I started this blog few weeks ago and I installed, despite my will, Google Analytics but, just few days after… G. Analytics has been declared illegal in EU. Then?
Okay, first a bit of background: everyone is curious of how many visitors, from where and from which referral site, is coming to his website. And I’m too, so what is the easy to install, free and detailed analytic service? Google Analytics, you bet. Well, maybe it’s true, if you run a commercial website and you need to know some super detailed stats maybe if you want to be the money, you can use Google Analytics for free. But since I’m not interested in all those data that G. Analytics gives, but I’m a lot more interested in my -and my visitors- privacy, I started to search for an analytics service that is free, self-hosted and it requires very small hardware/system specs, because I don’t want to buy another VPS with a huge SQL database, maintenance it, etc… I just want a lightweight service that gives me some basic users’ info, like location, device, browser, referral site and… a nothing else I think. Why I need to know bounce rates, conversions, engagements, users explores and blablabla… that Google gives? For a simple and stupid blog? I think is a waste of resources and privacy, because all these -for me useless- data/info on the users behavior are going, and remain, into the Google servers in the USA.
GA illegal
And here start all the troubles. Since I’m italian (and that’s why I wrote in a terrible english), I care a lot of users privacy and GDPR, and just few day afters I started this website, G. Analytics has been declared illegal in EU by the Austrian watchdog. What this mean?
tl;dr: U.S. intelligence agencies can have the access to EU citizens data stored in the Google’s USA servers
(not very) Long form: Google is storing all the Analytics data on the USA servers, and this is not compliance with the EU GDPR regulation, but Google said “Ehy mr. EU/Austrian watchdog, we made lots of specific contracts with EU companies that are authorizing us to store data in USA server, we are inside the regulations” yes, and this is true, Google can do that, but, and here’s the point, the data stored on USA server can be accessed by U.S. intelligence agencies. And this broken the GDPR compliances.
In particular:
- the complaint against the first respondent is upheld and it is found that
a) the first respondent, as the responsible party, by implementing the “Google Analytics” tool on its website at www.[REDACTED]at, transmitted personal data of the complainant (these are at least unique user identification numbers, IP address and browser parameters) to the second respondent at least on August 14, 2020,
(b) the standard data protection clauses concluded by the first respondent with the second respondent do not provide an adequate level of protection pursuant to Article 44 GDPR, since
(i) the Second Respondent qualifies as an electronic communications service provider within the meaning of 50 U.S. Code § 1881(b)(4) and, as such, is subject to surveillance by U.S. intelligence agencies pursuant to 50 U.S. Code § 1881a (“FISA 702”); and
(ii) the measures taken in addition to the standard data protection clauses set forth in item 2.(b) are not effective because they do not eliminate the possibility of surveillance and access by U.S. intelligence agencies,
c) in the present case, no other instrument pursuant to Chapter V of the GDPR can be used for the data transfer referred to in item 2.a) and the first respondent has therefore not ensured an adequate level of protection pursuant to Art. 44 GDPR for the data transfer referred to in item 2.a).
3) The complaint against the respondent to the second complaint on the grounds of a violation of the general principles of data transfer pursuant to Art. 44 GDPR is dismissed.
This is provided thanks to gdprhub.eu: DSB (Austria) - 2021-0.586.257 (D155.027) and you can also read more at: Is Google Analytics ILLEGAL in your country?
So it’s only a matter of time that other EU’s countries watchdogs will declare GA illegal in other countries and maybe in all the EU. Yes, possibly Google can reach an agreement with EU commission like the “International Safe Harbor Privacy Principles”, that has been overlapped in 2016 by the “EU–US Privacy Shield” that has been declared also invalid by the European Court of Justice in 2020 :) So, how much time will pass since another “EU-USA Idontcareprivacy shield” will be declared not legal -again-? :)
Alternatives
I don’t want to know it… I want to solve the question from the beginning: stop using Google Analytics.
So I started to search for an alternative, and there are a lot of them, but almost all are very expensive, like €20/months or more, and all have many features that I don’t need, are heavy, I can’t use them self-hosted, etc… then I finally found umami.is that is open source, free, on GitHub, light, easy to install and it doesn’t have tons of useless features but just the necessary.
At the beginning I thought it was a bit complicated to install, so I created an account on Heroku, followed the guide and… in a few minutes was working, great! There’s nothing complicated, it is super-simple, I was surprised, I don’t even have the Heroku CLI installed.
and here’s the panel with the stats, it’s just perfect for my needs!
I have no idea when/how much time my 500Mb of free space on Heroku will last. Umami is light, it only takes less than 150Mb, but I don’t know about the recordings/logs in the future. If you know (for example in one year) how much space the log will take for an average of 100 visits/day, let me know in the comments please (and thanks in advice).
Final thoughts
Finally: I’m Google-free! Well, I’m already (since a lot of years) using Duck Duck Go (‘cause is better than Google, regardless of privacy, it has the !Bangs, customizable layout, a simple toggle to switch from english to italian search and others features). And I don’t have to care/think in the next months about “ouch, Google now is illegal in EU, and I’m using it, what I have to do now?”
I suggest all to do the same, because it’s very easy, a lot more satisfying, nicer and pleasant to use… and, hey, it’s your own service! You don’t have to rely on third a party, big and invasive, tech company. It’s a goal!
Update
I’ve added a simply tutorial to backup the umami database here: Backing up umami database on Heroku free plan.