Hacker News Re-Imagined

Austrian DSB: EU-US Data Transfers to Google Analytics Illegal

  • 219 points, 2 days ago, posted by @sarnowski, 268 comments



@snowwolf 2 days

Replying to @sarnowski 🎙

Has Google Analytics now adopted the latest European Commission approved SCCs (https://ec.europa.eu/info/law/law-topic/data-protection/inte...), and does that mean using GA with those SCCs is now compliant going forward? Or does this case's verdict that "SCCs and TOMs not enough" now mean those EC-approved SCCs are useless?



@timgl 2 days

Replying to @sarnowski 🎙

Relevant thread on open source alternatives to Google Analytics from earlier today: https://news.ycombinator.com/item?id=29888599



@YetAnotherNick 2 days

Replying to @sarnowski 🎙

I really don't understand why countries are so persistent about storing data in their country. It's not like the enforcers could walk into the datacenter, plug in a USB drive and get the data. And it's even hard to see what all constitutes user data. Does logging constitute user data? Does that mean that to get logs for an error the developer needs to travel to every country and remember the log messages in his head?

And companies could easily copy their data in a click if they need to. A much saner approach should be limiting what the company is allowed to do with the data.



@rehamelbasha 2 days

Replying to @sarnowski 🎙

There are alternatives like snowplow.

My former company and my current one decided to move from GA to Snowplow, as you have much more control over your data and do not depend so much on Google to be GDPR compliant.



@aspenmayer 2 days

Replying to @sarnowski 🎙

This is due to GDPR. Amazing ruling for privacy for all of EU.

Detailed analysis:

https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2021-0.58...



@tjansen 2 days

Replying to @sarnowski 🎙

That stuff scares me. More than US government surveillance could ever scare me. The most likely outcome is that smaller companies just don't do business in the EU. At least before they are large enough to deal with GDPR.

I am located in Germany, but if I were to start a SaaS site today, I wouldn't try to sell to the EU. It just isn't worth the trouble.

Over time, many people in the EU will start using VPNs to get access to the latest web sites without GDPR restrictions. Even today I have to use a VPN to access some websites (mostly news sites), but I suspect it will be much worse if noyb succeeds.



@ur-whale 2 days

Replying to @sarnowski 🎙

The EU regulating itself out from the market.

Not for the first time, mind you.



@etothepii 2 days

Replying to @sarnowski 🎙

In other news, king orders tide out.



@boshomi 2 days

Replying to @sarnowski 🎙

»Max Schrems: "In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator - not to anyone in Europe."«

That's the point: we need real data protection in US law for non-US citizens as well. Currently, US lawmakers treat EU citizens' data as US state property. Obviously, that's unfair.



@davidgerard 2 days

Replying to @sarnowski 🎙

Nothing about GDPR is hard ... unless your business model is to abuse your customers' personal data. Then it might be hard.

I routinely see the loudest complainers about the onerous nature of GDPR compliance suddenly get vague or stop posting when you ask for details of precisely what bit is so hard for them in particular. Note lack of those details in this present discussion, for example.

So far, it seems a safe assumption that the excuse makers are abusing personal data, and they know they're abusing personal data.

Perhaps one day a clear exception will show up.

I wrote up a thing here a few years ago with my actual on the ground experience of getting us compliant: https://reddragdiva.dreamwidth.org/606812.html

tl;dr anything that might vaguely constitute personal data, down to Apache logs, must either be in a writable database for redactability, or deleted.

Since then, our legal team - who are not your legal team! - has advised:

* 30 days for operational purposes is fine actually.

* Go feral on anything over 30 days. You need a named person responsible for GDPR redactions.

* If you want to do analytics on those Apache logs, do them quickly and into a form that doesn't contain personal data.

I'm in the UK, which is no longer in the EU, but the GDPR laws still hold here.

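The last three bullets above (keep raw logs only for a short operational window, have someone able to redact anything older, and run analytics quickly into a form with no personal data) can be turned into a small script. The following is an added example, not code from the commenter, the linked write-up, or any project. It assumes the Apache "combined" log format, treats the client IP, remote user, referrer and User-Agent as personal data, uses the 30-day window quoted above, and the sample lines, hosts, paths and the `NOW_FOR_DEMO` clock are constructed for the demonstration.

```python
"""Apache access-log minimisation: aggregate into non-personal counts, and find
lines past the retention window. Added example; assumes the "combined" format.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined" format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
_TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines: addresses, paths and timestamps are made up.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Jan/2022:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2022:10:15:40 +0000] "GET /pricing HTTP/1.1" 200 2048 "https://example.test/index.html" "Mozilla/5.0"',
    '198.51.100.23 - alice [10/Jan/2022:11:02:01 +0000] "GET /pricing?email=alice%40example.test HTTP/1.1" 200 2048 "-" "curl/7.81"',
    '198.51.100.23 - - [11/Jan/2022:08:00:00 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/7.81"',
    'this line is not in combined format',
]

# A fixed "today" so the retention check is reproducible (constructed for the demo).
NOW_FOR_DEMO = datetime(2022, 2, 15, tzinfo=timezone.utc)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = _COMBINED.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["time"] = datetime.strptime(fields["time"], _TIME_FMT)
    return fields


def aggregate_logs(lines):
    """Count requests per (day, path, status), dropping every identifying field.

    Only the request path survives; the query string is cut off because it can
    carry tokens or e-mail addresses. IP, remote user, referrer and user agent
    never reach the output, so the counts can be retained without redaction.
    """
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue  # unparseable lines are skipped rather than guessed at
        parts = f["request"].split()
        path = parts[1] if len(parts) >= 2 else "-"
        path = path.split("?", 1)[0]
        day = f["time"].date().isoformat()
        counts[(day, path, int(f["status"]))] += 1
    return counts


def expired_lines(lines, now, retention_days=30):
    """Return the raw lines older than the retention window, for deletion or redaction."""
    cutoff = now - timedelta(days=retention_days)
    return [line for line in lines
            if (f := parse_line(line)) is not None and f["time"] < cutoff]


if __name__ == "__main__":
    for key, n in sorted(aggregate_logs(SAMPLE_LINES).items()):
        print(key, n)
    print(len(expired_lines(SAMPLE_LINES, NOW_FOR_DEMO)), "lines past retention")
```

The aggregation is deliberately lossy: once the path, day and status are all that remain, a later redaction request has nothing to find, which is the point of doing the analytics "quickly and into a form that doesn't contain personal data". Anything the regex does not recognise is skipped rather than passed through, so a malformed line cannot smuggle an identifier into the retained output.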


@ckastner 2 days

Replying to @sarnowski 🎙

Max Schrems is just incredible. Just look at his Wikipedia page [1] and see how many EU-US data transfers he's challenged successfully.

[1] https://en.wikipedia.org/wiki/Max_Schrems

At this point, I wonder why the EU doesn't consult him personally prior to enacting some law. It's not as if they don't consult with others as well.



@jbrooksuk 2 days

Replying to @sarnowski 🎙

And that's why, as a responsible developer, I exclusively use Fathom for my own projects. As far as I know, they are the only analytics company who are correctly following the law here AND they always try to do more.

They completely isolate EU analytics from their US databases, which you can read more about at https://usefathom.com/features/eu-isolation

Aside from this, unlike other startup analytics solutions, they've actually spoken to lawyers to read through the fine print of the law and ensure their solution is legal. Go get it!



@usr1106 2 days

Replying to @sarnowski 🎙

The deeper background is of course Google's business model of data and privacy prostitution: Users give their private life to Google and they get web search, email, and videos back.

In a more reasonable world users would pay money for the services they want to use.

Of course it needs to be noted that most users don't even understand that they are selling themselves. And of the few who do most still think it's better than paying money.

This ruling, should Google comply in the end, will not change anything. Google will store the data in the EU and that's it. I don't think they share user data with the advertiser when they show an ad. So they could still show ads of US companies. And that's a niche business only anyway because when Europeans do business with Amazon, Disney, and the like they deal with the respective European subsidiaries already.



@fideloper 2 days

Replying to @sarnowski 🎙

To my knowledge, Fathom Analytics is the only analytics app that has bothered to hire actual lawyers and navigate EU isolation.

They wrote about it here: https://usefathom.com/features/eu-isolation



@phoronixrly 2 days

Replying to @sarnowski 🎙

The key points in the article for me:

> Max Schrems, honorary chair of noyb.eu: "Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options."

> In the long run, there seem to be two options: Either the US adapts baseline protections for foreigners to support their tech industry, or US providers will have to host foreign data outside of the United States.

> No penalty (yet). The decision is not dealing with a potential penalty, as this is seen as a "public" enforcement procedure, where the complainant is not heard. There is no information if a penalty was issued or if the DSB is planning to also issue a penalty.

We need more trials related to GDPR breaches. While having the legislation is a huge achievement, it needs to be backed with enforcement.

If there is no enforcement, a third long-term solution arises -- just ignoring the law until you manage to get the necessary amendments to it in order to keep operating as before without fear of penalty.



@sebsebsn 2 days

Replying to @sarnowski 🎙

It looks like this makes Fathom Analytics the only provider for website analytics that you can use if you don't want to maintain a locally hosted version of an open source product, which blows my mind. A small company is the only service that is able to comply with the rules while huge ones simply fail.

I assume that this regulation is also coming to other services soon and analytics isn't the only service that needs to be replaced when a business is in the EU and can't ignore these rules without risking fines. The team at Fathom wrote about alternatives for lots of services here: https://usefathom.com/blog/degoogle




site design / logo © 2022 Box Piper