Italian data protection authority warns against the use of Google Analytics
Google Analytics data collected through cookies constitutes a violation of the EU General Data Protection Regulation, it says
Italy is the latest European Union country to take a stance against data transfers to the United States using Google Analytics.
Garante, Italy's data protection regulator, has warned a local web publisher against the use of non-compliant Google Analytics, stating that the service transmits data to the US without ensuring that EU data protection laws are respected.
Garante said that the transfer of Google Analytics data acquired by website publishers constitutes a violation of the EU General Data Protection Regulation (GDPR).
It added that publishers' usage of Google Analytics leads to the collection of a variety of user data, including device IP address, OS and browser details, screen resolution, language selection, as well as the date and time of the site visit.
This information is transferred to the US without taking sufficient further steps to improve the degree of protection to the required EU legal requirement, it added.
Garante said that Google's protections were insufficient to address the risk.
Transfers of personal data from the EU to the US are only permitted if there is an adequate degree of protection, as per the Schrems II judgement from July 2020.
In the latest case, the Italian watchdog said that without the necessary safeguards put in place, the US government agencies may access the personal data of the users.
Garante has given the web publisher in question (Caffeina Media Srl) 90 days to update its website to comply with EU data protection laws.
It also urged "all controllers" to ensure that their websites' use of cookies and other tracking technologies complies with all applicable data protection laws.
The authority said that the decision was the outcome of a complex investigation that was coordinated with other European privacy watchdogs and was based on a series of complaints. It added that more decisions will follow.
Google Analytics is a tool that can be used to monitor the website traffic. For instance, it may be used to generate reports on the total number of visitors, browser details, and the devices used by the visitors.
This is accomplished by placing a cookie on the user's device. This cookie is responsible for assigning a one-of-a-kind identifying number to the user.
Garante ' s ruling is in line with the finding of numerous other EU data protection authorities that using Google Analytics infringes on the EU's laws governing data protection over the data export issue.
In February, French data protection watchdog the CNIL (Commission Nationale de l'Informatique et des Libertés) ordered a local website manager to stop using Google Analytics under certain conditions. It said that the use of Google Analytics can 'sometimes' breach the EU's GDPR, as data transfers to the USA are not appropriately regulated.
As part of its order, the CNIL ordered the offending website to comply with the GDPR by either ceasing its use of Google Analytics or adopting an alternative monitoring service that does not send data outside the EU.
In January, the Austrian data protection authority, Österreichische Datenschutzbehörde, found that the use of Google Analytics by an Austrian website did not comply with EU data protection law. The watchdog found that Google had not implemented sufficient measures to encrypt and anonymise the data collected through Analytics.
The case was brought to the DPA by noyb, the legal company set up by Max Schrems, the Austrian lawyer who rose to prominence by challenging Facebooks' data transfer practices. That case eventually led to the demise of the Safe Harbour data transfer agreement.
Following the Garante ' s decision this week, a Google spokesman told Tech Crunch: "People want the websites they visit to be well designed, easy to use, and respectful of their privacy. Google Analytics helps publishers understand how well their sites and apps are working for their visitors — but not by identifying individuals or tracking them across the web."
"These organisations, not Google, control what data is collected with these tools, and how it is used. Google helps by providing a range of safeguards, controls and resources for compliance."
The spokesperson added that Google is reviewing the Italian DPA ' s decision.