by kmitz 1422 days ago
Speaking of adapting the product, the article explicitly states: "Is it possible to set the Google Analytics tool so that personal data is not transferred outside the European Union?"

"No."

So right now it is practically impossible to use Google Analytics in a legal way in France.


It's a very common misunderstanding (which is happily spread by US cloud providers) that it matters where the data is stored.

What matters is that the data is stored by - and accessible to - a company which submits to the US laws.

Equally it's a sorry indictment of our economic times that the meaning of unlawful has been hammered into an understanding that non prohibition is permission. This aggressive and putative new use is refuted by every founding principle of the common law in Anglo Saxon countries and most of the western world. See the argument of letter vs. spirit for an effect.

Ed. cleared up phrasing around new use, replaced meaning with use for .. meaning.

> This aggressive and putative new use is refuted by every founding principle of the common law in Anglo Saxon countries

Which founding principles, exactly? Your comment seems to imply you think we should live in a world where we are only allowed to pick our actions from an enumerated list of approved actions. That world is extremely contrary to the kind of world I would like to live in, but also seems to contradict most of what I know about the history of the western world. Is that really what you mean?

> Is that really what you mean?

I'm fairly certain that's not what OP meant, no.

What OP is getting at is that the common law tradition isn't to explicitly spell out all the nuances of when that action is actually disallowed, but rather to set out the general principles, and let case law define the precise limits of that boundary. In contrast, the civil law tradition is very much based on statutory law explicitly setting the boundaries, and case law serving only to disambiguate.

The "aggressive and putative new use" they're referring to is basically taking common law's fuzzy boundaries and pushing a civil law interpretation on top where all the grey areas are assumed to be allowed.

That was a very clear explanation, thank you!

> non prohibition is permission

That is exactly how things work. Unless the government goes through the effort of passing a law to prohibit something (and getting approval of the people's elected representatives, and the courts), then the thing is legal. How else do you propose things should work?

Those "pushing the boundaries" always end up using a similar logic. However, there's always going to be a large segment of society whose rules are based around non-financially oriented methodologies, such as: "morals", or directly from spiritual texts which disallow certain practices, or historical "customs". Such things are not "illegal" per se, but it's largely held as being reprehensible by a large number of people nevertheless & causes a large amount of friction within society.

Then there's the issue of marketing/propaganda (which the parent mentions as "hammered") whose sole purpose is to change people's minds in an emotional way. I wish people would learn about Edward Bernays, nephew of Freud, who instituted this. In and of itself, propaganda has never been illegal, but no one likes to admit to being emotionally manipulated. (But when you begin to pay attention to your emotions, you can spot this stuff from a mile away).

I think what you are addressing is social convention and social norms, which are enforced by social sanctions only. However, while these are soft norms, laws are hard norms and enforced by the legal system, which is an important difference. Therefore (however we may feel about this) something may be intuitively and morally wrong, but still perfectly legal. Still, this may be subject to social action, which may be what you are aiming at. This is what civil society is about.

Not sure what the stance being argued is. Should we require companies to run morality polls and submit to a pre-rollout court to determine the legality of new products that push the limits of human innovation?

Also, it's important to note that humans are actually quite bad at this sort of judgement. I'm sure if you showed everyone in Germany in 1980 a computer, and how it can instantly store and retrieve files and documents, and asked them 'is this moral?' they would be against it on the grounds that it would put hundreds of office workers out of a job.

Great. Now what's your policy proposal?

That's not exactly how things work, though. Laws aren't deterministic like a computer program. They can be drafted broadly, poorly, incompletely, or simply not take into account things that didn't exist when the law was written.

It's the job of the judiciary to interpret the laws in these situations, and part of that is looking at the spirit of the law and creating case law which may alter the powers of government.

This is very much part of the Western tradition of common law, as is a vigorous discussion over how far the judiciary should be able to go. It's fair to say popular sentiment has drifted in a libertine direction over the last 50 years, but the debate is far from settled.

(In fact we can speculate with some reliability about what the future may hold: via one mechanism or another, including the judiciary, governments usually trend more libertine in times of peace and more authoritarian in times of crisis.)

I don’t think you can equate common law and Western tradition. Large parts of what I would call The Western world has the civil law system.

Yes, you're right - just meant to say that common law is one of the major Western legal traditions, and worded it awkwardly

> They can be drafted broadly, poorly, incompletely, or simply not take into account things that didn't exist when the law was written.

Computer programs suffer all of this as well :)

common law is very much the minority of western law traditions

That’s definitely not how French law works. What is not proscribed is permitted.

Why then are things like AWS, Azure, Google Cloud, … legal? Are they? I assume Amazon can access data stored in any of their servers, right?

> I assume Amazon can access data stored in any of their servers, right?

If you encrypt the data with your own key, they should not be able to access it.

Only if you encrypt before upload and decrypt after download, which renders almost all AWS/Azure/GCP services completely useless.

In-transit encryption protects you against this attack scenario specifically (if you own the keys obviously).

How so? Amazon, Google and Microsoft need access to your unencrypted data in order to provide most of their services (such as databases, analytics, machine learning). There's not much they can do with encrypted data. They can store it. They can pass it through. That's it.

This problem has to be solved on a political level. There is no technical fix and the legal workarounds appear to be exhausted.

Wouldn't Amazon still have access to metadata, e.g. connection info, IP addresses, etc?

Yes, that's absolutely right, and in fact about that I don't really know how the GDPR applies, and it's an interesting question to ask.

IP addresses (for connection setup) are personal data: https://ec.europa.eu/info/law/law-topic/data-protection/refo...

You can process IP addresses without consent only if it is technically necessary: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... (paragraph b)

But you always (!) need consent to transfer personal data to a non GDPR compliant entity: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... (paragraph f)

It depends how much credence you put in the standard contractual clauses (SCC) added by these companies after the privacy shield was ruled invalid by the EU.

The idea with the SCC is that instead of all data transfers being covered by a single adequacy decision, each company adds SCCs to its contracts with customers promising that data of EU citizens will be handled in a way that's compliant with GDPR.

Reading this piece from CNIL, I can't see how a US company is going to be able to use SCCs to protect EU citizens from data access by the US government. Non US citizens typically don't have a lot of rights in the eyes of the US gov and they've traditionally been pretty happy to rifle through the data of those people at will.

ed: the point by another commenter about using your own encryption key is a good one. However, the view of CNIL essentially seems to be that transferring any data to the US is risky so to me it feels like you'd be swimming against the tide.

They are probably not legal, either, yes.

In what sense does it matter?

Corporations such as Google have legal and financial centers all over the world and these will be structured towards providing the best circumstances for the corporation (tax, legal).

On the other hand, don't all these corporations have data centers all over, that replicate data to provide a better service? Which is to say that pretty much most data is available to all legal jurisdictions. At least as I understand it..

I don’t think it has been tested in court. It’s akin to a U.S. Court issuing a search warrant on a house in Paris.

Yes, it has been tested: https://amp.theguardian.com/technology/2015/sep/09/microsoft...

And that’s exactly what it would be like, though the house in Paris would be owned by a company that has a legal entity in the United States.

Which is exactly what happened and is causing this mess.

https://en.wikipedia.org/wiki/CLOUD_Act

No problem at all with GDPR and third countries. They simply need to have a regulatory framework making compliance possible.

https://www.imy.se/en/organisations/data-protection/this-app...

The problem is that frameworks we have with the US keep being shot down by the EU judiciary. First Safe Harbor and now Privacy Shield. For good reason I might add.

You should be able to put the GA loading script behind your cookie banner -- never even load the script until the user allows third party cookies.

Is there an issue with this technique? I've not managed to poke holes in it yet but have at it.
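
An added example of the consent-gated loading the comment above describes (not code from the commenter, from Google, or from any consent-banner product). The tag URL, storage key and button ids are placeholders; the gate logic takes its dependencies as arguments so it runs in Node as well as a browser.

```javascript
// Added example for this thread, not code from any commenter or from Google:
// load the analytics tag only after the visitor opts in. Nothing is requested
// from the third party before that, so no IP address reaches it. The DOM
// wiring at the bottom only executes when a `document` exists.

// Placeholder script URL (assumed); substitute the real tag URL in a deployment.
const ANALYTICS_SRC = "https://analytics.example.invalid/tag.js";

// First-party storage key for the remembered decision (assumed name).
const CONSENT_KEY = "consent.analytics";

// Only the exact string "granted" counts. A missing, stale or tampered value
// fails closed: no consent, no request.
function parseStoredConsent(value) {
  return value === "granted";
}

// `loadScript(src)` performs the actual injection; `storage` follows the
// localStorage shape (getItem / setItem / removeItem).
function createConsentGate({ loadScript, storage }) {
  let loaded = false;

  // Inject the tag at most once, and only if consent is on record.
  function maybeLoad() {
    if (loaded) return false;
    if (!parseStoredConsent(storage.getItem(CONSENT_KEY))) return false;
    loadScript(ANALYTICS_SRC);
    loaded = true;
    return true;
  }

  return {
    hasConsent: () => parseStoredConsent(storage.getItem(CONSENT_KEY)),
    // Banner "accept": remember the choice, then load. Returns true on the
    // call that actually injected the script.
    grant() {
      storage.setItem(CONSENT_KEY, "granted");
      return maybeLoad();
    },
    // Banner "reject" or later withdrawal. A script that already ran cannot
    // be unloaded, so the caller should reload the page when this returns true.
    revoke() {
      storage.removeItem(CONSENT_KEY);
      return loaded;
    },
    // On page load: honour a decision remembered from an earlier visit.
    init: maybeLoad,
    isLoaded: () => loaded,
  };
}

// In-memory storage with the localStorage shape, for tests and non-browser use.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Browser wiring (assumed element ids "consent-accept" / "consent-reject").
if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  const gate = createConsentGate({
    loadScript(src) {
      const s = document.createElement("script");
      s.async = true;
      s.src = src;
      document.head.appendChild(s);
    },
    storage: localStorage,
  });
  gate.init();
  const accept = document.getElementById("consent-accept");
  const reject = document.getElementById("consent-reject");
  if (accept) accept.addEventListener("click", () => gate.grant());
  if (reject) reject.addEventListener("click", () => gate.revoke());
}
```

Two details carry the weight: the decision is stored first-party, so checking it never contacts the third party, and the check fails closed on any value other than an explicit grant. The remaining gap is withdrawal: a tag that has already executed keeps running until the page is reloaded, which the caller has to handle.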

What personal data does GA collect?

IP addresses for starters, which are considered personal data under the GDPR.

Keep in mind that the mere transfer of the IP address (which is inherent in a TCP connection and cannot be avoided in the default setup without proxying it yourself) is enough, regardless of whether Google will actually store said IP or anonymize it (not that you should trust them in any case).

IP addresses by themselves are not personal data.

They can be used to track and identify users, so they are personal data.

My IP address hasn't changed in some time, so if someone was to connect various sources of information, he would be able to identify me personally.

They can be used to track and identify users by the police. Not by third parties, because ISPs won't give out identifying information to those.

That something could potentially be correlated across time and space to link different facts about you, does not or should not make those things personally identifying. Otherwise there's a lot of obvious problems e.g. if you were in the habit of wearing unusually distinctive clothing, or had an interesting bumper sticker on your car, etc, then all those things would become "personally identifying" even if nobody who saw them had any idea who you are. There are also deep moral limits to how blind you can insist other people become.

> That something could potentially be correlated across time and space to link different facts about you, does not or should not make those things personally identifying.

I think the rules usually are, though, that when those correlating things are put together into one system, the combination of those things is in sum personally identifying. That can actually happen very quickly and in non-obvious ways. You might add something inconspicuous and suddenly that makes users unique and allows mapping, in any theoretical way, to real identities.

I think one also has to consider publicly available information sources. Just to make a silly example:

If there was some public register of favorite foods of people, and you asked your users about favorite foods, which you store in your database. Ooops, it is personally identifying, because anyone with that data in hand could map it to identities using publicly available data.

However, I am not so sure that the publicly available data is considered for judging whether something is personally identifying information.

It's easy, I will quote myself:

> Connect my login into my personal Google account with the same IP address over and over to all the script calls on other Google services.

That's it. That IP address is _pretty sure_ me and not somebody else and therefore a personal information.

> Not by third parties, because ISPs won't give out identifying information to those.

lol

How so? Your almost fixed IP address does not leak your real identity, at most it leaks your ISP.

You're making the argument that it's not PII, which has no bearing on if it's personal data.

> How so?

Connect my login into my personal Google account with the same IP address over and over to all the script calls on other Google services.

It's pretty easy to connect the dots once you have a far enough reach.

They are according to the GDPR and that’s all that matters when it comes to the issue discussed here.

Have you read the second paragraph of my reply?

The article also makes it pretty clear that it would be illegal (in the US) for Google to offer a version that is legal in the EU, barring some major technological and algorithmic breakthrough, or changes to the law.