A few days ago we talked about the mass email sent by Federico Leva and the controversy raised by his demonstrative initiative, which demanded the removal of Google Analytics from Italian sites, citing the specific directives of the Italian Privacy Guarantor and the relevant references to the European GDPR regulation, which in effect declared Google Analytics illegal.
We have since witnessed several online controversies on the main social networks involving well-known figures in the field of analytics (first of all Matteo Zambon, founder of Tag Manager Italy) as well as others with expertise in internet law, who have in one way or another advised implementing Google Analytics 4 (GA4), which guarantees better privacy and discretion and does not need to send the IP.
Let us make the basic concept and its implications regarding IP and Google Analytics clear once and for all.
The core of the problem revolves around the fact that the IP is personal data, and that the GDPR actually prohibits the sending of personal data to non-European servers.
Therefore, since the European Commission considers the IP to be personal data (in our opinion a gross error on its part), exporting it to non-European countries such as the USA, where the Google Analytics servers reside, is not allowed.
The IP is interpreted as personal data even if anonymized, i.e. with the last octet obscured: for example, 192.168.0.1 becomes 192.168.0.*, with * ranging from 0 to 255.
So the tendency is to reason that, by not sending the IP via Google Analytics 4, we can be GDPR compliant and safe from the problem.
Too bad, because anyone who knows networks knows that to establish communication at the TCP/IP level you must present your IP to the service you want to connect to and complete the famous three-way handshake, which establishes the communication channel through the exchange of random sequence numbers.
So even if Google Analytics 4 could do without sending the visitor's IP explicitly, Google would still be able to obtain it implicitly by reading the server variable REMOTE_ADDR, which is perfectly accessible regardless of the web server in use and the server-side programming language.
For example, speaking purely for academic purposes, this is what the PHP documentation says:
$_SERVER is an array containing information such as script headers, paths and locations. The entries in this array are created by the web server. There is no guarantee that any web server will provide any of these; servers may omit some or provide others not listed here. That said, a large number of these variables are considered in the CGI/1.1 specification, so you should be able to expect those.
'REMOTE_ADDR' : The IP address from which the user is viewing the current page.
In simple terms, it is useless for Google Analytics 4 not to send the visitor's IP address if the visitor's browser actually connects to the Google Analytics site to download the JS file.
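The point above, as an added example that is not code from the original article: a collector bound to loopback receives a constructed beacon that contains no IP field and still reads the client address from the TCP connection, the same value PHP exposes as REMOTE_ADDR; masking the last octet can only happen after that. The names Collector, mask_last_octet and run_demo and the /collect path are assumptions for illustration.

```python
import http.client
import ipaddress
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

seen = []  # what the collecting server learned from each request


def mask_last_octet(ip: str) -> str:
    """Obscure the last IPv4 octet by zeroing it: 192.168.0.1 -> 192.168.0.0."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)


class Collector(BaseHTTPRequestHandler):
    """Hypothetical analytics endpoint (illustration only)."""

    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        # The peer address comes from the accepted TCP socket, not from the payload.
        peer_ip = self.client_address[0]
        # Any masking is applied here, after the full address is already known.
        seen.append({"payload": body, "peer_ip": peer_ip,
                     "masked": mask_last_octet(peer_ip)})
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo() -> dict:
    server = HTTPServer(("127.0.0.1", 0), Collector)  # loopback, ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        # Constructed beacon: it deliberately carries no IP field.
        beacon = json.dumps({"event": "page_view", "page": "/home"}).encode()
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("POST", "/collect", body=beacon,
                     headers={"Content-Type": "application/json"})
        conn.getresponse().read()
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return seen[-1]


if __name__ == "__main__":
    print(run_demo())
```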
This alone is enough to undermine the good intentions of Google Analytics 4 and of those who recommend Google Analytics 4 as GDPR compliant.
But this is not the only problem: there is a much more serious and structural one.
Patriot ACT: why datacenters and branches in Europe are not enough.
In connection with the problem raised by Federico Leva regarding Google Analytics, many professionals (ourselves included, at first) thought that it was enough for a company like Google or Facebook to have European branches and European datacenters in which to confine European user data in order to be perfectly compliant with the requirements imposed by the GDPR.
However, although this interpretation is de facto correct, it inevitably clashes with the US Patriot ACT and all the obligations that it implies, directly or indirectly, even if only potentially and in purely theoretical terms.
What is the US Patriot ACT?
The USA PATRIOT Act (an acronym for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001) is a US federal law signed by US President George W. Bush on October 26, 2001. The acronym is believed to have been the work of Chris Cylke, a former staff member of the House Judiciary Committee.
The purpose of the USA PATRIOT Act is to deter and punish terrorist acts in the United States and around the world, to improve law enforcement investigative tools and other purposes, some of which include:
- Strengthen US measures to prevent, detect and prosecute international money laundering and terrorist financing;
- Subject foreign jurisdictions, foreign financial institutions and classes of international transactions or types of accounts that are susceptible to criminal abuse to special scrutiny;
- Require all appropriate members of the financial services industry to report potential money laundering;
- Strengthen measures to prevent the use of the US financial system for personal gain by corrupt foreign officials and facilitate the repatriation of stolen assets to the citizens of countries to whom such assets belong.
The law reinforces the power of US police and intelligence agencies, such as the CIA, FBI and NSA, with the aim of reducing the risk of terrorist attacks in the United States, thereby affecting the privacy of citizens.
Fourteen of the sixteen provisions of this law have been made permanent.
Among the other provisions approved by the vote, whose application was helped along by a series of amendments, are the possibility of wiretapping, access to personal information and the taking of fingerprints in libraries, which expired on 1 June 2015. The following day, their validity was approved until 2019. Two previously introduced bills (the USA Act and the Financial Anti-Terrorism Act) were also merged into the law.
The legislation deriving from the implementation of the USA Patriot Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) of October 26, 2001, extended until June 2015, makes it mandatory for US companies, as well as their subsidiaries around the world, American hosting providers or European hosting providers affiliated with US companies, to allow access to any personal data by US intelligence agencies.
It should be remembered that personal data means: “(...) Any information concerning an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more specific elements characteristic of his identity. To determine whether a person is identifiable, all means that can reasonably be used by the controller or others to identify that person should be considered. The processing of personal data means any operation or set of operations carried out on such data, regardless of the procedure used, in particular the collection, registration, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, cancellation and destruction of data even if not registered in a database. By personal data archive we mean any set of structured and stable personal data, accessible according to specific criteria. The person interested in the processing of personal data is the person to whom the data refers.”
And here is the glaring problem: the obligation applies to US companies as well as their subsidiaries around the world.
In short, if Google Europe answered to Google Inc. in the United States of America, the problem would be present and absolutely incompatible with the GDPR.
We talk about Google Analytics and Facebook, but the problem is much bigger and practically infinite.
It may seem normal that the public is dwelling on the issue raised regarding Google Analytics, as the Italian Guarantor has in fact issued a 90-day order to remove it from Italian sites, but it is also true that the problem of GDPR compliance and of exporting data from European soil is much vaster, and these days it is also touching Facebook, with Ireland having already spoken.
Once the problem exists, it exists for everyone: for Microsoft, for Google, for Facebook, for Netflix, for Amazon, for any US company that also has subsidiaries in Europe.
This means that Europe, with this absurd law, should in effect ban any non-European company from processing European data, and this is probably impossible, especially because Europe is not able to provide many of the services currently offered by US or other non-European companies.
The solution to the problem is not technical, but political.
Those who are racking their brains over technical virtuosity on how to remove or replace Google Analytics should apply the same rigor in not using Gmail, not using Hotmail, not using Yahoo, and in removing the online software that performs the most disparate functions, many of them professional and work-related.
There would also be the problem of error propagation: it would be enough, for example, for a company that defines itself as GDPR compliant to use Google Suite within its organization, perhaps for purely internal use, perhaps to manage its customer list in a spreadsheet, and the GDPR-compliant company in fact becomes a company no longer compliant with the European privacy regulation.
Europe should have ready substitutes worthy of and equal to many non-European software products, for example an advertising network such as Google AdSense, Google AdWords or FB Ads.
Doesn't it seem strange to you that the problem has focused only on Google Analytics? The truth was probably already in front of everyone's eyes, and everyone (including governments and privacy guarantors) was in fact well aware of the absurdity of the law and turned a blind eye, letting things be, which in fact seemed the wisest and most feasible solution.
Until some virtuoso of laws and regulations decided to invoke the GDPR and thereby begin using a senseless law, harmful to the European economy, for their own personal gain.
The Guarantor necessarily received the complaint, registered it, and had to express himself (perhaps in spite of himself) on the basis of the regulations currently in force, keeping in mind the hierarchy of sources, according to which Europe legislates and member states adopt within 90 days.
Even if, purely hypothetically, the Italian Privacy Guarantor had understood the absurdity of what is set out in the GDPR and had (I hope) in his heart wanted to avoid pronouncing Google Analytics illegal, it is also true that in the institutional role he holds he could not have done otherwise than apply the regulation as it now stands.
The fact that he has not sanctioned, but has kindly advised removing Analytics within 90 days, is a clue that there is a certain understanding on the part of the Guarantor, who in any case is formally called upon to express himself and does so in the only way he can, at least for now.
Privacy Shield reset as a solution to all problems.
It must be considered that Italy is part of Europe, but Italy is closer to the United States than other European countries, such as Ireland, can be.
There is no need to recall history, especially around the Second World War, and the reasons why we Italians, more than as Europeans, are more Atlanticist than other EU countries.
It would therefore be desirable to renew a cooperation pact with the United States of America, which until recently bore the name of the Privacy Shield, before its abolition due once again to an activist who decided to appeal.
What was the Privacy Shield?
The Privacy Shield, or the "privacy shield" between the EU and the US, is a self-certification mechanism for companies established in the USA wishing to receive personal data from the European Union. In particular, the companies undertake to respect the principles contained therein and to provide the interested parties (i.e. all subjects whose personal data have been transferred from the European Union) with adequate protection tools, on penalty of removal from the list of certified companies ("Privacy Shield List") by the US Department of Commerce and possible sanctions by the Federal Trade Commission. The European Commission has considered that the system offers an adequate level of protection for personal data transferred from a person in the EU to a company established in the United States and that, therefore, the Shield constitutes a source of legal guarantees with regard to the data transfers in question. The EU-US Privacy Shield has been in effect since 1 August 2016. The Shield is applicable to all categories of personal data transferred from the EU to the US, including commercial information, health data or human resources data, as long as the recipient US company has self-certified its adherence to the scheme.
Abolition of the Privacy Shield
The Court of Justice of the European Union (CJEU) ruled on 16 July 2020 (the so-called "Schrems II" judgment) regarding the data transfer regime between the European Union and the United States, invalidating the Privacy Shield adequacy decision, adopted in 2016 by the European Commission following the termination of the Safe Harbor agreement.
The CJEU, with a judgment of 16 July 2020 (also known as "Schrems II"), declared the 2016/1250 Decision of the European Commission invalid, dismantling the possibility of using the "Privacy Shield" as a legal basis for transfers of personal data of European citizens in the USA.
In fact, the Court found that the “Privacy Shield” failed to fulfill its objective of limiting the US government's interference with European citizens' data.
The Court also noted the inadequacy of the judicial protection provided by the "Privacy Shield"; in particular, "the Ombudsperson", that is the body entrusted with the mediation procedure that can be activated in the event of an infringement of privacy, lacks binding decision-making powers towards the US intelligence bodies and does not present, with respect to the administration, a degree of independence such as to guarantee the effective protection of the parties concerned.
At the same time, the CJEU expressed itself with regard to the standard contractual clauses, affirming their validity. However, the Court made the use of these clauses subject to a prior assessment, conducted on a case-by-case basis, which the data exporter and importer are required to carry out before the transfer, taking into account the circumstances relating to the transfer itself.
Conclusion and possible solutions
It therefore seems necessary to manage this in one of two ways: either the total enabling of the Privacy Shield for US companies and their European branches and subsidiaries, whatever they are,
or drawing up a list of certified and cooperating companies that are therefore authorized to process data at European level. The standard could be evaluated, for example, on impactful companies that have no European substitutes: think of Amazon, or of Google Analytics or Google AdSense, which are now widespread. It might be sensible, albeit limiting, to give a "license" to these companies that are by now companions in the professional and non-professional life of all European citizens, considering how the cons are definitely smaller than the pros, especially where there are no practical alternatives that can be implemented from one day to the next.
It is therefore quite likely, in spite of the title of this post, that no company among those mentioned will be killed or put in a position where it cannot operate. After all, if it has operated this way for almost 20 years without any actual problem, why should the problem start right now?
Moreover, after two years of crisis due to COVID and with a new economic recession in sight, focusing on marginal aspects such as those just mentioned is even more limiting for internal trade.
Because it is clear that even an Italian who sells to an Italian needs tools that pass through US servers, and whoever dismisses everything by saying that this is right, when it is in fact mere commercial protectionism, should change their mind when the increased advertising costs relentlessly hit their wallets through higher prices.