Jun 24, 2022, 00:29 am
Written by Luca Bertuzzi
Published: June 23, 2022
The Italian privacy watchdog joined its peers from Austria and France in banning Google’s service for unlawfully transferring data to the United States.
Italy’s privacy guarantor, Garante, issued a decision on Thursday (23 June) stating that websites using the web analytics service provided by Google without the necessary safeguards violate the General Data Protection Regulation (GDPR), the EU’s data protection law.
The decision is the last in a row against Google Analytics, which data protection authorities accuse of illegally transferring data to the United States, a country that is considered not to have an adequate level of data protection since the landmark Schrems II ruling of the EU Court of Justice in July 2020.
The privacy activist Max Schrems, who gave the name to the lawsuit, filed together with his NGO, NOYB, tens of complaints across EU countries against Google Analytics. The first decision that followed was from the Austrian authority, thereafter by the French one.
In a statement, the authority said that the decision was the result of a complex investigation based on a series of complaints and in coordination with other European privacy watchdogs.
The probe found that the analytical tool collects several types of user data, including the type of web browser, operation system, language, date, time, screen resolution and, perhaps most importantly, the Internet Protocol (IP) address, a number that is unique for every device.
IP addresses are considered personal data, as it can be traced back to a specific person. For the Garante, the fact that the IP address was transferred to the United States in a partial way does not constitute in itself anonymisation, since Google is able to combine it with other data, for instance, the email address.
“The Italian DPA has clarified that Google Analytics does not use anonymous data. What Google calls “IP-Anonymization” is actually mere pseudonymization, because the deletion of part of the IP address does not prevent Google from re-identifying that user, taking into account the information it holds on web users as a whole,” explained Gianclaudio Malgieri, an associate professor of law & technology at the EDHEC Business School.
The Italian authority is not the only one that put to rest any hope that the analytics tool could be used in a lawful way if certain safeguards were in place.
In a recently published Q&A regarding its Google Analytics decision, the French authority Commission nationale de l’informatique et des libertés specified that no safeguard could be deemed satisfactory since all the data collected by the Google service is hosted on US soil.
“Under the accountability principle, both Google and the EU data controller using Google Analytics might and should adopt additional safeguards to make the data transfer lawful. To date, the measures proposed by Google Analytics are considered inadequate,” Malgieri added.
“Google Analytics helps publishers understand how well their sites and apps are working for their visitors – but not by identifying individuals or tracking them across the web. These organisations, not Google, control what data is collected with these tools, and how it is used. Google helps by providing a range of safeguards, controls and resources for compliance,” a Google spokesperson told EURACTIV.
The authority gave the data processor in question 90 days to bring its website in line with the EU data protection rules. For the Garante, that means basically stopping the use of Google Analytics altogether, since no safeguards can be put in place to prevent the US intelligence services to access personal data coming from the EU.
All website managers are to be similarly warned by the watchdog, who stressed that they will have to reassess the use of Google Analytics or similar tools that illegally transfer personal data to the United States.
https://www.euractiv.com/section/data-pr...analytics/
Published: June 23, 2022
The Italian privacy watchdog joined its peers from Austria and France in banning Google’s service for unlawfully transferring data to the United States.
Italy’s privacy guarantor, Garante, issued a decision on Thursday (23 June) stating that websites using the web analytics service provided by Google without the necessary safeguards violate the General Data Protection Regulation (GDPR), the EU’s data protection law.
The decision is the last in a row against Google Analytics, which data protection authorities accuse of illegally transferring data to the United States, a country that is considered not to have an adequate level of data protection since the landmark Schrems II ruling of the EU Court of Justice in July 2020.
The privacy activist Max Schrems, who gave the name to the lawsuit, filed together with his NGO, NOYB, tens of complaints across EU countries against Google Analytics. The first decision that followed was from the Austrian authority, thereafter by the French one.
In a statement, the authority said that the decision was the result of a complex investigation based on a series of complaints and in coordination with other European privacy watchdogs.
The probe found that the analytical tool collects several types of user data, including the type of web browser, operation system, language, date, time, screen resolution and, perhaps most importantly, the Internet Protocol (IP) address, a number that is unique for every device.
IP addresses are considered personal data, as it can be traced back to a specific person. For the Garante, the fact that the IP address was transferred to the United States in a partial way does not constitute in itself anonymisation, since Google is able to combine it with other data, for instance, the email address.
“The Italian DPA has clarified that Google Analytics does not use anonymous data. What Google calls “IP-Anonymization” is actually mere pseudonymization, because the deletion of part of the IP address does not prevent Google from re-identifying that user, taking into account the information it holds on web users as a whole,” explained Gianclaudio Malgieri, an associate professor of law & technology at the EDHEC Business School.
The Italian authority is not the only one that put to rest any hope that the analytics tool could be used in a lawful way if certain safeguards were in place.
In a recently published Q&A regarding its Google Analytics decision, the French authority Commission nationale de l’informatique et des libertés specified that no safeguard could be deemed satisfactory since all the data collected by the Google service is hosted on US soil.
“Under the accountability principle, both Google and the EU data controller using Google Analytics might and should adopt additional safeguards to make the data transfer lawful. To date, the measures proposed by Google Analytics are considered inadequate,” Malgieri added.
“Google Analytics helps publishers understand how well their sites and apps are working for their visitors – but not by identifying individuals or tracking them across the web. These organisations, not Google, control what data is collected with these tools, and how it is used. Google helps by providing a range of safeguards, controls and resources for compliance,” a Google spokesperson told EURACTIV.
The authority gave the data processor in question 90 days to bring its website in line with the EU data protection rules. For the Garante, that means basically stopping the use of Google Analytics altogether, since no safeguards can be put in place to prevent the US intelligence services to access personal data coming from the EU.
All website managers are to be similarly warned by the watchdog, who stressed that they will have to reassess the use of Google Analytics or similar tools that illegally transfer personal data to the United States.
https://www.euractiv.com/section/data-pr...analytics/