We report a recent measure adopted by the Italian Privacy Guarantor on June 9, 2022 against the company Caffeina Media srl. The company, in particular, was admonished for using the Google Analytics service.
Google Analytics is a web analytics service that allows website operators to analyze statistics about each user in order to index and optimize their marketing campaigns. Its growing popularity and use in many countries have raised quite a few concerns about risks to data security and privacy.
The transmission of personal data to and from countries outside the Union is certainly functional and necessary for the expansion of international trade and international cooperation. However, where personal data are transferred from the Union to controllers, processors and/or other recipients in third countries and/or to international organizations, the level of protection of individuals guaranteed by European law cannot be compromised (Recital 101 of GDPR Regulation 2016/679).
In the case at hand, therefore, according to the Italian Privacy Guarantor, any website that uses Google Analytics, given the absence of the guarantees provided for by European legislation, violates the legislation on the protection of personal data by collecting, by means of cookies, information on users' interactions with the site, as well as with individual pages and the services offered.
Assessments have, in fact, revealed that the use of Google Analytics involves the transfer of personal data to Google LLC based in the United States and, therefore, violates the GDPR Regulation 2016/679. The transfer is, in fact, made to a country that does not guarantee an adequate level of protection, from which it follows that it must be carried out only in the cases and under the conditions provided by Chapter V of the aforementioned Regulation.
The data collected by Google Analytics
The service offered by Google LLC collects elements such as: unique online data that allow both the identification of the user's browser or device, and of the website operator itself; address, website name and navigation data; IP address of the device used by the user; information related to the browser, operating system, screen resolution, selected language, as well as date and time of the visit to the website.
The Garante dwells on one piece of data in particular, namely the IP address of the device used by the user, which "constitutes personal data to the extent that it allows for the identification of an electronic communication device, thereby indirectly making the data subject identifiable as a user."
In a similar vein, Recital 30 of GDPR Regulation 2016/679 reiterates that: "natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This can leave traces that, in particular, when combined with unique identifiers and other information received by servers, can be used to create profiles of individuals and identify them."
The data collected by Google Analytics, in particular IP addresses, therefore qualify as personal data insofar as they allow the identification of a user, and are therefore subject to the protection of GDPR Regulation 2016/679.
The ineffectiveness of the "IP-Anonymization" service
The use of Google Analytics, according to the Guarantor's exposition, would violate the data protection regulations even in the event that the operator of the site made use of the "IP-Anonymization" service.
Google, in particular, provides users with the ability to choose the "IP-Anonymization" option, which involves sending Google Analytics the user's IP address after obscuring the least significant octet. This service, however, as the same Guarantor states, "consists in fact in a pseudonymization of the data related to the user's network address, since the truncation of the last octet does not prevent Google LLC from re-identifying the same user, taking into account the overall information held by it regarding web users."
Moreover, if the user is logged in to a Google profile, Google itself can associate the IP address with additional information already in its possession. Despite the activation of "IP-Anonymization," therefore, the system still allows the user to be identified.
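The difference between truncation and anonymization can be measured. The following added example (not part of the original article, and not Google's code) counts, over constructed sample hits, how many visitors share the same truncated IPv4 address on its own and then together with the browser, screen and language fields listed above. The record layout and function names are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample hits (not real traffic), one record per visitor.
# Fields mirror the data the article lists: IP, browser/OS, screen, language.
HITS = [
    {"visitor": "A", "ip": "198.51.100.17",  "ua": "Firefox/Linux",  "screen": "1920x1080", "lang": "it-IT"},
    {"visitor": "B", "ip": "198.51.100.42",  "ua": "Chrome/Windows", "screen": "1920x1080", "lang": "it-IT"},
    {"visitor": "C", "ip": "198.51.100.200", "ua": "Chrome/Windows", "screen": "1366x768",  "lang": "it-IT"},
    {"visitor": "D", "ip": "198.51.100.9",   "ua": "Chrome/Windows", "screen": "1366x768",  "lang": "it-IT"},
    {"visitor": "E", "ip": "203.0.113.5",    "ua": "Safari/macOS",   "screen": "2560x1440", "lang": "en-GB"},
]

def mask_last_octet(ip: str) -> str:
    """Zero the least significant octet of an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))

def anonymity_sets(hits, fields):
    """Map each visitor to the number of visitors sharing the same values
    for `fields`; the IP is always compared in its truncated form."""
    def key(h):
        return tuple(mask_last_octet(h[f]) if f == "ip" else h[f] for f in fields)
    sizes = Counter(key(h) for h in hits)
    return {h["visitor"]: sizes[key(h)] for h in hits}

def singled_out(hits, fields):
    """Visitors whose anonymity set has size 1, i.e. who are unique on `fields`."""
    return sorted(v for v, k in anonymity_sets(hits, fields).items() if k == 1)

if __name__ == "__main__":
    for fields in (["ip"], ["ip", "ua"], ["ip", "ua", "screen", "lang"]):
        print(fields, anonymity_sets(HITS, fields), "unique:", singled_out(HITS, fields))
```

An anonymity set of size 1 means the truncated address plus the accompanying fields still isolates one visitor, which is the sense in which the measure is pseudonymization rather than anonymization.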
In the June 23 order, the Garante admonished Caffeina Media srl, obliging it to comply with the GDPR within ninety days, under penalty of suspending data flows made through Google Analytics to the United States.
In conclusion, any transfer of personal data made through Google Analytics to the United States is unlawful.
Although it is not yet clear what will happen as a result of these announcements, it is clear that new measures will be taken to protect personal data and its transfer to third countries.
At the moment, the Authority has invited data controllers, processors and/or other recipients in third countries and/or international organizations to verify that the way cookies and other tracking tools are used on their websites, with particular attention to Google Analytics and other similar services, complies with data protection regulations.
Bologna – October 30th 2022
Edited by Dr. Betul Fatsa and Dr. Fabiola Masotta – De Capoa and Associates Law Firm – Bologna