Italy has become the fourth country to ban Google Analytics, joining Austria, Holland and France. This was the conclusion reached after a complex investigation carried out by Garante (the Italian Data Protection Authority) in coordination with other European privacy authorities. It stated that Italian websites using Google Analytics violate the General Data Protection Regulation (GDPR), the EU’s data protection law, and that there are no adequate safeguards for data transfers to the USA.
Article 49 of the GDPR states:
“personal data may not be transferred to a third country unless the country provides for an adequate level of data protection or, alternatively, appropriate safeguards are put in place.”
Google Analytics is a product of a US company, and Google sends data from the EU to the US for processing, thereby violating the GDPR. Google also falls under US surveillance laws, meaning that Google would have to give up EU citizens’ data to US intelligence services if it received a formal request to do so.
Here is the statement from Garante, translated to English:
Italian SA bans use of Google Analytics
No adequate safeguards for data transfers to the USA
A website using Google Analytics (GA) without the safeguards set out in the EU GDPR violates data protection law because it transfers users’ data to the USA, which is a country without an adequate level of data protection.
The Italian SA came to this conclusion after a complex fact-finding exercise it had started in close coordination with other EU data protection authorities following complaints it had received. The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.
Based on the above findings, the Italian SA adopted a decision, to be followed by additional ones, reprimanding Caffeina Media S.r.l. – a website operator – and ordering it to bring the processing into compliance with the GDPR by ninety days. This deadline was considered to be appropriate in order to allow the operator to implement adequate measures in connection with the data transfer; if this is found not to be the case, suspension of the GA-related data flows to the USA will be ordered.
The Italian SA highlighted, in particular, that US-based governmental and intelligence agencies may access the personal data being transferred without the required safeguards; it pointed out in this regard that the measures adopted by Google to supplement the data transfer instruments did not ensure an adequate level of protection for users’ personal data in the light of the guidance provided by the EDPB through its Recommendations No 1/2020 of 18 June 2021.
The Italian SA wishes to draw the attention of all the Italian website operators, both public and private, to the unlawfulness of the data transfers to the USA as resulting from the use of GA – partly on account of the many alerts and queries received so far. The Italian SA calls upon all controllers to verify that the use of cookies and other tracking tools on their websites is compliant with data protection law; this applies in particular to Google Analytics and similar services.
Upon expiry of the 90-day deadline set out in its decision, the Italian SA will check that the data transfers at issue are compliant with the EU GDPR, including by way of ad-hoc inspections.
Rome, 23 June 2022
How does Google Analytics work?
Launched in November 2005, Google Analytics is a web analytics service offered by Google that tracks and reports website activity such as session duration, pages per session and the bounce rate of individuals using the site, along with the information on the source of the traffic.
It processes and displays the data obtained during customers’ web browsing in a user-friendly interface, so the business can analyze trends and create audience lists for advertising.
Google Analytics works by setting a first-party cookie on a user’s device when the user enters a website; the cookie contains a tracking (or Client) ID. The user’s actions are then tracked and tied to the tracking ID, with all data stored on Google servers. The data includes the time spent on site, the URLs accessed, and hundreds of other dimensions/metrics. Google then provides access to the data patterns in the Analytics interface for the business.
Google’s defence
In its defence, Google says it encrypts the user data before it is sent for processing. However, Garante said that this is insufficient, as only Google has access to the decryption key. That means that they could easily de-anonymize the data if they ever needed to, in response to a government request.
Google has also offered “IP-anonymisation”, which would mean:
“sending Google Analytics the user’s IP address after obscuring the least significant octet (under this operation, for example, addresses 122.48.54.0 to 122.48.54.255 would be replaced by 122.48.54.0).”
The Italian regulator responds that this “actually consists of a pseudonymisation of the user’s network address data, since truncation of the last octet does not prevent Google LLC from re-identifying that user, taking into account the overall information it holds on web users.”
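The regulator's objection can be checked by measuring anonymity-set sizes. The following is an added example, not code from Garante or Google: it truncates IPv4 addresses as described above, then groups hits by the other fields the Garante statement lists (browser, operating system, screen resolution, language). The records, visitor labels and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def truncate_last_octet(ip):
    """Zero the least significant octet of an IPv4 address (IPv6 is rejected)."""
    net = ipaddress.IPv4Network(f"{ip}/24", strict=False)
    return str(net.network_address)

# Fields named in the Garante statement as collected alongside the IP address.
FIELDS = ("browser", "os", "screen", "language")

# Constructed sample hits; "visitor" is ground truth that the collector never sees.
_ROWS = [
    ("v1", "122.48.54.17",  "Firefox", "Linux",   "1920x1080", "it-IT"),
    ("v2", "122.48.54.98",  "Chrome",  "Windows", "1920x1080", "it-IT"),
    ("v3", "122.48.54.203", "Chrome",  "Windows", "1366x768",  "it-IT"),
    ("v4", "122.48.54.44",  "Safari",  "macOS",   "2560x1440", "en-GB"),
    ("v5", "122.48.54.150", "Chrome",  "Windows", "1920x1080", "it-IT"),
    ("v6", "203.0.113.9",   "Chrome",  "Windows", "1920x1080", "it-IT"),
]
HITS = [dict(zip(("visitor", "ip") + FIELDS, row)) for row in _ROWS]

def anonymity_sets(hits, extra_fields=()):
    """Map each key (truncated IP plus extra fields) to the visitors sharing it."""
    sets = defaultdict(set)
    for hit in hits:
        key = (truncate_last_octet(hit["ip"]),) + tuple(hit[f] for f in extra_fields)
        sets[key].add(hit["visitor"])
    return dict(sets)

def singled_out(hits, extra_fields=()):
    """Visitors whose key is shared with nobody else (anonymity set of size 1)."""
    return sorted(
        visitor
        for members in anonymity_sets(hits, extra_fields).values()
        if len(members) == 1
        for visitor in members
    )

if __name__ == "__main__":
    print("truncated IP only:       ", singled_out(HITS))
    print("truncated IP + attributes:", singled_out(HITS, FIELDS))
```

On this sample, truncation alone hides five visitors in one /24 group, but adding the four accompanying fields leaves four of the six visitors in a group of one.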
The Google Analytics ban issue started in Austria in December 2021 when an Austrian consumer privacy association called NOYB filed 101 complaints across the EU relating to the use of Google’s Analytics tool. France and Holland followed some months later in February 2022.