It had already happened in France and Austria a few months ago and today also in Italy Google Analytics ends up in the viewfinder of the Privacy Guarantor. Yesterday, in fact, the news that the authority for the protection of personal data has decreed that Google Analytics "Violates data protection legislation because it transfers user data to the United States, a country without an adequate level of protection"1.
But how did this decision come about? And what consequences will there be?
The decision of the European Court of Justice
The assumptions that led to the current situation date back as far as two years ago. In fact, in July 2020 the European Court of Justice has decided to cancel an agreement entered into in 2016 between the United States and the European Union known as Privacy Shield. The European body defines qhis "shield", which allowed the transfer of personal data of all European users to American servers, was invalid, since American legislation did not guarantee adequate privacy.
And it is precisely in this perspective that the decision of the Guarantor to prohibit the use of Google Analytics. The authority has in fact emphasized the ease with which the US Government Authorities would have access to personal data stored in their country. This would make the United States a non-compliant country GDPR, the privacy law currently in force in the European Union.
Furthermore, a note from the Guarantor reads: "among the many data collected, the IP address of the user's device and information relating to the browser, the operating system, the screen resolution, the selected language, as well as the date and time of the visit on the web. This information was found to have been transferred to the United States. In declaring the unlawfulness of the processing, it was reiterated that the IP address constitutes personal data and even if it were truncated it would not become anonymous, given the ability of Google to enrich it with other data in its possession "2.
The ban on using Google Analytics
A first warning was issued yesterday against Caffeina Media srl, guilty of using Google Analytics within its own sites. But the question concerns all the sites that exploit the tool, which will therefore have to study alternative solutions. Or resign yourself to the idea of no longer being able to monitor your users.
The deadline for complying with the decision is 90 days, after which the Guarantor will verify that all sites comply with the European regulation for the transfer of personal data. Otherwise there is a risk of “suspension of the data flows carried out, through Google Analytics, to the United States "and, possibly, an administrative sanction. Managers advised….
How do the site managers respond?
Who is familiar with Google Analytics knows how important this tool is for an e-commerce (Click here for more information). And now that it has been banned how to do it? Following the news, website operators have begun to study alternative solutions but, despite everything, the ban on GA is destined to have a strong impact on the sector.
The solutions initially proposed include:
- the abandonment of Google Analytics in favor of European paid services (and therefore with servers located in Europe);
- the use of Google Consent Mode;
- the anonymization of data before sending them to Analytics, through proxying services;
- create your own analysis service through open source platforms.
In reality, the situation is constantly changing. While looking for the optimal solution, in fact, we also await the transition from Universal Analytics to Google Analytics 4. The latest version of the tool treats data differently than its predecessor and allows a certain degree of anonymization.
We just have to wait and see if these innovations will receive the approval of the Privacy Guarantor. In the meantime, for those wishing to further explore the topic, please refer to the section CNIL FAQ.