The Italian Data Protection Authority questions GDPR compliance of Google Analytics

With order no. 224 of 2022, the Italian Data Protection Authority (“Garante”) recently ruled on the use of Google Analytics, the web analytics service offered by Google to website operators, which enables the generation of detailed statistics about users. The Authority’s ruling is just the latest in a series of decisions related to the use of Google Analytics made by European regulators, most recently in France and Austria.

The decision comes at the end of a complex investigation, initiated following a user's complaint against an Italian company, Caffeina Media S.r.l., owner of the Italian web page Caffeina magazine, concerning the transfer of the user's personal data to the United States through Google Analytics.

The issue stems from the different levels of protection afforded to personal data by European and American legislation: unlike the European Union, where data processing is regulated and protected by the GDPR, the United States does not offer sufficient guarantees for the rights of European data subjects. In particular, U.S. law enforcement and intelligence agencies, as well as government institutions, can access personal data under the Foreign Intelligence Surveillance Act, regardless of the nationality of the data subjects.

The investigation showed how Caffeina Media S.r.l., and more generally the operators of websites that use the Analytics service, collect, by means of cookies, multiple pieces of information about the users who browse their websites. This includes the IP address of the device used by them, which is considered personal data on the basis of the legislation (Art. 4 GDPR and Recital 26 GDPR) and of technical findings[1]. Once collected, this data is transferred to the United States, despite the fact that the GDPR clearly prohibits the transfer of data to countries that do not guarantee a level of protection equal to or higher than that of the European Union. This specifically includes the United States, as confirmed by the invalidation of the so-called Privacy Shield in the Schrems II ruling.

Therefore, in order to transfer data to the United States, as a third country offering an inadequate level of protection, the data controller can rely on certain tools defined by Articles 44-50 of the GDPR: standard contractual clauses and supplementary measures of a technical and legal nature. These additional measures are to be regarded as supplementary to the standard contractual clauses, intended to bring the level of protection of the transferred data up to EU standards.

In the case at hand, the company Caffeina Media S.r.l. had merely approved the terms and conditions of use of Google Analytics, in addition to having concluded standard contractual clauses with Google regarding the processing of personal data. However, the clauses offered by Google alone cannot guarantee an adequate level of protection in the event of a request for access by foreign authorities, particularly if local laws provide for such access, as is the case in the United States. For these very reasons, Google has put in place a number of additional protective measures, including the anonymization option, but these have been found to be inadequate to guarantee a level of protection equivalent to that provided by the GDPR, particularly against data access requests from U.S. intelligence services.

It is true that Google has made available the "IP-Anonymization" option, but this measure, the Garante points out, in fact only constitutes pseudonymization (and not anonymization), given that Google is able to identify the user by retrieving the person's identity through third-party data.

There is also the possibility for Google to associate the IP address with additional information already in its possession, if the data subject has logged in through his or her Google profile, such as e-mail address, telephone number or any further personal data, including gender, date of birth or profile picture, so as to recreate a complete profile of the user. The Garante also questioned the lawfulness of the privacy policy published on Caffeina Media's website, on the grounds that it failed to specify that the personal data was being transferred to a country without appropriate data protection measures.

The order does not impose any pecuniary sanction, because of the information asymmetry between Google and Caffeina Media, which did not allow the latter to assess the unsuitability of the measures adopted unilaterally by Google. For this reason, the Privacy Authority merely admonished the website operator, inviting it to bring its processing activities into compliance with the GDPR provisions within 90 days, under threat of suspension of the data flows to the United States.

The order does not declare the use of Google Analytics illegal per se, but it certainly requires companies using this service to consider taking the additional measures necessary to bring it into compliance with the data protection regulations.

[1] The Garante, taking up Opinion 4/2007 on the concept of personal data, issued by the Article 29 Working Party, reiterated that the IP address is to be considered personal data for all intents and purposes, where it enables the identification of the electronic device used, thus indirectly allowing the identification of the user.
