Google Analytics has fallen afoul of another EU regulator

24 Jun 2022

Image: © Aleksei/Stock.adobe.com

The Italian data watchdog has joined its counterparts in France and Austria in claiming the use of Google Analytics breaches GDPR.

The Italian data protection authority has issued a warning to websites using Google Analytics, stating that use of the service without safeguards violates EU data protection laws due to data being transferred to the US.

The Italian watchdog has reprimanded a website operator for its use of Google Analytics and ordered the operator to be in compliance with GDPR in 90 days. It said additional decisions will follow.

This is the latest in a line of challenges regarding the use of the analytics tool in the EU.

In February, France’s privacy regulator ordered a French website manager to stop using Google Analytics under certain conditions. The previous month, the Austrian data protection authority found that the use of Google Analytics by an Austrian website did not comply with EU data protection law.

Google Analytics is a tool designed to monitor website traffic. It can be used to generate reports on visitor numbers, browser parameters and which device visitors are using. It does this by placing a cookie – a small piece of code – on the user’s device, which assigns a unique identification number.

Italy’s data protection authority said it came to its decision after an investigation in coordination with other EU data protection authorities, following a number of complaints.

It found that website operators using Google Analytics collected many types of user data, such as the visitor’s IP address, browser, operating system, screen resolution, selected language and the time the page was viewed. This data was then transferred to the US.

According to the Schrems II ruling in July 2020, transfers of personal data from the EU to the US can only take place if there is a sufficient level of protection. In the latest case, the Italian regulator said US-based government and intelligence agencies may access the personal data being transferred without the required safeguards.

The Italian data protection authority called on all controllers to verify that the use of cookies and other tracking tools on their websites are compliant with data protection laws. It said it wished to draw the attention of all Italian website operators, both public and private, to the unlawfulness of data transfers to the US from the use of Google Analytics.

In January, the European Parliament was reprimanded by an EU privacy watchdog for violating GDPR on its internal Covid-19 testing website through the transfer of data to the US via cookies from Google Analytics and Stripe. This was one of the first decisions implementing the Schrems II ruling, possibly setting a precedent for EU-US data transfer cases.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com