Italy stops Google Analytics

“A website that uses the Google Analytics (GA) service without the safeguards provided for in the EU Regulation violates data protection law because it transfers user data to the United States, a country that does not provide an adequate level of protection.” This was stated by the data protection commissioner at the end of a complex investigation launched on the basis of a number of complaints and in coordination with other European data protection authorities.

The investigation revealed that the operators of websites using Google Analytics use cookies to collect information about users’ interactions with the said websites, the individual pages visited and the services offered. This includes, among other things, the user’s IP address and information about the browser, operating system, screen resolution, selected language, and the date and time of the website visit. It was made clear that this information was transmitted to the United States. In determining the unlawfulness of the processing, it was again pointed out that the IP address is personal data that would not be anonymized even if it were truncated, since Google is able to enrich it with other data in its possession.

As a result of these investigations, the DPA issued the first of a series of measures admonishing Caffeina Media S.r.l., which operates a website, and ordering it to comply with the European regulation within ninety days. The indicated time frame was considered adequate to allow the operator to take appropriate measures for the transfer, under threat of suspending the flow of data that occurs through GA to the United States.

In particular, the Authority pointed out the possibility that U.S. government agencies and intelligence agencies may access the personal data transferred without adequate safeguards and, in this regard, noted that, in light of the EDPB’s guidance (Recommendation No. 1/2020 of June 18, 2021), the measures taken to integrate the transfer tools adopted by Google do not currently ensure an adequate level of protection for users’ personal data.

On this occasion, the Authority draws the attention of all Italian website operators, both public and private, to the unlawfulness of transfers to the United States through GA, also in light of the numerous reports and requests that reach the Office. And it is urging all data controllers to verify that the methods of using cookies and other tracking tools used on their websites, particularly Google Analytics and other similar services, comply with privacy laws.

At the end of the 90-day period granted to the company receiving the measure, the Authority will also verify, on the basis of specific inspection activities, whether the data transfers carried out by data controllers comply with the EU Regulation.

Update: In July 2023, the EU Commission approved the new EU-US Data Privacy Framework (DPF), removing many of the restrictions of Schrems II and making it much easier for organisations to transfer EU personal data to the US. However, the new framework will be challenged legally by NGOs (possible “Schrems III”). Therefore some legal uncertainty will remain until the Court of Justice of the EU (CJEU) rules on the matter. JENTIS Data Capture Platform enables future-proof GDPR-compliant tracking, regardless of the data privacy framework and potential challenges.