Illegal thing turns out to be illegal, shocker. Simple Analytics knows how to market their software, their articles reach the front page every time.
I wonder what's going to happen once the DPF[0] is put in place (it's very much a work in progress at the moment, but I'm sure it'll come through). I'm sure Schrems III will kill it within half a year, but we'll have to wait and see what the implications will be for Google and other American tracking services.
I'm not convinced depending on an executive order that can be revoked on a whim by the next elected USA president is a great basis for such an adequacy decision, but on the other hand I wouldn't expect the USA's legislative branch to accept the EU's terms.
The fundamental problem is that NSA, CIA, FBI.. can force American companies to hand over data (even if the data is saved in EU). I think it’s just a matter of time before AWS, Google Cloud, Azure.. is illegal to use, as long as there is not an EU company that has 100% control of the environment and is not incentivized to follow the orders from their software “supplier”.
The only fix is to remove all legal ground for American officials to get access to data about EU citizens.
That is the reason exporting PII to American cloud providers is illegal, yes. That's exactly what the EU is now trying to work out. This includes concessions to give European citizens certain rights when it comes to American intelligence agencies and such. That's part of the reason why companies use Irish subsidiaries to bring a point of presence into the EU (without having to bother paying too much tax); directly dealing with the American companies would be blatantly illegal.
The main reason American companies are barred from processing personal information for European consumers is that Europeans don't have the necessary rights under American law to safeguard their data. Through an executive order and other political tools, this is being changed. Once that's done, there's no legal reason why the USA can't receive a competency decision from the EU.
Various DPAs are sceptical about the work being done on the American side exactly because of the way this is implemented (executive rather than legislative branch) and the possibility that existing laws will make effective protection impossible anyway. I personally wouldn't trust the country behind the Hague Invasion Act to protect the rights of foreign citizens.
> The fundamental problem is that NSA, CIA, FBI.. can force American companies to hand over data (even if the data is saved in EU)
How does this work when it goes the other way? Suppose a French company in Paris had some data and they stored that data in AWS in the us-east-1 region. A French police or intelligence agency gets a court order (or whatever is the French equivalent) asking the company to turn over a copy of that data.
Can the company refuse (without getting in legal trouble) on the grounds that the data is not stored in France?
This would work the other way around in practice (source: Snowden): the NSA would voluntarily give the data that the French want off of AWS in exchange for whatever data the NSA wants from within the French territory.
The company wouldn't have to refuse anything, because they wouldn't even be aware that this is happening at all. All the company knows is that they host data on US servers.
I mean this is what Snowden described many years ago, it's probably way worse, more legalized and even more automated now.
EU don’t have the same kind of laws that don’t obey other countries laws as I am familiar with. So a solution would also be to move headquarters for Microsoft, Apple, Meta… to EU
So no, they would not get into trouble (if based in EU)
> EU don’t have the same kind of laws that don’t obey other countries laws as I am familiar with
No other country's laws would be involved in the scenario I asked about. It does not violate any US law for a company that has stored data in US AWS to retrieve that data.
The French authorities would be asking the French company to give them a copy of data that the French company controls and has legal access to. All the French company has to do to comply is make an API request to AWS, something they presumably routinely do.
If merely storing documents outside of your own country, but still within your control (in the sense that you can retrieve them any time you need them by asking whoever/whatever is holding them for you in the other country), is sufficient to make it so your own country can no longer legally compel you to turn over copies of those documents I don't see how that would not lead to massive problems for that country.
Wouldn't every company making consumer products, for example, store all documents produced during design and testing outside the country so in case safety issues arise later investigators can't get those documents to help build a negligence case against the company?
The CLOUD Act allows the US government to compel a company to turn over their data even if that data is only stored in servers in a foreign country, with no due process in that country. It requires American companies to violate EU law. The only way the EU can protect themselves from the CLOUD Act is to forbid any EU data be stored with any US company. Maybe you could accomplish that with a wholly EU subsidiary of an American company that is able to refuse and block requests for that data from their American parent corporation, but the CLOUD Act would still require the American company to hand over that data because the EU subsidiary is owned by the American company.
The only rational response from the EU is to ban EU companies from storing EU data with American companies.
These protections aren't in place yet. They're not even finished at the moment. Until the time comes that the necessary protections are in place, one can assume American companies are off limits for the time being, as they have been for the past couple of years.
To be clear, this is not about morality, but about following EU privacy rules. As far as those rules go, I must consider US courts to be hostile actors, and any entity that would follow their rulings is a potential threat to me.
I am liable if personal data pertaining to EU citizens is disseminated outside of the process set out in EU directives and local laws. This process does cover a local court compelling me or a local company to hand over something, and so in that case I will be in the clear. However, it does not cover the situation where I store my data on AWS and a non-EU court (US) compels Amazon to hand over the data, so in that case I will be liable for massive, potentially company-ending fines.
People have still not adjusted their behavior to account for the changes in laws, but right now it is very inadvisable for any EU entity to store any personal data on any service provided by a non-EU entity.
Easy! Article 44 of the GDPR explicitly prohibits the transfer of private information outside the conditions of the regulation. The CLOUD Act requires the transfer of the private information without consideration to anything but US laws.
GP's advice is solid. Avoid US cloud services for handling any private data.
At this point, I'm pretty convinced these European legislations are about being as vague as possible so that they can target pretty much any entity they (the state) don't like with fines and legal threats.
It all works because the public are made to believe these are good because they seem to go after some boogeymen (the evil foreign tech companies and the United-States).
The United States have decided that they will not provide the same protections required by the EU when it comes to EU citizens' data. That's a choice the American government can and has made. The economic barrier is clearly worth the sovereignty and national security benefit of the government being able to demand data about foreigners without protections or recourse according to lawmakers and that's fair enough to me.
The American CLOUD act grants certain agencies the right to demand data stored in European countries from American companies. This means American companies can either choose to comply with American law, providing said data, or with European law, refusing to provide the data without getting European courts involved. Refusing national security demands from the American government becomes very problematic real fast, especially when gag orders are involved, so companies and American citizens simply cannot be expected to comply with European law.
This choice has the consequence that American companies cannot be trusted to process PII (which is very broad) in any legal sense. Whether or not those companies go evil doesn't matter, the problem lies with the legal protection implemented by the American government.
I'd expect a CLOUD act equivalent from the EU (forcing companies with American offices to hand over the data of American citizens to secret European courts under the guise of national security) will be met with significant protest across the political spectrum. In fact, I would be disappointed if that wasn't protested. Surely Amazon, Microsoft and Google would be pressured to split off or shut down European operations if American citizens would suddenly become at risk of being spied on by foreign governments. If I were an American citizen, I'd certainly want politicians to do something about it!
You mean they can go to the DOJ and ask for a subpoena and then go argue to a court that somehow that Google Analytics data is critical to national security and then and only then can they compel a company to hand it over.
You seem to be very confused about how this process works in reality.
One has several layers of checks and balances in there from unrelated sections of government as a part of a legitimate function of any government in the world.
The original post however implied that it was a sinister thing that could just be done on a whim which is objectively not at all how it works in reality.
American checks and balances aren't relevant to the EU. The CLOUD Act requires that American companies turn over data stored in the EU without any involvement of EU due process and checks and balances, violating EU laws. The CLOUD Act effectively drafts all American companies into the American intelligence community. This is not acceptable to the EU.
punnerud is not confused.
Edit for response:
> Which European countries aren’t able to compel a company to help them by providing data in a matter of national security?
EU companies being so compelled by EU governments isn't relevant to the EU; which obviously supports that.
> This idea that all American companies are somehow arm in arm with the USIC is a ridiculous notion that isn’t supported by facts.
That is the purpose of the CLOUD Act. That's what it does. If Microsoft has a server in the EU with EU citizen data on it, the CLOUD Act requires Microsoft to hand over that data in violation of EU law if the US Government requests it. The fact that the US Government has checks and balances of its own is not relevant, the CLOUD Act still compels American companies operating in the EU to violate EU laws.
> There is a reason why most American tech companies in particular make a point to repeatedly and very loudly proclaim [...]
Their proclamations are irrelevant. US law requires them to violate EU law. As long as this is the case, the EU has no rational choice but to ban EU companies from giving EU data to American companies.
Which European countries aren’t able to compel a company to help them by providing data in a matter of national security?
This idea that all American companies are somehow arm in arm with the USIC is a ridiculous notion that isn’t supported by facts.
There is a reason why most American tech companies in particular make a point to repeatedly and very loudly proclaim that they will not provide any assistance unless legally forced to do so with a subpoena. They understand that they have a global customer base and that outside the context of those checks and balances that it might be bad for business.
In fact I would even argue that many of those same companies have a far stronger record of collaborating with China than the US. Apple is an example which repeatedly comes to mind here.
European countries can compel me to share data, and in that case I can do it legally. However, under the current law if I share data to the US government without going through the process in my local courts, I am liable for massive fines.
This is even true if I am not the entity sharing the data, but I merely placed it in the care of an US company. The problem is not that American companies are arm in arm with the government, it's that they are incorporated in a jurisdiction where the US courts have power, and because of my local laws, I must consider those courts to be a hostile actor.
It's not having a trial or anything to get the data, it is a judge (or in the link, a court clerk?) signing off on the subpoena or am I confused as to how complicated and difficult and time consuming that actually is.
Because getting a warrant is in my experience not like something that takes months and months where people argue and there is a likelihood that even if the warrant is granted that you can appeal to have it overturned, and it seems like a subpoena is no more difficult than getting a warrant and maybe easier.
At any rate, aside from the fact that the American government has often been shown to take more data than needed in their searches of people - that is to say abuse the layers of checks and balances - the European government would of course worry about potential abuses and disallow on the better safe than sorry view of protecting its citizens.
on edit: slackdog made a more relevant point than I did anyway.
Norge FTW. I'm so pleased to see their claws out, somebody needs to stand up and defend the law of their lands. There are plenty of options for analytics that don't involve breaking laws. It's virtually impossible to imagine Google could ever vend such a thing that somebody could pay a reasonable amount for private analytics on local servers. Google could pull that off easily, but it's antithetical to their culture and strategy.
indeed. this is why we should be banning all analytics. user specific tracking or not, it's possible to deanonymize data in aggregate, therefore the only way to truly guarantee user privacy is to ban all analytics.
if people think your privacy is secure because the website is not capturing "user-specific" data, think again.
I think that’s a bit extreme. What if I’m doing analytics via server-side logs rather than client-side (e.g. Google Analytics)? Are we supposed to ban server logs too? What happens when I want to actually troubleshoot issues with my site?
You should design your site so that you can troubleshoot it without using real user data. Failing that, you should receive voluntary informed consent from the users, and exclude those that don't consent.
A/B testing / etc is a form of human subject research, the only way to experiment on humans ethically is to have voluntary informed consent. The fact that you're 'merely' running psychological tests on website users instead of performing medical vivisections doesn't free you from the moral and ethical obligation to acquire voluntary informed consent.
This may or may not be helpful depending on your business/user-base but one option would be to have a different URL for your site that customers can opt-in to beta-test early features, changes, etc... Give them some perk for doing this. Some free thing(s), extra features, etc... On that beta/release-candidate URL require their accounts flagged by the end-user to have double-opted-in to advanced analytics. Some people love to try out new features early. In the event a change breaks something ensure those that opted in can still go back to the main URL of your site.
Tell your legal team you want the opt-in legal language to be easily readable and understandable by the average person and make the font big so nobody can say there was fine print.
Advantages:
- People that opt-in to such things are far less likely to make a stink when something breaks. Again, reward them for finding bugs even if it's something trivial. Maybe even set up a private community forum for these people to discuss the bugs they find.
- These people will also go out of their way to find bugs for you. Real-world traffic meets a free Quality Assurance team.
- Your Beta/RC URL can be excluded from any service level agreements in an updated AUP/ToS. Finance people like such risk mitigations.
Disadvantages:
- More work and cost up front to set this all up even if it pays for itself in the long run.
- Requires a bit of humility and discipline to openly share your errors with a handful of your user base.
If you need user information to troubleshoot your site, then you'll need their explicit informed consent. Without it, you simply won't get to troubleshoot and will have to find some other way to fix your site.
> And attributing funds to the correct place is the whole reason price-based economy works.
you don't need to know. same logic you're using could be said to justify the current user hostile tracking. the economy existed before analytics, and will continue to exist after it.
if you insisted on knowing, a simple counter will do.
If mere IP addresses are PII, I do not see how me looking at my GCP logs is any different (i.e. not allowed), and by extension how any US cloud provider can operate in Europe within these rules?
Quite a few people in the EU already consider US cloud providers to break GDPR just by existing because of US legislature like the CLOUD act.
A view that was (is?) at least partially shared by Microsoft [1]. MS created a (now closed) dedicated Azure data center in Germany where they got into trouble with the US government because MS didn't comply with a three letter agency request to obtain data from there.
There are a few justifications that allow you to process PII. One of them is to fulfill a contract (e.g. storing the address when a user purchases a product). The same justification is also used to store IPs in logs as you might need this information to debug issues or report illegal activity to authorities.
The same reasoning cannot be applied to analytics as there are no technical or legal requirement to have them and they are rather an optional addon. Moreover, there is also a restriction how long you are allowed to retain logs that have PII in them. You must not store them any longer than required (or anonymize them). I think 7 days is a commonly used limit for this.
Good. US cloud providers are so abusive and monopolistic, we basically need regions that exclude them entirely to give better alternatives a place to develop.
In what way are three major cloud competitors + many more focused cloud offerings a monopoly? “Monopoly” doesn’t mean “successful company I don’t like”.
Europe has failed to innovate for decades and that’s why it’s perpetually backed into a corner.
You as an individual are free to peruse any site you want. In practice, it might be hard to use US cloud providers in Europe lawfully to process PII, although some exceptions have been ruled - such as the French DPO ruling the use of AWS lawfully for the state vaccine program, as the PII was only encrypted in AWS, and AWS did not have the encryption keys.
SimpleAnalytics! High-level recommendations if you see this.
I am a systems developer and privacy guy working at a digital advertising firm and really don't understand the coming implications of the Google Ads antitrust lawsuit, digital advertising, or how to separate my work-life balance and stop reading HN on a Sunday..
Most of your articles are fantastic and very factual vs vendor orientated and I LOVE that. Would you be able to do a few posts on the topics above and how the google ads/analytics changes/lawsuits CCPA/CCPR, VA Data Privacy laws, are changing the digital advertising industry client-delivery metrics? For instance, I will fully admit that I don't understand the way Analytics and Ads actually tie-in together in terms of the digital ads sales process. Is everything going to be de-anonymized and non-targeted in the future? Is targeting by geographic location acceptable? How does this stuff affect things like print mailers and CRM platforms and how do the metrics change using something like simpleanalytics vs google analytics tracking? I understand more privacy, unique page views from referring URLs, but what are the differences, or should I say difficulties, I should expect in reporting to clients their website tracking and ad campaign tracking?
Polish gov websites - for example www.gov.pl itself - try to run Google Analytics / Tag Manager on visitors' devices. I've opened a case with local GDPR body "UODO" (part of said government) but they wouldn't do anything. Case dismissed.
GDPR is only as good as local government's interpretation and approach.
Polish (and Hungarian) governments have a long track record of not following the EU laws. For them, the EU is more of a piggy bank to draw money from, rather than respecting values.
In this case, delegation to local DPAs is hurting privacy regulation across the EU.
Technically, what is it that makes GA (likely) violating?
I’m assuming no PII is transmitted or stored?
Part of the issue is that data is transmitted outside the EU - but that seems easily fixable.
Storing a unique user id also isn’t - in itself - a violation, unless enough other data is stored to make it possible to connect a physical person to the id.
In one instance anonymized IPs were rendered PII by one of the European countries. Mostly it all comes back to the CLOUD Act and US state surveillance. JDSupra and searching the other simpleanalytics posts on HN provides great reading to get up to speed quickly.
France actually is forcing their governments to drop Microsoft 365 and instead only use on-prem Microsoft apps because even using a company with EU specific datacenters isn't enough. They put out a list of EU, specific data centers to use because using companies which are subject to only EU law and regulations is important to them.
Many people using USA cloud providers claim that using USA cloud providers is legal, and will start to speak faster, more stressed, and aggressively once you mention Schrems 2. I believe you don’t need to be a lawyer department to understand that it can’t be legal in the current state of the law.
I know people who prefer to ignore the problem. It’s a risk that they are willing to take and they think that they are going to be alright. I guess they may have a sound strategy.
Why can’t the EU just attack Google itself and for the 4% fine?
See, I get that it’s companies who shouldn’t put GA on their website, but it’s not a practically navigable response:
- As a startup,
- All marketing agencies start with nonchalantly setting up GA,
- All marketing agencies know nothing else and deny that GA is illegal. Even if I know better, GA is THE standard.
So, EU can attack every single company in Europe, as the data controller, and enforce law as it technically is, but that still doesn’t provide consumer protection. And in the end, it’s Google who’s sending the data to the US. Why can’t Google be attacked, not on behalf of being a data processor or data controller, but on the very initial crime of sending data to the US without permission?
> Part of the issue is that data is transmitted outside the EU - but that seems easily fixable.
Not quite, since the CLOUD Act [0] was put in effect.
This is the gist of the problem:
The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.
And this is under "International reactions":
The European Data Protection Supervisor (EDPS) viewed the CLOUD Act as a law in possible conflict with the GDPR. The German Commissioner for Data Protection has warned against the use of US based Amazon Web Services for storing sensitive data for the Federal Police.
This only applies to PII though? If analytics contains PII it seems that’s already problematic.
I get that GA is “worse” than others in that it potentially sends more data than necessary, potentially making it possible to bind pseudonyms to real identities.
But hypothetically - if GA was properly pseudonymous (e.g. client generated GUID transmitted, no connection to browsing history, no entropy like detailed user agent data etc, and purely client side pseudonymization) would that remedy the situation?
I guess the answer is “no one knows as it’s not tried”. But it’s an interesting question because if it isn’t, then no analytics would be compliant. For example using an analytics service like Ms App Insights for a mobile app.
Correct, storing PII is against GA’s TOS. Which doesn’t at all mean it isn’t ingested somehow or another (and Google can trivially integrate it back to a person if they wanted to). PII is a very malleable term depending on the jurisdiction.
So long as website operators are creating URLs and the data layers published into analytics there’s no way to ensure the data is truly anonymized. It just takes one slip up with a username being placed into a query string, or some other small mistake. In many organizations marketing runs the analytics, and they try to do as much as possible without developers who might notice these types of errors.
It could be interesting to have browsers avoid sending user agents and otherwise minimize HTTP headers to a list of analytics domains.
Is the key then perhaps to NOT use the default functionality of this type of analytics? I don't use this I use a pseudonymous "hand rolled" analytics method which is simply logging specific events in the program when a feature is used, and tagging those with a random session id and a persistent random pseudonym. E.g. "user 291281223233 used feature print_document in session 129871209182 ".
But I guess some of the attraction of a package like GA is that you don't have to spend weeks instrumenting your app? But I can certainly see the problem if ANY urls are sent. And I can see how weak GA would be if by default NO urls, no IPs, no User agent string are sent. You'd need to add quite a few "user_visited_page('pagename')" to your site code...
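Added example (not part of any comment in this thread): a small Python sketch of the hand-rolled event logging described in the comment above, combined with a URL scrubber for the "username in a query string" slip-up raised in the comment before it. The function names, the allow-list of query parameters and the sample URL are assumptions constructed for illustration.

```python
import json
import re
import secrets
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Assumption: only these query parameters are considered safe to record.
# Everything else is dropped, so a stray ?user=... or ?token=... never
# reaches the analytics store.
ALLOWED_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "page"}

# Path segments that look like an e-mail address or a long numeric id are
# treated as potential identifiers and replaced with a placeholder.
EMAIL_RE = re.compile(r"[^/@\s]+@[^/@\s]+\.[^/@\s]+")
LONG_NUMBER_RE = re.compile(r"\d{6,}")

# Constructed sample input.
SAMPLE_URL = ("https://shop.example/account/alice@example.com/orders"
              "?user=alice&utm_source=newsletter&page=2#top")


def scrub_url(url):
    """Return url without userinfo, fragment, non-allow-listed query
    parameters, or identifier-looking path segments."""
    parts = urlsplit(url)
    segments = []
    for seg in parts.path.split("/"):
        decoded = unquote(seg)  # catch percent-encoded forms such as %40
        if EMAIL_RE.fullmatch(decoded) or LONG_NUMBER_RE.fullmatch(decoded):
            segments.append(":redacted")
        else:
            segments.append(seg)
    query = [(k, v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k in ALLOWED_PARAMS]
    # Rebuild the host from hostname/port so "user:password@" is dropped.
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, "/".join(segments),
                       urlencode(query), ""))


def new_id():
    """Random 12-digit identifier with no link to any account data."""
    return f"{secrets.randbelow(10**12):012d}"


def make_event(pseudonym, session_id, feature, url=None):
    """Build an event holding only the pseudonym, the session id, the
    feature name and (optionally) a scrubbed URL. No IP address and no
    User-Agent string are recorded."""
    event = {"user": pseudonym, "session": session_id, "feature": feature}
    if url is not None:
        event["url"] = scrub_url(url)
    return event


def find_leaks(event, identifiers):
    """Return the known identifiers (user names, e-mail addresses) that
    still appear anywhere in the serialized event. Useful as a test-time
    guard against the one-slip-up failure mode."""
    blob = json.dumps(event).lower()
    return [ident for ident in identifiers if ident.lower() in blob]


if __name__ == "__main__":
    event = make_event(new_id(), new_id(), "print_document", SAMPLE_URL)
    print(json.dumps(event, indent=2))
    print("leaks:", find_leaks(event, ["alice", "alice@example.com"]))
```

The pseudonym is only as anonymous as the data stored next to it; running `find_leaks` over sample events in a test suite catches identifiers that the scrubber's patterns miss.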
Amazed that the word 'beacon' does not appear in comment or in the article. GA, just like the Facebook like buttons that kickstarted shaded but overt surveillance, are fundamentally beacons and that should be sufficient to have a discussion around "digital privacy".
sends a POST request to https://www.simpleanalytics.com/api/content-feedback with the original paragraph and the edited one with the name "suggestion", so I guess it's a very confusing interface for suggesting corrections
When it comes to privacy, I am always a little confused as to what people are interested in, versus the more mechanistic issues of GDPR rulings.
If there was a Woogle Analytics EU (GA mechanics, EU jurisdiction, EU servers, no US ties), as far as the current anti-GA rulings are concerned, there would be no legal issue with its operation, correct?
If that is so: Is there something happening in the US that would never be an issue if a big EU corp had comparable market power – or are we just really happy to maybe hit two anti-privacy birds with one loosely aimed stone here?
This is missing a critical clarification though. Are they talking about Universal Analytics, or GA4, which Google designed to hopefully be GDPR compliant?
So the analysis was of UA, but they noted that GA4 may not fix the issues:
"We have received several questions about whether, hypothetically speaking, we would move towards a different conclusion with Google Analytics 4. The Norwegian Data Protection Authority has not taken a position on this in the specific case, but as far as we can see, Google Analytics 4 will not necessarily correct those problems we have so far identified."
You don’t need to track users individually to do analytics.
A simple example of “why have analytics” is if you are selling physical goods through website, you need to keep track of sales so you can plan your next resupply of inventory. If you don’t know which t-shirt is selling the most, you won’t order enough of that one.
Now you might say “that’s not analytics” but you would be wrong. Analytics and tracking are different things; that’s why we have different words for them. And the use of analytics predates tracking by decades.
Most non-EU sites should have been blocking EU users on day 1 of GDPR. Instead we had Google and adtech firms lying to their customers about legality and loopholes while GDPR supporters told smaller webmasters they didn't have to strictly comply with it.
DSA will be a bigger test. The thing that seems most probable is platform bifurcation whether or not Section 230 survives in the US.
> The number 451 is a reference to Ray Bradbury's 1953 dystopian novel Fahrenheit 451, in which books are outlawed.[2] 451 provides more information than HTTP 403, which is often used for the same purpose.[3] This status code is currently a proposed standard in RFC 7725 but is not yet formally a part of HTTP, as of RFC 9110.
> Examples of situations where an HTTP 451 error code could be displayed include web pages deemed a danger to national security, or web pages deemed to violate copyright, privacy, blasphemy laws, or any other law or court order.
In my experience only sites that look like local news have told me "oops you're in europe we don't do business with you". Stuff like "the times of Chakahooee, New Hampshire" *. I understand them not bothering, I only randomly - and rarely - reach them because of links on another site.
Most sites that do have a global audience have a popup. Sometimes very dark pattern ish, sometimes not. But they bother.
It's lucky for tech companies with EU customers that a ruling has only been made regarding a low-hanging fruit like Google Analytics that is relatively easy to replace. Exactly the same reasoning can be used to essentially ban the use of e.g AWS, Google Cloud, Azure, Stripe and any other US infrastructure provider within the EU (they would only be legal to use as long as no personal information is ever stored on any of their servers, which in practice renders them useless).
I think there's a lot of companies hoping that the next "data transfer framework" negotiated between the EU and US lands before another EU court ruling triggers "infrastructuregeddon" - and that the new framework actually holds up in court, so we don't need to go through all this again.
Edit: Could the people downvoting maybe add a comment too? Is my comment factually incorrect or not adding to the discussion?
That's not enough if employees under US jurisdiction have access to the servers. Or indeed, if employees under US jurisdiction can order that they be given access. So it boils down to the organization structure, who has final say, and which jurisdiction that person is under - which renders even European daughter companies moot.
Oh, it's enough. If a server is in your jurisdiction, you just mandate that there is to be no foreign access to any data concerning your citizens. Just like that.
The international network we know and love will one day be fractured into many regional networks as governments seek to impose their laws on it. This is inevitable.
> I was under the impression GDPR has been useless since day 1.
Most laws are. Local regulations need to come into place, which takes time. Monitoring, auditing and enforcement takes even longer.
We're slowly seeing countries fining companies for violations. We're slowly seeing countries issuing advisories. We're slowly seeing countries putting it into action.
People thinking the world would change with GDPR day 1 have no idea how the world really works.
Yes, but about user tracking. Not about fighting it back.
>Why always go after FAANG?
Pareto something? You go after the ones that have the most reach, so that your action has the most effect.
>If google analytics was dissolved then some one else will take its place
Same as with Pablo Escobar then. So they shouldn't have stopped him?
(Though in this case, we're talking about a legal corporate activity. So, after this has been made illegal, no company can just "take its place").
>Remember visa/master card are terrible. Stripe is very organic and nice until it wasn't. Myspace terrible until facebook came
Even if we ignore that this is about making the activity illegal (and thus preventing someone else from coming and doing the same), this is some kind of "the devil you know" application that is totally bogus...
They need to stop that cycle by making exploitative surveillance capitalism illegal. Their very business model must be made illegal. Data on human beings must be a massive liability. They should be scrambling to forget everything about us the second our transactions are done. There should be no loophole, no conditions where it's acceptable, no "legitimate business need".
Realistically, it would be easier to fight for abortion rights than to ban corporate spying on users. The US is not the only country that does this and frankly the situation in the US is way much better than in China or Russia. Good luck banning spying on users there. You might think you are not affected by them, but check if you have TikTok installed. Here you go.
>If google analytics was dissolved then some one else will take its place.
Someone that is respecting local law?
>Myspace terrible until facebook came
No one said that, Myspace was a huge expression of freedom in a time where not many could afford a domain-name or a server with decent connection.
>It is not as if VW or SAP or Schufa are decent.
It's Norway, Germany has nothing to do with it since 1945, and no they are not decent, but this is Germany's problems and not those of Norway.
>At the end all these marketing/JS/analytics devs will go to some other local company.
Terrible, having local companies instead of internet controlling behemoths who made it the opposite of a distributed information exchange network (you know the core idea of arpanet).
> Terrible, having local companies instead of internet controlling behemoths who made it the opposite of a distributed information exchange network (you know the core idea of arpanet).
Please ask any local company to build such infra. Unfortunately, they don't. Or once they become big - founders sell to SV.
[0]: https://ec.europa.eu/commission/presscorner/detail/en/qanda_...