Italy is now the fourth country to ban Google Analytics, joining Austria, Holland, and France. Why are these countries banning the web analytics service offered by Google that tracks and reports website traffic?
According to a statement, the conclusion was reached after a complex investigation carried out by Garante (the Italian Data Protection Authority) in coordination with other European privacy authorities. It stated that Italian websites using Google Analytics violate the General Data Protection Regulation (GDPR), the EU’s data protection law, and that there are no adequate safeguards for data transfers to the USA.
Article 49 of the GDPR states:
“personal data may not be transferred to a third country unless the country provides for an adequate level of data protection or, alternatively, appropriate safeguards are put in place.”
Since Google Analytics is a product of a US company, Google sends data from the EU to the US for processing, thereby violating the GDPR. Google would also fall under US surveillance laws, meaning that Google would have to give up EU citizens’ data to US intelligence services if it received a formal request.
Here is the statement from Garante:
Italian SA bans the use of Google Analytics
No adequate safeguards for data transfers to the USA
A website using Google Analytics (GA) without the safeguards set out in the EU GDPR violates data protection law because it transfers users’ data to the USA, which is a country without an adequate level of data protection.
The Italian SA came to this conclusion after a complex fact-finding exercise it had started in close coordination with other EU data protection authorities following complaints it had received. The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on the browser, operating system, screen resolution, selected language, date, and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is personal data and would not be anonymized even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.
Based on the above findings, the Italian SA adopted a decision, to be followed by additional ones, reprimanding Caffeina Media S.r.l. – a website operator – and ordering it to bring the processing into compliance with the GDPR by ninety days. This deadline was considered to be appropriate in order to allow the operator to implement adequate measures in connection with the data transfer; if this is found not to be the case, suspension of the GA-related data flows to the USA will be ordered.
The Italian SA highlighted, in particular, that US-based governmental and intelligence agencies may access the personal data being transferred without the required safeguards; it pointed out in this regard that the measures adopted by Google to supplement the data transfer instruments did not ensure an adequate level of protection for users’ personal data in the light of the guidance provided by the EDPB through its Recommendations No 1/2020 of 18 June 2021.
The Italian SA wishes to draw the attention of all the Italian website operators, both public and private, to the unlawfulness of the data transfers to the USA as resulting from the use of GA – partly on account of the many alerts and queries received so far. The Italian SA calls upon all controllers to verify that the use of cookies and other tracking tools on their websites is compliant with data protection law; this applies in particular to Google Analytics and similar services.
Upon expiry of the 90-day deadline set out in its decision, the Italian SA will check that the data transfers at issue are compliant with the EU GDPR, including by way of ad-hoc inspections.
Rome, 23 June 2022
In its defense, Google says it encrypts the user data before it is sent for processing. However, Garante said that this is insufficient, as only Google has access to the decryption key. That means that they could easily de-anonymize the data if they ever needed to, in response to a government request.
Google has also offered “IP-anonymisation”, which would mean:
“sending Google Analytics the user’s IP address after obscuring the least significant octet (under this operation, for example, addresses 122.48.54.0 to 122.48.54.255 would be replaced by 122.48.54.0).”
The Italian regulator responds that this “actually consists of a pseudonymization of the user’s network address data since truncation of the last octet does not prevent Google LLC from re-identifying that user, taking into account the overall information it holds on web users.”
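The regulator's point can be checked on one's own analytics data with a simple anonymity-set count. The sketch below is an added example, not code from Google or the Garante: the hit records are constructed, the function names are hypothetical, and "the overall information it holds" is modelled only as the other fields the statement lists (browser, operating system, screen resolution, language).

```python
import ipaddress
from collections import Counter

# Constructed sample hits (not real traffic): five visitors behind one /24,
# with the fields the Garante statement lists as collected via GA cookies.
HITS = [
    {"ip": "122.48.54.17", "browser": "Firefox 101", "os": "Linux",
     "screen": "1920x1080", "lang": "it-IT"},
    {"ip": "122.48.54.23", "browser": "Chrome 102", "os": "Windows 10",
     "screen": "1920x1080", "lang": "it-IT"},
    {"ip": "122.48.54.88", "browser": "Chrome 102", "os": "Windows 10",
     "screen": "1920x1080", "lang": "it-IT"},
    {"ip": "122.48.54.140", "browser": "Safari 15", "os": "macOS",
     "screen": "2560x1440", "lang": "en-GB"},
    {"ip": "122.48.54.201", "browser": "Chrome 102", "os": "Android 12",
     "screen": "412x915", "lang": "it-IT"},
]
ALL_FIELDS = ["ip", "browser", "os", "screen", "lang"]

def truncate_ipv4(addr: str) -> str:
    """Zero the least significant octet, as in the quoted description."""
    net = ipaddress.ip_network(f"{addr}/24", strict=False)
    return str(net.network_address)

def truncated(hits):
    """Return copies of the hits with the IP address truncated."""
    return [{**h, "ip": truncate_ipv4(h["ip"])} for h in hits]

def anonymity_sets(hits, fields):
    """Count how many hits share each combination of the given fields."""
    return Counter(tuple(h[f] for f in fields) for h in hits)

def unique_fraction(hits, fields):
    """Fraction of hits whose field combination matches no other hit."""
    sets = anonymity_sets(hits, fields)
    alone = sum(1 for h in hits if sets[tuple(h[f] for f in fields)] == 1)
    return alone / len(hits)

if __name__ == "__main__":
    masked = truncated(HITS)
    # Truncated IP alone: every visitor falls into the same bucket.
    print("unique on truncated IP only:", unique_fraction(masked, ["ip"]))
    # Truncated IP plus the other collected fields: most are singled out.
    print("unique on all fields:", unique_fraction(masked, ALL_FIELDS))
```

On this constructed sample, truncation alone leaves no visitor distinguishable, but three of the five become unique again once the other collected fields are joined to the truncated address.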
The Google Analytics ban issue started in Austria in December 2021 when an Austrian consumer privacy association called NOYB filed 101 complaints across the EU relating to the use of Google’s Analytics tool. France and Holland followed some months later in February 2022.