CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders

Italy bans Google Analytics for inappropriate data transfer between the EU and the US

Google Analytics, the world’s most widely used web tool for tracking website visitor activity and traffic for marketing purposes, is no longer welcome in Italy. The country’s data protection authority (DPA) has ruled that the transfer of data from the service to servers in the United States violates the rules of the General Data Protection Regulation (GDPR), in particular the revised terms for the international transfer of user data that are established by the 2020 Schrems II ruling.

The decision follows months of rumors that Google Analytics in the EU could be in serious trouble for not adequately anonymizing the data it “calls home” to Google’s US servers. This is the conclusion reached by the Italian data protection authority when it found that Google does not anonymize the IP addresses of website visitors enough to ensure that they cannot be identified by other information the company collects.

Data transfer between the EU and the US remains a thorn in the side of major technology

Google Analytics is in a unique situation when it comes to complying with the GDPR rules for international data transfers. The service allows webmasters to see how individual users interact with their sites in different ways, but in a way that doesn’t reveal the visitor’s identity.

The way it functions would probably suffice for any other standalone operator of a similar analytics service. Not so for Google, thanks to its internet-wide system of data collection through its ad networks, apps and cloud services. The argument that this breaches the GDPR relies on the user’s IP address remaining sufficiently visible to Google internally that it can be matched against Google’s wealth of user data to identify the end user, should the company wish to.

The Schrems II decision revealed that the US was not a suitable partner for data transfer because of on-the-book laws that allow surveillance of foreigners’ internet traffic, and because of clandestine spy programs exposed nearly a decade ago by the Edward Snowden leaks. The US is essentially stuck in this state until it passes a federal data privacy law with terms similar to the GDPR, or comes up with a replacement for the previous “Privacy Shield” agreement that will survive an inevitable lawsuit.

Such a replacement is in the works and has undergone significant development in recent months, but Andrew Barratt (Vice President at Coalfire) sees this ruling as potentially undermining the whole matter: “This decision by the Italian DPA appears to be largely inconsistent with the new Trans-Atlantic Data Privacy Framework, which was intended to support the suitability for data transfers between EU countries and the US. This move could jeopardize years of negotiations with the US and the EU. Not clear how the data they reference immediately interferes with the rights and freedoms of specific citizens. Countries with more favorable intelligence-sharing relationships, such as the five-eye countries. The complaint appears to be largely targeted at someone’s misuse of Google Analytics and not directly on Google itself. It is plausible that this could be a management oversight by Caffeine Media that has been punitive and Google’s name thrown in purely as the technology in question.”

The Italian DPA’s ruling stems from a case involving a specific website operated by “Caffeina Media SRL”, which was given 90 days to stop using Google Analytics. This effectively puts every website in Italy in the same position. The court said Italian authorities would begin “ad hoc” inspections of the country’s websites for compliance at the end of the 90-day period. This follows a similar ruling by the French DPA in June, which gave websites in that country a month to stop using the service.

Potential for Google Analytics to make necessary adjustments, but affected websites will likely need to switch analytics tools

Apart from the fact that Google stores data across its wide variety of services, the Italian DPA’s decision focused on how Google Analytics handles the IP addresses of website visitors. To comply with GDPR data transfer rules, these IP addresses should be completely anonymized. By default, Google only masks the last octet of the address, which the DPA classified as “pseudonymization”: not enough to ensure that Google itself cannot identify the individual user internally.

If Google implemented a means of encrypting this data that takes the “master key” out of its own hands, it could keep the service in good graces with EU data privacy laws. Until then, individual website operators can be held responsible for violations as “data exporters” who knowingly use a service that engages in inappropriate data transfers. Google had previously argued that it offers non-default optional settings that allow webmasters to enable a greater degree of anonymization in Analytics, but Austria’s DPA rejected that argument earlier this year as part of a Schrems-related complaint.
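The two preceding paragraphs turn on a technical distinction: zeroing the last octet of an IPv4 address leaves only 256 candidates, so a party that also holds other data about the visitor can still single them out, whereas a keyed transformation whose key never reaches that party would not let it do so. The following script is an added illustration, not code from the article, from Google, or from any DPA; the log records, addresses, user-agent strings and the `keyed_pseudonym` scheme are constructed assumptions used only to make the linkage concrete.

```python
"""Added example (not from the CPO Magazine article): why masking only the
last octet of an IPv4 address is pseudonymization rather than anonymization.

Every address, user agent and record below is constructed sample data."""
import hmac
import hashlib
import ipaddress


def mask_last_octet(ip: str) -> str:
    """Zero the final octet, the default truncation the article describes
    Google Analytics applying (e.g. 203.0.113.57 -> 203.0.113.0)."""
    addr = ipaddress.IPv4Address(ip)
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))


def candidate_count(masked_ip: str) -> int:
    """Number of full addresses a masked /24 still covers: just 256."""
    return ipaddress.IPv4Network(f"{masked_ip}/24", strict=False).num_addresses


def link_masked_ip(masked_ip: str, user_agent: str, records: list) -> list:
    """Re-link a masked address against a richer dataset held by the same party.
    The records stand in for the other data the article says Google holds;
    filtering by the /24 plus one more attribute (here the user agent) is
    usually enough to collapse 256 candidates to a single person, which is
    why the DPA treated last-octet masking as mere pseudonymization."""
    net = ipaddress.IPv4Network(f"{masked_ip}/24", strict=False)
    return [r for r in records
            if ipaddress.IPv4Address(r["ip"]) in net
            and r["user_agent"] == user_agent]


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """Hypothetical alternative to truncation: replace the address with an HMAC
    under a key held only by the website operator. Whoever holds `key` can
    still match pseudonyms to addresses, so the data is anonymous only from
    the viewpoint of a recipient that never receives the key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


# Constructed "internal" records with full IPs, as an ad network or account
# service might hold them (sample data, not real addresses or people).
SAMPLE_RECORDS = [
    {"ip": "203.0.113.57", "user_agent": "UA-phone", "account": "alice@example.test"},
    {"ip": "203.0.113.200", "user_agent": "UA-desktop", "account": "bob@example.test"},
    {"ip": "198.51.100.9", "user_agent": "UA-phone", "account": "carol@example.test"},
]


def demo():
    """Mask a visitor's address, then show how little the mask protects once
    the masked value is joined with the richer records."""
    masked = mask_last_octet("203.0.113.57")
    matches = link_masked_ip(masked, "UA-phone", SAMPLE_RECORDS)
    return masked, candidate_count(masked), [m["account"] for m in matches]


if __name__ == "__main__":
    print(demo())
```

Run it and the masked address 203.0.113.0 still resolves to exactly one constructed account once the user agent is joined in; the keyed variant only helps if the key genuinely stays on the operator's side, which is the "master key" point the paragraph above makes.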


Other major technology platforms have data collection activities that rival Google’s in size, but none (with the possible exception of Adobe) is also in the position of offering a widely used analytics tool that moves data across international borders. Some of their marketing services, such as Microsoft Advertising, have built-in tools of a similar kind to which this decision could ultimately apply. Other tech companies have struggled to compete in this area; Facebook tried for years to offer a similar product with Facebook Analytics, but adoption remained low and the company shut it down just over a year ago.
