Italy’s data watchdog latest to warn over use of Google Analytics

Another strike against use of Google Analytics in Europe: The Italian data protection authority has found a local web publisher’s use of the popular analytics tool to be non-compliant with EU data protection rules owing to user data being transferred to the U.S. — a country that lacks an equivalent legal framework to protect the info from being accessed by U.S. spooks.

The Garante found the web publisher’s use of Google Analytics resulted in the collection of many types of user data, including device IP address, browser information, OS, screen resolution, language selection, plus the date and time of the site visit, which were transferred to the U.S. without adequate supplementary measures being applied to raise the level of protection to the necessary EU legal standard.

Protections applied by Google were not sufficient to address the risk, it added, echoing the conclusion of several other EU DPAs who have also found use of Google Analytics violates the bloc’s data protection rules over the data export issue.

Italy’s DPA has given the publisher in question (a company called Caffeina Media Srl) 90 days to fix the compliance violation. But the decision has wider significance as it has also warned other local websites that are using Google Analytics to take note and check their own compliance, writing in a press release [translated from Italian with machine translation]:

[T]he Authority draws the attention of all Italian managers of websites, public and private, to the illegality of transfers made to the United States through GA [Google Analytics], also in consideration of the numerous reports and questions that are being received by the Office, and invites all data controllers to verify the compliance of the methods of use of cookies and other tracking tools used on its websites, with particular attention to Google Analytics and other similar services, with the legislation on the protection of personal data.

Earlier this month, France’s data protection regulator issued updated guidance warning over illegal use of Google Analytics — following a similar finding of fault with a local website’s use of the software in February.

The CNIL’s guidance suggests only very narrow possibilities for EU-based site owners to use Google’s analytics tool legally — either by applying additional encryption where keys are held under the exclusive control of the data exporter itself or other entities established in a territory offering an adequate level of protection; or by using a proxy server to avoid direct contact between the user’s terminal and Google’s servers.

Austria’s DPA also upheld a similar complaint over a site’s use of Google Analytics in January.

While the European Parliament found itself in hot water over the same core issue at the start of the year.

All these strikes against Google Analytics link back to a series of strategic complaints filed in August 2020 by European privacy campaign group noyb — which targeted 101 websites with regional operators it had identified as sending data to the U.S. via Google Analytics and/or Facebook Connect integrations.

The complaints followed a landmark ruling by the bloc’s top court in July 2020 — which invalidated a data transfer agreement between the EU and the U.S., called Privacy Shield, and made it clear that DPAs have a duty to step in and suspend data flows to third countries where they suspect EU citizens’ information of being at risk. 

The so-called ‘Schrems II’ ruling is named after noyb founder and longtime European privacy campaigner, Max Schrems, who filed a complaint against Facebook’s EU-U.S. data transfers, citing surveillance practices revealed by NSA whistleblower Edward Snowden, which ended up — via legal referral — in front of the CJEU. (A prior challenge by Schrems also resulted in the previous EU-U.S. data transfer arrangement being struck down by the court in 2015.)

In a more recent development, a replacement for Privacy Shield is on the way: In March, the EU and the U.S. announced they had reached political agreement on this.

However the legal details of the planned data transfer framework still have to be finalized — and the proposed mechanism reviewed and adopted by EU institutions — before it can be put to any use. Which means that use of U.S.-based cloud services remains shrouded in legal risk for EU customers. 

The bloc’s lawmakers have suggested the replacement deal may be finalized by the end of this year — but there’s no simple legal patch EU users of Google Analytics can reach for in the meanwhile. 

Additionally, the gap between U.S. surveillance law and EU privacy law continues to grow in certain regards — and it’s by no means certain the negotiated replacement will be robust enough to survive the inevitable legal challenges.

A simple legal patch for such a fundamental clash of rights and priorities looks like a high bar — failing substantial reform of existing laws (which neither side looks moved to offer).

Hence we’ve started to see software-level responses by certain U.S. cloud giants — to provide European customers with more controls over data flows — in a bid to find a way to route around the data transfers legal risk.

Update: A Google spokesman sent us this statement following the Garante decision:

People want the websites they visit to be well designed, easy to use, and respectful of their privacy. Google Analytics helps publishers understand how well their sites and apps are working for their visitors — but not by identifying individuals or tracking them across the web. These organizations, not Google, control what data is collected with these tools, and how it is used. Google helps by providing a range of safeguards, controls and resources for compliance.

He also told us Google is reviewing the Italian DPA’s decision.

In a blog post back in January the company sought to reframe the narrative around Google Analytics — claiming the tool isn’t used to track people around the web or profile them; and arguing it’s not a privacy risk by suggesting customers remain in control of the data they collect via the analytics tool; as well as pointing out it offers an IP anonymization feature.

Google’s blog post also emphasizes “numerous measures” it claims it applies to “protect data, and safeguard it from any government access.”

However a number of European DPAs have now come to a very different conclusion vis-a-vis the Schrems II-related risk of using Google Analytics — including (in the case of Austria‘s DPA) finding that even if IP anonymization had been enabled by the site it would not have fixed the risk.

Although — responding to this point — Google’s spokesman pointed to a recent update (Google Analytics 4) that he said has introduced more controls and product configurations since the versions of the software which originated the complaints to DPAs; and which he suggested could help address concerns about data export risks — such as via the ability to stop the transfer of IP addresses (including anonymized IP addresses) outside the EU; disable Google Signals data collection at country level; and disable granular location and device data collection at the country level. 

He added that while Google remains convinced that the only sustainable solution to the recurring uncertainty around EU to U.S. data exports is a durable legal framework, the tech giant is exploring developing additional controls to provide its customers with further assurances around the safeguarding of user data.

This report was updated with additional responses from Google.