The Garante found that the use of Google Analytics by web publishers resulted in the collection of many types of user data, including device IP addresses, browser information, operating system, screen resolution, language choice, and the date and time of website visits, which were transferred to the United States without sufficient supplementary measures being taken to raise the level of protection to the necessary EU legal standards.
It added that the protections applied by Google were insufficient to address the risks, in line with the conclusions of several other EU DPAs who also found that the use of Google Analytics violated the bloc's data protection rules when it comes to data export.
Italy's DPA has given the publisher in question, a company called Caffeina Media Srl, 90 days to resolve the breach. But the decision has broader implications, as the DPA also warned other local sites that are using Google Analytics to take note and check their own compliance, it wrote in a release.
Earlier this month, France’s data protection watchdog issued updated guidance warning of the illegal use of Google Analytics – after a local website found a similar error in using the software in February.
The CNIL's guidance suggests that EU-based website owners have only a very narrow possibility to legally use Google's analytics tools: either by applying additional encryption, where the keys are under the exclusive control of the data exporter itself or of other entities established in a region that provides an adequate level of protection; or by using a proxy server to avoid direct contact between the user's terminal and Google's servers.
Austria’s DPA in January upheld a similar complaint about a website’s use of Google Analytics.
And the European Parliament found itself mired in the same core issues earlier this year. All of these crackdowns on Google Analytics are related to a series of strategic complaints filed in August 2020 by the European privacy movement noyb, which targeted regional operators of 101 websites determined to be sending data to the United States via Google Analytics and/or Facebook Connect integrations.
The complaints follow a landmark July 2020 ruling by the bloc's top court, which invalidated the data transfer agreement between the EU and the US, known as the "Privacy Shield", and made it clear that DPAs are obliged to step in and suspend the flow of data to third countries where they suspect the information of EU citizens is at risk.
The so-called "Schrems II" ruling is named after noyb founder and longtime European privacy campaigner Max Schrems, who filed a complaint about Facebook's EU-US data transfers, citing surveillance disclosures by NSA whistleblower Edward Snowden, which was eventually submitted, through legal referral, to the Court of Justice of the European Union. (Schrems' previous challenge also resulted in the previous EU-US data transfer arrangement being struck down by a court in 2015.)
In a more recent development, a replacement for the Privacy Shield is underway: in March, the European Union and the United States announced that they had reached an agreement on this.
However, the legal details of the planned data transfer framework still need to be finalized – with the proposed mechanism reviewed and approved by EU institutions – before it can be put into use. This means that for EU customers, the use of US-based cloud services is still shrouded in legal risk.
The bloc's lawmakers suggested that a replacement agreement could be finalized by the end of the year, but in the meantime there is no easy legal patch for EU users of Google Analytics.
Moreover, the gap between U.S. surveillance law and EU privacy law continues to widen in some respects—and there is no certainty that a negotiated replacement agreement will be strong enough to withstand the inevitable legal challenges.
Resolving this fundamental conflict of rights and priorities through simple legal tinkering appears to be a high bar, and it will not be possible without substantial reform of existing laws.