This article has been written in collaboration with Giulio Novellini

On June 9, 2022, the Italian Data Protection Authority (Garante per la protezione dei dati personali – “Garante”) issued a decision banning the use of Google Analytics without implementation of adequate additional safeguards.

The decision is in line with the position of other EU supervisory authorities (including the French CNIL). It came in response to a claim against Caffeina Media S.r.l. (the “Company”) arguing that the use of Google Analytics by the Company on its website involved personal data transfers to the United States in the absence of the guarantees provided under Section V of the General Data Protection Regulation EU 2016/679 (“GDPR”).

In the decision, the Garante found that:

  • Google Analytics service entails the transfer of personal data to a non-EEA country (namely, the United States of America) because Google Ireland (which acts as data processor on behalf of the company managing the websites) avails itself of Google LLC as a sub-processor to provide the Google Analytics service.
  • IP addresses (which are considered personal data, as they make it possible to identify a user) are processed through the Google Analytics cookies, yet U.S. law does not provide sufficient safeguards for it to overcome the “test” required by the European Court of Justice in the Schrems II decision. In this specific case, the Company argued that it considered the risk that U.S. authorities would access the data to be low, based on the type of website and contents provided through the website (entertainment, news, and the like). However, the Garante stated that this was a subjective evaluation and that the “probability” of such access is not an appropriate element to use to assess whether a non-EEA country’s legislation provides adequate safeguards.

Also for this reason, the assessment of adequacy of U.S. law was not considered compliant with the requirements set forth by the GDPR and the European Data Protection Board (“EDPB”).

  • The additional safeguard measures implemented by the Company were not sufficient. These measures consisted of “anonymization” of the data by encrypting part of the IP address. According to the Garante, this is not sufficient in the context of Google Analytics, given that the encryption key is in the hands of Google and that same company has other data of the users. Moreover, the duty to allow access by the U.S. authorities regards data and encryption keys, too; therefore, the safeguard easily could be overcome by U.S. authorities.
  • Other contractual measures undertaken by the Company were also considered insufficient in terms of the accountability principle: for example, assessment of each specific request for access by the U.S. authority, promptly informing the data subject of such requests concerning their data, and so on. Indeed, according to the Garante, these measures alone cannot prevent access to the data by U.S. authorities, and for this reason they alone are not sufficient to ensure that the data transfer is compliant.
  • The Garante dismissed the argument that the imbalanced position of the Company toward Google prevented implementation of adequate safeguards. On the contrary, according to the Garante, the accountability principle requires exporters, with the cooperation of the importer, to ensure that third-country legislation does not affect the Standard Contractual Clauses.
  • Finally, the Garante noted that the cookie policy published by the Company did not mention data transfers, nor did it mention the existence of an adequacy decision by the European Commission or the adopted safeguards, and therefore it was not compliant with Article 13 GDPR.

The Garante considered a number of mitigating circumstances, including the fact that the breach was clearly not intentional, due to the leading market position held by Google, and the fact that the Company had cooperated with the Garante during the investigation and of its own volition implemented additional measures. In light of that, the Company was given a warning and 90 days to comply and undertake additional measures to ensure a higher safeguard standard (as well as to stop the transfer).

The Garante also noted that the decision should be taken into account by any controller processing data through Google Analytics and that after the 90 days given to the company, the Garante will verify—with specific enforcement actions—the controllers’ compliance with the decision. Based on this statement, further enforcement actions can be expected, and it is likely that in the future the Garante will not merely warn companies found using Google Analytics without the necessary additional safeguards.

Given the widespread use of Google Analytics, this decision is expected to have huge impact on the Italian market and the entire European area. First of all, it is an important precedent in the post-Schrems II era, confirming that when the transfer of “unencrypted” data cannot be avoided, the transfer is unlikely to be considered compliant. Second, the Garante explicitly states that obscuring portions of IP addresses as Google Analytics did is not sufficient to consider that data anonymous, because Google Analytics is not then prevented from combining the data collected via Google Analytics cookies with other personal data (which renders anonymization ineffective). Therefore, even if Google adopts additional safeguards for the data to be lawfully transferred, it can reasonably be expected that the exemption from consent established in the latest Cookie Guidelines would not apply to Google Analytics, unless additional specific measures are implemented to ensure that the IP addresses remain truly anonymous.