Like Austria and France, the Italian Data Protection Authority has become the latest regulator to find that the use of Google Analytics does not comply with European data protection regulations.
La Garante per la Protezione dei Dati Personali, in a press release published last week, called out a local web publisher for using the widely used analysis tool in a way that illegally transferred key elements of personal data of users in the United States without necessary safeguards.
This includes user interactions with the websites, individual pages visited, IP addresses of devices used to access the websites, browser specifics, details related to the device’s operating system, resolution of the screen and the selected language, as well as the date and time of the visits.
The Italian supervisory authority (SA) said it had come to this conclusion following a “complex investigative exercise” which it had undertaken together with other data protection authorities in Italy. EU.
The agency said the transfer of personal information violates data protection laws because the United States is a “country without an adequate level of protection”, while stressing the “possibility for government authorities and agencies to US intelligence to access the personal data transferred without the necessary safeguards”.
The website in question, Caffeina Media SRL, was given 90 days to opt out of Google Analytics in order to comply with the GDPR. In addition, the Garante drew the attention of webmasters to the illegality of data transfers to the United States resulting from the use of Google Analytics, recommending that site owners turn to alternative tools for measuring audience meeting GDPR requirements.
“At the end of the 90-day period set in its decision, the Italian SA will verify that the data transfers in question comply with the EU GDPR, including by means of ad hoc inspections”, a-t- he declares.
Earlier this month, France’s data protection watchdog, the CNIL, issued updated guidelines on the use of Google Analytics, reiterating the practice as illegal under General Privacy Regulation laws. (GDPR) and giving affected organizations one month to comply.
“The implementation of data encryption by Google has proven to be an insufficient technical measure because Google LLC encrypts the data itself and has an obligation to grant access or provide the imported data that is in its possession. possession, including the encryption keys needed to make the data intelligible,” the regulator said.
Google told TechCrunch it is reviewing the latest decision. In January 2022, the tech giant pointed out that Google Analytics “does not track people or profile people on the internet” and that organizations can control the data collected through the service.
The Mountain View-based company, which hosts all of the data collected through the analytics platform in the US, also said it offers an IP address masking feature which, when enabled, anonymizes information on local servers before it is transferred to servers outside the EU. It should be noted that this feature is enabled by default with Google Analytics 4.