
> lopsided value prop

But that's not what CNIL is basing their decision on: "The CNIL concludes that transfers to the United States are currently not sufficiently regulated...Indeed, although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services."

I probably don't understand the legal issues fully, but it seems the worry is that US intelligence services may be tapping the lines and databases of Google, may have agents working at Google as badged employees, or may be able to subpoena Google (or any US service provider). [for the record, I wouldn't doubt if all the above are true]

I don't see how Google Docs is less susceptible to Google tracking user activity (and by extension US intelligence).

> "CNIL recommends that these tools should only be used to produce anonymous statistical data"

So the tools are not anonymous because the request headers of the client are being logged and used to identify a session, along with what resources on the site were accessed in that session.

Any site operator has this data on their visitors.

CNIL doesn't want sites hosted in France to be making client-side calls to services provided by Google (whether analytics, fonts, etc) or theoretically any US-based service provider because the client request will be logged by that resource host and open to access by US law enforcement? Do I understand that correctly? What's the solution? A site builder can't let web clients make direct calls to any resources in the US? That seems... sweeping, profound, surprising, impactful. Have fun with that.



> because the request headers of the client are being logged and used to identify a session

No need to dig so deep: IP addresses are considered private information under the current EU law, meaning that just opening a client-side connection somewhere leaks that data to that somewhere.

> I don't see how Google Docs is less susceptible to Google tracking user activity (and by extension US intelligence).

There is none. The difference is that the website studied in the ruling was not including resources hosted at Google Docs, and hence no mention of it. If the site embedded or directly linked to a Google Docs document, the same reasoning would have been applied.

> CNIL doesn't want sites hosted in France to be making client-side calls to services provided by Google (whether analytics, fonts, etc) or theoretically any US-based service provider because the client request will be logged by that resource host and open to access by US law enforcement? Do I understand that correctly?

Almost. They don't want any calls prior to explicit user acceptance.

> What's the solution?

For fonts/images required to load the page, use EU-based hosting facilities. If you want to link to a Google Docs document, a YouTube video or something like that, ask the user before following that link.

> That seems... sweeping, profound, surprising, impactful. Have fun with that.

It is, I don't think anyone is denying that. There are several things that may happen here:

1. US tech companies take it as common practice to spin off EU-based companies that are not subject to US law and store everything on EU soil. When they don't, EU competitors pop up and EU companies use those.

2. The US passes laws that offer EU-level protections to both their own citizens/companies and (at least) EU-based citizens/companies.

3. The EU backtracks on this by adjusting their current laws.
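A site operator can check which third-party hosts a page contacts on load, before any consent or click. The sketch below is an added example, not code from any commenter in this thread; the page URL `www.site.example`, the sample markup and the `EXAMPLE` path segments are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute the browser fetches on page load, with no user action.
AUTO_FETCH = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
              "audio": "src", "video": "src", "source": "src", "link": "href"}
# <link> only makes the browser connect for these rel values (not rel="me" etc.).
FETCHING_RELS = {"stylesheet", "preload", "prefetch", "preconnect",
                 "icon", "modulepreload"}

class AutoLoadAudit(HTMLParser):
    """Collect third-party hosts a page contacts before any user interaction."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlparse(page_url).hostname
        self.findings = []  # (host, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attr = AUTO_FETCH.get(tag)
        if attr is None:
            return  # e.g. <a href>: only requested if the visitor clicks
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return
        url = attrs.get(attr)
        if url:
            absolute = urljoin(self.page_url, url)  # handles relative and //host URLs
            host = urlparse(absolute).hostname
            if host and host != self.first_party:
                self.findings.append((host, tag, absolute))

def third_party_hosts(page_url, html):
    audit = AutoLoadAudit(page_url)
    audit.feed(html)
    return sorted({host for host, _, _ in audit.findings})

# Constructed sample page; none of this markup comes from a real site.
SAMPLE = """<html><head>
<link rel="me" href="https://social.example/@site">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="//www.google-analytics.com/analytics.js"></script>
</head><body>
<a href="https://docs.google.com/document/d/EXAMPLE">Read the document</a>
<iframe src="https://www.youtube.com/embed/EXAMPLE"></iframe>
</body></html>"""
print(third_party_hosts("https://www.site.example/article", SAMPLE))
```

This is a static check of the markup only: requests made by scripts at runtime or by CSS `@import`/`url()` rules do not show up, so a browser network trace is still needed for a complete picture.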



