Websites that use Google Analytics (GA), without the guarantees provided for in Regulation (EU) 2016/679 (the “Regulation“), violate data protection legislation because they transfer user data to the United States which lacks adequate protection. The Data Protection Authority (“Garante“) made its ruling with a 9 June 2022 measure, adopted after a preliminary investigation initiated based on several complaints, in coordination with other European Privacy Authorities, and published the following 23 June.
GA is a web tool provided by Google to website operators that allows them to analyse detailed statistics on users to optimise the services offered and monitor marketing campaigns.
The Authority assessed the processing carried out using this tool and showed that website operators (such as the sanctioned company) use cookies transmitted to the user’s browser to collect information on how these interact with the website, individual pages, and services offered. The data collected consists of: unique online identifiers that allow the identification of the user’s browser or device while visiting the website, and the website operator (through the Google Account ID); address, website name and navigation data; IP address of the user’s device; information on the browser, operating system, screen resolution, language selected, and date and time of website visit.
This information is transferred to the United States of America, a country that, as the Data Protection Authority has repeatedly stated, does not guarantee a personal data protection system equivalent to that of the European Union. The US regulatory system allows US government and intelligence authorities to access personal information for national security purposes without the guarantees provided by European legislation.
The Data Protection Authority stated that the IP address is personal data to all intents and purposes as it enables the identification of an electronic communication device, thus indirectly making the data subject identifiable as a user. This data, even if truncated, is not anonymous, given Google’s ability to associate it with other data in its possession, allowing the user re-identification.
For these reasons, the Data Protection Authority adopted the first of a series of measures with which it cautioned the company that managed the website under investigation, ordering it to comply with the Regulation within 90 days. The Data Protection Authority considered the deadline appropriate to allow the website to adopt the required transfer measures, under the penalty of suspending the data flow to the United States using GA.
At the end of the 90 days, the Data Protection Authority will conduct inspections to verify compliance with the Regulation of the transfers carried out by data controllers.
◊◊◊◊
While waiting for the European Union and the United States of America to reach a legally binding agreement that guarantees an international transfer with protections equivalent to what is required in Europe, website operators must comply with applicable legislation. This includes relying on European providers that process users’ personal data within the EU.
Other related insights:
