bureaucrats” by design (that’s why they are referred to as “independent agencies”).
> The bureaucrats have taken it upon themselves to issue multiple specific rules that go over and beyond the text of any law. See the case of the CNIL in France. They had a court ruling around their rules for cookies on Google go against them and they continued to insist that they would enforce said law.
It seems that you are very agitated because the CNIL (some unelected bureaucrats) imposed a blanket ban on cookie walls and then the Council of State (some other unelected bureaucrats) held that such a blanket ban could not be imposed. An honest observer would acknowledge that these things happen every day (the Council of State wouldn't otherwise exist), the matter is quite complex and that the gist of the matter hasn't changed: "in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information". So one may still be fined for a cookie wall.
If what is upsetting you is instead a court case, the only one I could find is the recent 150mln€ fine that Google appealed on jurisdictional grounds and that was upheld, again, by the Council of State.
Either way, I wouldn’t get too agitated about complex court cases in foreign countries thousands of kilometres from my home and whose language I don’t speak.
> Like I said, the EU is an abusive monarchy
I will point to Proposition 7 of Wittgenstein’s Tractatus and I won’t indulge you further on this.
Lol. Thank you for agreeing. You're completely wrong about the fines part, it is discretionary. I.e., if tomorrow, there is a negative press cycle, you will certainly be hit with any punishment of their choosing. The incremental warning and fines approach has no practical or legal basis.
If it does, get it in writing from __ANY__ entity entrusted with enforcing the GDPR, you will be laughed out of the room. Europe is a clown show. Ambiguity rules.
> These are the legislative and executive branches of the EU, not a bunch of unelected bureaucrats.
Oh really? Read my comment again. These assholes in the executive are directly changing the letter of the law. I.e., LEGISLATING.
They are further doing so with the stated objective of harming a single company. I can point you to the statements of a hundred or so elected officials, not least of all the president of the European Commission who said so in no uncertain terms when she was in the US for SXSW.
> It seems that you are very agitated because
I didn't ask you to diagnose anything, Dr. Phil. Sit the fuck down and read the comment again. The Council of State in France is who the CNIL reports to. They are the administrative justice Supreme Court.
When an agency goes fucking rogue against their oversight body while trying to kill a company, what else is it other than abuse of power? The very fact that you choose not to call this out makes me question your motives and judgement.
We have laws for a fucking reason. Not to print them out and hang them on the walls like ornaments but so there is discipline in the exercise of power entrusted in people with the power of Government. We can't have personal vendettas run through governmental office.
> I will point to Proposition 7 of Wittgenstein’s Tractatus and I won’t indulge you further on this.
Fancy. Should I be impressed? Does that disqualify all the abuse of power in your eyes?
> Lol. Thank you for agreeing. You're completely wrong about the fines part, it is discretionary. I.e., if tomorrow, there is a negative press cycle, you will certainly be hit with any punishment of their choosing.
Not any punishment of their choosing, but according to Art. 83, that defines the maximum fine and the criteria to determine it.
This is not different from what the FDA or the SEC do in the USA. Or do you think they define exact fines for all possible misbehaviours up to the second decimal point regardless of mitigating factors or negligence?
> The incremental warning and fines approach has no practical or legal basis.
The legal basis is GDPR, which is a regulation of the EU. Do you mean that it goes against some EU treaties or rulings of the CJEU? Or the problem is that this notion upsets you somehow and you are telling me because you think I should do something about it?
> If it does, get it in writing from __ANY__ entity entrusted with enforcing the GDPR, you will be laughed out of the room. Europe is a clown show. Ambiguity rules.
I don’t understand what I should get in writing. Art. 83 of GDPR?
> Oh really? Read my comment again. These assholes in the executive are directly changing the letter of the law. I.e., LEGISLATING.
The Commission has the right of initiative, that is they propose laws that are approved by the Parliament. I’m not sure I understand what is upsetting you here.
Who are “these assholes in the executive” you are referring to? Are they the Commission or CNIL or both or none?
I don’t live in France, but I’m sure the CNIL is not making new laws. If it worries you, I can ask around.
> We have laws for a fucking reason. Not to print them out and hang them on the walls like ornaments but so there is discipline in the exercise of power entrusted in people with the power of Government. We can't have personal vendettas run through governmental office.
Which is why the Council of State blocked the CNIL and also why you should not get so upset.
> Fancy. Should I be impressed? Does that disqualify all the abuse of power in your eyes?
I won’t indulge you further on this.
To sum it up, you don’t seem aware of how the EU makes laws but yet you know enough to be very agitated. You are especially upset with French bureaucrats, because some of them made some mistake and other French bureaucrats corrected them. For avoidance of doubt we’ll certify that you are very upset with both groups and that you think something should be done about it.
If you’re illiterate or deliberately avoiding the issues I’ve highlighted, then all the best to you and your kind.
We’ve established that there are presently different outcomes for the same actions under European law. I.e., if you send IP addresses today to AWS, you could be deemed to be doing something illegal overnight subject to 4% of global revenue or 20 million euro fines.
This isn’t about cents or decimals, jackass. You know very well this is about coverage.
Under the FDA or any US agency, you have an option to appeal to an independent branch of government whose decisions are binding. Here, we see the opposite take place in France. Lawlessness. Monarchy. Being run through the bureaucracy. You can’t even bring yourself to admit that the CNIL arrogantly brushed off effectively the SUPREME COURT OF ADMINISTRATIVE JUSTICE. You say it’s a “mistake”?? Are you fucking kidding me? Deliberately doing the opposite of what your oversight agency rules is abuse of power.
Can a European citizen simply ever say “yeah, fuck the GDPR, I know that’s a law, but I won’t follow it, doesn’t apply to me?” Of course not. So what gives the CNIL the power to ignore their responsibilities under French and European law?
Even after being blocked by the Council of state, they chose to target an individual company with the exact thing that they were instructed is legal and they should not be interfering with. Respect laws only when you like them?
Clear abuse of power, horrible precedent for democracies and rule of law everywhere and most European assholes connected to politics I speak to behave the way you do, try to brush it under the carpet? Anyone with half a brain will be aghast at what is happening in the EU and if you clowns think discourse that defends assholery from the bureaucracy wins you any favors or makes Europeans' lives any better, you're more stupid than I’m giving you credit for here.
> I.e., if you send IP addresses today to AWS, you could be deemed to be doing something illegal overnight subject to 4% of global revenue or 20 million euro fines.
If you are breaking the law, if a regulator finds out, you may be deemed to be doing something illegal overnight. Yes, that’s how everything works everywhere. What is worrying you now? The sound of a GDPR breach in a forest where nobody can hear it?
> Under the FDA or any US agency, you have an option to appeal to an independent branch of government whose decisions are binding.
Of course you can file an appeal, just use Google, you’ll find plenty, some successful and some not.
> Here, we see the opposite take place in France. Lawlessness. Monarchy. Being run through the bureaucracy. You can’t even bring yourself to admit that the CNIL arrogantly brushed off effectively the SUPREME COURT OF ADMINISTRATIVE JUSTICE. You say it’s a “mistake”?? Are you fucking kidding me? Deliberately doing the opposite of what your oversight agency rules is abuse of power.
You are getting fixated on a very minor case of French administrative law, that you didn’t even care to understand. The ICO made a minor mistake in considering all cookie walls illegal. The Council of State said that they can’t make a blanket ban, but that they should evaluate all cookie walls individually. No fine has been annulled and the ICO can still deem your cookie wall illegal. So still no monarchy for you.
> Anyone with half a brain will be aghast at what is happening in the EU
Anyone with a half brain will at least spend some time understanding the issue at hand before getting excessively agitated.
Either you don’t understand technology or you’re a dunce. You’ve made a strong case for both in this thread.
By admitting data flows to US resources are illegal, you’ve just said that what you’re doing right now can be construed as illegal activity on the part of the website you’re on. HN is indeed hosted on US resources. You touch Microsoft Excel and guess what? US resources get your personal data.
So you’ve just basically admitted that under GDPR, all regular internet activity is illegal if it touches a US server. Hence “coverage”. Hence, everyone living under really, the discretion of the monarchs.
"Dunce", "dumbass". You lost this argument a long time ago - hurling insults and epithets tends to have that effect. But I'm sure you'll press on, and invoke Hitler soon.
> guess what? US resources get your personal data.
From posting to HN? AFAIAA, HN only gets your IP address. GA gets your search history, which is a bit different.
Lol, the person above you admitted that IP addresses are enough to put you in violation.
It doesn't matter, post that statement, what your conclusions are. You have opened up every business to a liability of 4% global earnings or 20 million Euros WHICHEVER IS GREATER... at the sheer discretion of some illiterate fucks like yourself in Brussels.
> If you’re illiterate or deliberately avoiding the issues I’ve highlighted, then all the best to you and your kind.
Perhaps if you were to actually highlight the issues you claim to have highlighted, it might be easier for us and our "kind" (I don't know what "kind" I belong to). You rant about the European "monarchy", and the deficiencies of European bureaucracy; what about explaining your proposals for a reformed GDPR?
But I think you are opposed to any kind of privacy legislation. GDPR steams you up because it is privacy legislation that works. Well, that's fine; there are laws that USAians make that I'm opposed to. I'm not on-board with US lawmaking and judicial processes. That's fine too; I don't have to live or trade in the USA (and I did make a choice; I once lived in the USA).
I suspect that something about the GDPR must have bitten you quite badly - would you consider sharing what it was? It would be helpful if you avoided the "asshole", "weasel", "moron", "dumbass", "illiterate" language, and focused on what happened, and what the impact was.
NOTE: there are people here that don't seem to be good at spelling, but I don't think I've ever come across a post here that I would describe as "illiterate".
I seem to have touched a nerve lol. Here's my reform proposal for the GDPR:
1. Toss it out. All of it. In the present form, it is worthless.
2. Make privacy regulation simpler, not ten million pages and bureaucrats who are RIGHT NOW, abusing the power that all Europeans have entrusted them with.
3. Enable independent oversight. Consultations with technical committees of technology companies, Judicial reform to ensure there is no legislating from the bench, independent whistleblower handling to investigate abuses of power such as the CNIL case.
4. Separate the legislative, executive and punitive functions with very tight rules. We have assholes in Brussels so married to the idea that all tech is bad that they rebelled against the moves by the European Parliament to codify data transfer laws between the EU and US during Biden's visit. I mean, there is a limit to short-sighted thinking.
5. Stop the political uncertainty with the multiple changes and the sheer amount of idiotic bureaucracy with multiple conflicting regulations where EVERY SINGLE FUCKING THING is a crime and instead, pick the most pressing issues: Cybersecurity, Data Handling, Data Sharing etc. It's ridiculous that we have 10,000 people obsessing over cookie banners while malicious hackers pilfer 100s of millions of peoples data because of a lack of political will to focus on cybersecurity.
On privacy legislation, my biggest gripe with the GDPR is it HAS DONE FUCK ALL for privacy. Apple has done more with the changes to iOS than the entire fucking EU with GDPR.
I am advocating for MORE effective legislation, not more INEFFECTIVE, burdensome, regressive regulation that enshrines the concentration of powers and makes innovation impossible.
1. Enlarge the definition of privacy legislation to cover EVERYTHING! Do you realize that EUROPEAN Intel agencies are not covered by the GDPR right now? While American Intel agencies are and Chinese Intel agencies are not even mentioned or challenged? How is that good for privacy when Huawei is essentially taking much of European market share while being run by a Govt enslaving a million Muslims in Xinjiang?
2. Make it less reliant on pure punitive measures and more an incentive+punitive set of objective measures to give companies the opportunity to innovate towards solutions. Right now, the stance by Europe has made only investing in lawyers the most appropriate choice. That or leave. No middle ground, no consultations, simply make villains of tech companies and that is the legacy of many regulators there.
3. Term limits on regulators. Limits and regulation on the people enforcing privacy legislation to ensure a balanced mind. Right now, go on Twitter and see the deranged rants of many of the people in these agencies who delight at the market share loss of Facebook or openly express glee whenever there is a bad press cycle outside of privacy for any of the companies they're supposed to be entrusted with passing judgements on. This is not a democracy. It's shameful.
4. Incentives that MINIMIZE liability for companies that meet objective standards that are reasonable. Right now, the approach is to hit them with the biggest stick you can find and hope and pray that it works out.
Many more, but along the same lines.
>I suspect that something about the GDPR must have bitten you quite badly
I've seen people simply struggle to achieve success that other parts of the world take for granted. This is TODAY... in EUROPE of all places. You need to realize that bad political decisions are bad for everyone. I don't have skin in the game other than the feeling of watching someone drive off a cliff. So many people I speak to/interview/engage with from Europe who are young are SO very bright and talented and it's amazing to see how the very people they elected piss away time, resources and money on depleting the economy that these kids are going to grow up into for personal vendetta.
No one in their right mind will argue that the GDPR does a great job. It is very flawed legislation that will set the privacy movement back decades.
You don't seem to know what a monarch is. You're ranting about a French regulator; you don't seem to be aware that the French got rid of their monarchy before the American colonies did.
> if you clowns think discourse that defends assholery from the bureaucracy wins you any favors or makes Europeans lives any better, you more stupid than I’m giving you credit for here.
The value of your "credit" diminishes with each post you make. Apparently your view is that "Anyone with half a brain will be aghast at what is happening is the EU"; well, either Europeans are, in fact, aghast, or you're really referring to your own "countrymen", which I suspect is a rather small clique of USAian tech bros.
Have a chill-pill, dude. GDPR is European law, for Europeans. You don't have to come to Europe, and you don't have to trade here. If you stick to jurisdictions that don't, in your view, involve assholery, then everything's copacetic for everyone, right?
I have a strong sense that you want to trade in Europe, without having to comply with European law. That's not going to work.
> The EU hasn’t shaken off their roots in monarchy.
I know, right. I mean obviously the world's most famous royal family (our British one) isn't really a monarchy so that doesn't count. And they certainly don't get previews and vetos on our laws, or given hundreds of millions from the licence fees for offshore wind farms, or own a notable percentage of the land.
As for GDPR, compliance is pretty straightforward provided you aren't being shady to begin with.
And the new UK proposals are much worse and if they go through as they stand will be a nightmare for anyone serving UK visitors.
You are right that my point wasn't clear and I apologise for that.
Your comment started by saying that the EU (as a negative) has not shaken off monarchy and ended with a contrast with the UK (a positive comparison). My point was that the UK (I am British) is even more steeped in monarchy/tradition so that can't be the cause.
Then I addressed your complaints in the middle paragraph about the GDPR by pointing out that compliance is reasonably simple for sites already having good behaviour.
And finally as you started with the EU and ended with the UK I pointed out that the new UK proposals are more onerous than the GDPR ones (thanks to the verification requirement).
You're free to disagree, and again I apologise for not being clear enough, but those were my points.
> The UK is sick and tired of this and has recently begun moving to ignore these onerous rules. All power to them.
I don't think so; the UK passed the Data Protection Act 2018 just 4 years ago, to bring GDPR into UK law. That is: the DPA is normal statute legislation, unlike the GDPR itself, which is a bureaucrat-made regulation. The DPA was passed by both houses of Parliament.
So what are these mysterious moves to ignore the law? The only such moves I'm aware of are some plans to remove the European Court of Human Rights from UK law (ain't gonna happen - the ECHR is written into the Good Friday Agreement), and the UK's decision to ignore the decision of the ICJ concerning the Chagos Islands.
>I don't think so; the UK passed the Data Protection Act 2018 just 4 years ago, to bring GDPR into UK law.
This is wrong.
The Data Protection Act did not bring the GDPR into UK law; GDPR became part of UK law as soon as it was passed because it's an EU regulation, and regulations have direct effect in all member states (which at the time it was passed included the UK).
The GDPR then became "retained EU law" by virtue of Section 3 of the European Union (Withdrawal) Act 2018, and was then modified (turning it into the UK GDPR) by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. These regulations also amended the Data Protection Act, fwiw.
Instead of resorting to abuse and name-calling, let's hear your proposal for the kind of data-protection legislation you favour. Surely you're not advocating the ideas of the terminally-dim Nadine Dorries?
The simple fact is that if you allow unrestricted export of personal data from Europe to the USA, then European law can no longer control what use is made of that data, because the US courts won't enforce European restrictions. Are you advocating for Europeans to submit to the wild-west regime in the USA?
By the way, if you don't care to read my posts, you can always just not read them; they are all tagged with my handle at the top.
If I understand this correctly, the issue isn't Google Analytics specifically, but "because it transfers users’ data to the USA, which is a country without an adequate level of data protection".
So this could also apply to any company that sends PII to the USA?
At present, there is no legal basis for a company covered by the GDPR to send personal data to the US or a US-owned company. The US needs to repeal the CLOUD Act, and maybe one or two other things, in order to make this situation work again.
Read these as individual clauses; the Regulation applies if any one of them is met. An Italian company serving customers anywhere in the world is covered by the first clause.
There is nothing in the GDPR about citizenship. GDPR applies to "data subjects who are in the Union" Art 3(2). So it is the physical location of the person that matters. As a US citizen, if you travel to an EU country on vacation then the GDPR applies to you while you are there.
GDPR also applies to EU based companies for all of their activities - so in addition to limiting US business in the EU, it limits EU businesses in the US.
If it is physical location, that is something you cannot possibly know for a user, due to VPNs. You might know that a person is logged in and registered with a US address, but you don't know if they are traveling (they might even VPN via the US because it is convenient for work).
So I guess you need to assume this applies for all visitors.
I think that's correct; and I suspect it was intentional.
I strongly disapprove of extraterritorial legislation (a US specialty). But in the case of the GDPR, if you want to regulate internet activity, then you more-or-less have to go extraterritorial.
No, it covers companies and individuals operating within GDPR jurisdiction. A US company that trades in the EU is subject to the GDPR. This is no different from applying the UK Trades Descriptions Act to US companies that advertise in the UK.
What's really puzzling is that Google Analytics never got banned because of antitrust laws. It's the most obvious example of predatory pricing I've ever seen. How is a smaller company supposed to compete against a free product?
I co-founded a company called Heap that competed against Google Analytics and we were quite successful. Amplitude, Mixpanel, and others have also done so. GA’s free pricing was not really a big issue for us and customers were very willing to pay 6- and 7-figures for a differentiated quality product.
Loved Heap (Analytics?). I advocated for it while working at my previous employer :) I think we were early customers. At the time, its automatic tracking of all events was a godsend compared to hooking up specific tracking after the fact using GA events.
One broad view is that anti-trust is supposed to protect consumers, not competitors.
If a competitor can't produce a quality product that people will pay for, consumers aren't being harmed by the prevalence of a free good-enough product.
In a consumer-protection world where a free and open source Linux had 98% market share in the OS market, Microsoft or Apple would have no leg to stand on to sue its developers over anti-trust. In a competitor-protection world, they would.
The US views anti-trust through a very consumer-focused lens[1], the EU sometimes views it through a more competitor-focused one.
[1] This doesn't mean I agree with it, and there are obvious problems with trying to prove harm in a court of law, if no alternative exists.
Doesn’t predatory pricing mean “we dropped our pricing below profitability in order to kill competitors (and presumably raise our own prices once they’re dead)”?
I think you’d have a very good case against Amazon, and probably Uber/Lyft, and I’ve long wondered why no one sued them over it. But in Google’s case, Analytics is profitable for the same reason Youtube is profitable—Google makes money off the data they gather.
Google Analytics has an enterprise paid version and it starts at 6 figures, Adobe has a very competitive product in the same space. So there's definitively room for a paid product in the market.
It's not illegal to give things away for free unless it's dumping.
Which is exactly my point.
"[Dumping] occurs when manufacturers export a product... at a price below the normal price with an injuring effect. The objective of dumping is to increase market share in... by driving out competition and thereby create a monopoly situation"
Google prices Analytics at $0 to prevent any competition from starting up.
While an argument can be made that Google doesn't need to charge money for the product because that cost is made up in other areas, there is no way of knowing that, because those costs are not public. We don't know if it's fully made up by other means, or partially made up by other means, or not at all.
Like you, IANAL, but it's my understanding that legally, it's not about the price, it's about the intent.
I would say it has more in common with the Microsoft antitrust case. In that they gave IE away for free.
I think you can show Google has monopoly on search and search data and GA is the only analytics allowed to connect with that.
Is it dumping? Yes. They don’t intend to raise the price, but they get paid not in cash but in terms of increasing their monopoly by having so much data on us.
Now a lot of things are like this (anything where you give your email for a discount code). But they are not intended to get a global monopoly or make it impossible for anyone else to do business competing with you.
The landscape has changed (or to pun... the netscape?).
We now have genuine browser competition. I think Safari and Firefox are just enough to say Chrome is not a monopoly. I write this on FF right now (running on Ubuntu) because it is a viable alternative.
This is the case for now, might be different in 2023.
"X is free" is not enough to be a problem on it's own.
It's like with Cloudflare. The free Tier is what gets small companies and hobby developers in. And as they know your system but not the one of others, they'll recommend it to use when your company grows or their employer looks for an analytics system.
But I don't think it's predatory. It clearly worked for cloudflare and seems to work for Tailscale (they openly said they're using the same strategy). It would be predatory if others couldn't match that, but I'd argue many competitors could offer free plans for small websites if they wanted to.
If we enforced a law that said no product can be sold at a loss, we would get rid of almost every single startup and many recently IPOd former unicorns,
There is really no reason to use Google Analytics anymore. There are many great alternatives now, mine is PanelBear.com. Other people love Fathom and Plausible. It’s great to see some unbundling happen.
Yeah, it was another one of those trojan horse programs. Offer something incredibly useful to website owners; something so compelling that they literally can't say no. And oh, it just happens to track the activity of every web user anywhere in the world.
The alternative offerings at the time were fairly awful compared to what google released.
This is consistent with decisions from the Austrian and French data protection authorities (DPAs). Note that Google is a Processor (for this product), meaning that Google itself does not violate GDPR, but only the websites that use it.
Following the Schrems II case, the "threat model" used by EU courts on these matters is "American law enforcement can serve a warrant to American companies." Long story short, any processing that Google does after collection is not considered to offer any protection, because American law enforcement can just tell them not to do that and they won't. Hence, the "Anonymize IP Address" setting in Google Analytics is not considered to have value for GA.
It might theoretically be possible to use GA compliantly by proxying data through an EU-owned service which obfuscates anything considered personal data, at minimum the IP address and various cookie values. This scenario hasn't been confirmed by anyone as compliant, but the regulators seem to always go out of their way to dance around it rather than just saying "GA is non-compliant, always, forever." Still, for the trouble to set up such a service you might as well just stand up a self-hosted first-party analytics solution.
This particular decision on GA is purely about the cross-border transfers, and doesn't seem to touch on whether using cookies for analytics requires consent. That's a separate issue (technically about a separate law).
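One way to build the EU-side scrubbing proxy the comment above speculates about, as an added example rather than code from the thread or from Google: the proxy receives the hit the browser would otherwise send to Google directly, drops the fields that carry a direct identifier, strips per-user query strings from URLs, replaces the client ID with a keyed hash, and only then forwards. It assumes the Universal Analytics Measurement Protocol parameter names (`cid`, `uid`, `uip`, `ua`, `geoid`, `dl`, `dr`); the sample hit and `SCRUB_KEY` are constructed placeholders.

```python
"""Strip or pseudonymize personal data from a Google Analytics hit before
it leaves an EU-controlled host.

Added example, not code from the thread or from Google.  Assumes the
Universal Analytics Measurement Protocol v1 parameter names; the hit at the
bottom is constructed and SCRUB_KEY is a placeholder for a key that only the
EU proxy holds.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Secret held only by the EU-side proxy (assumption: placeholder value).
SCRUB_KEY = b"replace-with-a-random-256-bit-key"

# Fields that carry a direct identifier or an override of one: dropped outright.
DROP_PARAMS = {"uip", "ua", "uid", "geoid"}
# Fields that carry a URL whose query string may embed per-user details.
URL_PARAMS = {"dl", "dr"}


def pseudonymize(value: str) -> str:
    """Replace an identifier with a keyed hash, so the proxy rather than
    Google holds the only way to link hits from the same visitor."""
    return hmac.new(SCRUB_KEY, value.encode(), hashlib.sha256).hexdigest()[:32]


def strip_url(url: str) -> str:
    """Keep scheme, host and path; drop query string and fragment, which is
    where per-user tokens and search terms usually live."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def scrub_hit(raw_query: str) -> dict:
    """Return the sanitized hit parameters that may be forwarded to Google."""
    params = dict(parse_qsl(raw_query, keep_blank_values=True))
    out = {}
    for key, value in params.items():
        if key in DROP_PARAMS:
            continue
        if key == "cid" and value:
            out[key] = pseudonymize(value)
        elif key in URL_PARAMS and value:
            out[key] = strip_url(value)
        else:
            out[key] = value
    return out


def forward_query(raw_query: str) -> str:
    """Re-encode the scrubbed hit as the query string the proxy sends on."""
    return urlencode(scrub_hit(raw_query))


# Constructed sample hit, shaped like what a browser-side GA client sends.
SAMPLE_HIT = (
    "v=1&tid=UA-000000-1&t=pageview&cid=555.1234567890"
    "&uip=203.0.113.7&ua=Mozilla%2F5.0"
    "&dl=https%3A%2F%2Fshop.example%2Faccount%3Fuser%3Dalice%26token%3Dabc"
    "&dr=https%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dmy%2Bmedical%2Bcondition"
    "&sr=1920x1080&ul=it-it"
)

if __name__ == "__main__":
    print(forward_query(SAMPLE_HIT))
```

Because the proxy makes the onward request server-to-server, Google sees the proxy's egress address rather than the visitor's, which is why `uip` is dropped rather than truncated (a truncated IP is treated as still personal in the ruling quoted later in the thread). The keyed hash keeps per-visitor grouping for the site while leaving Google without the key; whether a regulator would accept that is exactly the unconfirmed point the comment raises.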
> meaning that Google itself does not violate GDPR, but only the websites that use it.
This is so baffling to me. Google has subsidiaries in the EU. The fact that it's ok to give a product to a EU client which can't be used in accordance with the law, and the client is responsible, is just idiotic.
To be compliant, Google can just set up data centers specific to GA in one of those EU subsidiaries, so GA admins can choose to have their visitors' data stored only in an EU data center (and promise to not transfer that data to the US). This wouldn't be that hard to do.
No, they can't as far as I get it. The American CLOUD Act entitles US law enforcement to serve orders to US companies and their foreign branches. So, if you are American with a company in the EU, the important part is that you are American, not that the company is in a foreign jurisdiction.
Yes, specifically the CLOUD (Clarifying Lawful Overseas Use of Data) Act, which was enacted following a case in 2014 where Microsoft refused to hand over emails stored in the EU (Ireland, in that case) on foot of a domestic US warrant.
The CLOUD Act expressly brings data stored by US-based companies anywhere in the world under the purview of US warrants and subpoenas.
It really makes no difference where the data is stored once it's accessible by a US company:
"The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil."
As mentioned by other commentators, this is not enough. The Schrems II ruling exposed the risk here. If servers are in the EU but are under the effective control (even via proxy) of a country with inadequate controls (US, RU, CN), then you can't use data location as an argument.
The problem is not only the geo location of the datacenters. As long as these subsidiaries are under the control of a USA corporation, this is illegal, since the USA corporation can be requested by the USA gov to share any data they may have no matter where it's stored. Only options are a 100% GDPR compliant solution (European or from a country with similar laws) or self-host. Hopefully another Privacy Shield like agreement will be in place soon.
Building out the infrastructure necessary for Cloud to be compliant with region-stored data was a multi-year project.
Huge swathes of Google's architecture (especially its legacy architecture) have deeply-ingrained location-agnosticism assumptions. It turns out to be extremely complex and expensive to remove those assumptions given the way Google handles data once it hits their datacenter fabric.
(Not impossible, mind, just that this assertion that it wouldn't be that hard to do is in "I could build Twitter in a weekend" territory).
It’s coming up to a decade since Schrems I, six years since GDPR, and four years since enforcement of GDPR. For a company like Google the writing has been on the wall for a lot longer than a weekend. They’ve simply been gambling that they can get away with it, and now that argument is collapsing.
Oh, no doubt. They've 100% been gambling that they could get away with it. The GDPR has deviated increasingly from what their leadership assumed would be a reasonable position (it continues to drift from the American centroid belief on who owns what data; for Americans, the notion that you can use other people's computers without them keeping records of how you used their computers is kinda weird, and Americans lack the direct historical experience to have the kinds of concerns about mass-citizen-tracking that Europe does).
My prediction is that as things move forward, they're going to find it isn't worth their money to offer Analytics for European customers if the GDPR continues to make that more onerous (especially since the monetization story of Analytics for Google is so threadbare) and just offer it for customers in other countries while Europe does its own thing. Win-win.
It wouldn't be hard for Googs to do this on their own so that they comply with the rules/laws in the markets they are operating vs giving it to the end user as an option in the configs. Most people using GA probably wouldn't know what any of that meant anyways. They just want the numbers so their marketing people can tell them what to do next. I'm talking the people running sites on Wix type sites vs having an actual dev team that can push back against a marketing department
Why do you have to be sympathetic to the client in order to also condemn Google? If someone was selling bleach as a cure for autism through a network of distributors, do you have to be sympathetic to the distributors in order to condemn the manufacturer?
Like most people, I have an IP that is unique to me, and will be for weeks, maybe months, until some event causes my ISP to assign me a new one. Google can track and correlate my activity across all the websites that I visit that happen to use GA. In this way they can build a profile. If I used Gmail, they could include information from the content of my email, which they admit their computers examine. With enough data it would be a simple matter to detect when my IP changed, and continue to amass the profile. If this isn’t spying, then nothing is.
The CNIL in France is really pushing companies to not use Google Analytics, and you better listen to them here. It seems US companies should really make changes to how they host/manage data to be able to work in the EU in the near future. (It isn't a criticism, simply an assessment).
There's nothing US companies can do to make themselves legal to use here. The legal framework in the US allows dragnet spying on every non-American, and American companies are forced to participate in that effort.
They're perfectly legal if they don't process any PII. If a US company serves static content there's no need to fear the EU; they'll just have to disable illegal external integrations like Google Analytics/Fonts/etc.
A company doing business with other companies might find themselves in a position where they can comply perfectly. Not every company needs to collect PII, though these days every company likes to pretend they do.
When PII includes IP addresses it's kind of hard not to process. How else are you supposed to group metrics over a session (since cookies are also forbidden)?
This seems to ban third-party analytics by any US company. The cynic in me feels this is a little convenient in how it advantages EU organizations over foreign ones...
Session cookies are allowed if the user agrees. And if the user doesn't agree, you have no right to process PII to group metrics over a session. That's the big shift here, assuming you have a right to build a profile on a user (or even evaluate their behavior) without their consent is not legal under GDPR.
And as a European, I'm very glad that's the case. I know, we're still not close to compliance with GDPR, but it has changed the privacy discussion more than any other part.
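For the question raised above of grouping metrics over a session without a cookie and without keeping the visitor's IP, here is one cookie-less design as an added example (not code from the thread or from any product named in it): a random salt is drawn per UTC day, mixed into a hash of site, client IP and user agent, and thrown away at rotation, so only an opaque key is ever stored and old keys cannot be recomputed from an IP. The scheme, the function names and the sample hits are all assumptions constructed for the example.

```python
"""Cookie-less session grouping that never stores the visitor's IP.

Added example, not code from the thread or from any named analytics product.
The design is an assumption chosen for illustration: a random salt per UTC
day is mixed into a hash of (site, client IP, user agent); discarding the
salt at rotation makes stored keys unlinkable to any IP afterwards.  The
sample hits below are constructed.
"""
import hashlib
import secrets
from collections import defaultdict
from datetime import date, datetime, timezone


class SessionKeyer:
    """Derives a short visitor key from request metadata and a daily salt."""

    def __init__(self):
        self._salts = {}  # day -> salt; only the current day needs keeping

    def _salt(self, day):
        if day not in self._salts:
            self._salts[day] = secrets.token_bytes(32)
        return self._salts[day]

    def key(self, site, client_ip, user_agent, day):
        h = hashlib.sha256(self._salt(day))
        h.update(f"{site}\x00{client_ip}\x00{user_agent}".encode())
        return h.hexdigest()[:16]

    def rotate(self, day):
        """Forget a day's salt: keys already stored for that day remain usable
        as opaque session labels but can no longer be linked back to an IP."""
        self._salts.pop(day, None)


def aggregate(hits, keyer):
    """Reduce raw hits to per-day session and pageview counts.

    `hits` are (timestamp, site, client_ip, user_agent, path) tuples as the
    web server sees them; only the derived key and the path are retained."""
    sessions = defaultdict(lambda: defaultdict(list))  # day -> key -> paths
    for ts, site, ip, ua, path in hits:
        day = ts.date()
        sessions[day][keyer.key(site, ip, ua, day)].append(path)
    return {
        day: {
            "sessions": len(per_key),
            "pageviews": sum(len(paths) for paths in per_key.values()),
        }
        for day, per_key in sessions.items()
    }


def _t(iso):
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


DAY_ONE = date(2022, 6, 23)
DAY_TWO = date(2022, 6, 24)

# Constructed sample traffic: two visitors on day one, one of them back on day two.
SAMPLE_HITS = [
    (_t("2022-06-23T09:00:00"), "example.eu", "203.0.113.7", "Mozilla/5.0 (X11)", "/"),
    (_t("2022-06-23T09:01:00"), "example.eu", "203.0.113.7", "Mozilla/5.0 (X11)", "/pricing"),
    (_t("2022-06-23T10:00:00"), "example.eu", "198.51.100.9", "Mozilla/5.0 (iPhone)", "/"),
    (_t("2022-06-24T08:30:00"), "example.eu", "203.0.113.7", "Mozilla/5.0 (X11)", "/docs"),
]

if __name__ == "__main__":
    print(aggregate(SAMPLE_HITS, SessionKeyer()))
```

Whether a salted hash of IP and user agent is still personal data is the legal point the thread debates; the example only shows how to keep the raw IP out of storage and how rotating the salt turns yesterday's keys into labels nobody, including the site, can recompute.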
How is that something that is essential to providing a service?
I suppose that it's somehow "commercially advantageous", but there are many other commercially advantageous techniques that are simply illegal - such as taking a customer's money, but supplying zero in exchange.
A company's profit needs are not an end-run around consumer protection laws (which is what GDPR amounts to).
>They're perfectly legal if they don't process any PII.
Personal data, not PII. The GDPR does not care about PII (except to the extent that the set of things that are PII is a subset of things that are personal data).
So reading the English text it is not clear what exactly is the unlawful part. Is the fact that data is flowing to US based servers (which I assume is trivially managed by changing GA server location to Europe) or the fact it is flowing to an American Headquartered company, regardless of where the data is flowing to?
Can someone comment if the Italian language text is clearer? Or what is in the judgement?
There’s a bunch of steps, but jumping to the extreme, a foreign gov having access to the data is the awful part.
Data flowing to the US violates that; assuming Google US cannot refuse US gov requests, the headquarters having access to the data is also not accepted.
Well HN, how about a badge for links indicating whether it uses ga? We have to start somewhere don't we? Or we'll continue to see the web decline. Actually, from my PoV, it might be too late already. Maybe it's just me or people in EU being harassed with banner popups, but I hardly go to any link anymore, and so do many other people I know. It's just not worth it.
> how about a badge for links indicating whether it uses ga?
Sounds like a browser plugin would be best for this, then all links across the web could show it. Or you could just block it in uBO and not think about it again.
I'm an American, but I occasionally use an EU VPN. I don't understand how EU residents can tolerate the number of cookie/privacy/GDPR/whatever popups every site has, even on the sites of EU companies.
We don't. Outside of a few greybeards the vast majority of the population would gladly send all of their data including dick pics and credit card numbers to remove those popups.
The law was absolutely useless because 99% of the websites have an illegal implementation and still added a major annoyance in the form of the popup / banner.
My impression is the lawmakers assumed that companies would do what they go on about in their blogs and marketing material all the time - ensure the best user experience for their customers, which they could do by properly complying with the GDPR.
Instead, the companies took their masks off and decided to beat us over the head with illegal consent popups to trick us into believing that a damaged user experience is the only possible outcome of the GDPR.
We Europeans are generally used to doing whatever the government tells us.
We don't have the same culture as Americans.
Don't get me wrong, you had a pretty bad deal as well: without much fanfare, your government grew so much in the last 200 years that it became the largest employer in the world. You pay loads of taxes (even more than several EU countries) and get very little benefits.
And yet, I'm sure that if we will get to a political solution to the ever-growing cancers that governments are, that solution is more likely to appear in the states than in Europe.
Europe is a hopeless - albeit beautiful - land. The people gave up change 50 years ago.
Err, just to avoid further misunderstanding: I'm pro-GDPR ;) and think it's right to confront users with the hydra behind the crap on the web. What I think has destroyed the web is attention economy, monopolies, the race to the bottom, and lack of incentive for quality content.
Agree though that Europeans could do with more libertarianism and less trust in state; it's something that's been a big issue for me since at least the Covid hysteria.
I use Ahoy too, but I don't have very good visibility into the data. I should spend more time building queries and creating charts. I should probably set up blazer as well: https://github.com/ankane/blazer
It would be really nice if Ahoy came with a web UI that covered all the basics.
Worth mentioning that DPAs tend to work together to prevent conflicting laws across the EU. Following Austrian, French, and now Italian rulings, it's almost guaranteed that the Dutch authority will come to the same conclusion.
I'd be terrified if I were an EU company at this point. There is no logical way these same rules don't apply to using AWS, GCP, and Azure. There isn't enough other cloud hosting with nearly the same capabilities in Europe to handle that day.
GCP and Azure have options to keep all data within the EU; I'm sure AWS has something too at this point. In France GCP is approved for public business, so it seems to be working fine.
On your general point, we're way past the point where a company is allowed to blindly use any random SaaS without caring about what it does with the data or where it goes. The pendulum is clearly swinging back.
> GCP and Azure have options to keep all data within the EU
I wonder how much of a difference this makes, if the DCs still belong to these american companies and this thing exists: https://en.wikipedia.org/wiki/CLOUD_Act
From memory, gov entities also have deeper customizations, and data centers might be separate from customers and the standard Google operation altogether.
There seems to be a difference between "B2C" stuff like ad tech and tracking and "B2B" like AWS. The latter seems to be more eager to be compliant, I assume only to prevent local / regional competitors to fill a gap but still. Plus all the nice public contracts to be had.
Suppose I run a website in the US and a user in Italy connects to it. Does this mean I'm now breaking the law serving them the website? My connection logs now have PII.
What if I use a cdn that has points of presence in Italy and still pings my server with a head request and the end user ip?
Am I also now breaking Italian law by using google analytics?
> Does this mean I’m now breaking the law serving them the website?
As the article specifically states:
The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.
So, unless you are collecting EU citizens' user data, transferring it to the US and have the capabilities to enrich such data through additional information you hold, no.
IIRC, it basically only applies if you're actively doing business in the EU, or courting future business.
So, if you have a personal blog that grabs IPs? Not illegal. If you start a merch shop for your blog (or put in ads/sponsored content, etc.), then the whole site needs to be GDPR compliant.
> If you start a merch shop for your blog (or put in ads/sponsored content, etc.), then the whole site needs to be GDPR compliant.
And you do business in the EU. If you have a merch shop, but don't serve EU users (no EU shipping, not accepting EUR as a currency, no EU specific languages (German, French...), ...) there is no problem.
That is not how law, jurisdiction or sovereignty works.
If I run an export business from my own country, the only law I need to comply with are the export laws of my own country. It's the duty of whoever is buying it on the other end to make sure they are allowed to import and possess the goods.
The EU does not own the right to use languages. I can use German if I choose without ceding an inch of sovereignty to the EU.
The EU does not control what data I collect when running my website. I might be required by my home jurisdiction to collect details on controlled export goods, and I might be required not to tell the user.
The EU controls the Euro currency, but they cannot make it illegal for me to use it, or attach special conditions to its use. They could convince my own government to sanction me, or aid them in sanctioning me, but that would be my own government affecting me, not the EU.
Your country's laws stop at its borders. Stop trying to control other people who have no say or vote in the laws. It's anti-democratic.
> After introduction of the GDPR in EEA it became common practice for websites located outside EEA to serve HTTP 451 errors to EEA visitors instead of trying to comply with this new privacy law. For instance, many regional U.S. news sites no longer serve web browsers from the EU.
As more and more country specific legal regulations are raised, I wonder who will be the ultimate gatekeepers of the general internet when certain actors behave against the "rules". The current landscape is a complex system of seeming contradictions straddling different levels of public and private, centralized and decentralized, anarchical and moderated, etc.
Will ISPs be forced to cut off traffic from certain areas? Will centralized companies like Google and Reddit be forced to comply with regulations or cut off services in certain areas? Will governments set up firewalls? Will the buck of responsibility be passed upwards to service providers like GA, or downwards to individual site administrators?
I'm actually just about to get rid of Google Analytics on DocSpring.com. I set up a self-hosted instance of Plausible Analytics on Render.com yesterday. I really like it so far. I set it up on a custom subdomain so it's not blocked by any ad blockers, so it's really nice to see analytics data that's almost 100% accurate (unless visitors disable JavaScript.) Especially since DocSpring is a developer tool, so most visitors are using an ad blocker extension. Also it doesn't use any cookies, so I don't need to show a cookie banner. It really feels like a breath of fresh air.
Hindsight is 20/20 but wasn't it clear that the company selling ads shouldn't be in charge of metrics for traffic and ads? Just like the TV channels had to rely on media rating firms.
> A website using Google Analytics (GA) without the safeguards set out in the EU GDPR violates data protection law because it transfers users’ data to the USA, which is a country without an adequate level of data protection.
> Upon expiry of the 90-day deadline set out in its decision, the Italian SA will check that the data transfers at issue are compliant with the EU GDPR, including by way of ad-hoc inspections.
This follows similar decisions by France [1] and Austria [2].
I wonder what the next trendy thing government officials will pretend to care about/fix in order to garner media attention. Something crypto related, maybe?
The last time I checked, the Google Analytics' Terms of Service explicitly prohibited its use on web sites involving healthcare companies.
That gives you an indication of how invasive it is — that even Google doesn't want to handle the personal information, because it can't be made HIPAA-safe.
Naturally, the majority of healthcare web sites use Google Analytics, because nobody ever reads the Terms of Service.
> The last time I checked, the Google Analytics' Terms of Service explicitly prohibited its use on web sites involving healthcare companies.
You're missing a key part of the sentence you're remembering:
> If you are (or become) a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.
Healthcare companies can absolutely use GA on their websites as long as the website isn't involving PHI or ePHI.
European companies are not allowed to share PII with American companies. That goes for companies with a headquarters in the USA or subsidiaries that may be forced to share data thanks to laws like the US Cloud Act.
Previously, the EU exempted the USA through an "adequacy decision". That was later deemed illegal under EU law as American laws could not guarantee the privacy of EU citizens to the extent the GDPR prescribes. Then the EU tried again, and again such a decision was also overturned in court. The EU is working on another attempt at letting the USA track PII of EU users, but until they do that again (probably for another few years) it's illegal to share PII with American companies in almost all situations.
This is the third time a data processing agency has declared the use of Google Analytics illegal so it shouldn't really come as a surprise to those following tech news.
What's important is that the data is PII and that it's going to a place that can't guarantee privacy to an acceptable standard. Business advantage is irrelevant. The intelligence the data provides is also irrelevant. European privacy laws serve people, not businesses.
That does not change the issue: EU Microsoft has a local unfair advantage in the EU because it has access to the whole database of LinkedIn (which they own).
Additionally, denying remote access is almost impossible to enforce. It would require an efficient and permanent deep monitoring of their servers.
LinkedIn should be illegal since this data should not be privately owned.
I’m supportive of privacy, but it’s amazing how heavy-handed European regulation can be, and how difficult it can make understanding even basic metrics about our business and how those metrics have shifted over time. I suppose their intentions are good though.
Suppose you had an internal tracking library, aggregating data fetched from your own site and mobile clients, all data saved in a data center managed by your country's most reliable provider. EU directives would be a no-brainer.
That scenario has always been an option, and would be the most common case if Google didn't provide their own service for free or at cost. What's happening with the EU feels disruptive only because Google had such an unnatural position in the market.
All of that is because of the Cloud Act; non-American companies won't have as many issues. The obvious solution is to remove this spying law breaching EU laws and common sense.
15 years ago Google Analytics was cool. But at some point Google ditched the "Don't be evil" culture and tried to get as much out of Google Analytics for themselves that it became unethical.
At what point do operators just start blocking access from EU countries? It's hard to imagine it's worth jumping through all the complexities here at some point.
Time to get off my arse and write a self hosted privacy oriented analytics tool. Whatever happened to awstats. The question is - how to monetise on it?
Certainly in UK English we use watchdog to mean any organisation that has an oversight role, frequently government ones. For example the Financial Services Authority might be described as “the banking watchdog”, it is very much a government agency.
The Italian SA is the Italian Data Protection Agency (DPA), one of the per-country European regulators https://ec.europa.eu/justice/article-29/structure/data-prote... . Which acts under the GDPR and predecessor data protection laws, and is very explicitly a governmental regulator.
Good. US citizens should be, at least, disappointed that their government is so bad at protecting their privacy, that US law is so far behind the times.
To those companies and people who find these EU decisions baffling or inconvenient: tough. If you had had respect for your users this would not be an issue. You would already not be spying on them.
To website visitors: if you see a cookie banner, the site is asking permission to spy on you. If that concerns you, close the tab.
The US isn't "behind"; it simply has no intention of moving in that direction, despite the 4th amendment making it really clear they're not allowed:
>The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
> To website visitors: if you see a cookie banner, the site is asking permission to spy on you. If that concerns you, close the tab.
There was a recent ACM article on this. They found there was a large number of sites that don't actually ask permission for anything; they are simply informing you of the spying. Not surprisingly, the ones that did allow modifying cookies were all set up in a predatory fashion which discouraged the disabling of tracking.
Not necessarily. The team that wrote the ACM article did a small user-test using various versions of the "disable cookie" banner. In all cases they concluded that the user was indeed aware of the negative impact of cookies, however, the need to just "get back to the content" often overruled that distaste.
Not surprisingly, the most effective banner they found was the one which had a single "disable all cookies" button. It was something like an 80% hit rate. So, people care, but not enough to dig into another prompt to uncheck a bunch of boxes. This is what the ACM writers referred to as predatory (abusing human nature).
It's possible for a company, which is seemingly providing you a service since you visited the site, to make money off a targeted ad in exchange for free video streaming/content/entertainment.
The whole thing has always seemed overblown to me. Websites make much more money off targeted ads, allowing them to do things like allow anyone to upload a video of any length and quality for free. And view other videos people upload. In most cases it seemed to me like a fair trade to make. Yet as people point out all the time, technically a website isn't allowed to deny access to someone who refuses targeted ads (through the cookie pop-up), so they're essentially being forced to provide that user content at a loss. Untargeted ads are often worth 90% less or more than their targeted equivalent.
Privacy privacy privacy though, as if someone at Google is manually looking through your history laughing at you.
> Privacy privacy privacy though, as if someone at Google is manually looking through your history laughing at you.
Part of the problem is that it seems more or less impossible to get large companies to keep their data secure. In fact Google stands out as maybe the only big tech company that has not been involved in a major breach.
Notwithstanding the legal and political issues that arise when (not if, but when) this data gets into the hands of law enforcement agencies.
And yes, there have been individual instances of employees misusing sensitive user data.
Privacy is security.
Generally I agree that content providers should be allowed to make money somehow, but this way has proven to be untenable and something needs to change.
Give me the option to pay more if it lets me get more privacy. Otherwise I keep using fake accounts, VPN, antifingerprinting methods, ad blockers, etc.
Given your comment history, it’s clear that you’re driven by motivations that aren’t at all universal.
More bluntly, you’ve decided that consumer-surveillance-as-a-service is harmless. I’m thankful that the European regulatory apparatus disagrees. Now if only we could remind the American federal government why regulation is a worthwhile effort.
I believe a part of the data-privacy laws and sentiment in Europe comes both from WWII and the civil wars/dictatorships/etc. that happened across the EU. When in our grandparents' time (YMMV) the government was compiling lists of citizens or checking what they were doing in their private lives, it was not to give them flowers. And while that still sounds pretty far from me, it was also fairly recent in the past so that there's some social residue of the sentiment.
BUT to answer the question directly, credit checks to the level they are performed in the USA sound like a horrifying thing and a total privacy breach for us EU citizens.
European laws are pushing to end chat providers' control over social interactions (which is something that shouldn't be done for profit anyway) in the Digital Markets Act, which forces big apps to provide federation APIs.
The EU with the GDPR made an incentive to not use trackers. Don't want that ugly tracker on your site? Then stop selling data. That's why private analytics like Plausible and Umami have sprung to life.
And also made it clear how much tracking is on the web.
There is also finally a movement to let the US host everything because really, the US isn't trustworthy.
So, the EU laws gave better awareness about tracking, gave incentives to not use trackers, and are now working on improving the user experience by stopping the monopolization of social interactions.
Have you heard of Robo-calls? Basically there are no Robo-calls in EU, because you can just add yourself to a Government no-call list. If any company doesn’t respect that, they get a huge fine.
> To website visitors: if you see a cookie banner, the site is asking permission to spy on you.
Or you know...count how many unique visitors they have and how to make the site more useful. Do you avoid using cookies on this site but still manage to log in?
Cookies needed to properly provide user authentication, i.e. user session identification, are counted as "technically necessary" cookies and do not need a cookie banner. You only need to ask for cookie consent if you track visitors with third-party services.
And, to counter your unique visitors claim: you don't need cookies, or any third party service, for that. Everything can be done locally without disrespecting user privacy.
> and, to counter your unique visitors claim: you don't need cookies, or any third party service, for that. Everything can be done locally without disrespecting user privacy.
how do you track unique visitors without cookies, and how is that way less "disrespecting" of user privacy than a cookie?
IP and User Agent, for example. Goaccess [1], a tool to generate statistics from webserver logs, is capable of calculating unique users. Calculating unique views entirely on your own server without any of that data leaving it is way more privacy friendly than urging your users into accepting cookies so that Google can harvest their data and send it to their US servers.
I wrote "disrespecting" because using GA is exactly this for me. Website owners give a f** about your user privacy just to save them some work, without caring about any of your users' data.
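As an added example (not from any commenter here, and not GoAccess code), the approach the comment above describes, carried out on constructed combined-format log lines: unique visitors per day are derived from a salted hash of IP and User-Agent, the raw address is never stored, and a fresh salt each day keeps the ids from being linked across days. The log lines, addresses and salts are all made up for the example.

```python
"""Count daily unique visitors from web server logs: no cookies, no third party."""
import hashlib
import re
import secrets
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one visitor on two browsers, a second visitor, and a
# return visit the next day. Addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jun/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/101.0"
203.0.113.7 - - [23/Jun/2022:10:01:05 +0000] "GET /docs HTTP/1.1" 200 8123 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/101.0"
198.51.100.4 - - [23/Jun/2022:11:30:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Macintosh) Safari/605.1.15"
203.0.113.7 - - [23/Jun/2022:12:00:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/103.0"
203.0.113.7 - - [24/Jun/2022:09:00:00 +0000] "GET /pricing HTTP/1.1" 200 4000 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/101.0"
"""


def parse_line(line):
    """Return (date_iso, ip, user_agent, request) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
    return day, m["ip"], m["ua"], m["req"]


def visitor_id(salt, ip, ua):
    """Salted SHA-256 over IP and User-Agent.

    Only this digest is kept, never the IP. Because the salt changes every day
    (and is discarded afterwards), the same person gets an unrelated id tomorrow,
    so the counts cannot be turned into a cross-day browsing history.
    """
    return hashlib.sha256(salt + ip.encode() + b"\x00" + ua.encode()).hexdigest()


def daily_unique_visitors(lines, salts=None):
    """Map each day to its pageview count and number of distinct visitor ids.

    `salts` maps a date to its salt; by default a random 32-byte salt is drawn
    the first time a day is seen (a real deployment would persist it for the
    day and delete it at midnight).
    """
    if salts is None:
        salts = defaultdict(lambda: secrets.token_bytes(32))
    seen = defaultdict(set)
    pageviews = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the report
        day, ip, ua, _req = parsed
        pageviews[day] += 1
        seen[day].add(visitor_id(salts[day], ip, ua))
    return {
        day: {"pageviews": pageviews[day], "unique_visitors": len(seen[day])}
        for day in sorted(pageviews)
    }


if __name__ == "__main__":
    for day, stats in daily_unique_visitors(SAMPLE_LOG.splitlines()).items():
        print(day, stats)
```

Two browsers on one address count as two visitors, so the figure is an upper bound on people, which is the trade GoAccess-style log analytics makes for not identifying anyone.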
Do you know the difference between cookies and a cookie banner? Do you understand why this site can have login sessions, and even keep track of the number of unique visitors, yet is not required to have a cookie banner?
Have you researched to know if this site is hosted on a US server? I wouldn't be surprised if it is and I also wouldn't be surprised if your IP address was additionally stored in a log somewhere for a period of time. In the US.
Yes but they are not tracking you with third party services, so regardless of where the server is they would not need a banner. The banner is a request for surveillance permission.
My buddy is a manager at a chemical plant, and your comment reminds me of a very astute statement he made recently.
“I don’t generally like unions. I’ve worked at both union and non-union plants. But anytime someone else complains about unions, I remind them that if they have a union at their plant, they earned it.“
I think it's fair to say that most unions have been established as a sole result of proportional human effort, while the same cannot be said for the success of most businesses. There are many instances where an existing imbalance in power or resource ownership is a significant factor in a business' success.
My impression of these people is that they generally use very out-of-date versions, and they misunderstand/misuse configuration settings to the point that their builds are illogical for anyone's needs, despite their surface-level appeal upon skimming the manual & ancient mailing list messages. So the government performs efficiently for some very specific workloads, but generally lacks necessary features to run society at web scale.
Agreed, I'm not interested in "ever-growing"...not for a distro nor a gov...but I am interested in an evolving one for the better - i.e. improve effectiveness, and reduce bloat if it adds nothing of value. ;-)
The economy is pretty bad in the USA too if you aren't a white collar tech worker (or in a handful of other white collar fields). Maybe not as bad, but it's pretty rough for a lot of people, possibly a majority, and it's definitely unsustainable.
If I thought the EU was doing this to protect privacy I'd be all for it. They really don't give a fuck as seen by every bit of legislation they are pushing for. Yes I also do understand that the EU in general views privacy from the government as illegal rather than a right.
The EU has both enacted the most promising and some of the most backwards, stupid and regressive privacy laws. I'm guessing that it depends on what representative guides it and forms it through the various processes, and what the courts do with it. Overall I think they have moved the needle towards more privacy.
> Yes I also do understand that the EU in general views privacy from the government as illegal rather than a right.
That is absolutely not true, at least not by enough people for anyone to be able to make that sort of blanket statement. I'd also wonder what reasons you have for thinking that, it seems to me like all of the 5-eyes used each other to spy on themselves (besides all of the things done by normal police, various levels of federal police, etc.)
Unless there is a very simple "reject" button, I click okay. Between Firefox's native protections, DNS-level blocking and uBlock, I have a lot more confidence in my own protections than I do in their honesty, and it's not worth it to me to uncheck a bunch of boxes.
Yeah clicking anything but okay or reject all (which I rarely ever come across) is usually a maze of options no one has time for except some tiny dedicated minority.
Really? I could have sworn the EU regulation requires dropping all non-essential cookies in 2 clicks or less - and that tracks with nearly every site I interact with that has a cookie banner.
Well I’m not an expert but I think the main issue is that American citizens have protections that non-Americans do not. The government cannot spy on Americans without a court order.
Unless they have an intelligence sharing agreement with a nation that happens to pick up signals from americans, from who they can request that data. And maybe there exists a network to share the raw data, wouldn't that be convenient? Or you could have a secret court system (FISA) to bypass most of the protections normally granted by due process?
Can you point me to the part of the ban that says it's about protecting users from "spying in general" and not "protecting users from spying by US companies instead of EU companies that EU member states can obtain PII from at any time"?
> "protecting users from spying by US companies instead of EU companies that EU member states can obtain PII from at any time"
I want to quantify this quote. Each EU country can spy on its citizens to similar extent as 3 letter agencies from the US, but in a less analytical/big meta data way (part of it being the US brain draining EU countries for those working in tech).
However, if EU country A wants to have access to its citizens' user data on website X located in EU country B, it is not an easy process; it involves a strict judicial system between those countries.
If you feel this way I hope you do research before visiting any website at all, because you might accidentally connect to a server in the US and your IP address will be in the TCP/IP stack of that server and probably the logs too. US servers that are intended to serve US customers have no obligations to you.
I've been using clicky on a few of my sites and even though they _assure_ me that it's totally compliant with gdpr I don't really believe them, does anyone have a decent alternative for analytics that respects people's privacy? I just want to see when I get new vs returning visitors on a page. Cloudflare's analytics are okay but I like how granular clicky can get, but if there's no good way to do that I think I'm just gonna ditch clicky and make do with the cdn analytics. Hell, I bet the cdn already does everything I need and I just don't know how to use it right, or I'm not paying for the right tier or something.
There's several self-hosted solutions, as well as several GDPR-compliant SaaS solutions. They generally work pretty well; I've seen people set up, for example, Plausible, in a couple of hours on a cheap VPS.
Google needs to do what apple is doing with PrivateRelay and putting double blind proxies in place so PII can be stripped before Google gets its hands on it.
i’d support any legislation that booted google, fb, ms, adobe, salesforce, and a whole host of other surveillance tech companies from any and all levels of government. it’s literally as important as the separation of church and state. in fact, i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones, in all facets of civic life (e.g., campaign finance).
This is just naive. Government offices/agencies are so tightly coupled with packages like office 365 that forcefully separating them would require home built solutions which would always be terrible, less secure, and more expensive to the tax payer. There’s a lot of good these products can provide, granted they are properly audited and have high security requirements.
Idk, here in France there are cities and state-wide administrations with free/libre stacks based on Linux, LibreOffice, Zimbra and others and things seem to JustWork™. For instance the French Gendarmerie, the cities of Rennes and Arles...
Arles is getting suckered by Microsoft, sadly [1]. Unfortunately all it takes is one idiot to get in office once to kill this kind of successful initiative that has been running for almost two decades.
Using Libre Office rather than Office 365 is unlikely to be the limiting factor in how fast anything in a government office is going to run.
In fact, I bet you that a major part of the delays in Government are because Tom from IT needs a sign off from three separate people to get a new Office 365 license for Brenda in accounting.
With Libre Office you make that a thing of the past.
> Tom from IT needs a sign off from three separate people to get a new Office 365 license for Brenda in accounting
That's unlikely, and if so I doubt Libre Office would liberate Brenda. It may be the reverse. On-boarding or moving Brenda between functions would mean provisioning her for internal ID, identity, email/communication, security, network/group access and permissioning, physical device(s), etc. Various parts of Microsoft 365 would just be part of the checklist and deployment, an integral part.
Microsoft make the above very smooth. I don't think someone slapping Libre Office on a PC makes any of that a thing of the past. Any realistic alternative needs to be all the way down the stack.
"Using Libre Office rather than Office 365 is unlikely to be the limiting factor in how fast anything in a government office is going to run."
Depends.
If ODF were the standard, maybe, but it isn't. The standard is Microsoft Office, and LibreOffice is not 100% compatible. But you will still have to deal with lots of Microsoft documents, from all the other agencies, ordinary people, companies, ..
Meaning, when Munich's government tried to switch to OSS a few years ago, they did indeed lose a lot of time with broken documents, templates, layouts etc., so they ultimately switched back (direct Microsoft lobbying with even Bill Gates getting personally involved might have played a role, too).
So I am all for an open standard, but this is easier said than done.
They tried that, but the question is how do you write the law? In the end they settled on requiring that govt. departments use ISO standards to store docs (which at the time was only ODF).
Microsoft then tried to get their format ratified as an ISO standard. But everyone complained that their spec did not actually specify how to implement, instead it said things like "In accordance with output from Word 2007". So after a bit of back and forth MS realized that they did not want to _actually_ document what they were doing. The solution? Pack the committee with MS shills to vote yes on every proposal by MS. Urgh.
One of the negative flow on effects was that these new committee members only cared about voting for things that MS had instructed them to vote on - so other standards and issues stalled due to a lack of a quorum. It was super disappointing looking at this from the sidelines at the time.
I would have defined Libre Office as the reference implementation. Other software is allowed to the extent it reads/writes those files formats correctly.
I haven't had any issues with Libre Office in years. They even have a paid corporate version with (supposedly) good support.
What I have had more incompatibility issues with is GSuite (or whatever Google is calling it these days) which a LOT of medium sized businesses and schools are using now as an office alternative.
> would require home built solutions which would always be terrible, less secure,
I disagree. It would be relatively straightforward to build such systems on Linux and open source.
> and more expensive to the tax payer
As a proportion of Italy's GDP, the cost would be negligible, especially given that this is a matter of national security, something governments tend to be keen to spend money on.
The assumption here seems to be that the government would be writing the software, but it would go out to market. This would be a fantastic opportunity for a local software company to put out something in the space. I'm foreseeing more of this kind of thing as data sovereignty becomes a more considered issue by governments.
The other undertone I'm getting from this thread is that people think America has a monopoly on building software, and that's simply not the case. It's not hard to find companies doing really good work outside of the US. There is also nothing special about Office 365, it doesn't have a technology moat, it just has a surmountable interoperability moat and a social moat.
I didn’t read it as government can’t use commercial products. Just that the corps couldn’t influence politics. But I’m not the OP, so I can’t speak to what was intended.
> are so tightly coupled with packages like office 365
Are they though? Do you know this for a fact? I mean, sure, MS Office is very popular in government settings, but does this really go beyond the possibility of just replacing it with LibreOffice if they so decided?
or Box/DropBox/other cloud storage services, which is less convenient than proper collaborative in-place editing, but you can still get the file at the link, edit it and upload it.
I obviously can’t speak for all, even most, but back in my consulting days I can say the many US federal and state agencies use Azure AD and a litany of AWS services that are core to vital work streams. Enough that having to shut them down would neuter the department.
ah, the ad hominem, never a good sign for the proceeding argument.
there are a number of other office suites that are entirely adequate for bureaucratic organizations to build methodical processes around (which is what bureaucracies do). the capabilities of the underlying tools don’t matter much in this regard.
also, audits aren’t meant to prove anything (like security), but instead to shift liability.
> ah, the ad hominem, never a good sign for the proceeding argument.
An ad hominem means using an insult as the basis for rejecting an argument, e.g. 'that is wrong because you are [attack]'. Saying an argument is naive and then explaining why is not an ad hominem.
None of the lines of reasoning were an ad hominem. From your other comment[1], it seems like you think "ad hominem" just means "being rude to someone". I recommend reading the GP comment's description of ad hominem again: it means making a logical argument that depends on the speaker's personal characteristics.
"You're European, so your argument is biased and wrong" is an ad hominem. "Your argument is naive, here's why I think that" is not. The latter is logically downstream of the argument, while the former is upstream.
no, an ad hominem need not be literal. do you really not understand nuance in language? we're not computers operating only on singular data and deterministic instructions.
see how those three sentences go together? that's a line of reasoning. the subject comment doesn't have that throughline. it's disjointed; the parts are only tangentially connected.
What on earth do you mean by "literal" here? Ad hominem refers to a specific fallacious style of argumentation. Being ignorant of the definition and then too stubborn to admit it is not pushing back against "overliteralism".
Especially because the rest of your comment (dismissing the rest of the argument due to "ad hominem") only makes sense if one assumes the correct definition!
But an ad hominem requires that the argument is thrown out solely based on the attack against the person. Laying out a logical argument against someone's belief, and then _additionally_ insulting him based on his beliefs is not an ad hominem.
I looked at it carefully, and I’m not seeing what you’re seeing unfortunately. I interpreted the naive comment as a separate summary of their opinion, and then the rest of the paragraph was the supporting explanation. He didn’t dismiss the idea because it was naive; the reason it is naive is why he was saying it wouldn’t work.
either way (intent can also be multi-modal), it signals a triggered response and is entirely superfluous and distracting. it's worth setting that aside, even after writing it, and examining the emotional underpinnings that led to the response in the first place. we learn a lot about our own subconsciousness that way.
And if no one does anything, in 5 years it will be a 1000, in 10 years 5000. As it is right now, the only voice governments hear is that of corpos, and corpos want to preserve the influence of corpos. That's why we need to force the ban on corpo influence. I'd rather pay 1% gdp for a one-time migration to open and free software than pay .01% gdp per corp per year.
Are you going to also train staff to use the new open source software? Where is the open source SalesForce equivalent? Workday? Concur? Device management? Email service? ServiceNow? Time tracking? Photoshop? Are you going to also force every employee to use Linux instead of Mac and Windows? Are you going to tell them to rewrite all of their software and business processes written on top of Oracle and SQL Server? Should they also rewrite all of their bespoke mobile apps to support open source mobile operating systems? Are you going to migrate all of their Office documents and SharePoint? Are they going to move all of their project management processes from Microsoft Azure DevOps (aka Visual Studio Online)? Are they going to move all of their call center software to open source? For school systems are they going to move their fuel procurement software? Many education systems are partially funded by the lottery. Are they going to move their backend systems from GTech? Their lunch programs payment systems for students use a third party, are they going to move that too? Their ATS? LMS? Grade tracking software?
So let’s take the lottery systems. Most states including mine have been using the same back end for the lottery since 1991. Who is going to write the replacement? Who is going to audit it? How much is it going to cost to replace literally thousands of lottery terminals? And what benefit would it be?
I can’t think of the name of the company now. But there is one company that manages the school lunch programs. Who is going to write the software, and you have to replace all of the hardware throughout the state.
And they'll require renegotiation or hardware upgrades at some point, so use that as leverage to say no government entities will buy any more unless they meet certain rules about open sourcing and data storage.
But really, if a handful of things like that were the only examples that would be wonderful.
> So what goes at the beginning of their list and who is going to develop and maintain the equivalent open source software?
The beginning is any SaaS that started being used in the last 2-3 years. The immediate solution might just be going back to what they had before, if the top priority is privacy.
As far as open source, the existing companies could often be contracted, but if they don't want to open up then the government can put out bids or build a team. If entire countries want to buy something, they can make a market. And that's assuming there isn't already open source software that can do the job, because there often will be.
So now you want the government to “build a team” of competent software engineers and the government is going to have to compete with the private sector for talent. The average enterprise framework developer in the US costs at least 3 times as much as the average teacher.
Now on the other hand, return offers for interns at my BigTech company is around $150K. The average salary for the superintendent of schools for larger cities is $167K. Where is the government going to get the money to compete with the private sector?
In the US, congressmen make $170K a year, the president makes around $400K a year. Junior developers at large tech companies can make $170K easily in year one or two. Senior developers at tech companies make $400K+. Is the government going to pay tech workers enough to compete?
The companies bidding for the work would also be private industry. Wasn’t the entire idea to remove private industry from government?
Do you really think the government has the competence to create software? How many decades has the US government been trying to modernize the IRS? Do you remember the original ACA website rollout?
Not only do you have to hire developers, you have to hire project managers, retrain employers, etc.
Are you going to also create data centers to create what’s available in the public cloud? You need to make those redundant across regions, are you going to force open sourcing of control plane software?
> Wasn’t the entire idea to remove private industry from government?
I think the main idea was to remove third party data storage? With some open source? You can contract both of those out, and when it's open source the company doesn't have the same kind of leverage.
> Do you really think the government has the competence to create software?
It's not like companies are usually good at it either, so shrug.
> Are you going to also create data centers to create what’s available in the public cloud? You need to make those redundant across regions, are you going to force open sourcing of control plane software?
At that scale, datacenters are cheaper than cloud hardware. As for making the cloud software, well, billions of dollars can buy a lot. Force shouldn't be necessary.
It’s not just the hardware, it’s building out the competencies in house. Companies like Netflix, Disney, Intuit (TurboTax) explicitly decided that it wasn’t “cheaper”.
Google, Apple, Microsoft, SalesForce, Oracle, are not good at creating software?
Let’s say the government wanted to “leverage” open source, do you think they could make a better version of ChromeOS than Google?
You also just think throwing money at a problem can automatically create software that is better than private corporations?
The original poster said:
i’d support any legislation that booted google, fb, ms, adobe, salesforce, and a whole host of other surveillance tech companies from any and all levels of government. it’s literally as important as the separation of church and state. in fact, i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones, in all facets of civic life (e.g., campaign finance).
They don’t want any private company involved in government IT. That means the government has to build everything out themselves without using contractors.
> Companies like Netflix, Disney , Intuit (TurboTax) explicitly decided that it wasn’t “cheaper”.
Doesn't Netflix only run their metadata servers in the cloud? I'm not sure what those other two do.
> Google, Apple, Microsoft, SalesForce, Oracle, are not good at creating software?
Did I imply that?
Though we could debate Oracle...
> You also just think throwing money at a problem can automatically create software that is better than private corporations?
I never said better. But "good enough", in avoidance of horrible privacy violations, is a choice I'd approve of.
And open source software usually does quite well when given moderate funding.
> They don’t want any private company involved in government IT.
My interpretation is that if you get rid of the surveillance you solve the main problem, as far as outsourcing goes. If that's wrong then some of what I suggested isn't compatible.
Netflix is AWS’s largest customer. They run everything on AWS except the CDNs that cache their video, which are usually colocated at ISPs.
I’m not trying to “appeal to authority”. But since we are talking specifically about AWS, I should disclaim that I work at AWS in the consulting department. That’s where my perspective about large scale migrations comes from. I’m not necessarily saying everyone “should move to the cloud”. I’m more referring to how deeply ingrained the commercial sector has always been involved with government.
not sure that it's relevant and 'large' is subjective, but yes, i stewarded the technology migration of a core product suite for a prior employer, which incidentally had government agencies as a prominent customer segment.
i'm not suggesting that governments can only use internally developed or open-source software, i'm saying corporate interests should be firewalled away from government. so a locally-installed office suite incorporating no surveillance tech doesn't have the ancillary corporate interests attached to qualify it for being firewalled.
"Creating jobs" to inefficiently solve a solved task is not a good thing, it is society burning its tax income. It is only good to create jobs when the output of those jobs is increased value.
Slowing the flow of money out of the public purse and into a very small number of barely accountable global megacorps and private equity funds, whilst improving the employment prospects of the local population, sounds like it's worth the cost of repeat work.
Also, nature loves a bit of redundancy. And capitalism loves competition. You can't have competition under a monopoly.
> > And capitalism loves competition. You can't have competition under a monopoly.
> And the govt. is the biggest monopoly of all.
I didn't say shut down the megacorps. Maybe they have use; I don't know. What I do know is they're unaccountable (like the shit bits of government).
If government had to use open systems, the quality of those open systems would improve and compete better with the similar commercial ones. The public (and companies and other countries) then have a choice between the tools from the megacorps and the open tools. The public also gains/improves a resource. More competition. Probably better for everyone.
If there isn't anything generally available that doesn't have telemetry, then productivity software w/o telemetry isn't a solved task. If you accept LibreOffice and the like, then it's a solved task but you'll still need someone to manage it, hence job creation.
Rubbish, there has been a concerted effort by the US to undermine other countries including so called NATO allies in order to dominate the world, it's been going on for decades.
I refuse to use the NHS here in the UK because of the widespread use of Microsoft everywhere.
> in fact, i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones
I don't think you comprehend the scope of what you're suggesting.
I work for a school district and I'm currently migrating our system from using one commercial bus routing service to another... using Windows, SQL Server, Teams, etc. from Microsoft... using a laptop, dock, three monitors, keyboard, and mouse from HP... and today the elevator was broken so we called a repair company to come fix it... oh, and some company makes the school buses, and the networked phone on my desk, and the printer around the corner, and all of the paper in it... the fluorescent bulbs above me don't grow on trees...
you can't just expect governments, even at the national level, to roll their own everything without interfacing with corporations in any way—this is a hopelessly naïve view of the world. I am just as uncomfortable as you are with data being shared with corporations, but you're going to have to figure out a more realistic set of political goals than what you've outlined here.
it's not really aimed at governments, so much as corporations that feel entitled to sneak in ancillary interests into their products, like surveilling the public. basically, it's to force companies like microsoft to remove all that other shit and provide just the core software, if they want access to government largess. this has beneficial externalities for us, the residents of said governments.
sure, and like I said, I agree completely. but you can't just say "i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones", unless you're proposing that all corporations should be state-owned and -operated, and that's not really a viable solution, plus it introduces a whole host of other problems.
but even if you just mean to say "government should not share citizens' data with corporations", well, there are presently two (until our license with one is up at the end of summer) separate corporations that both know where every kid in my school district lives, what their special ed needs are, what their parents' names are, what their parents' contact information is, if they live between multiple households, and so forth, because that is the explicit purpose of their business, and that's why we purchased their software. the same goes for another piece of SaaS we recently purchased a license to involving food service management for the school system. when designing the data export we opted to not follow the part of the schema that wants SSNs for the students (because why would they need that?!), but that might not be the case for other districts using the same software.
my point is there are a lot more interconnected corporate software services sharing citizen data at play in contemporary government systems than you probably think, and, once again, even though I agree with your position with regards to sharing citizen data with corporations... I think that ship might've pretty much sailed sometime in the past few decades.
i wrote a few sentences on a large civic concept, not a treatise, so let's not jump to ideological conclusions quite yet.
but yes, i'm explicitly against governments sharing private data with corporations, no matter how convenient it might seem to be for workers. governments have run for centuries without those conveniences, so it's not a dichotomous choice of share all the data or not have schools (for instance). a lot of data sharing is driven by the misguided desire to control (that is, to centralize power), whether it be teachers, students, or administrators, not for actual educational outcomes, despite the latter being the nominal impetus.
> a lot of data sharing is driven by the misguided desire to control (that is, to centralize power), whether it be teachers, students, or administrators, not for actual educational outcomes, despite the latter being the nominal impetus.
I have yet to see this occur. instead, it's all about bureaucratic convenience. why hire more people for Student Transportation to keep bus routes straight, and deal with printing out & distributing paper passenger lists to bus drivers, etc. etc., when you could use a piece of software to handle it all for you? nobody at the bureaucratic levels we're talking about here cares about hoarding personal information for power or centralization or anything like that, it's purely for convenience and streamlining of bureaucracy.
one might say, ok, sure, but why does it have to be a third-party SaaS that you're SFTPing data back and forth with, why can't it just be a traditional piece of software that you install and manage locally? again: convenience, for all involved. that's one less thing for our sysadmins to worry about dealing with, and when you get enough of these things then you'll need to hire and retain more sysadmins (who we're frequently cycling through as is due to failure to compete with corporate salaries). the software developers of the third-party bus routing software don't have to worry about platform compatibility if the platform they're targeting is the web. parents can easily log into the website to see their child's bus routes and if they're delayed or whatever (apparently this is a real thing real parents demand...). but also, hey, we're already using Office 365, so "what's a few more SaaS solutions to problems we have, at this point?"
what I'm getting at here is the rise of SaaS and the fall of self-hosted solutions to things like this is pervasive everywhere in the corporate world, so if you don't want your tax money "wasted" on even keeping school district student data in-house and secure, this is the world we have to live with now. I'm not saying it doesn't suck ass, another piece of software we replaced is all web-based (albeit locally-hosted) and strictly inferior to the end-of-life Java-based software it is replacing. software kinda just keeps getting worse, and the further stratification of everything into SaaS is definitely not good in the long run. but... that's the current state of things everywhere, so why should government be any different?
if this bothers you about public schooling in particular, then the solution (which I'll likely be doing, but not for this reason) is homeschooling your kids. then their data is only stored in the district database and only transmitted to and from the state and local governments, for reporting purposes.
but more broadly speaking, what's the use in calling out governments transmitting personal information to corporations when corporations are already taking so much of your data themselves? I bought my fiancée a hat with a soda logo on it last week and she was getting ads for that specific soda the next day. how it happened, I have no idea. shortly after I moved back to my hometown, I picked up some groceries for my mom using her credit card, including a can of Red Bull I got for myself, the first I'd had in months. later that day, ad for Red Bull on my social feeds, first I'd seen... in months. whenever I buy booze, I get (different) booze ads on Twitter for days—when I don't buy any booze for awhile, the ads stop.
there's already so much personal information being trafficked between corporations everywhere without our consent, what makes the government sending it to corporations for legitimate purposes so specifically offensive? maybe I'm being too cynical but it seems like the genie's just kind of out of the bottle now for personal data in general. TFA is sticking a finger in one of many finger-sized holes in the hull of a ship which is sinking mostly not due to the finger-sized holes but to the person-sized ones that we're just kinda ignoring.
not trying to be mean, but it's one thing to acknowledge the status quo, and another to acquiesce. that's exactly how we collectively slide into decay and corruption.
homeschooling might fix the short term, but it helps no one else and probably not your kids' long term. speaking up, debating alternative solutions, supporting better legislation, even making your own job harder will help you and all your neighbors in the long run. we each need to call out governments and corporations for their misdeeds, all the time, whenever we see it. being a citizen is a responsibility, not a right.
(also, i don't see ads and don't give data willingly to the likes of google)
How far does "separating corporate interests from governmental ones" go?
Can the government purchase a car? Hire a private corporation to build a road? Hire a consulting company to check the security of their (now-free-and-without-a-support-contract FOSS?) computer setup?
It's actually quite simple. The government can buy things and services from specific providers, but it cannot force you to buy services from specific providers. In other words, it can buy BMWs for government use, but it cannot say "you have to buy a BMW to enter the municipal office".
The same applies to websites. If a government website uses Google analytics, it is essentially requiring you to do business with a specific company (in this case Google) in order to use a government service.
And if the government uses Cloudflare or GoDaddy or aws it’s requiring you to do business with those companies. This goal is impossible to achieve with any government run service.
> cannot force you to buy services from specific providers
But government can impose requirements, like TAA compliance (1) and SHB requirements (2) on its service vendors, forcing those vendors to purchase from a fairly constrained number of hardware providers.
Is this a bad faith argument? I can't see how the difference of google having the data vs the government (or whatever entity you interacted directly with) is so easy to miss.
Could you expand on the definition of "doing business with" an entity that you're using here? It seems quite non-standard.
If you open the door to a govt office, are you doing business with the company who installed the doors? If you use the toilet, are you doing business with the company that janitorial services are contracted out to?
where to draw the line is a fair question in any policy debate, and one i'd expect to draw plenty of lively discussion. it's pretty clear to me that surveillance tech is on the outside of that line, but i'm open to reasonable arguments otherwise.
Not only state... I see absolutely 0 reason for my swiss ebanking in the secured web interface to use google analytics and similar trackers. I can clearly see them being blocked by the likes of ublock origin and ghostery in my firefox. Why the f*k should google know where I go in such private matters (and there are tons more, ie if you are lgbtq+ in one of the many restrictive locations, have some less mainstream political preferences etc.). The data once acquired have no reason to be deleted, ever. Too juicy info, and 7 billion humans is not that large a group to aspire to track.
I get why google et al want it for their growth/sales, but they are a private entity not owning internet in any way, extremely foreign to Europe with no clear friendly intentions. One of few times I can say I am proud to be living on old continent.
exactly, we need to decentralize power, and knowledge (information) is power. it seems innocuous when we each leak a little here and there, but surveillance tech is vacuuming up every tiny bit of it.
living in europe doesn't much matter, given the reach of these companies and their interweaving into government systems, along with reciprocal surveillance agreements (however-many-eyes countries).
I agree 100%. I have nearly all google domains blocked in my hosts file and was frustrated to find out google captcha was required on a few government websites. I understand rolling your own can be difficult or expensive but it's the government we're talking about here. They're no strangers to spending.
i mean, that's like asking how is it possible to compartmentalize anything. as elaborated elsewhere, it isn't about literally separating all interests, just those that harm the public. it's about removing the negative externalities that companies like google impose on us via such government contracts.
But it’s not that simple. What harms the public? Many would argue being able to use data google collects (legally through subpoenas or grey-legally through any of the number of reports that have come out since Snowden) helps government agencies by increasing public security—thus the opposite of harm. Being
in that case, it's pretty simple. the snowden leaks elucidated the government's desire to create a surveillance state with the help of corporations, not that a surveillance state would be a net-good for society.
I understand the feeling, but that's not possible, and moreover, after reflection, why should it be so?
If government can literally fine/shutdown your business arbitrarily (as they do for lockdowns, permits, etc.), then they should have a voice in the government that could treat them so terribly.
Unless you mean to say that government should be so much smaller that it doesn't impose separate business taxes, import/export controls, require permitting and licensing and follow arbitrary regulations on those businesses, which I could get behind. Ideally, if there's no advantage or penalty to avoid by petitioning government, won't everyone stop paying attention to government? No gaming the game can happen then!
The problem is that we can't have it both ways, can't restrict a group from petitioning and then pose rules they MUST follow, without a say. That's not democracy at all.
Companies are just groups of individuals after all, and should have just as much voice as an activist group does, like ACLU or Americans for Tax Reform or whatever.
The government of Italy makes rules that apply to Italians and those doing business with them.
If you’re Italian, you do have a say, and if you’re doing international business in Italy then you accept the sovereign risk of dealing with a foreign state.
you seem to be arguing from the corporate personhood stance. corporations still have an outsized voice via their rich owners. they shouldn't, however, be privileged with extra voice unaccorded the ordinary citizenry.
GDPR and these other regulations in the EU exist because the EU cannot stomach the fact that they got beat on tech and instead of innovating they are regulating to try and even the playing field.
All the recent "tech" I see from the US is all about novel ways to screw & exploit people for profit, at the expense of turning society into a dangerous wasteland full of outrage and saturated by advertising.
I wish GDPR compliance would have been opt-in. For example, a GDPR compliant website could have sent a custom header indicating compliance, which the browser could have displayed in the address bar (a bit like HTTPS). Consumers would then have been free to make the decision to not use websites which aren't GDPR compliant. Consumers who are more concerned about privacy could have set their browser to automatically block any non GDPR compliant website.
Yes? ...this was the original dream of non-national cyberspace and we almost had a hope at getting it. Then the second chance with web3 but this was also spoiled by people getting too greedy and too nasty too fast.
A parallel anonymous-and-free-for-all-but-with-payments-included, smth. like Tor-but-powered-by-IPFSv9-and-Etherv7, will probably emerge in a couple decades done right after a couple failed iterations. Some techs need hardware to catch up to be cheap enough, and only after a few failed attempts they manage to grow a trend... and it will probably last until it's used to finance a proper starting of WW3 and by then banning it will be too late.
Anyway, we'll enjoy the hell out of ourselves on the new patreons-but-for-snuff-p03n, so it will all have been worth it :)
> Then the second chance with web3 but this was also spoiled by people getting too greedy and too nasty too fast.
Maybe the laws & regulations you complain about are actually necessary because otherwise people will keep being greedy & nasty and eventually outnumber honest people?
Besides the missed irony, I mean that we need to have and we'll inevitably have a separate internet layer / set of protocols / etc. where information will be freely broadcastable and exchangeable without enforcement of any laws. We de-facto have it now too, but it's practically geek-only hence no real "broadcast" to masses of people function can be achieved.
And that once such tech becomes usable by a large percent of the general population (by eg. allowing "unsecure" websites to "do anything") and we make the mistake to add a truly functional and anonymous money transfer technology to this layer of information tech, we're royally screwed as a species.
I obviously don't want a lawless and free for all regular/default internet because on the regular internet we exchange real money and we have real identities. I'm perfectly OK with having lawless layer of information exchange and broadcasting (it's just a natural generalization and globalization of "free speech" and I think it's crucial for humanity) and even working to making them usable by the general population, as long as we don't allow any serious kind of money transfer and commerce to happen through them. Eg. A psycho posting a killing video once a decade is no biggie and would happen anyway, let's at least enjoy it / groups of psycho creating a market and industry for their "products", not ok. Two random guys planning to meet to exchange some guns for some money is no biggie and already happens anyway; trading weapons on scales to supply real wars not ok. Etc.
De-facto "having sites op-out of anti-fraud legislation" or of "human rights" protections is already happening, and is less obvious because of the centralized nature of our current internet. A less centralized internet will just allow it to happen in the open in theory. Only it won't because since they're already doing other more serious illegal stuff and don't want to draw attention.
PP's "Bizarre idea. Should websites be allowed" thinking was just funny and ridiculous at the same time: there's nothing bizarre, things are already happening (naturally) like this, and ofc it's happening discretely (eg. having telegram or other messaging app groups instead of http websites but performing similar functions etc etc) and in the silence bc ppl doing them do even more illegal stuff and nobody wants attention from authority or ppl concerned with morality ...and I couldn't help make fun of it a bit. It's the kind of guys that argue against free speech and yell the "but think of the kids" argument at us all the time, and it's tiresome to have to trick them all the time since reasoning with them doesn't work...
So suggesting that maybe we should bring what's already happening anyway in the open, base it on more open standards technology, have it be indexable by search engines etc. :P I'd rather have a legal:any flag that I can add to a google search when I want to go off the beaten track then to have to switch the program/protocol I'm using (and the browser should make sure as hell I don't leak my identity and don't pay for anything on such unsafe sites), and that's the crux of it, the browser would know that a site is unsafe and needs total sandboxing simply because the site owner has decide to "opt out of the laws" - you realize that longer term when s settles down it's a win win situation for everyone if you just twist your mind out of the default narrative the current tech-corporate establishment is brainwashing you with...
(Or the "let's make a decentralized and truly free internet layer" into a real and usable thing... or the crypto-crimies will beat us to it and do a version that also has payments, generates obvious disasters/wars etc., and then is taken over by big gov and turned to a totalitarian nightmare with social credit tracking extra features" argument.)
> this was the original dream of non-national cyberspace
cyberspace was about freeing the people and the flow of information between people, not the corporations that silo the data in their data centers for profit.
No, just GDPR? I don't see any valid reason a user might want to "opt out" of anti-fraud legislation but I do see a reason why a user might want to access the non-GDPR web.
> It's a consumer protection law, what you want is consumers with less or no protections.
Yes, indeed. I don't believe the government should mandate specific protections consumers should receive, because it just serves to reduce consumer options. And this is also why I wish GDPR would have been opt in, giving more options to consumers.
For example, in a world with no government mandated "2 year warranty", some manufacturers would offer a product with "2 year warranty" and some other manufacturers would offer the same product "without warranty", but at a lower price.
Consumers would then be free to chose if they want to pay the cheaper price without warranty or the higher price with the warranty. There are two options for consumers in this world whereas in the world with mandated warranty, only the "higher price with warranty" option is available.
It's the same with GDPR, GDPR compliance has a cost. Some websites have started banning EU IPs for that reason.
Of course, the above assumes that consumers are not misled and that transactions are voluntary. Therefore, I do think there should be laws against fraud, theft, misrepresentation, etc.
> Yes, indeed. I don't believe the government should mandate specific protections consumers should receive,
What you believe or not is completely irrelevant.
In my country consumer protection is in the Constitution, at article 41. [1]
So the government is duty bound to protect the consumers.
Thank God I was born here and not in olalonde-land.
[1] Art. 41
Private economic enterprise is free.
It may not be carried out against the common good or in a way that may harm public security, liberty, or human dignity.
The law determines appropriate planning and controls so that public and private economic activities may be directed and coordinated towards social ends.
> "some manufacturers would offer a product with "2 year warranty"
Or, realistically, all the manufacturers would offer zero days warranty and only luxury brands would offer life-long warranty to people who can afford their products (e.g. less than 1% of the population).
Example: Apple, which is not exactly a cheap brand, only offers one year warranty in the US, while it's 2 years mandated by the law in EU.
Of course the price premium is not exclusively due to the warranty (probably a good chunk of it is due to import tariffs and taxes). But do we agree that increasing the warranty period costs Apple more? Do we not agree that a business will tend to increase the price of its product when the cost of its product increases?
> Do we agree that increasing the warranty period costs Apple more?
I don't.
On the contrary, I believe they should thank us for encouraging them to make better and more durable products.
If I am spending 12 hundred euros on an electronic device, the least the manufacturer can do is give me the warranty that it won't break on its own before 2 years of usage.
Anyway, Xiaomi makes perfectly valid products at 1/3 of Apple prices.
Maybe it's not the 2-year warranty the issue here...
The Venn diagram of the websites that have a Cookie-Popup right now and the websites that would choose to not be GDPR-compliant is a circle.
This change would mean most website couldn't be used by privacy concious people anymore and that the websites in turn are free to track the sh*t out of everyone else. From my perspective that sounds a lot worse.
The web is a mandatory part of public life for most people by now and it's good and healthy that corporations get push back for not respecting privacy.
The market would only react if people were actually aware of the privacy violations. This is what the GDPR is trying to address by making data processing require informed consent.
The vast majority of people (some even on HN) have absolutely no clue how advanced the stalking actually is. You hear every so often these anecdotes about people suspecting Facebook of listening to them; it's actually more creepy that the tracking is advanced enough to successfully infer conversations without actually listening in.
Are you implying that the vast majority of consumers aren't concerned with their privacy and would keep using GDPR-compliant websites? If that's the case, isn't the regulation somewhat against the spirit of democracy?
These kinds of ridiculous laws do not understand the boundless nature of the internet. If you want to protect the privacy of netizens simply make a universal law instead of having different laws in different countries.
Since the Internet is not a fiefdom, universal law is moot. Nation states will draft tracking laws that are only enforceable through tracking in an attempt to gain their slice of the authoritarian pie. Pointing to Google or the US is typical strawman BS and gives people a false sense of security because they should assume everyone, not just Google, is tracking them. Getting people to own their data is an uphill climb, but is ultimately what will curb the negative behavior we're witnessing.
An RFC won't compel people or companies in the way you hope. An RFC is a request and nothing more. A law is driven by the legal authority of a state and is backed by corporate & financial penalties, prisons, and guns.
Those decisions are good in theory, but in practice they will kill the free web.
The only people that have the work power to put equivalent alternatives in place are the big corporations, that will anyway find a loophole.
I run my small blog, and I can't spend days or even weeks to setup a subpar analytics solution. I won't even start talking about self-hosting an analytics solution which would probably double my monthly server cost for a website on which I earn 0€.
In 2030, if we continue on that trend, websites will be in two categories: belonging to huge companies, or running illegally. It's baffling that people are applauding the end of the free web.
Because I want to know where my readers come from, which Google terms they searched, etc.? There's a million reasons to want to know stats like this without earning money...
That's the problem with GDPR. A lot of people are fine with this arrangement, but the GDPR is basically making it unlawful. GDPR is basically imposing the preferences of other people (e.g. progman32) on us.
The problem that regulation is trying to solve is that if "personal data" becomes an acceptable form of payment then people won't actually have a choice and companies can force people to provide data by not offering any alternative payment methods.
The GDPR effectively outlaws using personal data as payment which IMO is a good thing because unlike money, personal data is not a one-off transaction (the data can be valid long-term) and can be misused in all kinds of ways we might not even know about yet, thus the risk is too high.
This doesn't necessarily mean advertising is banned - targeted advertising is generally beneficial to the user (if you're going to see ads, you're better seeing something you're interested about) so they could offer the user a way to set their ad preferences manually (and thus sharing personal data freely with no coercion).
This assumes that businesses hold all the power and can dictate payment methods to consumers. That's not how it works in a market economy. If there is a demand for alternative payment methods, businesses ignoring it will get outcompeted by competitors who do satisfy that demand.
In practice, they currently can. Tech companies have a monopoly in their respective verticals due to the lack of interoperability and use network effects to essentially force you to submit to whatever terms they choose.
Keep in mind that regulation isn’t usually drafted in a vacuum and instead takes the real world into account.
If tech monopolies get broken up by anti-trust regulation it would be a good time to review the GDPR (as privacy-friendly competitors can now interoperate with existing social media networks) but until then I’m happy to have it.
Then it's not really free content is it? Put your content behind a "paywall" where the payment is whatever information you're (illegally) collecting from GA and see how it goes; at least then the "payment" you're expecting from it will be clear and users can make their own decision.
Honestly, at this stage the "free web" can fuck right off. The "free web" you speak of generates a lot of negative externalities everyone else has to put up with. If your "free" web needs to attack everyone with spyware for it to exist then it's not really "free".
> I run my small blog, and I can't spend days or even weeks to setup a subpar analytics solution.
(We're tracking these cases on isgoogleanalyticsillegal.com along with details for each.)
Note that it's not illegal to use GA entirely, just illegal to use in its default state which transmits PII to the US.
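In practice the "default state" of a page-view hit means the tag is handed the page's full URL, query string included, from document.location, so anything a site puts in its URLs (account numbers, e-mail addresses, tokens) goes out with the hit. The block below is an added example, not code from the page or from any commenter, showing the client-side scrubbing a site operator can apply so that only a sanitized location reaches the tag. The list of sensitive parameter names and the identifier patterns are assumptions chosen for illustration; gtag is the global the vendor's loader defines and is only called when present.

```javascript
// Added example (not from the page or any commenter): scrub user-identifying
// material out of a page URL before passing it to a web-analytics tag as the
// page location. The parameter names and identifier patterns below are
// assumptions chosen for illustration, not anything the page specifies.

// Query parameters whose values are user-identifying (assumed list).
const SENSITIVE_PARAMS = new Set([
  'email', 'token', 'session', 'sid', 'uid', 'user', 'phone', 'name', 'ssn',
]);

// Path segments that typically embed a per-user identifier (assumed patterns).
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const NUMERIC_ID_RE = /^\d{4,}$/;
const EMAIL_RE = /^[^@\s/]+@[^@\s/]+\.[^@\s/]+$/;

// decodeURIComponent throws on malformed escapes; fall back to the raw segment.
function safeDecode(segment) {
  try { return decodeURIComponent(segment); } catch (e) { return segment; }
}

// Replace identifier-looking path segments with fixed placeholders so the
// analytics data still groups by route but no longer keys on a person.
function scrubPath(pathname) {
  return pathname
    .split('/')
    .map((seg) => {
      const plain = safeDecode(seg);
      if (UUID_RE.test(plain)) return ':uuid';
      if (NUMERIC_ID_RE.test(plain)) return ':id';
      if (EMAIL_RE.test(plain)) return ':email';
      return seg;
    })
    .join('/');
}

// Return a copy of rawUrl with credentials, fragment, sensitive query
// parameters and identifier-like path segments removed.
function scrubUrl(rawUrl) {
  const u = new URL(rawUrl);
  u.username = '';          // embedded credentials never belong in analytics
  u.password = '';
  u.hash = '';              // fragments can carry tokens (e.g. #access_token=...)
  u.pathname = scrubPath(u.pathname);
  const kept = new URLSearchParams();
  for (const [key, value] of u.searchParams) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) continue;
    if (EMAIL_RE.test(value)) continue;   // e-mail hiding under an innocuous key
    kept.append(key, value);
  }
  u.search = kept.toString();
  return u.toString();
}

// Build the page_view parameters from the scrubbed URL rather than from
// document.location, so the raw URL is never handed to the tag.
function buildPageView(rawUrl, title) {
  const scrubbed = new URL(scrubUrl(rawUrl));
  return {
    page_location: scrubbed.toString(),
    page_path: scrubbed.pathname + scrubbed.search,
    page_title: title,
  };
}

// In the browser: configure the tag with send_page_view: false and call this
// instead, so only the scrubbed location is sent. gtag is the global defined
// by the vendor's loader; the call is skipped when it is not present.
function sendPageView(rawUrl, title) {
  const params = buildPageView(rawUrl, title);
  if (typeof gtag === 'function') {
    gtag('event', 'page_view', params);
  }
  return params;
}
```

This only covers the URL half of the problem. The client IP is carried by the HTTP request itself, and the masking options a vendor offers for it are applied after the request has arrived at the vendor, so they change what is stored, not what leaves the browser.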