Italian warning on Google Analytics adds to EU-US data-transfer woes

EU-based websites mustn't use Google Analytics because of rules against transferring personal data to the US, the Italian privacy watchdog ruled today, joining a growing list of European regulators warning against its use.

The Italian Data Protection Authority said it has given website operator Caffeina Media 90 days to stop using Google Analytics, a widely used audience-measurement tool that has emerged as a proxy for the long-running EU-US battle over trans-Atlantic data transfers.

Following the EU Court of Justice's “Schrems II” ruling in 2020, which invalidated the EU-US Privacy Shield legal transfer mechanism and made corporate data transfers significantly more difficult, privacy campaign group Noyb made a series of complaints to regulators in the EU about websites’ use of Google Analytics.

Austria's data-protection authority was the first to rule on the matter, in January this year, saying that the use of Google Analytics breaches the General Data Protection Regulation because it involves the transfer of data to the US. Since then, regulators in France, Norway and the Netherlands have also warned against its use.

The Schrems II case was about potential US government access to EU citizens’ personal data. The EU court ruled that citizens of the bloc did not have access to proper judicial redress in relation to this, and that US surveillance was not proportionate.

The Italian watchdog said today that the use of Google Analytics violates the GDPR because the US does not currently have an adequate level of data protection. As well as giving Caffeina Media a deadline to stop, it gave a general warning for website operators over the service, saying they should check the compliance of their cookies and tracking tools.

The regulator also cited guidance by the European Data Protection Board, the umbrella group of EU data protection authorities, on additional protections that companies can use to protect data while transferring it out of the bloc. The Italian regulator said it has interpreted the guidance as meaning that safeguards used by Google Analytics do not sufficiently protect data.

A Google spokesperson said the websites using Google Analytics control the data that is collected, not Google, and that the analytics service does not identify individuals or track them across the web. Google also provides a “range of safeguards, controls and resources for compliance,” the spokesperson said.

In January, Kent Walker, chief legal officer at Google, said in blog post that it doesn’t make sense for a “theoretical” risk of data access by US authorities to block international data flows. In the 15 years that Google has offered its analytics services, the search and advertising giant has “never once received the type of demand the [Austrian authority] speculated about,” Walker said.