The Italian Data Supervisory Authority warned against the use of Google Analytics

- Advertisement -

Another strike against the use of Google Analytics in Europe: Italian data protection authority found the use by a local web publisher of a popular analytics tool to violate EU data protection regulations because user data is transferred to the United States, a country that lacks an equivalent legal framework to protect information from access by US spies.

- Advertisement -

Garante discovered that the web publisher’s use of Google Analytics resulted in the collection of many types of user data, including device IP address, browser information, OS, screen resolution, language selection, and date and time of site visit, which were transferred to the United States without acceptance adequate additional measures to raise the level of protection to the required EU legal standard.

- Advertisement -

The protections applied by Google were insufficient to address the risk, he added, echoing the findings of several other EU DPAs that also found that the use of Google Analytics violated the block’s data protection rules regarding a data export issue.

- Advertisement -

The Italian DPA gave the publisher in question (Caffeina Media Srl) 90 days to correct the breach. But the decision has broader implications as it also alerted other local websites using Google Analytics to take note and check their own compliance by writing in a press release. [translated from Italian with machine translation]:

“[T]The Authority draws the attention of all Italian website managers, public and private, to the illegality of transfers to the US through GA. [Google Analytics]also taking into account the numerous reports and questions that the Authority receives and invites all data controllers to check the conformity of the cookie practices and other tracking tools used on its websites, with particular attention to Google Analytics and other similar services provided for by protection legislation personal data”.

Earlier this monthFrance’s data protection regulator has issued updated guidance to warn against the illegal use of Google Analytics after a February.

The CNIL guidance offers only very limited options for site owners in the EU to use Google’s analytics tool legally, either through the use of additional encryption where the keys are under the sole control of the data exporter itself, or by other entities established in the territory offering an adequate level. protection; or by using a proxy server to avoid direct contact between the user’s terminal and the Google servers.

The Austrian DPA also upheld a similar complaint about the site’s use of Google Analytics in January.

While the European Parliament finds itself in a quandary over the same key issue at the beginning of the year.

All of these attacks on Google Analytics stem from a series of strategic complaints filed in August 2020 European privacy campaign group noyb, which targeted 101 regional operator websites that were found to be sending data to the US via Google Analytics and/or Facebook Connect integration.

The complaints follow a historic bloc Supreme Court ruling in July 2020 — which annulled the EU-US data transfer agreement called the Privacy Shield and made it clear that DPAs have an obligation to intervene and suspend data flows to third countries where they suspect EU citizens’ information is at risk.

The so-called “Schrems II” ruling is named after noyb founder and longtime European privacy campaigner Max Schrems, who filed a complaint against Facebook’s EU-to-U.S. legal direction – before the CEC. (Schrems’ previous lawsuit also resulted in a previous EU-US data transfer agreement being overturned by a court in 2015.)

More recent developments are preparing a replacement for the Privacy Shield: In March EU and US announced they reached a political agreement on this matter.

However, the legal details of the planned data transmission system are yet to be finalized and the proposed mechanism will be reviewed and adopted by the EU institutions before it can be used for any purpose. This means that using cloud services in the US still comes with legal risks for EU customers.

Bloc deputies proposed The replacement deal could be completed by the end of this year, but at the same time, there is no simple legal fix that EU Google Analytics users can turn to.

In addition, tThe gap between US surveillance law and EU privacy law continues to widen in some respects, and by no means can one be sure that an agreed-upon replacement will be strong enough to withstand the inevitable legal challenges.

A simple legal patch for such a fundamental clash of rights and priorities looks like a high bar—failure of substantial reform of existing laws (which neither side appears to be proposing).

Thus, we began to observe the reaction of some American cloud giants at the program level – to give European customers more control over data flows – in an attempt to find a way around the legal risk of data transfer.

Credit: /

- Advertisement -

Stay on top - Get the daily news in your inbox

DMCA / Correction Notice

Recent Articles

Related Stories

Stay on top - Get the daily news in your inbox