Finland is the latest EU country to crack down on Google Analytics (simpleanalytics.com)
84 points by AdriaanvRossum on Feb 19, 2023 | 25 comments


Good for them! Citizens should be able to interact with government without being tracked.

I'm not against the idea that government uses analytics, or even outsources analytics operations, as long as there is enforceable regulation preventing that data from being used for other purposes and a reasonable amount of money is being exchanged. When you pay nothing, or next to nothing, it becomes obvious that the underlying business model is, at least partially, based on selling ads or personal information.


There's no enforceable regulation regarding what happens to data after it has disappeared in a black box. And paying money doesn't remove the underlying mechanism that made the "free" model viable in the first place. The incentive to use it on top of charging for the service is still there. (That's how you get microtransactions and pay-to-win in games that you've already paid for, for example.)


This is happening over concerns that the US government could require Google to hand over data, but the EU and the US are reasonable actors who realize that data sharing between the continents is necessary for free trade and are incentivized to come up with a solution. Doubtful this ends up mattering.

Case in point, the article acknowledges the new Trans-Atlantic Data Privacy Framework (https://cdp.cooley.com/european-commission-approves-trans-at...) signed in December which will (attempt to) cure the deficiencies under the current agreement. You should expect that the EU and the US will keep pumping these out until one of them sticks.

No one is going to ban Google Analytics, and the fact that this article was written by a competitor did not go unnoticed.


Isn't it already banned in these 5 countries, or is the ban not being followed? https://www.isgoogleanalyticsillegal.com


Privacy Shield was invalidated in 2020, which didn't make Google Analytics illegal but increased the burden of implementing it. If you aren't making use of more advanced features, you could be non-compliant. That site is, hilariously, also a product of a Google Analytics competitor.

The new Trans-Atlantic Data Privacy Framework replaces Privacy Shield and so for the moment out of the box Google Analytics is fine again. This is what I meant by my comment above. The US and the EU will find a way to make data sharing work, no matter how many agreements it takes.


“This new [framework] is very closely modelled on the old [framework], isn’t it?” That is, the CJEU says that people ought to be able to sue the host country regarding their privacy rights, the US says no way foreigners have privacy rights (that they can sue the US over, in something that is actually part of the judiciary), US and EU diplomats set up some sort of agreement and announce it loudly, privacy activists sue, half a dozen years pass, the CJEU says the agreement hasn’t actually fixed anything about the US system, rinse and repeat for the last two decades. This is starting to seem like a deliberate stall, honestly, and I’m not sure how it could be prevented.


It is already banned in Austria, France, Italy and recently Denmark and this is only rolling further.


> No one is going to ban Google Analytics. The fact that this article was written by a competitor did not go unnoticed.

It is already non-compliant with the GDPR according to EU data privacy regulators for precisely that reason after the Austrian data privacy regulator declared it illegal. I had customers scrambling to remove Google Analytics because they feared visitors/lawyers suing them for that GDPR violation. Also, fines up to 4% of the concern's worldwide sales volume might not be a joke to your company.

So yeah, technically nobody is going to ban Google Analytics, because they already did.


You should tell your clients that there are still compliant ways to integrate Google Analytics even assuming the new legal framework doesn't stick.

But the Trans-Atlantic Data Privacy Framework was signed in December, so the current GDPR rulings are a moot point since those were about Privacy Shield. Should take another few years to find out what the courts think of the latest agreement. Eventually one of them will work.


And NOYB is already preparing to take it down, like it did with the previous agreement.

https://noyb.eu/en/open-letter-future-eu-us-data-transfers

I just don't understand why you would dangle left and right with your businesses.

Why don't you just set up local analytics (there are a bunch of OSS alternatives) and get rid of Google Analytics?


Also I don't get it. People sometimes seem to be so obsessed with analytics that they forget to make their website. And then they replace doing the real work with decisions by numbers they get out of "Analytics".

And all that at the cost of the privacy of the customer. Often only for negative gain.


I doubt one of them will really work. The US and EU have a very different concept of privacy. Not just for government espionage (US citizens have good protection but everyone else is fair game) but also for commercial purposes. For us in the EU everything should be opt-in, a bit like Apple does on iOS but Google refuses to implement on Android.

It's really telling that the politicians have no recourse but to try the same thing over and over again instead of just coming up with a real solution. There probably isn't one.


Alternatively, you could also tell your clients about how costly that is, and which cheaper and more user-friendly alternatives exist.

Also, if you stop using analytics and do this right, you gain performance and visits and keep your site on the right track. But that's an art, not a product to sell, sorry.


What I tell my clients is that it is their responsibility to care about their customer's data and that I as a customer certainly feel better about brands that treat me well.


"No one is going to ban Google Analytics" -- no need to explicitly ban individual products, the rules are written down in GDPR


For anyone curious about viable alternatives, personally Matomo Analytics is good. You can anonymize IP addresses, go fully cookieless, but also use GeoIP if needed (at least for rough locations, depending on how much of the original address you choose to leave).

I've been using it for a few years, it also seems to be fairly easy to run and has most of the features that I'd expect: https://matomo.org/

For something simpler (less focus on page transitions, device and performance metrics etc.) I've also heard good things about Plausible Analytics, which advertises being cookieless and compliant with various legislation as well: https://plausible.io/


For anyone who needs a summary of what is happening in the EU [1]:

1. Since 2020, it's illegal to send personal data to the US because of the invalidation of the Privacy Shield [2]

2. Google said it was okay in the EU to use anonymized IP addresses

3. The Austrian Data Protection Authority (DSB) [3] ruled differently and waived most of the arguments raised by Google. The DSB ruled that even anonymized IP addresses are personal data.

4. The Data Protection Authority of The Netherlands followed by implying that the use of Google Analytics might be banned in the future [4]

5. In February 2022 The Data Protection Authority of France (CNIL) followed [5]

6. In June 2022 the Data Protection Authority of Italy (Garante) followed [6]

7. September 2022, Denmark – after already banning Google Workspace for municipalities [7] – considers Google Analytics unlawful as well [8]

8. Now, February 2023, Finland rules against the use of Google Analytics [9]

This is a sound decision, but – as others pointed out – not a new one. It's a confirmation of what has been ruled in July 2020, but now it seems to have more impact when it happens per country.

PS: I'm the founder of Simple Analytics [10] - the privacy-first analytics tool that, unlike other privacy tools, does not use any identifiers.

[1] https://www.simpleanalytics.com/blog/will-google-analytics-b...

[2] https://iapp.org/news/a/the-schrems-ii-decision-eu-us-data-t...

[3] https://www.data-protection-authority.gv.at/

[4] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/interne... (in Dutch)

[5] https://www.cnil.fr/en/use-google-analytics-and-data-transfe...

[6] https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/d...

[7] https://www.simpleanalytics.com/blog/denmark-bans-google-wor... (includes translated version)

[8] https://www.datatilsynet.dk/english/google-analytics/use-of-...

[9] https://www.simpleanalytics.com/blog/finland-is-latest-eu-co...

[10] https://www.simpleanalytics.com/


Privacy Shield died in 2020, but as of 2023 the US has a new agreement with the EU [0] with additional safeguards preventing the US government from accessing certain data.

This moots all the prior decisions based on Privacy Shield's demise.

[0] https://www.privacyshield.gov/article?id=EU-U-S-Privacy-Shie...


There is only a draft [0] which needs to be voted on by EU Member States in order to become effective. That might end up with a Schrems III ruling when it comes into effect.

[0] https://www.simpleanalytics.com/blog/how-to-move-forward-wit...


The EU and US signed an agreement-in-principle. The final ratification will happen as soon as ~March (but could realistically take until summer). The US already implemented their portion of the agreement.

No matter how many agreements it takes, the US and the EU will ensure that data transfer between the continents is possible. There's too much trade at risk otherwise.


I would not be that sure. They didn't get to an agreement since 2020. It's 2023 now. Still no agreement. To be fair: the US killed the previous pre-2020 agreement.


It took until 2022 to get an agreement-in-principle signed, but that's government for you. A two year turnaround on negotiation plus a year to get it implemented is honestly lightning speed all things considered.


However.

1. That has not yet been finalized and ratified.

2. It's only based on a presidential executive order, so it may become moot as soon as an insane president gets elected, as is tradition every 4-8 years in the US. So it's a very unstable ground to build a business on.

3. Most GDPR experts I've talked to think that the new agreement will almost certainly get torn up the moment it gets challenged in the EU courts.

4. NOYB (the pro-privacy organization whose actions led to the 2020 ruling) have already stated that they intend to challenge this new agreement.

So we might get a new agreement, but it will immediately get challenged in courts and probably be struck down within a few years, and even if it doesn't, it's one that can be unilaterally revoked with zero warning by whatever madman happens to get elected president.

So trying to minimize how much personal data you transfer to the US will still be a jolly good idea for the foreseeable future, at least until the US begins to respect basic human rights.


If it gets struck down, the EU and the US will just sign another agreement. That's not a hypothetical: we're already on v3. There's too much trade at risk for both economic zones if it is impossible to transfer data between continents.

Cynically, it takes the EU courts a few years to strike down every agreement. The EU and US governments can keep this game going indefinitely.


These agreements are unconstitutional. I surely hope that these do not go on indefinitely.



