The use of Google Analytics violates the GDPR: what now?

With the provision of June 9, 2022, the Italian DPA affirmed that the use of Google Analytics violates the GDPR because it entails the transfer of data to the United States of America, a country that lacks an adequate level of protection for users' data.

The situation concerned the use of Google Analytics by an Italian company for statistical purposes to obtain aggregated information on the users’ activity on its website. Through Analytics, in fact, the owner of a website can obtain detailed statistical reports on the users’ activity in order to optimize the services offered and to monitor marketing campaigns.

The Italian DPA, in the case examined, ascertained that, through the use of Google's analytical cookies, users' personal data was collected, such as the IP address of the device used by the user and information relating to the browser, the operating system, the display resolution, the selected language and the time and day of the website visit.

Following the investigation, the DPA concluded that the Google Analytics service entails the transfer from Europe to the United States of data that make it possible to identify the visitors of the website using Analytics. Therefore, on the basis of the same reasons already expressed by the European Court of Justice on July 16, 2020 (the so-called Schrems II judgment), the DPA affirmed that the Analytics tool does not comply with the GDPR.

The decision of the Italian DPA involves thousands of Italian companies using this tool and, to this day, it is not clear which measures must be taken to bring websites into compliance with the conclusions of the DPA.

Google itself, with the announcement of June 23, 2022, replied to the decision of the Italian DPA highlighting that the purpose of Analytics is exclusively to help website owners to understand how users interact with their website and that “it is not allowed to upload information that could be used by Google to identify a person”. Moreover, Google highlighted that “the use of Google Analytics is at the complete discretion of the organizations that have a website or an app. It is they, not Google, who establish what data to collect and how to collect them”. Moreover, as stated in the announcement, the users of Google Analytics are provided with several tools to manage data, including the possibility to “Enable the IP anonymization (or IP masking) on their website to allow the whole IP address to never be processed or registered”.

The Italian DPA, however, expressed strong doubts even about the IP anonymization feature offered by Google, which had in fact been activated by the company cautioned in the provision in question. In the opinion of the Italian DPA, "IP Anonymization" obscures only the last part of the IP address, but it does not prevent Google from re-identifying the user by combining all the pieces of information collected with other information already in Google's possession (such as that of the Google Account). Therefore, the data would be only pseudonymized and not anonymous.
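
The DPA's point about partial IP masking can be reproduced on constructed data. The following is an added example, not part of the original article and not Google's code; it assumes the masking rule described in Google's public documentation (last IPv4 octet, or last 80 bits of an IPv6 address, set to zero), and the sample hits, field names and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

def mask_ip(addr: str) -> str:
    """Assumed masking rule: zero the last IPv4 octet or the last 80 IPv6 bits."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

# Constructed sample hits carrying the fields listed by the DPA
# (documentation-range addresses, hypothetical field names).
HITS = [
    {"ip": "203.0.113.17", "browser": "Firefox", "os": "Linux", "screen": "1920x1080", "lang": "it-IT"},
    {"ip": "203.0.113.42", "browser": "Chrome", "os": "Windows", "screen": "1920x1080", "lang": "it-IT"},
    {"ip": "203.0.113.99", "browser": "Chrome", "os": "Windows", "screen": "1920x1080", "lang": "it-IT"},
    {"ip": "203.0.113.200", "browser": "Safari", "os": "macOS", "screen": "2560x1440", "lang": "en-GB"},
    {"ip": "2001:db8:1234:5678::1", "browser": "Chrome", "os": "Android", "screen": "412x915", "lang": "it-IT"},
]

def quasi_identifier(hit: dict) -> tuple:
    """Everything that remains in a hit after the IP has been masked."""
    return (mask_ip(hit["ip"]), hit["browser"], hit["os"], hit["screen"], hit["lang"])

def anonymity_sets(hits, key) -> Counter:
    """Number of hits that share each key value."""
    return Counter(key(h) for h in hits)

def singled_out(hits) -> list:
    """Hits whose masked IP plus browser data match no other hit."""
    sets = anonymity_sets(hits, quasi_identifier)
    return [h for h in hits if sets[quasi_identifier(h)] == 1]

if __name__ == "__main__":
    by_ip = anonymity_sets(HITS, lambda h: mask_ip(h["ip"]))
    print("group sizes by masked IP only:", dict(by_ip))
    print("hits still unique after masking:", [h["ip"] for h in singled_out(HITS)])
```

In this constructed set, masking places four visitors in the same /24 group, yet three of the five hits remain distinguishable once the browser fields are taken into account.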

Therefore, it is difficult to find a valid alternative to the censured version of Google Analytics.

As of now, Google Analytics 4 is attracting a lot of attention precisely because it does not store IP addresses: it uses them only to determine the location of the users, without saving them on the server. Because Analytics 4 enables the anonymization feature by default, according to some it could be GDPR compliant.

Nevertheless, even this setting could prove to be insufficient on the basis of the considerations already expressed by the Italian DPA on the IP-anonymization feature.

In any case, Analytics 4 has not yet been examined by the Italian DPA and it is not possible to anticipate its conclusions. Two months from now, the company cautioned by the DPA will have to communicate which activities it has undertaken to implement the provision in question and, perhaps, on that occasion it will also be possible to shed light on the use of Analytics 4.

Some hope comes from the CNIL, the French DPA, which seems to have suggested as a possible solution the use of Analytics 4 with the addition of a proxy server (provision of June 7, 2022).

What can be stated for sure is the urgent need for a new agreement between the US and the EU that could replace the Privacy Shield. In the absence of precise indications from the European institutions, operators will struggle to find technical and legal solutions compliant with the GDPR.

Ilaria Feriti