Italy's data watchdog is the latest to rule against Google Analytics data transfers

According to Italy's data protection authority, the Garante, a local online publisher's use of Google Analytics violated EU data protection rules because user data was transmitted to the United States, a country whose law, in the regulator's assessment, offers no equivalent safeguards against access to that data by US intelligence agencies.

Through Google Analytics, the web publisher collected a wide range of user data, including IP address, browser information, operating system (OS), screen resolution and language selection. That data was then transferred to the United States without adequate supplementary measures to raise the level of protection to that required by EU law, according to the Garante's findings.

The decision follows earlier findings by other EU DPAs that Google Analytics' data exports conflict with the bloc's data protection rules, and concludes that the supplementary measures Google had put in place were not sufficient.

The publisher in question, Caffeina Media Srl, has been given 90 days by Italy's DPA to bring its processing into compliance. According to a press release [translated from Italian using machine translation], the decision has broader significance, since the Garante also cautioned other local websites that use Google Analytics to take heed and examine their own compliance.

“[T]he Authority draws the attention of all Italian managers of websites, public and private, to the illegality of transfers made to the United States through GA [Google Analytics], also in consideration of the numerous reports and questions that are being received by the Office, and invites all data controllers to verify the compliance of the methods of use of cookies and other tracking tools used on its websites, with particular attention to Google Analytics and other similar services, with the legislation on the protection of personal data.”

France's data protection authority published revised guidance earlier this month on the use of Google Analytics, after finding fault with a local website's use of the tool earlier this year.

According to guidance issued in March by the CNIL, France's data protection watchdog, site owners in the EU who want to use Google's analytics tool lawfully will need additional encryption or a proxy server that avoids any direct contact between the user's device and Google's servers.
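To make the proxy approach concrete, the following is an added example, not code from the page, from the CNIL or from Google: a minimal server-side transformation that a first-party proxy could apply to an incoming Google Analytics hit before forwarding it, so that the collector only ever sees the proxy's connection. It assumes the classic Measurement Protocol parameter names (`cid`, `uip`, `dr`, `dl`), a hypothetical server-side secret `PROXY_SECRET`, and a constructed sample hit; the actual forwarding request is left to the deploying site so the example runs offline.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical server-side secret for the proxy (assumption for this example).
# In production load it from a secrets store; it must never reach the browser.
PROXY_SECRET = b"replace-with-a-random-32-byte-secret"

# Measurement Protocol parameters the proxy must not forward as received:
# the client's IP override (uip), the external referrer (dr), the raw user
# agent (ua) and any geo override. Assumed names; check them against the
# collector you actually proxy to.
DROP_PARAMS = {"uip", "dr", "ua", "geoid"}

# Query-string keys on the visited page URL that commonly carry
# user-specific tokens and so should not leave the proxy.
STRIP_URL_KEYS = {"utm_content", "gclid", "fbclid", "session", "token"}


def pseudonymize_client_id(cid: str) -> str:
    """Replace the cookie-derived client id with a keyed hash.

    HMAC with a secret that never leaves the proxy gives the collector a
    stable per-visitor identifier while making the original cookie value
    unrecoverable on the receiving side.
    """
    return hmac.new(PROXY_SECRET, cid.encode(), hashlib.sha256).hexdigest()[:32]


def strip_page_url(url: str) -> str:
    """Keep scheme, host and path of the visited page and drop query
    parameters that could identify the user, plus any fragment."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in STRIP_URL_KEYS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def sanitize_hit(raw_query: str) -> dict:
    """Turn the query string the browser sent to the first-party proxy into
    the parameters the proxy forwards.

    The client's real IP address is never in the result: the proxy, not the
    browser, opens the connection to the collector, and no `uip` override is
    set, so the collector only sees the proxy's address. Screen resolution
    (sr) and language (ul) are passed through here; they remain a
    fingerprinting surface and a stricter deployment would coarsen or drop them.
    """
    params = dict(parse_qsl(raw_query, keep_blank_values=True))
    out = {}
    for key, value in params.items():
        if key in DROP_PARAMS:
            continue
        if key == "cid":
            out[key] = pseudonymize_client_id(value)
        elif key == "dl":
            out[key] = strip_page_url(value)
        else:
            out[key] = value
    return out


def build_outbound_request(raw_query: str,
                           collector: str = "https://www.google-analytics.com/collect"):
    """Return the URL and headers the proxy would use for its own server-side
    request. No client headers (Cookie, Referer, X-Forwarded-For) are copied."""
    body = urlencode(sanitize_hit(raw_query))
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"{collector}?{body}", headers


# Constructed sample hit, as a browser would send it to the first-party proxy
# (placeholder property id; the gclid and referrer query are invented).
SAMPLE_HIT = (
    "v=1&tid=UA-000000-1&t=pageview&cid=555.1234567890"
    "&dl=https%3A%2F%2Fexample.test%2Farticle%3Fid%3D42%26gclid%3Dabc123"
    "&dr=https%3A%2F%2Fsearch.example%2F%3Fq%3Dsecret+query"
    "&uip=203.0.113.7&sr=1920x1080&ul=it-it"
)

if __name__ == "__main__":
    url, headers = build_outbound_request(SAMPLE_HIT)
    print(url)
```

The point of the keyed hash rather than a plain SHA-256 of the client id is that an unkeyed hash of a low-entropy cookie value can be brute-forced back; with the secret held only on the proxy, the forwarded identifier is pseudonymous from the collector's point of view. Whether such a proxy is sufficient under the CNIL's guidance is a legal question for the site's own assessment; the code only shows the mechanics.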

In January, Austria’s DPA upheld a similar complaint over a website’s usage of Google Analytics.

At the beginning of the year, the European Parliament was in hot water over the same fundamental problem.

In August 2020, the European privacy campaign group noyb filed a series of strategic complaints targeting 101 websites operated by EU-based companies that it had identified as sending data to the US via Google Analytics and/or Facebook Connect integrations.

The complaints followed a landmark July 2020 ruling by the EU's top court, the CJEU, which invalidated the EU-US data transfer agreement known as Privacy Shield and made clear that DPAs have a duty to step in and suspend data flows to third countries where they suspect EU citizens' data is at risk.

That ruling, known as "Schrems II", originated in a complaint by noyb founder and long-time European privacy advocate Max Schrems against Facebook's EU-US data transfers, citing the surveillance practices exposed by NSA whistleblower Edward Snowden; the case reached the CJEU via judicial referral. (An earlier Schrems case led the court to strike down the previous EU-US data transfer agreement, Safe Harbor, in 2015.)

In March, the EU and the US announced an agreement in principle on a replacement for Privacy Shield, which they said would be in place by the end of the year.

Before it can take effect, EU institutions must assess and approve the proposed mechanism and adopt the legal instruments that make up the transfer framework. Until then, EU customers' use of cloud services hosted in the United States remains fraught with legal uncertainty.

Even if a new agreement is finalised by the end of the year, EU customers of Google Analytics cannot rely on it until then.

Nor is it guaranteed that any agreed replacement would be robust enough to survive the inevitable legal challenges, given the continuing conflict between US surveillance law and EU privacy law.

Absent a major overhaul of current laws, which neither side looks inclined to offer, a simple legal patch for this fundamental mismatch of rights and objectives looks like a high bar to clear.

As a result, many US cloud providers have begun offering software-level measures that give European customers more control over where their data flows, in an attempt to work around the legal risk attached to transfers.