Italy says Google Analytics violates GDPR

The Italian data protection agency has just warned a website against using Google Analytics, finding that it does not comply with the General Data Protection Regulation (GDPR). More and more European countries are taking action against the Mountain View firm’s audience analysis tool.

Google Analytics sends data to the United States

As the Italian regulator explains in a press release, the data Google uses to provide information in Google Analytics is personal data. It includes, in particular, the IP address of the user’s device, as well as information on the browser, operating system, screen resolution, selected language, and the date and time of the page visit.

However, this data is transferred to the United States, where data protection legislation is much less strict than in the European Union, which constitutes a violation of the GDPR according to the agency: “A website which uses Google Analytics without the safeguards provided by the EU GDPR violates data protection law, because it transfers user data to the United States, a country which does not have an adequate level of data protection,” it writes.

The agency therefore ordered the Italian company in question, Caffeina Media, to comply with European legislation within 90 days. If it fails to do so, the suspension of data flows linked to Google Analytics to the United States will be ordered. The Italian authorities also took the opportunity to warn all companies in the country: “The Data Protection Agency urges all data controllers to verify that the use of cookies and other tracking tools on their websites complies with data protection legislation; this applies in particular to Google Analytics and similar services.”

France and Austria have also tackled Google Analytics

This is not the first time that a European country has taken a stand against the use of Google Analytics in connection with the GDPR. In January 2022, the Austrian authorities implicated a German publisher for the same reasons. A month later, the CNIL gave Google formal notice for the transfer of data related to Analytics to the United States.

According to the Austrian, Italian and French authorities, it is possible that the American intelligence services have access to this data; they believe that the Mountain View company has not put in place adequate measures to protect this information. The Italian data protection agency recalls, for example, that “an IP address is personal data and would not be anonymized even if truncated – given Google’s ability to enrich this data with additional information it holds.”

Google Analytics transfers a lot of data to the United States. Photography: Myriam Jessier / Unsplash

“People want the websites they visit to be well-designed, easy to use, and respectful of their privacy. Google Analytics helps publishers understand how their sites and apps perform for their visitors, but not by identifying individuals or tracking them around the web. These organizations, not Google, control what data these tools collect and how it is used. Google helps them by providing a series of safeguards, controls and resources for compliance,” Google said to TechCrunch.

Since 2020, the transfer of data between the United States and the EU is no longer regulated

These various decisions follow the Schrems II judgment of July 16, 2020, handed down by the Court of Justice of the European Union, which annulled the Privacy Shield, an agreement established between the United States and the EU for the transfer of data. The court ruled that the agreement did not sufficiently protect the information of European citizens, in particular in light of the revelations of the American whistleblower Edward Snowden.

Following this announcement, the Austrian NGO Noyb (None of Your Business), founded by activist Maximilian Schrems, filed 101 complaints against companies in several EU Member States, accusing them of illegally transferring data to the United States.

A new agreement between the United States and the EU is currently in the works, but negotiations are dragging on. As TechCrunch reports, the gap between US surveillance law and EU privacy law continues to widen in many respects, so it is by no means certain that the negotiated replacement will be strong enough to survive the inevitable legal challenges.

In this context, Google plans to implement additional controls in order to provide its customers with guarantees regarding the protection of user data.
