The Italian Data Protection Authority by Order No. 224/2022, declared the unlawfulness of the processing of personal data of users of a website carried out by the data controller through the use of Google Analytics, in violation of the legislation on the transfer of personal data outside the European Economic Area (to USA).
Google Analytics: privacy and USA
WHAT IS GOOGLE ANALYTICS?
Google Analytics is a web analytics tool provided by Google, which allows website operators to analyze detailed statistics about users in order to optimize their services and monitor their marketing campaigns. In the present case, the company admonished by the Italian Data Protection Authority by using Google Analytics was collecting information regarding users' interaction with the site through cookies, and in particular, collecting certain data including the IP address of the device used by the user. This information constitutes personal data insofar as it allows the identification of an electronic communication device and therefore the data subject as a user.
THE ILLEGITIMATE USE OF GOOGLE ANALYTICS
- The Italian Data Protection Authority on June 23, 2022 declared that the website using Google Analytics without the safeguards provided by the EU Regulation, violated the data protection legislation, since it transferred such data to the United States, that do not ensure an adequate level of protection.
- The transfer of personal data to the U.S., which was previously governed by the legal regime of the so-called Privacy Shield declared invalid by the Court of Justice of the European Union in July 2020 in the Schrems II ruling, currently has to be guaranteed through special instruments.
- Therefore, the transfer of data to the U.S. should not be considered prohibited in advance: it would be necessary to understand whether there is a modality to use Google Analytics that complies with data protection regulations.
THE ORDER OF THE ITALIAN DATA PROTECTION AUTHORITY
In Order No. 224/2022, the Italian Data Protection Authority warned the company to comply with the GDPR within 90 days, in order to allow the website operator to take additional appropriate measures for the transfer to the U.S., including through the use of Google Analytics.
Following the Italian Data Protection Authority's Order, Italian website operators will have to conduct an audit regarding the modality of use of Google Analytics and similar services in compliance with the data protection regulation. While waiting for a possible agreement between the European Union and the U.S. on the transfer of personal data, we suggest exploring other similar tools.