
Italy Bans Google Analytics Over Improper EU-US Data Transfers

Google Analytics, the world’s most widely used web tool for monitoring website visitor activity and traffic for marketing purposes, is no longer welcome in Italy. The country’s data protection authority (DPA) has ruled that the service’s data transfers to servers in the United States run afoul of the General Data Protection Regulation (GDPR), specifically the stricter requirements for international transfers of personal data established by the 2020 Schrems II ruling.

The decision follows months of murmurs that Google Analytics might be in serious trouble in the EU because it does not sufficiently anonymize the data it “phones home” to Google’s US servers. This is the conclusion the Italian DPA reached, finding that Google does not anonymize the IP addresses of website visitors thoroughly enough to guarantee they cannot be identified when combined with other information the company collects.

EU-US data transfers continue to be a thorn in big tech’s side

Google Analytics is in something of a unique situation in terms of compliance with GDPR rules for international data transfers. The service allows webmasters to view how individual users interact with their sites in a variety of ways, but in a manner that does not reveal the identity of the visitor.

The way in which it functions would likely be sufficient for any other stand-alone operator of a similar analytics service. Not so much for Google, thanks to its internet-spanning system of data harvesting via its advertising networks, apps and cloud services. The argument for GDPR violation hinges on the fact that the user’s IP address remains sufficiently visible to Google internally, such that it can be paired with Google’s trove of user data to identify the end user should the company so desire.

The Schrems II decision found that the US was not an adequate partner for data transfers due to laws on the books that allow for surveillance of the internet traffic of foreign nationals, and due to clandestine spying programs revealed by the Edward Snowden leaks nearly a decade ago. The US is essentially stuck in this state until it passes a federal-level data privacy law with terms comparable to those of the GDPR or comes up with a replacement for the prior “Privacy Shield” agreement that will survive an inevitable court challenge.

Just such a replacement has been in the works and seen significant development in recent months, but Andrew Barratt (Vice President at Coalfire) sees this ruling as potentially undermining the entire thing: “This decision by the Italian DPA seems to be mostly in contravention to the new Trans-Atlantic Data Privacy Framework, which was intended to underpin adequacy for data transfer between EU countries and the US. This move could potentially jeopardize years of negotiation with the USA and the EU. It’s also not clear how the data they are referring to immediately impinges on the rights and freedoms of specific citizens. There is some clear anti-US rhetoric from the Italian DPA – which may have further diplomatic consequences or lead Google to move operations and capabilities to other countries with more favorable intelligence sharing relationships such as the Five Eyes nations. The complaint seems to be largely targeted at someone’s misuse of Google Analytics and not directly at Google themselves. It’s plausible this could have been a management oversight by Caffeina Media that has been punitively responded to and Google’s name thrown into the mix purely as the technology in question.”

The ruling from the Italian DPA stems from a case involving a specific website called “Caffeina Media SRL,” which was given 90 days to cease use of Google Analytics. This effectively puts all websites in Italy on the same notice. The court said that Italian authorities would begin conducting “ad hoc” inspections of the country’s websites for compliance at the end of the 90-day window. This follows a similar ruling from France’s DPA in June, which gave websites in that country one month to discontinue using the service.

Potential for Google Analytics to make needed adjustments, but impacted websites will likely have to switch analytics tools

Aside from the fact that Google stockpiles data via its broad variety of services, the Italian DPA’s decision was centered on how Google Analytics handles the IP addresses of website visitors. To be compliant with the GDPR rules for data transfers, these IP addresses would have to be fully anonymized. By default Google only masks the final octet of the address, which the DPA classed as “pseudonymization” rather than anonymization: not good enough to guarantee that Google itself cannot internally identify the individual user.

If it were to implement a means of encrypting this data that demonstrably takes the “master key” out of its own hands, Google might keep the service in the good graces of EU data privacy law. Until then, individual website operators can be held responsible for violations as “data exporters” knowingly using a service that engages in inappropriate data transfers. Google had previously attempted to argue that it offers non-default optional settings that allow webmasters to enable a greater amount of anonymization in Analytics, but the Austrian DPA shot that argument down earlier this year as part of a Schrems-related complaint.
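To make the pseudonymization point from the previous two paragraphs concrete, here is an added example; it is not code from the article, the Italian DPA or Google. It zeroes the final IPv4 octet as the article describes, then shows why that is a join key rather than anonymization: a party that also holds full-IP records with identities (here a constructed set of sign-in events) can relink masked hits by /24 prefix and time proximity. For contrast, it derives a keyed HMAC pseudonym under a key that stays with the site operator, as one way to read the article's "master key out of Google's hands" idea. All records, names, the five-minute window and the key are constructed assumptions, and whether any such scheme would satisfy a DPA is a legal question the article leaves open.

```python
"""Last-octet masking vs. an operator-keyed pseudonym (added example; all data constructed)."""
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta


def mask_last_octet(ip: str) -> str:
    """Zero the final octet of an IPv4 address, the default masking the article describes."""
    addr = ipaddress.IPv4Address(ip)
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))


def candidates_after_masking() -> int:
    """A /24 prefix survives masking, so only 2**8 = 256 addresses remain possible."""
    return 2 ** 8


def keyed_pseudonym(ip: str, operator_key: bytes) -> str:
    """HMAC-SHA256 of the full IP under a key the site operator holds and never sends upstream.

    Without the key the upstream provider can neither recompute nor invert the token,
    and the token carries no network prefix to join on. (Illustration only; whether this
    meets any regulator's bar is not something the article settles.)
    """
    return hmac.new(operator_key, ip.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed: what the site operator's own server sees before anything is exported.
RAW_HITS = [
    {"id": 1, "ts": "2022-06-23T09:00:10", "ip": "203.0.113.77", "page": "/pricing"},
    {"id": 2, "ts": "2022-06-23T09:01:40", "ip": "203.0.113.77", "page": "/checkout"},
    {"id": 3, "ts": "2022-06-23T11:30:00", "ip": "198.51.100.12", "page": "/"},
]

# Constructed: a second dataset the analytics provider already holds from its other
# services, with full IPs and account identities (the "trove" the article refers to).
ACCOUNT_LOGINS = [
    {"ts": "2022-06-23T08:59:30", "ip": "203.0.113.77", "account": "alice@example.com"},
    {"ts": "2022-06-23T09:00:45", "ip": "203.0.113.77", "account": "alice@example.com"},
    {"ts": "2022-06-23T02:00:00", "ip": "203.0.113.9", "account": "bob@example.com"},
    {"ts": "2022-06-23T11:29:50", "ip": "198.51.100.12", "account": "carol@example.com"},
]


def export_masked(raw_hits):
    """Hits as exported with default last-octet masking."""
    return [{**h, "ip": mask_last_octet(h["ip"])} for h in raw_hits]


def export_keyed(raw_hits, operator_key: bytes):
    """Hits as exported with an operator-keyed pseudonym in place of the IP."""
    return [{**h, "ip": keyed_pseudonym(h["ip"], operator_key)} for h in raw_hits]


def relink(hits, logins, window=timedelta(minutes=5)):
    """Join exported hits to identities via the surviving /24 prefix plus time proximity.

    Returns {hit_id: account} for every hit matching exactly one account. Nothing here
    defeats masking cryptographically; the retained prefix simply acts as a join key
    when one party holds both datasets. Keyed pseudonyms share no prefix, so the same
    join yields nothing.
    """
    result = {}
    for hit in hits:
        hit_ts = datetime.fromisoformat(hit["ts"])
        matches = set()
        for login in logins:
            login_ts = datetime.fromisoformat(login["ts"])
            same_prefix = mask_last_octet(login["ip"]) == hit["ip"]
            if same_prefix and abs(login_ts - hit_ts) <= window:
                matches.add(login["account"])
        if len(matches) == 1:
            result[hit["id"]] = matches.pop()
    return result


if __name__ == "__main__":
    print("masked  :", relink(export_masked(RAW_HITS), ACCOUNT_LOGINS))
    print("keyed   :", relink(export_keyed(RAW_HITS, b"constructed-operator-key"), ACCOUNT_LOGINS))
```

Note that the keyed pseudonym is still stable per visitor, so the analytics use case (counting repeat visits) survives; what changes is that only the key holder can map a token back to an address, and the provider cannot reconstruct the token from addresses it already holds.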

Other major tech platforms have data harvesting operations that rival Google’s in scope, but none (perhaps save Adobe) is in the position of also offering a widely used analytics tool that engages in data transfers across international borders. Some of their marketing services, such as Microsoft Advertising, do have comparable tools built in that this decision could ultimately apply to. Other tech companies have run into major trouble competing in this area; Facebook attempted to offer a similar product for years with Facebook Analytics, but adoption remained low and the company shuttered it just over a year ago.