Following the footsteps of Austria and France, the Italian Data Protection Authority has become the latest regulator to find the use of Google Analytics to be non-compliant with E.U. data protection regulations.
The Garante per la Protezione dei Dati Personali, in a press release published last week, called out a local web publisher for using the widely used analytics tool in a manner that allowed key bits of users’ personal data to be illegally transferred to the U.S. without necessary safeguards.
This includes interactions of users with the websites, the individual pages visited, IP addresses of the devices used to access the websites, browser specifics, details related to the device’s operating system, screen resolution, and the selected language, as well as the date and time of the visits.
The Italian supervisory authority (SA) said that it arrived at this conclusion following a “complex fact-finding exercise” it commenced in collaboration with other E.U. data protection authorities.
The agency said the transfer of personal information violates the data protection legislation because the U.S. is a “country without an adequate level of protection,” while highlighting the “possibility for U.S. government authorities and intelligence agencies to access personal data transferred without due guarantees.”
The website in question, Caffeina Media SRL, has been given a period of 90 days to move away from Google Analytics to ensure compliance with GDPR. In addition, the Garante drew webmasters’ attention to the unlawfulness of data transfers to the U.S. stemming from the use of Google Analytics, recommending that site owners switch to alternative audience measurement tools that meet GDPR requirements.
“Upon expiry of the 90-day deadline set out in its decision, the Italian SA will check that the data transfers at issue are compliant with the E.U. GDPR, including by way of ad-hoc inspections,” it stated.
Earlier this month, the French data protection watchdog, the CNIL, issued updated guidance over the use of Google Analytics, reiterating the practice as illegal under the General Data Protection Regulation (GDPR) laws and giving affected organizations a period of one month to comply.
“The implementation of data encryption by Google has proven to be an insufficient technical measure because Google LLC encrypts the data itself and has the obligation to grant access or provide the imported data which is in its possession, including the encryption keys necessary to make the data intelligible,” the regulator said.
Google told TechCrunch that it’s reviewing the latest decision. In January 2022, the tech giant stressed that Google Analytics “does not track people or profile people across the internet” and that organizations can control the data gathered through the service.
The Mountain View-based firm, which hosts all the data collected through the analytics platform in the U.S., also said it offers an IP address masking function that, when enabled, anonymizes the information in local servers before it’s transferred to any servers outside the E.U. It’s worth noting that this feature is enabled by default with Google Analytics 4.