23. June 2022

Italy stops Google Analytics

Authority warns of illegality of sending data with GA to the U.S.

“A website that uses the Google Analytics (GA) service without the safeguards provided for in the EU Regulation violates data protection law because it transfers user data to the United States, a country that does not provide an adequate level of protection.” This was stated by the data protection commissioner at the end of a complex investigation launched on the basis of a number of complaints and in coordination with other European data protection authorities.

The investigation revealed that the operators of websites using Google Analytics use cookies to collect information about users’ interactions with the said websites, the individual pages visited and the services offered. This includes, among other things, the user’s IP address and information about the browser, operating system, screen resolution, selected language, and the date and time of the website visit. It was made clear that this information was transmitted to the United States. In determining the unlawfulness of the processing, it was again pointed out that the IP address is personal data that would not be anonymized even if it were truncated, since Google is able to enrich it with other data in its possession.

As a result of these investigations, the DPA issued the first of a series of measures admonishing Caffeina Media S.r.l., which operates a website, and ordering it to comply with the European regulation within ninety days. The indicated time frame was considered adequate to allow the operator to take appropriate measures for the transfer, under threat of suspending the flow of data that occurs through GA to the United States.

In particular, the Authority pointed out the possibility that U.S. government agencies and intelligence agencies may access the personal data transferred without adequate safeguards and, in this regard, noted that, in light of the EDPB’s guidance (Recommendation No. 1/2020 of June 18, 2021), the measures taken to integrate the transfer tools adopted by Google do not currently ensure an adequate level of protection for users’ personal data.

On this occasion, the Authority draws the attention of all Italian website operators, both public and private, to the unlawfulness of transfers to the United States through GA, also in light of the numerous reports and requests that reach the Office. And it is urging all data controllers to verify that the methods of using cookies and other tracking tools used on their websites, particularly Google Analytics and other similar services, comply with privacy laws.

At the end of the 90-day period granted to the company receiving the measure, the Authority will also verify, on the basis of specific inspection activities, whether the data transfers carried out by data controllers comply with the EU Regulation.

More articles

Blog

The forgotten Data Protection regulation that started it all

Do you know the story of the groundbreaking EU data privacy regulation that threatened to disrupt data flow between the EU and the US? Hint: it’s not the GDPR.

Blog

The 3 biggest Challenges for Digital Marketing 2023

What will be important in the coming year? What will pose the most difficult challenges for digital marketing? An analysis from a marketer's point of view.

Blog

How DPAs determine the level of GDPR fines

The GDPR applies as a legal basis to all EU data protection authorities. But there is far less uniformity when it comes to the level of fines. How high can they get? A quick guide to what companies can expect.