Google Analytics and the GDPR: open issues and knots to unravel

Authors: Giuseppe Fiordalisi, Giada Iovane, Francesca Tugnoli

 

Introduction

With its recent Decision No. 224 of 9 June 2022 (henceforth, the “Decision“), the Italian Data Protection Authority (henceforth, the “Authority“) declared that the use of the Google Analytics service (henceforth, “GA”) was non-compliant with EU Regulation 2016/679 (henceforth, the “GDPR”). The reason was the absence of adequate safeguards for the transfer of personal data to the United States and, consequently, a lack of adherence to Chapter V of the GDPR. The Decision has refocused the spotlight on the urgency of a new agreement governing the transfer of personal data from the European Union (EU) to the United States (US).

 

The Decision

In this Decision, the Authority censured the company Caffeina Media S.r.l. and ordered it to bring the processing of the personal data of its website users collected through GA into line with Chapter V of the GDPR within 90 days. The Authority thus required the Company to adopt additional measures adequate to the transfer of personal data to the United States.

In particular, according to the Authority, the use of the GA platform, which allows a website operator to track information collected while users navigate the website in order to optimise its services and monitor its marketing campaigns,[1] violates Articles 5(1)(a) and 5(2), 13(1)(f), 24, 44 and 46 of the GDPR.

The Authority also stated that, although GA makes an “IP-Anonymization” function available, that function is not sufficient. Even when it is activated, the truncated IP address still makes it possible to identify an electronic communication device and, through it, the individual using it, so the data remains personal data[2].

In essence, the GA “IP-Anonymization” function merely pseudonymises the user’s IP address. This does not permit the lawful transfer of the data outside the European Economic Area[3]. Moreover, as the Authority observed, when a user is logged into their own Google account, Google is able to combine that data with other information held in the account, such as the e-mail address (which is the user ID of the account), the telephone number and any further personal data, including gender, date of birth or profile picture.

 

The Decisions of the Austrian and French Authorities

On closer inspection, the Italian Authority is not the first to have dealt with GA: other Authorities (the Austrian and the French ones) have already advised certain website operators to stop using the tool in question.

In particular, the Austrian Data Protection Authority (the ‘Datenschutzbehörde‘ or ‘DSB’) and the French Authority (the ‘Commission Nationale de l’Informatique et des Libertés‘ or ‘CNIL‘) had already expressed their views on GA’s non-compliance with the GDPR, prompted by several complaints filed by the NOYB organisation[4]. Maximilian Schrems, the honorary president of this organisation, is well known for having prompted the 2015 “Schrems I” (C-362/14) and 2020 “Schrems II” (C-311/18) judgments of the Court of Justice of the European Union (the “CJEU“), which declared the Safe Harbour and the Privacy Shield invalid, respectively[5].

In its decision, the first of the two Authorities, the DSB, pointed out that the mere use of standard contractual clauses[6] as the mechanism governing the transfers carried out by Google to the United States cannot be deemed sufficient to ensure compliance with the GDPR and to protect European citizens from undue access to their data by the US authorities under 50 U.S.C. § 1881a (‘FISA 702‘)[7], since Google is an electronic communication service provider within the meaning of 50 U.S.C. § 1881 and is therefore subject to that obligation.

 

The CNIL’s decision of 10 February 2022 is in line with the DSB’s: it censured the transfer of personal data outside the EU in connection with the use of the GA service. In the CNIL’s view, the additional measures implemented by Google were not capable of preventing access to the data by the US authorities, so the transfer violated the GDPR.

 

Conclusions and take away

First of all, it should be noted that the warning issued by the Italian Authority should not be read as limited to the Company under inspection (Caffeina Media S.r.l.): in its note of 23 June 2022, the Authority stated that the issue potentially affects all Italian website operators that use GA. The Italian Authority thereby announced that it will carry out further inspections of other companies.

Therefore, in order to comply with the indications of the aforementioned Authorities, it is advisable first of all to discontinue GA immediately in favour of other tools. Even the use of the most recent version, GA 4[8], does not resolve the critical issues raised about the tool’s non-compliance since, as things stand, ‘a compliance check will have to be carried out’, as stated by Guido Scorza, member of the College of the Italian Data Protection Authority, in an interview of 24 June 2022.

Discontinuing GA is the first useful suggestion for avoiding a warning from the Authority. It should also be noted, however, that in its recent indications the CNIL has proposed an alternative technical solution for making the use of GA compliant with the GDPR: the installation of a proxy server that pseudonymises the data before it is exported, provided that the pseudonymised data cannot be traced back to a natural person, even indirectly, by combining it with other information. Finally, it is worth mentioning the CNIL’s further operational indications on the correct implementation of cookies and other tracers for analytics purposes, including the conditions under which such cookies may be served without consent: the CNIL identifies a number of European providers that offer tools similar to Google Analytics and compliant with the GDPR, which could represent a valid alternative should Google Analytics be discontinued.[9]
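The two technical points in this article, that truncating the last octet of the IP address leaves the visitor identifiable from the other data GA collects (the “IP-Anonymization” discussion above and footnote 3), and that an EU-hosted proxy can pseudonymise the data before export (the CNIL's suggestion), can be checked on sample data. The following Python script is an added example written for this page; it is not code from Google, the CNIL or the authors. It assumes that “IP-Anonymization” zeroes the last octet of an IPv4 address and the last 80 bits of an IPv6 address, and the proxy-side processing it shows (dropping the IP, replacing the GA client id with a keyed pseudonym, stripping query strings, coarsening browser and screen data) is an illustration of the kind of pseudonymisation the CNIL describes, not its specification. The visits are constructed sample data whose fields mirror the data the Decision says GA collects (footnote 1).

```python
"""Why last-octet truncation is pseudonymisation, not anonymisation.

Added example for this article, not part of the original text. It models
GA-style IP truncation, measures how many constructed visitors can still be
singled out from the remaining attributes, and compares that with a
hypothetical proxy that scrubs the record before it leaves the EU.
"""
import hashlib
import hmac
import ipaddress
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Constructed sample visits (not real data). Fields follow the data the
# Decision says GA collects: IP, browser, OS, screen resolution, language,
# plus the GA client-id cookie and the visited URL with campaign parameters.
VISITS = [
    {"ip": "203.0.113.17", "browser": "Chrome 103", "os": "Windows",
     "screen": "2560x1440", "lang": "it-IT", "cid": "GA1.2.1111.1650000000",
     "url": "https://www.example.com/pricing?utm_source=newsletter&utm_campaign=june"},
    {"ip": "203.0.113.42", "browser": "Chrome 103", "os": "Windows",
     "screen": "1920x1080", "lang": "it-IT", "cid": "GA1.2.2222.1650000001",
     "url": "https://www.example.com/blog?utm_source=twitter"},
    {"ip": "2001:db8:85a3::8a2e:370:7334", "browser": "Safari 15", "os": "macOS",
     "screen": "1440x900", "lang": "en-US", "cid": "GA1.2.3333.1650000002",
     "url": "https://www.example.com/"},
    {"ip": "198.51.100.9", "browser": "Chrome 103", "os": "Windows",
     "screen": "1920x1080", "lang": "it-IT", "cid": "GA1.2.4444.1650000003",
     "url": "https://www.example.com/pricing?ref=partner-123"},
]


def truncate_ip(ip):
    """Model of the GA "IP-Anonymization" function (assumption: zero the last
    octet of IPv4, the last 80 bits of IPv6). 256 IPv4 hosts share the result."""
    addr = ipaddress.ip_address(ip)
    bits = 8 if addr.version == 4 else 80
    return str(type(addr)(int(addr) >> bits << bits))


def ga_style(visit):
    """Record as exported with IP-Anonymization on: only the IP is changed."""
    out = dict(visit)
    out["ip"] = truncate_ip(visit["ip"])
    return out


def singled_out(records, fields):
    """Number of records whose combination of `fields` is unique in the set.
    A visitor who is unique can still be singled out, so the data is
    pseudonymous (re-identifiable with extra information), not anonymous."""
    keys = [tuple(r[f] for f in fields) for r in records]
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1)


PROXY_KEY = b"proxy-secret-that-never-leaves-the-eu"  # assumption: hypothetical key


def proxy_scrub(visit, key=PROXY_KEY):
    """Hypothetical EU-hosted proxy processing before export (illustrative,
    not the CNIL's specification): drop the IP, replace the client id with a
    keyed pseudonym whose key stays on the proxy, strip query strings, and
    coarsen browser/screen so the remaining fields are shared by many visitors."""
    parts = urlsplit(visit["url"])
    pseudonym = hmac.new(key, visit["cid"].encode(), hashlib.sha256).hexdigest()[:16]
    return {
        "ip": None,                              # nothing about the address is exported
        "browser": visit["browser"].split()[0],  # family only, no version
        "os": visit["os"],
        "screen": None,                          # high-entropy fingerprint field dropped
        "lang": visit["lang"],
        "cid": pseudonym,                        # unlinkable to the GA cookie without the key
        "url": urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")),
    }


FINGERPRINT_FIELDS = ["ip", "browser", "os", "screen", "lang"]


def compare():
    """Count singled-out visitors with truncation alone vs. with proxy scrubbing."""
    truncated = [ga_style(v) for v in VISITS]
    scrubbed = [proxy_scrub(v) for v in VISITS]
    return {
        "truncated_ip_unique": singled_out(truncated, FINGERPRINT_FIELDS),
        "proxy_unique": singled_out(scrubbed, FINGERPRINT_FIELDS),
        "query_strings_left": sum("?" in r["url"] for r in scrubbed),
    }


if __name__ == "__main__":
    print(truncate_ip("203.0.113.17"), truncate_ip("2001:db8:85a3::8a2e:370:7334"))
    print(compare())
```

With truncation alone, all four constructed visitors remain unique: the two on the same /24 are told apart by screen resolution, which is exactly the kind of “other information” footnote 3 refers to. After the proxy scrub, only one of the four is still unique, and no campaign or referrer parameters leave the proxy. On a sample this small the numbers only illustrate the mechanism; on real traffic the useful measure is how many visitors share each exported combination, and a combination shared by few visitors should be coarsened further before export.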


[1] See the Decision, p. 5, which considers that the data collected through Google Analytics consist of: “unique online identifiers that allow both the identification of the browser or device of the user visiting the website, and of the website operator itself (through the Google Account ID); address, website name and navigation data; IP address of the device used by the user; information relating to the browser, operating system, screen resolution, selected language, as well as date and time of the website visit”.

[2] Article 29 Working Party, WP 136 – Opinion No. 4/2007 on the concept of personal data, 20 June 2007, p. 16.

[3] See the Decision, p. 5, on “IP-Anonymization”, which is understood as a pseudonymisation of the data “in so far as the truncation of the last octet of the IP address does not prevent Google LLC from re-identifying the user, taking into account the information it holds on web users as a whole”.

[4] NOYB – European Center for Digital Rights is a non-profit organization based in Vienna, Austria established in 2017. NOYB aims to launch strategic court cases and media initiatives in support of the GDPR and privacy in general.

[5] For more information on this topic, see the previous articles authored by ICTLC:

https://www.ictlc.com/whats-new-in-personal-data-transfers-from-the-eu-to-the-usa/?lang=en

https://www.ictlc.com/privacy-shield-joint-annual-review-in-september-2017/?lang=en

https://www.ictlc.com/consigli-pratici-per-la-gestione-del-trasferimento-dei-dati-dopo-linvalidamento-del-privacy-shield/

https://www.ictlc.com/personal-data-transfers-between-uncertainties-and-new-requirements/?lang=en

[6] Standard contractual clauses under Article 46(2) GDPR may constitute appropriate safeguards for the transfer of data to third countries in the absence of an adequacy decision under Article 45(3) GDPR.

[7] The US law “Title 50 United States Code, Foreign Intelligence Surveillance, Chapter 36, Subchapter VI—Additional Procedures Regarding Certain Persons Outside the United States”, known as “FISA 702” (or 50 U.S.C. § 1881a), was passed in 2008 and substantially expanded the surveillance and data-access options of the U.S. authorities: unlike “traditional” FISA surveillance, Section 702 does not require the surveillance target to be a suspected terrorist, spy or other agent of a foreign power, but only requires that the targets be non-U.S. persons located abroad.

[8] Google Analytics 4 (GA4) is the new version of the Analytics tool released by Google which, according to the manufacturer, supports GDPR compliance by allowing customers to manage and minimise, at a granular level, the scope of the data collected at user level and, as such, can help address the problems related to the possible merging of data and identification of users.

[9] Beyable, Matomo, Wizaly, Retency and Piwik PRO are some of the vendors offering alternative tools to Google Analytics, as indicated by the CNIL.

ICTLC Italy
italy@ictlegalconsulting.com