Another strike against use of Google Analytics in Europe: The Italian data protection authority has found a local web publisher’s use of the popular analytics tool to be non-compliant with EU data protection rules owing to user data being transferred to the U.S. — a country that lacks an equivalent legal framework to protect the info from being accessed by US spooks.
The Garante found the web publisher’s use of Google Analytics resulted in the collection of many types of user data, including device IP address, browser information, OS, screen resolution, language selection, plus the date and time of the site visit, which were transferred to the U.S. without adequate supplementary measures being applied to raise the level of protection to the necessary EU legal standard.
Protections applied by Google were not sufficient to address the risk, it added, echoing the conclusion of several other EU DPAs who have also found use of Google Analytics violates the bloc’s data protection rules over the data export issue.
Italy’s DPA has given the publisher in question (a company called Caffeina Media Srl) 90 days to fix the compliance violation. But the decision has wider significance as it has also warned other local websites that are using Google Analytics to take note and check their own compliance, writing in a press release [translated from Italian with machine translation]:
Earlier this month, France’s data protection regulator issued updated guidance warning over illegal use of Google Analytics — following a similar finding of fault with a local website’s use of the software in February.
The CNIL’s guidance suggests only very narrow possibilities for EU-based site owners to use Google’s analytics tool legally — either by applying additional encryption where keys are held under the exclusive control of the data exporter itself or other entities established in a territory offering an adequate level of protection; or by using a proxy server to avoid direct contact between the user’s terminal and Google’s servers.
Austria’s DPA also upheld a similar complaint over a site’s use of Google Analytics in January.
While the European Parliament found itself in hot water over the same core issue at the start of the year.
All these strikes against Google Analytics link back to a series of strategic complaints filed in August 2020 by European privacy campaign group noyb — which targeted 101 websites with regional operators it had identified as sending data to the US via Google Analytics and/or Facebook Connect integrations.
The complaints followed a landmark ruling by the bloc’s top court in July 2020 — which invalidated a data transfer agreement between the EU and the US, called Privacy Shield, and made it clear that DPAs have a duty to step in and suspend data flows to third countries where they suspect EU citizens’ information of being at risk.
The so-called ‘Schrems II’ ruling is named after noyb founder and long time European privacy campaigner, Max Schrems, who filed a complaint against Facebook’s EU-US data transfers, citing surveillance practices revealed by NSA whistleblower Edward Snowden, which ended up — via legal referral — in front of the CJEU. (A prior challenge by Schrems also resulted in the previous EU-US data transfer arrangement being struck down by the court in 2015.)
In a more recent development, a replacement for Privacy Shield is on the way: In March, the EU and the US announced they had reached political agreement on this.
However the legal details of the planned data transfer framework still have to be finalized — and the proposed mechanism reviewed and adopted by EU institutions — before it can be put to any use. Which means that use of US-based cloud services remains shrouded in legal risk for EU customers.
The bloc’s lawmakers have suggested the replacement deal may be finalized by the end of this year — but there’s no simple legal patch EU users of Google Analytics can reach for in the meanwhile.
Additionally, the gap between US surveillance law and EU privacy law continues to grow in certain regards — and it’s by no means certain the negotiated replacement will be robust enough to survive the inevitable legal challenges.
A simple legal patch for such a fundamental clash of rights and priorities looks like a high bar — failing substantial reform of existing laws (which neither side looks moved to offer).
Hence we’ve started to see software-level responses by certain US cloud giants — to provide European customers with more controls over data flows — in a bid to find a way to route around the data transfers legal risk.
Update: A Google spokesman sent us this statement following the Garante decision:
“People want the websites they visit to be well designed, easy to use, and respectful of their privacy. Google Analytics helps publishers understand how well their sites and apps are working for their visitors — but not by identifying individuals or tracking them across the web. These organizations, not Google, control what data is collected with these tools, and how it is used. Google helps by providing a range of safeguards, controls and resources for compliance.”
In a blog post back in January the company also sought to reframe the narrative around Google Analytics — claiming the tool isn’t used to track people around the web or profile them; and arguing it’s not a privacy risk by suggesting customers remain in control of the data they collect via the analytics tool; as well as pointing out it offers an IP anonymization feature.
Google’s blog post also emphasizes “numerous measures” it claims it applies to “protect data, and safeguard it from any government access”.
However a number of European DPAs have now come to a very different conclusion vis-a-vis the Schrems II-related risk of using Google Analytics — including (in the case of Austria‘s DPA) finding that even if IP anonymization had been enabled by the site it would not have fixed the risk.