Italian Watchdog Says Google Analytics a Privacy Violation
Absence of Trans-Atlantic Data Framework Converts Analytics Tool Into a RiskItaly is the latest EU country to warn against use of Google Analytics on privacy grounds even as U.S. and European officials attempt to restore a legal framework for trans-Atlantic commercial data transfers.
See Also: Using the Netskope HIPAA Mapping Guide
The country's data protection authority late last week gave news and entertainment website Caffeina Media 90 days to stop using the traffic analyzer or alter the configuration so it stops sending personal information to Google servers warehoused in the U.S. Among the personal information cited by the Garante per la Protezione dei Dati Personali are IP addresses and the browser and operating system of users.
The Italian authority follows in the footsteps of France and Austria, whose data protection authorities earlier this year sided with complaints alleging Google Analytics runs afoul of European data protection law.
American tech companies' ability to process European consumer information has been in a legal gray zone for nearly two years following a decision by the Court of Justice of the European Union invalidating the U.S.-EU Privacy Shield. The court wrote that American intelligence agencies have disproportionate access to data originating outside the U.S. despite assurances offered by the Privacy Shield agreement that underpinned trans-Atlantic data transfers starting in 2016.
The same Austrian activist group behind the 2020 ruling against the Privacy Shield later that year launched a continentwide campaign of complaints against websites using Google or Facebook analytics tools. The group, noyb - it stands for "none of your business" – ultimately sent 101 complaints to European data protection authorities, including against Caffeina Media.
European and U.S. officials announced in May a framework for reestablishing a Privacy Shield-like legal mechanism, but no details have since emerged. A 2019 study of trans-Atlantic trade valued U.S. digitally enabled exports to Europe at $204.2 billion and imports at $123.7 billion.
A spokesperson for Google was not immediately available to comment.
Austria and France Bans
One question for European Google Analytics aficionados is whether they can continue to use the tool while complying with current dictates against sending information to American servers.
France and Austria's data protection authorities appear to be saying no. The French Commission Nationale de l'informatique et des Libertés - in English, the National Commission on Informatics and Liberty - in June guidance said Google has indicated that all data collected through the analytics tool is hosted in the United States.
Even if Google Analytics could be configured not to transfer data outside the EU, its mere use could subject EU companies to legal demands for personal data, the organization wrote.
Obtaining explicit consent could be a possible workaround, the data authority acknowledged, but hastened to add that consumer consent cannot be used for "systematic transfers."
The Austrian Data Protection Authority in January rejected an argument from Google that website owners can anonymize the visitor IP addresses sent to the company.
The data protection authority found that IP addresses are just one data point that can be combined with others to identify individuals. It also said other technical and organizational safeguards instituted by Google, including encryption of data in transit and limitations on what third parties can glean about individual users from analytics data, fail to allay concerns about intelligence community access.