Italian websites that use Google Analytics to map visitor behaviour violate European privacy legislation. They transfer user data to the US, a country that currently does not offer an adequate level of data protection. Companies have 90 days to adapt the transfer of personal data to the European standard.
The Garante per la Protezione dei Dati Personali (GPDP) announced this in a press release.
GPDP: ‘US does not offer an adequate level of protection of personal data’
The Italian regulator says that website operators who use Google Analytics collect information via cookies about how visitors behave on and interact with their sites. They know, among other things, which pages visitors view, how much time they spend there and which searches they perform. Google’s statistics program also allows operators to collect information about the device visitors surf with, the web browser and the operating system they use, the screen resolution, language settings, and date and time.
All this data is forwarded to servers in the US. The processing of this data is unlawful, according to the GPDP. The General Data Protection Regulation (GDPR) considers IP addresses to be personal data that can be traced back to individuals. To make matters worse, IP addresses are not anonymized by default. Even if they were, Google can enrich this data with additional information that the tech company has.
The fact that the American government and intelligence services have access to the personal data transmitted via Google Analytics was also a thorn in the side of the Italian regulator. The country thus offers “no adequate level of protection” for personal data.
Italian regulator gives companies 90 days to comply with GDPR
For the above reasons, an Italian website owner has been reprimanded by the regulator. The company in question has been given 90 days to bring its processing of personal data into line with European privacy legislation. Should the company fail to do so, it must suspend all data flows resulting from the use of Google Analytics. The only alternative that remains is to use a GDPR-friendly statistics and analysis program.
After the 90-day period has elapsed, the GPDP will conduct random, ad hoc inspections to verify that the data collection and transfer comply with the GDPR.
More national regulators condemn the use of Google Analytics
More and more privacy watchdogs in Europe are coming to the same conclusion as the GPDP. The Datenschutzbehörde (DSB) was the first to declare that the use of Google Analytics is in violation of European privacy legislation. The Austrian regulator ruled that Google’s analysis software continuously collects IP addresses and cookie data from internet users and stores them on servers in the US.
The Norwegian regulator EDPS drew a similar conclusion not much later. The privacy watchdog pointed out that Google Analytics collects IP addresses that can be traced back to individual users. It is possible to mask IP addresses, but that does not solve the problem, according to the regulator. That’s because Google Analytics also collects cookie data. This makes it possible to link user data to users if they are logged in to their Google account. This is in violation of European privacy legislation and is therefore illegal.
The Commission Nationale de l’Informatique et des Libertés (CNIL) also has difficulties with the way in which data from website visitors is sent to the US and processed there. “Although Google has put in place several measures to regulate data transmission to other countries, they are not sufficient to protect access by US intelligence services,” the French regulator said.
At the end of May, the Dutch Data Protection Authority completed its investigation into Google Analytics. The findings are currently with the Enforcement Department, which determines whether Google will actually be fined. In the course of the year, the regulator will present its conclusions.