If you are wondering if the use of Google Analytics has become illegal, you have most likely witnessed the media hype on websites and social networks that followed the recent ruling of the Privacy Guarantor on the “Caffeina Media s.r.l. case”.
The specific case from which the decision originated, in fact, concerns the aforementioned company and its use of Google Analytics on its website.
What is Google Analytics?
Let’s start by saying that Google Analytics is a web analytics service, obviously from Google, which allows you to obtain useful statistics on visitors to a website and their behavior (e.g. the user’s geographical location, number of pages visited, session duration, etc.).
It is estimated that this tool is used by around 56% of websites.
What has the Privacy Guarantor established regarding Google Analytics?
On 9 June 2022 the Italian Privacy Guarantor ordered the company Caffeina Media s.r.l. (through a provision then published on the 23rd of the same month) to remove Google Analytics from its website within 90 days, holding that the data processing carried out by this tool did not comply with the requirements of the GDPR, since it involves the transfer of user data (including the IP address of visitors, considered to all intents and purposes personal data) to the United States.
From this ruling we can deduce the following:
- For the moment no sanction has been issued but a period of time has been granted to the company Caffeina Media s.r.l. to adapt.
- Although the decision concerned a single legal person, the invitation to comply with the GDPR by abandoning the use of GA concerns all those who use this analysis tool on their site.
In fact, the Guarantor, by means of the press release relating to the adoption of the provision in question, has expressed its intention, once the 90 days granted have elapsed, to begin inspections and checks on the matter.
- It is not Google Analytics itself that is illegal but the transfer of data that the tool makes to the United States.
And now we will see why.
The abolition of the Privacy Shield
Articles 45 et seq. of the GDPR establish in which cases the data controller can legitimately transfer data to a third country.
Among these is an adequacy decision adopted by the European Commission; with reference to the United States, such a decision was adopted on 12 July 2016 (no. 2016/1250).
This decision, which came to be known as the Privacy Shield, originates from an agreement between the European Commission and the United States Department of Commerce with the aim of protecting the confidentiality of the personal data of European citizens when transferred to the United States for commercial purposes.
Without going into technicalities, it is enough to know that the Court of Justice of the European Union, with a judgment of 16 July 2020, declared this decision invalid (the so-called “Schrems II” judgment).
It should be noted that the loss of the Privacy Shield is not enough to consider a transfer of data to the United States illegitimate tout court, because such a transfer could well be based on one of the other grounds of legitimacy provided for by the GDPR (e.g. the consent of the data subject).
To be concrete, however, it must be said that these other requirements, which the law demands in order to carry out a transfer, are often out of reach for many companies, especially the millions of SMEs that have limited resources compared to the much larger ones of multinationals.
Google Analytics 3
At this point, it is necessary to make an extremely important clarification.
The ruling of the Italian Privacy Guarantor concerned the use of Google Analytics 3 (or Universal Analytics), a version that in any case will be discontinued in July 2023 to be definitively replaced by Google Analytics 4 (GA4).
The possibility of anonymizing the IP was already provided in version 3.
However, this measure was not deemed sufficient by the competent Authority.
In fact, the Italian Privacy Guarantor affirms that:
“‘IP-Anonymization’ actually consists of a pseudonymization of the data relating to the user’s network address, as the truncation of the last octet does not prevent Google LLC from re-identifying the user, taking into account the overall information held by the same relating to web users. Furthermore, Google LLC has the possibility – if the interested party has accessed his/her Google profile – to associate the IP address with other additional information already in his possession (such as the information contained in the user account). This operation, therefore, despite the activation of ‘IP-Anonymization’, still allows the possible re-identification of the user.”
In conclusion, the IP anonymization in Google Analytics 3 does not make this tool compliant.
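To make concrete why the Guarantor treats last-octet truncation as pseudonymization rather than anonymization, here is an added Python illustration; it is not code from the page, from Google, or from the Authority. It assumes the GA3-style masking described above (zeroing the last IPv4 octet) and uses constructed login and hit records: the login table stands in for the “other additional information already in its possession” that the ruling mentions, and the linkage shows that a truncated address plus a timestamp is still enough to tie a hit back to an account.

```python
"""Why last-octet truncation is pseudonymization, not anonymization.

Added illustration. All records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


def truncate_last_octet(ip: str) -> str:
    """GA3-style 'IP-Anonymization': zero the last octet of an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))


def candidates_remaining(truncated_ip: str) -> int:
    """How many real addresses a truncated value still denotes: a whole /24 (256).

    Only 8 of 32 bits are removed; the network part, which identifies the
    provider and usually the region, is kept intact.
    """
    return ipaddress.IPv4Network(f"{truncated_ip}/24", strict=True).num_addresses


@dataclass(frozen=True)
class Login:
    """A signed-in session record held by the same party (constructed)."""
    account: str
    ip: str            # full, untruncated address
    time: datetime


@dataclass(frozen=True)
class Hit:
    """An analytics event after 'anonymization' (constructed)."""
    hit_id: str
    truncated_ip: str
    time: datetime


def at(hhmm: str) -> datetime:
    """Helper: a time of day on one arbitrary constructed date."""
    hour, minute = (int(part) for part in hhmm.split(":"))
    return datetime(2022, 1, 1, hour, minute)


# Constructed sample data using documentation address ranges.
LOGINS = [
    Login("alice", "203.0.113.17", at("10:00")),
    Login("bob", "203.0.113.200", at("14:00")),    # same /24 as alice
    Login("carol", "198.51.100.5", at("10:05")),
]

HITS = [
    Hit("h1", "203.0.113.0", at("10:03")),
    Hit("h2", "198.51.100.0", at("10:07")),
    Hit("h3", "203.0.113.0", at("13:50")),
]


def link_hit(hit: Hit, logins: list[Login], window: timedelta) -> set[str]:
    """Accounts whose login is in the same /24 as the hit and within `window` of it."""
    return {
        login.account
        for login in logins
        if truncate_last_octet(login.ip) == hit.truncated_ip
        and abs(login.time - hit.time) <= window
    }


def link_all(window: timedelta = timedelta(minutes=30)) -> dict[str, set[str]]:
    """Resolve every constructed hit against the constructed login table."""
    return {hit.hit_id: link_hit(hit, LOGINS, window) for hit in HITS}


if __name__ == "__main__":
    print(truncate_last_octet("203.0.113.17"), candidates_remaining("203.0.113.0"))
    for hit_id, accounts in link_all().items():
        print(hit_id, "->", sorted(accounts) or "unresolved")
```

With a 30-minute window every hit resolves to exactly one account, even though two of the accounts share the same /24; only when the window is widened to many hours does the truncation alone leave the linkage ambiguous. That is the distinction the ruling draws: a transformation that a data holder with auxiliary records can reverse is pseudonymization under the GDPR, not anonymization.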
Will GA4 be GDPR compliant?
We will try to answer this question in an extremely honest way.
As anticipated, the Guarantor did not pronounce on the new version of Google Analytics because the company subject to the provision did not use it.
At the moment we therefore cannot know for sure whether the authorities will deem the use of Google Analytics 4 compliant with the GDPR, since the Italian Guarantor limited itself to stating that, if you choose to continue using Google Analytics, additional security measures are necessary, without specifying which ones.
What we can limit ourselves to saying is that Google Analytics 4, although it cannot guarantee compliance with the GDPR, is a step forward and a better alternative than the previous version by offering additional options and settings regarding privacy.
For example, regarding the anonymization of IP addresses, Google stated that “in Google Analytics 4 it is not necessary, since IP addresses are not recorded or stored”.
In addition, the account administrator is given the option not to share GA4 data with Google Signals.
Doubts about GA4
According to Google, GA4 will no longer record user IPs; the IP will be used only transiently, for the sole purpose of deriving other metadata (e.g. the physical location of the connection), after which it will be discarded entirely.
Given this, since it is Google itself that discards such data after receiving it, the doubt arises that, in the time between receipt and discarding, Google may be compelled to hand it over to US government agencies that request it in the manner and within the time frames required by US law.
In addition to this, it is necessary to assess whether, regardless of the IP, GA4 collects other sufficient data to identify users.
As for Google’s claim that EU user data will be stored on servers located in the EU, this is not enough to settle the question of a possible subsequent transfer to the USA.
Does the pronouncement of the Privacy Guarantor only concern Google Analytics?
The answer is no.
There are dozens of services from Google and other companies with data centers in the United States that transfer the collected data to that country.
Think of advertising platforms used for web marketing such as Facebook Ads, Google Ads, YouTube Ads, etc.
But also of email marketing tools such as Mailchimp, on whose use the Bavarian Privacy Guarantor already ruled negatively in 2021, again because of the illegal transfer of data to the United States.
What can I do now if I am using Google Analytics?
The question is more than legitimate and widely shared.
The hope, of course, is that the solution to this problem is not left in the hands of the individual users of the service but is found upstream, filling the gap left by the “Schrems II” ruling.
In addition, on March 25, the intention to reach a new agreement on data transfer between the EU and the US was announced. This agreement, currently under discussion, should solve the problem of illegal data transfers outside Europe.
In the meantime, of course, users who really want to be on the safe side can consider temporarily suspending the use of the service or turning to European alternatives.
Our advice, if you decide to contact European services, is in any case to evaluate their compliance with the GDPR.
Not transferring data outside the EU does not in itself make a service compliant, because it may fail other requirements set by the GDPR. You would then risk “moving” for nothing.