It's a crime to use Google Analytics, watchdog tells Italian website Another kicking has been leveled at American tech giants by EU regulators as Italy's data protection authority ruled against transfers of data to the US using Google Analytics. The ruling by the Garante was made yesterday as regulators took a close look at a website operator who was using Google Analytics. The regulators found …
Well.... The UK had their own set of rules even pre-Brexit. I think many in the EU were actually hoping for the UK to take the lead in reforming the EU after the referendum (which was non-binding, but would have been a great bargaining chip). The rest could have just followed suite then...
I'll shut up about Brexit now. It was a mess, it currently is a mess and it will remain such for a while. Buggerit!
Because it's open to interpretation. The US and the EU have come up with various wheezes to allow processing of data in the US and they have repeatedly been struck down by the courts as providing insufficient protection, not least from warrantless US governement request for access. Google has made a version of analytics that supposedly limits the data collected, but mere act of processing data in the US remains a problem.
>If this is an *EU* directive, then why aren't all EU countries up in arms ?
The different members have different ideas about abiding by the law; just like the UK and US when it comes to intervention in other countries such as Iraq.
>Even pre Brexit, the UK seemed to be able to happily ignore EU regulations
The UK government, whilst it disliked many EU regulations, particularly those that impinged upon state surveillance, did implement and follow the agreed directives. Which was a cause of tension within the EU, as the UK obviously leaned on and called out those who's idea of compliance was more akin to lip service...
The EU project is a long-term project, we only need to look at the USA and the recent Dobbs vs Jackson case to see that even after 200+ years the US still have vast differences between states.
Because:
"A directive shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods."
As opposed to a regulation:
A regulation shall have general application. It shall be binding in its entirety and directly applicable in all Member States.
- Treaty on the Functioning of the European Union, article 248
Member states have a set amount of time to implement a directive, and the monitoring as to whether the implementation is adequate takes additional time. You can imagine how all this process leaves room for interpretation and litigation.
In any case, even if an implementation is not adequate, the EU can only impose fines.
You might ask why it was not drafted as a regulation to start with, but that would be a long discussion
My bad. Too much multi-tasking and absent-mindedness.
The issue seems to be that after the EU-US privacy shield agreement was invalidated in 2020, a decision has yet to be made.
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en
Great question!
Like many things in the EU, there is a mixture of centralised rules and national implementation. In the case of GDPR, nearly all the implementation is at the national level, particularly enforcement. Hence why Facebook is all about how the Irish data protection body interprets GDPR.
As you can imagine this creates an inconsistent mess, with multinationals forum-shopping and a great deal of confusion. There are currently proposals on the table to move to a greater role for the EU data protection bodies.
A cynic might argue this was planned all along: design something which is obviously flawed, where the solution ends up being "more Europe". This way you get centralisation by the back door, whether or not the people or politicians of the EU want it.
I booted Google Analytics off my company's website many years ago, thanks to these same privacy concerns that the EU is only addressing...today, actually (!).
California now has some of the same types of rules regarding privacy that the EU does, and I had an online discussion with Aaron Severson of Ate Up With Motor regarding his fears of crossing those rules; my recommendation was to ditch Google and any other tracking systems on the site in order to avoid the potential issues. If you aren't collecting data, then you shouldn't cross the laws.
So I see all these laws as a benefit to the user in general, hopefully killing (or at least greatly impacting) the analytics industry.
Courts in three countries have reached the same conclusion and yet SFA has changed with regards to analytics.
Are you sure Google et al have anything to fear? It is not that I don't trust the regulators to take decisive action, but... I don't know how to finish that phrase.
The thing about governments is that they may move slowly....
Yes. I think that's eventually going to be the solution.
Remember, the problem here - at least as far as legislation is concerned - isn't that we want to bash Google because it's evil.
The problem is that, once the data is in the USA, Google is free to sell it to anyone, the USA government is free to grab it anytime, and there's absolutely nothing the EU can do about that.
If the data is in the EU, then Google can't sell it (because GDPR), and the only government that can (legally) grab it is our own (which is... eh, less bad).
"Anyplace not the US" doesn't work, it has to be a place with comparable protections to the EU. There aren't many of those, though. California won't cut it, no matter what they do, because even if they implement the same protections as GDPR, the federal government could still grab the data.
>Yes. I think that's eventually going to be the solution.
I think the solution is going to be that Google sets up a server in an Eu country that needs Google's business more than it needs votes of privacy activists.
Google are then going to 'process' all the Eu data there - because the Eu can't restrict cross border trade between members. - and transfers from there to the USA are going to be within the rules of that friendly country.
When the Eu tries to prohibit this, as it did with tax breaks, they are just going to appeal it for 10years while the friendly government drags its heels on implementation.
"California won't cut it, no matter what they do, because even if they implement the same protections as GDPR, the federal government could still grab the data."
And thanks to the US Patriot Act, US owned companies with a presence/server/data in the EU has to hand it over if ordered to. Which, as MS discovered in Ireland, puts them in a very difficult position since they have to abide by both the Patriot Act inspired data request and the GDPR provision to not export the data.
I am one of those that would rather want Google to not get the data at all.
Unfortunately claiming "legitimate interest" in using the data to check the improve a web page seems to be a lot more reasonable than most of the uses cases where legitimate interest is claimed to allow Google et al. to harvest our data even without consent.
So yes, if the processing is done within the EU GDPR will probably allow web sites and Google to continue to analyze every click and check how long the mouse hovered over which area of the page.
...Italian SA adopted a decision, to be followed by additional ones, reprimanding Caffeina Media S.r.l. – a website operator – and ordering it to bring the processing into compliance with the GDPR by ninety days.
The judgement quite rightly fingers the website itself for collecting and transmitting the data, which makes Google's arguments and power largely irrelevant to enforcement of the GDPR.
Well I don't know about the US, but I can tell you I live in a Brexshithole country. Full of pig-ignorant uneducated pensioners and with a second class 'leader' who cares not a jot for the country he leads.
And, just for the record, that makes me angry.
I guess it's even worse. It looks any right that wasn't in the mind of the Framers - who were sons of their time, with all their inevitable limitations - could be lifted by a Court lead by Talibans.
Which makes them very alike Putin and his mad dream of returning to a mythical golden age of Czarism.
Since a Privacy Right is not well laid out in the US Constitution, expect rulings that will give companies broad freedom in breaking citizen rights.
> I guess it's even worse. It looks any right that wasn't in the mind of the Framers - who were sons of their time, with all their inevitable limitations - could be lifted by a Court lead by Talibans.
Only where that aligns with their beliefs and can be used as an excuse.
As well as the original-intent argument, there was also a claim that Roe v Wade was anti-democratic and it should be up to states to decide.
Then, in a different case they decided that New York State isn't allowed to decide whether concealed carry is permitted or not.
As you say, they're much like Putin in that they will say anything that might further their own argument, and not worry about whether there's any internal consistency between their arguments.
Sadly, we've got more than a few of those headbangers this side of the pond as well.
That's exactly it. There is no right to an abortion in the US Constitution, but there is an explicit right to own weapons in it. The supposed abortion right was granted by the Supreme Court, which has no business eatablishing rights to anything. Their one job is deciding whether or not an action is Constitutional. On abortion, the correct response would have been to send the case back to the lower court to rule on abortion according to that state's laws as at the time there was no federal abortion law for the Supreme Court to refer to. Only Congress can pass new laws, and it's about time the US has a Supreme Court that knows its place, and that place is not legislation.
This post has been deleted by its author
At the moment, data transfers to the USA appear to be illegal. Even data transfers within the EU, but to companies owned or operated by US companies would be questionable, as the USA's CLOUD Act renders that data within the jurisdiction of the US govt.
The main issue at play is that the EU is taking its sweet time actually coming up with a solution to this. And I think the reason they're taking their time is that there isn't a GDPR compatible solution - the USA doesn't want to improve its data protections to GDPR standards (introducing the CLOUD Act proves that).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
