Websites that use Google Analytics (GA), without the guarantees provided for in Regulation (EU) 2016/679 (the “Regulation“), violate data protection legislation because they transfer user data to the United States which lacks adequate protection. The Data Protection Authority (“Garante“) made its ruling with a 9 June 2022 measure, adopted after a preliminary investigation initiated based on several complaints, in coordination with other European Privacy Authorities, and published the following 23 June.
GA is a web tool provided by Google to website operators that allows them to analyse detailed statistics on users to optimise the services offered and monitor marketing campaigns.
This information is transferred to the United States of America, a country that, as the Data Protection Authority has repeatedly stated, does not guarantee a personal data protection system equivalent to that of the European Union. The US regulatory system allows US government and intelligence authorities to access personal information for national security purposes without the guarantees provided by European legislation.
The Data Protection Authority stated that the IP address is personal data to all intents and purposes as it enables the identification of an electronic communication device, thus indirectly making the data subject identifiable as a user. This data, even if truncated, is not anonymous, given Google’s ability to associate it with other data in its possession, allowing the user re-identification.
For these reasons, the Data Protection Authority adopted the first of a series of measures with which it cautioned the company that managed the website under investigation, ordering it to comply with the Regulation within 90 days. The Data Protection Authority considered the deadline appropriate to allow the website to adopt the required transfer measures, under the penalty of suspending the data flow to the United States using GA.
At the end of the 90 days, the Data Protection Authority will conduct inspections to verify compliance with the Regulation of the transfers carried out by data controllers.
While waiting for the European Union and the United States of America to reach a legally binding agreement that guarantees an international transfer with protections equivalent to what is required in Europe, website operators must comply with applicable legislation. This includes relying on European providers that process users’ personal data within the EU.
Other related insights: