To be compliant, Google can just set up data centers specific to GA in one of those EU subsidiaries, so GA admins can choose to have their visitors' data stored only in an EU data center (and promise to not transfer that data to the US). This wouldn't be that hard to do.
No, they can't as far as I get it. The American CLOUD Act entitles US law enforcement to serve orders to US companies and their foreign branches. So, if you are American with a company in the EU, the important part is that you are an American, not that the company is in a foreign jurisdiction.
Yes, specifically the CLOUD (Clarifying Lawful Overseas Use of Data) Act, which was enacted following a case in 2014 where Microsoft refused to hand over emails stored in the EU (Ireland, in that case) on foot of a domestic US warrant.
The CLOUD Act expressly brings data stored by US-based companies anywhere in the world under the purview of US warrants and subpoenas.
It really makes no difference where the data is stored once it's accessible by a US company:
"The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil."
As mentioned by other commentators, this is not enough. The Schrems II ruling exposed the risk here. If servers are in the EU but are under effective control (even via proxy) of a country with inadequate control (US, RU, CN), then you can't use data location as an argument.
The problem is not only the geo location of the datacenters. As long as these subsidiaries are under the control of a USA corporation, this is illegal, since the USA corporation can be requested by the USA gov to share any data they may have no matter where it's stored. Only options are a 100% GDPR compliant solution (European or from a country with similar laws) or self-host. Hopefully another Privacy Shield-like agreement will be in place soon.
Building out the infrastructure necessary for Cloud to be compliant with region-stored data was a multi-year project.
Huge swathes of Google's architecture (especially its legacy architecture) have deeply-ingrained location-agnosticism assumptions. It turns out to be extremely complex and expensive to remove those assumptions given the way Google handles data once it hits their datacenter fabric.
(Not impossible, mind, just that this assertion that it wouldn't be that hard to do is in "I could build Twitter in a weekend" territory).
It’s coming up to a decade since Schrems I, six years since GDPR, and four years since enforcement of GDPR. For a company like Google the writing has been on the wall for a lot longer than a weekend. They’ve simply been gambling that they can get away with it, and now that argument is collapsing.
Oh, no doubt. They've 100% been gambling that they could get away with it. The GDPR has deviated increasingly from what their leadership assumed would be a reasonable position (it continues to drift from the American centroid belief on who owns what data; for Americans, the notion that you can use other people's computers without them keeping records of how you used their computers is kinda weird, and Americans lack the direct historical experience to have the kinds of concerns about mass-citizen-tracking that Europe does).
My prediction is that as things move forward, they're going to find it isn't worth their money to offer Analytics for European customers if the GDPR continues to make that more onerous (especially since the monetization story of Analytics for Google is so threadbare) and just offer it for customers in other countries while Europe does its own thing. Win-win.
It wouldn't be hard for Googs to do this on their own so that they comply with the rules/laws in the markets they are operating vs giving it to the end user as an option in the configs. Most people using GA probably wouldn't know what any of that meant anyways. They just want the numbers so their marketing people can tell them what to do next. I'm talking the people running sites on Wix-type sites vs having an actual dev team that can push back against a marketing department.