by corywatilo 1460 days ago
Italy is the 4th in a string of recent decisions across the EU.

(We're tracking these cases on isgoogleanalyticsillegal.com along with details for each.)

Note that it's not illegal to use GA entirely, just illegal to use in its default state which transmits PII to the US.

9 comments

That is an extremely important nuance which is not obvious from the title.
Most of the people using GA wouldn't be able to set it up correctly. I switched my personal site from GA to Microanalytics, since I wanted to avoid spending time trying to figure out how to configure GA to be conformant.

Google should be the one doing the compliance work. If Italy bans some usage pattern in GA, it's Google that should make it impossible to configure it in non-conformant way.

I agree 100% with your second paragraph. I also hope they introduce massive "percent of revenue" fines when Google "forgets" to ban illegal activity on their (near-monopoly) advertising platform. Massive fines have genuinely changed the behaviour of sales & trading at global investment banks. We can do the same for FAANG and friends.
It's not that bad: https://support.google.com/analytics/answer/6366371?hl=en#zi...

The most difficult aspect is dealing with URLs. But a company that is large enough to be customizing URLs per user, is large enough to make a few JS changes to ensure they aren't sending those details to GA.

Some time ago Google gave EU admins the option to select a local regional (EU) server. This means the data is not sent to the US. But! It's still not fully legal as the Google HQ (and thus the US government) can still access all the data.
If anyone is curious about why that gives the govt. access:

https://en.wikipedia.org/wiki/CLOUD_Act

(God willing they repeal it, even if only for the international commerce implications...)

This will never be repealed. It was introduced to effectively enshrine a right US authorities have had since the PATRIOT Act was introduced 17 years prior, since that act had become politically contentious and was left to expire.

If anybody seriously thinks US authorities will quietly lose a key power after enjoying it for 21 years, I have a few bridges ready to be sold.

No one said "quietly" -- but there has to be some threshold of backlash that would knock it back. My guess is that European privacy law could combine with it to do enough impact to large American businesses that they'd use their political weight to do something, whether or not it were to improve matters from the perspective of privacy/sovereignty.
Something I'm not getting here. If you buy an EU-engineered IoT home appliance that has PII, including whether a user is presently inside their home, then every company I know operating in this market uses US-based clouds (what other options are there LOL) to do things like digital twins or device shadows, but by using a local availability zone.

So this is very different than GA, but depending on the threat-model can be worse. Also very similar metrics can be gathered from the data as from a GA cookie (are they eating, cooking, showering, watching TV).

The CLOUD Act would (or should) in this case also apply here, or what am I missing?

You're not missing anything. A lot of companies just have no idea of the legal landscape, or simply ignore it in the name of convenience. That's because consumers are even more ignorant of their rights around technology and don't sue them. It will take a lot of civil litigation for this to change.
I am only aware of Hetzner (German). The other day I was checking out their offerings and I was amazed at how easy it is to order a VM. And then it is live the next second. It is amazing.

Obviously they don’t have full range of services the big three have. But maybe just enough anyway.

They routinely refuse new accounts if something looks fishy (to them). They don't provide extra information or even accept payment in advance.
The watchdogs are extremely slow and have a huge backlog. You’re right that storing that data in the US or without transferring ownership to an EU subsidiary would not be legal.
> what other options are there LOL

This blog post lists a few:

https://news.ycombinator.com/item?id=27393854

Also, even if no options were available, it's not like the law would care - the illegality of it has been advertised for years...

(what other options are there LOL)

It is a hot topic; here are a few: IONOS - https://cloud.ionos.com/ ; Open Telekom Cloud - https://open-telekom-cloud.com/en

But if you want to do scale in Europe you have to go for OVH: https://www.ovhcloud.com/en/

> every company I know operating in this market uses US based clouds (what other options are there LOL)

Alibaba has a sizeable cloud offering and has for years.

Presumably the Five Eyes alliance could also mean that servers in Australia, Canada, New Zealand, and the UK may also be unusable since they share intelligence information with the US.
> (God willing they repeal it, even if only for the international commerce implications...)

It's hard to express how impossible this is. It is very very strongly in the state's interest to keep powers like this. We're more likely to get communism...

This then comes down to whether you think the US govt. these past few decades is better at self-perpetuating power or toadying up to the demands of capital. Cynicism vs. cynicism!
Why is that not fully legal? Wouldn't the same law prevent Google USA from querying PII data from Google Italia?
If Google US can access the data, that means the US government by extension can also. This is exactly what GDPR doesn’t want happening. More details in this open letter by Max Schrems “ the Court has clearly held that US surveillance laws and practices violate Article 7, 8 and 47 of the Charter of Fundamental Rights” https://noyb.eu/en/open-letter-future-eu-us-data-transfers
Italian laws do not apply to Google USA.
The Italian market doesn’t have to apply to Google USA either.

Companies can always choose to ignore a specific nation's laws[1]; they just don't get access to that nation's markets. At the borders the nation state is the one with the guns and firewalls.

[1] unless you piss off a nation that can project global power, lol if you piss off China or America

First time I've heard of China projecting "global power". Are there cases of it happening?
https://www.scmp.com/news/china/article/1714248/more-chinese....

Chinese and American police forces both operate abroad and like to flex their power. The NYPD was in a similar situation post 9/11 when they started trying to police nearby states and when they sent operatives to other countries even against their own federal government [1].

Russia has also sent operatives overseas in some fairly public assassinations. It's not really surprising that China does this; it appears to be the default operating procedure of powerful countries.

[1] http://america.aljazeera.com/watch/shows/the-stream/the-stre...

All over Africa, in a more geopolitical sense. Also along the new Silk Road all the way to Europe. Just to name two.
Apple complying with Chinese laws, and providing Chinese government access to private data.

Google, Facebook etc. being blocked in China.

etc.

Oh yes they do. GA is part of a company that also sells services in Italy. They should follow the law if they want to keep earning that non-US Adwords money that allows GA to remain free.
Not generally, but they do apply to Google Italia, who would not legally be allowed to respond to requests from Google USA for European PII.
Yes, the Italian law that prohibits sending data abroad applies to Google Italia, but Google USA is subject to US law, which says that the US government can request any data from Google Italia and they are required to get it.

So the existence of Google USA makes Google Italia operation illegal.

...in USA.
But someone will have to foot the bill when their branch in Italy is fined by the government for violating Italian law
Like Adobe, who uses tracking servers in the EU, but Data Processing happens in the US?
The article has the watchdog suggesting exactly that (the specific site has 90 days to use GA in a compliant way, no direct complaint against GA), so it seems from their point of view it's legal.

The title of this post and a lot of the comments are projecting what they want GDPR to be (all non european online entities banned from doing business in the EU) vs how its being enforced.

On the last point: how does that work with cloud computing providers, as all the big ones are US-based?
Isn't it already against Google Analytics' policy to put PII in the platform to begin with?

https://support.google.com/analytics/answer/6366371?hl=en#zi...

Gdpr uses a more expansive definition of personal data, and it includes the IP address and geolocation data, for example.
And to be clear Google Analytics has a setting to "anonymize" the IP address which deletes the last octet of the address and makes geolocation less accurate.

Then there's an argument that the IP address still reaches Google servers before it's deleted. But that's just splitting hairs at this point. If Google doesn't process the data with the IP address I see no harm.

IP addresses are not something that you can choose to not send at all. It's kind of required by the TCP/IP stack. If that were the case, users in the EU could not access any website in the USA.

The press release mentions that partial truncation is not considered good enough as Google has enough ancillary metadata to reverse it.
I guess the difference here is that I want to visit a website in the US, versus a tracking request that happens in the background.
The GDPR is a product of the Snowden-revealed pervasive surveillance done by US TLAs. Keeping the data in the EU vs sending it over to the US under assurances is a big hair.
Yeah, it uses the definition of personal data that includes information that isn't personal.
> just illegal to use in its default state which transmits PII to the US

As I mentioned in a sibling comment, this is technically true but complying with GDPR takes more than unchecking a few boxes. I've never seen any GA set-up that would remotely approach compliance. At minimum, you need to mask IPs before they reach Google, which means standing up a non-Google server to proxy all the hits. That is more complexity than 99+% of GA installations.

That’s a very common implementation of serverside GTM/GA in the EU. If you advertise, you’ll still be sending GCLIDs, though.
If only ad clicks send back tracking parameters (and nothing else) it might actually fall into legitimate interest.
The current issue isn't the lawful basis for the processing, as compliant companies already only use Google Analytics once they have consent. The issue is that without an adequacy decision from the EU to allow data transfers to the US, and with the global reach of US authorities thanks to the CLOUD Act, there's no way to keep personal data safe from US law enforcement.
My current understanding of Google Analytics and GDPR compliance is that you can use it in a GDPR-compliant manner without that much trouble. On the older UA there is a simple flag that enables IP anonymization, and on the new GA4 there is purportedly no need for it as they don't collect or store the IP at all.

For many clients I have set up a cookie compliance tool like Onetrust, which blocks loading of GA and other scripts with one of the consent popups. With this combined configuration (and having verified nothing sneaks through before someone gives consent) most company legal / compliance teams I have worked with have deemed this to be a fully compliant setup. Of course, this might not be actually compliant, but the company legal team has done some research and arrived at this as the most advantageous position currently available.

I think using a compliance-based tool like Onetrust also gives a sense of legal security in that, if our configuration is properly set up, they are advertising that we then get compliance as part of their service, and so responsibility for a violation could potentially be passed to them in a legal setting.

ref: https://support.google.com/analytics/answer/2763052?hl=en

I'm not so sure about your take on IP address anonymization. The source states:

    The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.
The Google documentation says:

    The IP-anonymization feature in Universal Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to Google Analytics.
IANAL but I'm pretty sure the IP anonymization setting is no longer an acceptable way of getting GDPR compliance. It may have been acceptable under Austrian or French rulings before, I don't know about those, but 90 days from now you'll have to explicitly require consent for _at least_ all Italian users.

As a side note, OneTrust has the worst of the worst cookie banners, to the point that I no longer even open websites that have that crap installed. It's also illegal by making it harder to reject tracking than to opt-in, there just haven't been any specific lawsuits about this party yet.

That Google documentation is for the IP anonymization feature of Universal Analytics, which is being sunset in about a year.

Google announced earlier this year that Google Analytics 4, its successor, does not log or store IP address at all.

I don’t know whether UA or GA4 service was the subject of the Italy case, but I would not be surprised if it was UA. Most sites have not switched over to GA4 yet.

> Google announced earlier this year that Google Analytics 4, its successor, does not log or store IP address at all.

So if I go to a website and it has me load code from Google's servers, it's still got to send my IP address to them. I'm not sure why we'd take them at their word that they won't keep that data around (I'd like to see that independently verified), but it'll be sent to the server logs if nothing else. What does not storing the IP address even mean? Do they hash it and store that instead? Do they do a quick lookup and just flag your dossier, logging the connection and when it happened, before dropping the IP info?

If people care about their privacy I think it's probably best not to send information to Google in the first place. There are alternatives to google analytics after all.

In a privacy-conscious implementation of GTM/GA, those scripts can be loaded from a first-party server controlled by the company, and Google will never see the user's IP address.

There is no real alternative to Google Analytics for most companies because of the Google Ads integration. If you advertise with Google, you need to send them conversion data, which means the GCLID. Without Google Ads, switching would be simple. Most enterprises already pay for other analytics tools.

> Google Analytics 4, its successor, does not log or store IP address at all.

The fact that it receives the IP address at all renders it illegal in Italy, and probably anywhere GDPR is in force. And IP address truncation doesn't get you anywhere; it's Google that does the truncating, so the whole address is actually sent to Google, by which time it has departed from GDPR jurisdiction.
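The two points made in this subthread (that UA's anonymization zeroes the last IPv4 octet or the last 80 IPv6 bits, and that this only helps if the masking happens on a server you control before the hit leaves GDPR jurisdiction) are easier to reason about with the masking written out. The block below is an added example, not code from the thread, from Google, or from PostHog. It assumes a hypothetical first-party collector endpoint that receives the browser's hit and forwards it upstream; the `uip` (IP override) and `aip` (anonymize IP) parameters are real Universal Analytics Measurement Protocol v1 parameters, the sample IPs are constructed from documentation ranges, and `COLLECT_URL` is the standard UA collect endpoint.

```python
import ipaddress
from urllib.parse import urlencode

# Standard Universal Analytics Measurement Protocol v1 endpoint (the UA
# feature being discussed is slated for sunset, per the thread).
COLLECT_URL = "https://www.google-analytics.com/collect"

# Constructed sample hits, as a hypothetical first-party collector would
# see them: the real client address plus the hit parameters.
SAMPLE_HITS = [
    {"client_ip": "203.0.113.57",
     "params": {"v": "1", "tid": "UA-PLACEHOLDER-1", "cid": "555",
                "t": "pageview", "dp": "/pricing"}},
    {"client_ip": "2001:db8:85a3:8d3:1319:8a2e:370:7348",
     "params": {"v": "1", "tid": "UA-PLACEHOLDER-1", "cid": "556",
                "t": "pageview", "dp": "/docs"}},
]


def anonymize_ip(addr: str) -> str:
    """Apply the masking the Google documentation describes, but locally.

    IPv4: keep the first 24 bits, zero the last octet.
    IPv6: keep the first 48 bits, zero the last 80 bits.
    Raises ValueError on anything that is not a valid IP literal.
    """
    ip = ipaddress.ip_address(addr)
    total_bits = 32 if ip.version == 4 else 128
    keep_bits = 24 if ip.version == 4 else 48
    mask = ((1 << keep_bits) - 1) << (total_bits - keep_bits)
    return str(ipaddress.ip_address(int(ip) & mask))


def is_anonymized(addr: str) -> bool:
    """True if the address already has its low bits zeroed (idempotence check)."""
    return anonymize_ip(addr) == addr


def build_forwarded_hit(client_ip: str, params: dict) -> tuple[str, str]:
    """Return (url, body) for the request the first-party proxy would send.

    The upstream TCP connection originates from the proxy, so Google sees
    the proxy's address as the peer, never the visitor's. The only visitor
    address in the payload is the already-masked `uip` override; `aip=1`
    additionally asks UA to treat the value as anonymized.
    """
    out = dict(params)           # never mutate the caller's parameters
    out["uip"] = anonymize_ip(client_ip)
    out["aip"] = "1"
    return COLLECT_URL, urlencode(out)


def leaks_full_ip(client_ip: str, body: str) -> bool:
    """Defensive check: does the forwarded body still contain the raw address?"""
    return client_ip in body or urlencode({"x": client_ip})[2:] in body


if __name__ == "__main__":
    for hit in SAMPLE_HITS:
        url, body = build_forwarded_hit(hit["client_ip"], hit["params"])
        print(f"{hit['client_ip']} -> {anonymize_ip(hit['client_ip'])}")
        print(f"  POST {url}\n  {body}")
        assert not leaks_full_ip(hit["client_ip"], body)
```

Masking on the proxy is what changes the legal picture in the commenters' framing: the full address never becomes the source of a packet to Google and never appears in the payload. Note what the block does not address: GCLIDs and other identifiers still in `params` are forwarded unchanged, which is the separate problem raised elsewhere in the thread.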

> For many clients I have set up a cookie compliance tool like Onetrust

Every time I've seen a cookie popup from Onetrust, it was obviously illegal because "Reject all" was not the easiest option. It's fine if "Accept all" is as easy as "Reject all", but nothing is allowed to be easier than "Reject all". Have they fixed that yet?

This is actually a setting within OneTrust which has a terrible default. We (had to) use OneTrust on eurovision.tv, but configured it ourselves to have three equally styled options.
I'd love to see this result in a company-ending lawsuit against OneTrust.
Is it illegal to use my website from Italy? I store PII (and everything else) in the US.
No. It's illegal for you to operate in the EU.
What does that mean? Europeans use my website.
It's your responsibility to not export PII of Europeans to America, and/or to stop them from accessing your content.
My website does not care where you live.

What exactly will happen to me if I do not block Europeans from using my website?

If you are breaking European law, you can't operate in Europe? What is so hard to understand about this? Amend your code to not send PII of Europeans outside Europe, or pussy out and give a "451 Unavailable For Legal Reasons".
I understand that this is primarily an advertisement for Posthog, but if you're going to keep posting it you might want to keep it up to date. There are only 4 countries on your map and one of them is:

> The Dutch Data Protection Authority warns that the use of Google Analytics 'may soon no longer be allowed', after a ruling by the Austrian privacy regulator. A definitive conclusion is said to come at the beginning of 2022.

At least you removed "the only open source product analytics platform" and the Google fonts since the last time a Posthog employee posted it https://news.ycombinator.com/item?id=29994183

Here are the URLs for those who disable Javascript (from https://github.com/PostHog/isgoogleanalyticsillegal.com)

https://gdprhub.eu/index.php?title=DSB_(Austria_-_2021-0.586...

https://www.cnil.fr/en/use-google-analytics-and-data-transfe...

https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/d...

https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...

NOYB is the primary source tracking these cases and generally was also responsible for filing the complaints that led to them. All the details are available from NOYB's GDPRhub wiki, https://gdprhub.eu. GDPRhub attempts to provide information on all the European DPAs including how to file complaints. At the least it provides contact info for all the DPAs and English translations of DPA decisions.

As stated in 13 Jan 2022 announcement on noyb.eu, these decisions are generally the result of the "Max Schrems II" decision. After that decision, Schrems filed 101 complaints to DPAs, and now the chickens are coming home to roost.

Note that the "legality" of Google Fonts, under the default configuration, is also in question. Arguably use of Google Fonts is even more widespread than use of Google Analytics.

Forget anonymized GA, I wonder what regulators would say to the likes of Hotjar, which even records your screen and can be played back.
They aren't Google, so the anti-"American Big Tech" energy isn't as strong.
yeah, like 'swimming pools only bear a danger of drowning when wet'.
That analogy makes no sense at all.
Empty pools are probably more dangerous.
I hear they attract skaters.
Those pools don't have sharp drops and are rather safe I guess. I wonder if that is the reason some pools are built like that ...