The Italian privacy authority, the Garante, deemed that the use of Google Analytics results in unlawful transfers of personal data to the United States in violation of the principles outlined in the Schrems II ruling.
In Order No. 224 of June 9, 2022, the Italian data protection authority found that the transfers of personal data to the United States carried out by an Italian website through its use of Google Analytics violate the GDPR.
Aligning with positions already expressed by privacy regulators in Austria and France, the Garante has taken a clear stance on the compliance of data transfers to the United States made through Google Analytics, ordering the website provider to suspend its use if it does not comply with the Garante’s requests.
The decision follows a complaint filed with the Garante by an individual represented by NOYB, the association headed by privacy activist Max Schrems, against both the website provider (in its role as data exporter) and Google LLC (in its role as data importer). The complaint alleged that both parties violated Articles 44 et seq. of the GDPR, read in light of the Schrems II ruling (CJEU Decision C-311/18), by transferring the complainant's personal data to Google LLC in the United States of America.
The disputed facts
The main point at issue is that Google LLC qualifies as an “electronic communications service provider” under 50 U.S. Code § 1881(b)(4). That status brings the company within the reach of U.S. intelligence surveillance powers, so U.S. authorities can order Google to provide access to the data of European users who browse the website.
Following a thorough investigation and analysis of the defence briefs produced by the company, the Garante, in its order, found that:
- processing of personal data took place through Google Analytics, because the data collected by Google makes it possible to identify the user, in particular:
- unique online identifiers that allow the identification both of the browser or device of the user visiting the website and of the website operator itself (through the Google Account ID);
- page address, website name and browsing data;
- the IP address of the device used by the user;
- information about the browser, operating system, screen resolution, selected language, and date and time of the website visit;
- the company was using the free version of Google Analytics and had not implemented the IP-Anonymization feature;
- Google LLC qualifies as the importer of the data, and the data transfer was put in place through the Standard Contractual Clauses (2010 version);
- the company had deemed the measures taken concerning Google Analytics “relevant and effective in relation to the nature of the data and the context in which it was collected” as well as the level of risk of the transfer.
The key points of the Garante’s decision on Google Analytics
The decision offers interesting insights into the Garante’s approach to transfers of personal data outside the European Economic Area via Google Analytics, but the same principles apply to any other transfer as well. In particular, in the findings that led to the decision the authority points out that:
- where an IP address makes it possible to identify an electronic communication device, it constitutes personal data. In the case of Google Analytics the likelihood of identifying the user is higher still, because if the website visitor is signed in to his or her Google account – as was the case here – the data listed above can be linked to other information in that account, such as email address, telephone number and any additional personal data including gender, date of birth or profile picture;
- the old Standard Contractual Clauses are insufficient, particularly for data transfers to the United States, while the new SCCs have not been addressed in this case, as the decision relates to events before their adoption;
- the supplementary measures taken by Google to bring the data transfer into compliance with the GDPR were deemed insufficient: additional measures can only be considered effective if they address the specific deficiencies identified in the assessment of the situation in the third country, i.e., the access and surveillance capabilities of U.S. intelligence services;
- encryption (both in transit and at rest) is not an appropriate measure if the recipient holds the decryption key, since it may be required to hand over the key to foreign authorities along with the data;
- the “IP-Anonymization” function amounts to pseudonymization rather than anonymization of the user’s network address: truncating the last octet does not prevent Google LLC from re-identifying that user, given the overall information it holds about web users; and
- contractual and organizational measures alone are generally unable to bind third country authorities but must be supplemented with other measures.
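The findings above turn on three technical points: the hit sent to Google Analytics carries the IP address together with browser, operating system, screen resolution and language; “IP-Anonymization” only zeroes the last octet; and a signed-in visitor can be linked to the other data Google already holds. The following Python example, added here and not taken from the decision or from Google’s own code, shows why octet truncation is pseudonymization rather than anonymization. The zeroing of the last IPv4 octet follows Google’s published description of the feature; the IPv6 rule (zeroing the last 80 bits) is taken from the same documentation and is treated as an assumption here. The “known users” table and the analytics hit are constructed sample data standing in for information a large provider could already hold.

```python
"""Why truncating the last IPv4 octet does not anonymize a web visitor.

Added example, not code from the Garante decision or from Google.  Sample data
below is constructed.  IPv4 behaviour (zero last octet) follows Google's
description of IP-Anonymization; the IPv6 rule (zero last 80 bits) is an
assumption taken from the same documentation.
"""
import ipaddress
from dataclasses import dataclass


def truncate_ip(ip_str: str) -> str:
    """Apply the 'IP-Anonymization' transform: zero the low 8 bits (IPv4) or
    the low 80 bits (IPv6, assumed) of the address."""
    ip = ipaddress.ip_address(ip_str)
    mask_bits = 8 if ip.version == 4 else 80
    return str(ipaddress.ip_address(int(ip) & ~((1 << mask_bits) - 1)))


def candidates_after_truncation(ip_str: str) -> int:
    """How many original addresses collapse onto one truncated value.
    For IPv4 this is only 256: the transform removes 8 bits of information."""
    ip = ipaddress.ip_address(ip_str)
    return 1 << (8 if ip.version == 4 else 80)


@dataclass(frozen=True)
class Fingerprint:
    """Per-hit attributes the decision lists as collected alongside the IP."""
    browser: str
    os: str
    screen: str
    lang: str


@dataclass(frozen=True)
class KnownUser:
    """Constructed stand-in for what the importer already holds about a user:
    a Google Account ID, a full IP seen on a signed-in session, and the same
    browser/device attributes."""
    account_id: str
    ip: str
    fp: Fingerprint


@dataclass(frozen=True)
class AnalyticsHit:
    """What the website's tag sends with IP-Anonymization switched on."""
    truncated_ip: str
    fp: Fingerprint


# Constructed sample data (documentation-range addresses, fictitious accounts).
KNOWN_USERS = [
    KnownUser("acct-1", "203.0.113.17", Fingerprint("Chrome 102", "Windows 10", "1920x1080", "it-IT")),
    KnownUser("acct-2", "203.0.113.88", Fingerprint("Firefox 101", "Ubuntu 22.04", "2560x1440", "it-IT")),
    KnownUser("acct-3", "203.0.113.201", Fingerprint("Safari 15", "macOS 12", "2560x1600", "en-US")),
    KnownUser("acct-4", "198.51.100.5", Fingerprint("Chrome 102", "Windows 10", "1920x1080", "it-IT")),
]


def link_hit(hit: AnalyticsHit, known: list) -> tuple:
    """Re-identification as a two-stage join.

    Stage 1 keeps every known user whose full IP truncates to the hit's
    truncated IP (the /24 the transform leaves intact).  Stage 2 narrows that
    set with the browser/OS/screen/language attributes sent in the same hit.
    Returns (account IDs after stage 1, account IDs after stage 2)."""
    by_subnet = [u for u in known if truncate_ip(u.ip) == hit.truncated_ip]
    by_fingerprint = [u for u in by_subnet if u.fp == hit.fp]
    return ([u.account_id for u in by_subnet],
            [u.account_id for u in by_fingerprint])


if __name__ == "__main__":
    hit = AnalyticsHit(truncate_ip("203.0.113.17"),
                       Fingerprint("Chrome 102", "Windows 10", "1920x1080", "it-IT"))
    subnet_matches, exact = link_hit(hit, KNOWN_USERS)
    print("truncated IP:", hit.truncated_ip,
          "candidates in subnet:", candidates_after_truncation("203.0.113.17"))
    print("known users in that subnet:", subnet_matches)
    print("after joining on fingerprint:", exact)
```

The point the join makes is the one the Garante draws: the truncated address on its own still narrows a visitor to a /24 that contains at most 256 hosts, and the attributes sent in the same hit (here an exact match on four fields; a real matcher would tolerate partial matches and use timestamps too) are enough to pick out a single account among the users the importer has already seen from that subnet. Only a party without the “known users” side of the join gains anything from the truncation, which is what makes it a pseudonymization in the importer’s hands.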
In addition, the Garante censured the privacy notice on the processing of personal data, which the company had generated with an automated online service, because it did not clearly set out the elements required by Article 13(1)(f) of the GDPR concerning the transfer.
The decision from the Garante on unlawful transfers through Google Analytics
The Italian data protection authority declared the processing carried out by the company through Google Analytics unlawful. However, in determining the applicable sanction it took into account a number of mitigating factors, such as:
- the asymmetry of bargaining power resulting from the primary market position assumed by Google in the field of web analytics services;
- the steps taken by the data controller to remedy the situation; and
- the absence of special categories of personal data and the merely negligent nature of the conduct.
Therefore, the Garante opted for a warning and urged the company to implement within 90 days appropriate measures to secure the transfers or alternatively suspend them.
Potential impacts for website operators
The Garante’s decision affects not only the website in dispute but potentially every website that uses Google Analytics or similar technologies involving transfers outside the European Economic Area to countries not deemed to provide adequate protection.
In a press release, the Garante specifically drew the attention of all website operators, public and private, to the illegality of transfers to the United States through Google Analytics, noting the numerous reports and queries it had received on the issue, and invited all data controllers to verify that the cookies and other tracking tools used on their websites are compliant.
Several European alternatives to Google Analytics are already available on the market today. But switching from Analytics to other technologies, besides being operationally burdensome, is not the only relevant issue.
It is difficult to imagine that all European websites can suddenly stop using Google Analytics. However, it is also hard to justify how, almost two years after the Schrems II ruling, several companies still have not adopted solutions to map their data transfers and conduct transfer impact assessments, as recommended by the EDPB and emphasized by the Garante in light of the Schrems II ruling. There is a mistaken impression that implementing the new standard contractual clauses is sufficient to legitimize a data transfer, but this is not the case.
However, we believe that the Garante – like the Austrian and French privacy authorities before it – has not adequately weighed the need to analyze the actual risk that foreign authorities will access the data and the possible harm to individuals resulting from such access.
Such a concrete risk analysis is expressly provided for in the new Standard Contractual Clauses. Still, it can only emerge from a detailed assessment of the data transfer, such as the one that can be carried out with the legal tech tool “Transfer” and the related methodology developed by DLA Piper.