Austrian DSB: EU-US Data Transfers to Google Analytics Illegal

254 点作者 sarnowski超过 3 年前

17 条评论

ckastner超过 3 年前

Max Schrems is just incredible. Just look at his Wikipedia page [1] and see how many EU-US data transfers he's challenged successfully.[1] <a href="https://en.wikipedia.org/wiki/Max_Schrems" rel="nofollow">https://en.wikipedia.org/wiki/Max_Schrems</a>At this point, I wonder why the EU doesn't consult him personally prior to enacting some law. It's not as if they don't consult with others as well.

评论 #29919386 未加载

评论 #29919187 未加载

评论 #29919647 未加载

boshomi超过 3 年前

»Max Schrems: "In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator - not to anyone in Europe."«That's the point: we need real data protection in US law for non-US citizens as well. Currently, US lawmakers treat EU citizens' data as US state property. Obviously, that's unfair.

评论 #29920289 未加载

评论 #29920557 未加载

评论 #29922179 未加载

评论 #29923175 未加载

评论 #29920559 未加载

usr1106超过 3 年前

The deeper background is of course Google's business model of data and privacy prostitution: Users give their private life to Google and they get web search, email, and videos back.In a more reasonable world users would pay money for the services they want to use.Of course it needs to be noted that most users don't even understand that they are selling themselves. And of the few who do most still think it's better than paying money.This ruling, should Google comply in the end, will not change anything. Google will store the data in the EU and that's it. I don't think they share user data with the advertiser when they show an ad. So they could still show ads of US companies. And that's a niche business only anyway because when Europeans do business with Amazon, Disney, and the like they deal with the respective European subsidiaries already.

评论 #29920238 未加载

评论 #29933304 未加载

评论 #29922435 未加载

评论 #29928236 未加载

sebsebsn超过 3 年前

It looks like this makes Fathom Analytics the only provider for website analytics that you can use if you don't want to maintain a locally hosted version if an open source product – which blows my mind. A small company is the only service that is able to comply with the rules while huge ones simply fail.I assume that this regulation is also coming to other services soon and analytics isn't the only service that needs to be replaced when a business is in the EU and can't ignore these rules without risking fines. The team at Fathom wrote about alternatives for lots of services here: <a href="https://usefathom.com/blog/degoogle" rel="nofollow">https://usefathom.com/blog/degoogle</a>

评论 #29921076 未加载

评论 #29921411 未加载

YetAnotherNick超过 3 年前

I really don't understand why countries are so persistent about storing data in their country. It's not like the enforcers could walk into the datacenter and plug in the usb drive and get the data. And it's even hard to see what all constitutes user data. Does logging constitute user data. Does that mean that to get logs for the error the developer need to travel to every country and remember the log messages in his head.And companies could easily copy their data in a click if they need to. A much saner approach should be limiting what the company is allowed to do with the data.

评论 #29920150 未加载

评论 #29920509 未加载

评论 #29920999 未加载

评论 #29920119 未加载

评论 #29920287 未加载

评论 #29920630 未加载

评论 #29920069 未加载

timgl超过 3 年前

Relevant thread on open source alternatives to Google Analytics from earlier today: <a href="https://news.ycombinator.com/item?id=29888599" rel="nofollow">https://news.ycombinator.com/item?id=29888599</a>

评论 #29919693 未加载

phoronixrly超过 3 年前

The key points in the article for me:> Max Schrems, honorary chair of noyb.eu: "Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options."> In the long run, there seem to be two options: Either the US adapts baseline protections for foreigners to support their tech industry, or US providers will have to host foreign data outside of the United States.> No penalty (yet). The decision is not dealing with a potential penalty, as this is seen as a "public" enforcement procedure, where the complainant is not heard. There is no information if a penalty was issued or if the DSB is planning to also issue a penalty.We need more trials related to GDPR breaches. While having the legislation is a huge achievement, it needs to be backed with enforcement.If there is no enforcement, a third long-term solution arises -- just ignoring the law until you manage to get the necessary amendments to it in order to keep operating as before without fear of penalty.

评论 #29919398 未加载

评论 #29919586 未加载

评论 #29919577 未加载

davidgerard超过 3 年前

Nothing about GDPR is hard ... unless your business model is to abuse your customers' personal data. Then it might be hard.I routinely see the loudest complainers about the onerous nature of GDPR compliance suddenly get vague or stop posting when you ask for details of precisely what bit is so hard for them in particular. Note lack of those details in this present discussion, for example.So far, it seems a safe assumption that the excuse makers are abusing personal data, and they know they're abusing personal data.Perhaps one day a clear exception will show up.I wrote up a thing here a few years ago with my actual on the ground experience of getting us compliant: <a href="https://reddragdiva.dreamwidth.org/606812.html" rel="nofollow">https://reddragdiva.dreamwidth.org/606812.html</a>tl;dr anything that might vaguely constitute personal data, down to Apache logs, must either be in a writable database for redactability, or deleted.Since then, our legal team - who are not your legal team! - has advised:* 30 days for operational purposes is fine actually.* Go feral on anything over 30 days. You need a named person responsible for GDPR redactions.* If you want to do analytics on those Apache logs, do them quickly and into a form that doesn't contain personal data.I'm in the UK, which is no longer in the EU, but the GDPR laws still hold here.

评论 #29920412 未加载

评论 #29920349 未加载

评论 #29924161 未加载

评论 #29920348 未加载

fideloper超过 3 年前

To my knowledge, Fathom Analytics is the only analytics app that has bothered to hire actual lawyers and navigate EU isolation.They wrote about it here: <a href="https://usefathom.com/features/eu-isolation" rel="nofollow">https://usefathom.com/features/eu-isolation</a>

snowwolf超过 3 年前

Has Google Analytics now adopted the latest European Commission approved SCCs (<a href="https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en" rel="nofollow">https://ec.europa.eu/info/law/law-topic/data-protection/inte...</a>) and does that mean using GA with those SCC's is now compliant going forwards. Or does this cases verdict that "SCCs and "TOMs" not enough" now mean those EC approved SCCs are now useless?

评论 #29921364 未加载

pieter_mj超过 3 年前

Great victory. I bet firebase crashlytics is illegal as well in EU.The reason I uninstalled the hacker news app 'Materialistic' is because it regularly crashed and was probably unvoluntarily siphoning off pii data through the crashlytics module.

评论 #29998428 未加载

etothepii超过 3 年前

In other news, king orders tide out.

jbrooksuk超过 3 年前

And that's why, as a responsible developer, I exclusively use Fathom for my own projects. As far as I know, they are the only analytics company who are correctly following the law here AND they always try to do more.They completely isolate EU analytics from their US databases, which you can read more about at <a href="https://usefathom.com/features/eu-isolation" rel="nofollow">https://usefathom.com/features/eu-isolation</a>Aside from this, unlike other startup analytic solutions, they've actually spoken to lawyers to read through the fine lines of the law and ensure their solution is legal. Go get it!

评论 #29921046 未加载

aspenmayer超过 3 年前

This is due to GDPR. Amazing ruling for privacy for all of EU.Detailed analysis:<a href="https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2021-0.586.257_(D155.027)" rel="nofollow">https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2021-0.58...</a>

评论 #29919154 未加载

ur-whale超过 3 年前

The EU regulating itself out from the market.Not for the first time, mind you.

评论 #29920174 未加载

rehamelbasha超过 3 年前

There are alternatives like snowplow.My former company and current one decided to move out from GA to snowplow as you have much more control on your data and do not so much depend on Google to be gdpr compliant.

评论 #29919335 未加载

tjansen超过 3 年前

That stuff scares me. More than US government surveillance could ever scare me. The most likely outcome is that smaller companies just don't do business in the EU. At least before they are large enough to deal with GDPR.I am located in Germany, but if I would start a SAAS site today, I wouldn't try to sell to the EU. Just isn't worth the trouble.Over time, many people in the EU will start using VPNs to get access to the latest web sites without GDPR restrictions. Even today I have to use a VPN to access some websites (mostly news sites), but I suspect it will be much worse if noyb succeeds.

评论 #29920346 未加载

评论 #29920013 未加载

评论 #29919771 未加载

评论 #29920011 未加载

评论 #29923406 未加载

评论 #29919649 未加载

评论 #29919707 未加载

评论 #29919718 未加载