It's a crime to use Google Analytics, watchdog tells Italian website

Another kicking has been leveled at American tech giants by EU regulators as Italy's data protection authority ruled against transfers of data to the US using Google Analytics. The ruling by the Garante was made yesterday as regulators took a close look at a website operator who was using Google Analytics. The regulators found …

  1. Anonymous Coward

    Colour me confused.

    If this is an *EU* directive, then why aren't all EU countries up in arms ?

    Even pre Brexit, the UK seemed to be able to happily ignore EU regulations - certainly I had a big fuck all to do despite Schrems (1 and 2).

    1. Joe W Silver badge

      Re: Colour me confused.

      Well.... The UK had their own set of rules even pre-Brexit. I think many in the EU were actually hoping for the UK to take the lead in reforming the EU after the referendum (which was non-binding, but would have been a great bargaining chip). The rest could have just followed suit then...

      I'll shut up about Brexit now. It was a mess, it currently is a mess and it will remain such for a while. Buggerit!

    2. Charlie Clark Silver badge

      Re: Colour me confused.

      Because it's open to interpretation. The US and the EU have come up with various wheezes to allow processing of data in the US and they have repeatedly been struck down by the courts as providing insufficient protection, not least from warrantless US government request for access. Google has made a version of analytics that supposedly limits the data collected, but mere act of processing data in the US remains a problem.

      1. Yet Another Anonymous coward Silver badge

        Re: Colour me confused.

        >but mere act of processing data in the US remains a problem.

        I mean if you can't trust the USA's agencies to do the right thing, who can you trust ?

    3. Roland6 Silver badge

      Re: Colour me confused.

      >If this is an *EU* directive, then why aren't all EU countries up in arms ?

      The different members have different ideas about abiding by the law; just like the UK and US when it comes to intervention in other countries such as Iraq.

      >Even pre Brexit, the UK seemed to be able to happily ignore EU regulations

      The UK government, whilst it disliked many EU regulations, particularly those that impinged upon state surveillance, did implement and follow the agreed directives. Which was a cause of tension within the EU, as the UK obviously leaned on and called out those whose idea of compliance was more akin to lip service...

      The EU project is a long-term project, we only need to look at the USA and the recent Dobbs vs Jackson case to see that even after 200+ years the US still have vast differences between states.

    4. El Bard

      Re: Colour me confused.

      Because:

      "A directive shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods."

      As opposed to a regulation:

      A regulation shall have general application. It shall be binding in its entirety and directly applicable in all Member States.

      - Treaty on the Functioning of the European Union, article 248

      Member states have a set amount of time to implement a directive, and the monitoring as to whether the implementation is adequate takes additional time. You can imagine how all this process leaves room for interpretation and litigation.

      In any case, even if an implementation is not adequate, the EU can only impose fines.

      You might ask why it was not drafted as a regulation to start with, but that would be a long discussion

      1. AndrewRHT

        Re: Colour me confused.

        GDPR is the "General Data Protection Regulation" - ie a Regulation not a Directive.

        1. El Bard

          Re: Colour me confused.

          My bad. Too much multi-tasking and absent-mindedness.

          The issue seems to be that after the EU-US privacy shield agreement was invalidated in 2020, a decision has yet to be made.

          https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en

    5. AndrewRHT

      Re: Colour me confused.

      Great question!

      Like many things in the EU, there is a mixture of centralised rules and national implementation. In the case of GDPR, nearly all the implementation is at the national level, particularly enforcement. Hence why Facebook is all about how the Irish data protection body interprets GDPR.

      As you can imagine this creates an inconsistent mess, with multinationals forum-shopping and a great deal of confusion. There are currently proposals on the table to move to a greater role for the EU data protection bodies.

      A cynic might argue this was planned all along: design something which is obviously flawed, where the solution ends up being "more Europe". This way you get centralisation by the back door, whether or not the people or politicians of the EU want it.

  2. Snake Silver badge

    Nothing new here

    I booted Google Analytics off my company's website many years ago, thanks to these same privacy concerns that the EU is only addressing...today, actually (!).

    California now has some of the same types of rules regarding privacy that the EU does, and I had an online discussion with Aaron Severson of Ate Up With Motor regarding his fears of crossing those rules; my recommendation was to ditch Google and any other tracking systems on the site in order to avoid the potential issues. If you aren't collecting data, then you shouldn't cross the laws.

    So I see all these laws as a benefit to the user in general, hopefully killing (or at least greatly impacting) the analytics industry.

  3. A. Coatsworth

    Google must be trembling in its boots

    Courts in three countries have reached the same conclusion and yet SFA has changed with regards to analytics.

    Are you sure Google et al have anything to fear? It is not that I don't trust the regulators to take decisive action, but... I don't know how to finish that phrase.

    1. Anonymous Coward

      Re: Google must be trembling in its boots

      The thing about governments is that they may move slowly....

      "Oh no, K K Ken is c c coming to k k kill me...."

      1. Pascal Monett Silver badge

        Especially when large infusions of lobby money appear.

  4. vtcodger Silver badge

    It's OK with the EU?

    So if Google sets up an analytics server in the EU (or anyplace else not the US?) and makes sure that EU originated traffic goes to that server, Google's behavior is OK with the EU?

    1. Filippo Silver badge

      Re: It's OK with the EU?

      Yes. I think that's eventually going to be the solution.

      Remember, the problem here - at least as far as legislation is concerned - isn't that we want to bash Google because it's evil.

      The problem is that, once the data is in the USA, Google is free to sell it to anyone, the USA government is free to grab it anytime, and there's absolutely nothing the EU can do about that.

      If the data is in the EU, then Google can't sell it (because GDPR), and the only government that can (legally) grab it is our own (which is... eh, less bad).

      "Anyplace not the US" doesn't work, it has to be a place with comparable protections to the EU. There aren't many of those, though. California won't cut it, no matter what they do, because even if they implement the same protections as GDPR, the federal government could still grab the data.

      1. Yet Another Anonymous coward Silver badge

        Re: It's OK with the EU?

        >Yes. I think that's eventually going to be the solution.

        I think the solution is going to be that Google sets up a server in an EU country that needs Google's business more than it needs votes of privacy activists.

        Google are then going to 'process' all the EU data there - because the EU can't restrict cross border trade between members. - and transfers from there to the USA are going to be within the rules of that friendly country.

        When the EU tries to prohibit this, as it did with tax breaks, they are just going to appeal it for 10 years while the friendly government drags its heels on implementation.

      2. John Brown (no body) Silver badge

        Re: It's OK with the EU?

        "California won't cut it, no matter what they do, because even if they implement the same protections as GDPR, the federal government could still grab the data."

        And thanks to the US Patriot Act, US owned companies with a presence/server/data in the EU have to hand it over if ordered to. Which, as MS discovered in Ireland, puts them in a very difficult position since they have to abide by both the Patriot Act inspired data request and the GDPR provision to not export the data.

        1. localzuk Silver badge

          Re: It's OK with the EU?

          That's not the Patriot Act doing that, that's the more recent CLOUD Act.

    2. OhForF'

      Re: It's OK with the EU?

      I am one of those that would rather want Google to not get the data at all.

      Unfortunately claiming "legitimate interest" in using the data to check and improve a web page seems to be a lot more reasonable than most of the use cases where legitimate interest is claimed to allow Google et al. to harvest our data even without consent.

      So yes, if the processing is done within the EU GDPR will probably allow web sites and Google to continue to analyze every click and check how long the mouse hovered over which area of the page.

  5. Anonymous Coward

    "European regulators seem unimpressed,"

    <cynic>translation : don't understand </cynic>

    1. nobody who matters

      Re: "European regulators seem unimpressed,"

      I think them being unimpressed by google's response suggests that they probably do understand.

      Admittedly, this does seem unusual for officialdom.

  6. revenant
    Happy

    I quite like this judgement

    ...Italian SA adopted a decision, to be followed by additional ones, reprimanding Caffeina Media S.r.l. – a website operator – and ordering it to bring the processing into compliance with the GDPR by ninety days.

    The judgement quite rightly fingers the website itself for collecting and transmitting the data, which makes Google's arguments and power largely irrelevant to enforcement of the GDPR.

    1. LDS Silver badge

      Re: I quite like this judgement

      No, because Analytics has a very large share of the market - the case was about Caffeina Media, but **all** other sites using Analytics have been given 90 days to comply.

  7. Pascal Monett Silver badge

    "a country without an adequate level of data protection,"

    It has also just become a country without an adequate level of women's rights.

    The United States is on its way to becoming a shithole country.

    And that makes me sad.

    1. Anonymous Coward

      Re: "a country without an adequate level of data protection,"

      "shithole" as a generalisation is maybe a little bit on the negative side. Tiny bit. Every country has its downsides.

      1. RegGuy1 Silver badge

        Re: "a country without an adequate level of data protection,"

        Well I don't know about the US, but I can tell you I live in a Brexshithole country. Full of pig-ignorant uneducated pensioners and with a second class 'leader' who cares not a jot for the country he leads.

        And, just for the record, that makes me angry.

    2. LDS Silver badge

      Re: "a country without an adequate level of data protection,"

      I guess it's even worse. It looks like any right that wasn't in the mind of the Framers - who were sons of their time, with all their inevitable limitations - could be lifted by a Court led by Talibans.

      Which makes them very alike Putin and his mad dream of returning to a mythical golden age of Czarism.

      Since a Privacy Right is not well laid out in the US Constitution, expect rulings that will give companies broad freedom in breaking citizen rights.

      1. Anonymous Coward

        Re: "a country without an adequate level of data protection,"

        > I guess it's even worse. It looks like any right that wasn't in the mind of the Framers - who were sons of their time, with all their inevitable limitations - could be lifted by a Court led by Talibans.

        Only where that aligns with their beliefs and can be used as an excuse.

        As well as the original-intent argument, there was also a claim that Roe v Wade was anti-democratic and it should be up to states to decide.

        Then, in a different case they decided that New York State isn't allowed to decide whether concealed carry is permitted or not.

        As you say, they're much like Putin in that they will say anything that might further their own argument, and not worry about whether there's any internal consistency between their arguments.

        Sadly, we've got more than a few of those headbangers this side of the pond as well.

        1. M.V. Lipvig Bronze badge

          Re: "a country without an adequate level of data protection,"

          That's exactly it. There is no right to an abortion in the US Constitution, but there is an explicit right to own weapons in it. The supposed abortion right was granted by the Supreme Court, which has no business establishing rights to anything. Their one job is deciding whether or not an action is Constitutional. On abortion, the correct response would have been to send the case back to the lower court to rule on abortion according to that state's laws as at the time there was no federal abortion law for the Supreme Court to refer to. Only Congress can pass new laws, and it's about time the US has a Supreme Court that knows its place, and that place is not legislation.

          1. John Brown (no body) Silver badge

            Re: "a country without an adequate level of data protection,"

            So, basically what you're saying is that the Supreme Court isn't "what it says on the tin", but "merely" a "Constitutional Court"?

      2. Anonymous Coward

        Re: "a country without an adequate level of data protection,"

        Not quite. The framers, whilst sons of their time, were relatively enlightened. The influence that Christianity now has in politics, along with the bastardisation of the second amendment would have them rolling in their graves.

        1. Anonymous Coward

          Re: "a country without an adequate level of data protection,"

          "were relatively enlightened"

          ..slave-owning bigots..

  8. This post has been deleted by its author

  9. localzuk Silver badge

    No way round it

    At the moment, data transfers to the USA appear to be illegal. Even data transfers within the EU, but to companies owned or operated by US companies would be questionable, as the USA's CLOUD Act renders that data within the jurisdiction of the US govt.

    The main issue at play is that the EU is taking its sweet time actually coming up with a solution to this. And I think the reason they're taking their time is that there isn't a GDPR compatible solution - the USA doesn't want to improve its data protections to GDPR standards (introducing the CLOUD Act proves that).
