**Important – This is not legal counsel. The materials provided are for informational purposes only and not for the purpose of providing legal advice. Final decisions must be made by your own legal representation.**
On June 9, 2022, Italy’s Guarantor For The Protection of Personal Data issued a ruling deeming the usage of Google Analytics on an Italian website to be illegal. The opinion follows past decisions from Austria’s DPA and France’s CNIL deciding the same. What are the facts of the Italian case and what does this mean for the usage of Google Analytics (GA) more broadly in the EU? Let’s dive in to discuss.
What was the original complaint being evaluated?
The Italian decision was the most recent ruling in response to the long list of complaints submitted by NOYB against websites across the EU in August of 2020. The complaint being evaluated in Italy raises the issue of a GDPR violation due to the transfer of EU users’ personal data to, and its processing by, an organization in the United States (Google). Further context about its usage of GA was provided by the offending organization throughout 2021 and the first quarter of 2022 and was considered in the decision.
What are the main findings from the case?
The Italian GPDP found that the website in question was collecting data using GA. The set of data collected did constitute personal data due to the inclusion of the user’s IP address along with browser and device data, as well as unique IDs assigned to the user’s device by GA. As a part of processing, this data was transferred to and processed in the United States. Further, the Italian SA maintained that the technical and operational measures put in place by Google for the protection of EU users’ personal data were insufficient to satisfy the requirements of an international transfer. It was also found that the website did not provide sufficient disclosures to notify users of the data collection by GA and the transfers that occurred.
How does this differ from the previous Austrian and French DPA opinions?
The findings in many respects mirror the findings of the previous DPA decisions—further indicating an alignment amongst EU DPAs as to the illegality of the use of GA due to the issue of international data transfers with the United States.
Interestingly, this case helps resolve an outstanding question as to the efficacy of the “Anonymize IP” functionality provided within GA. In this case, it was determined that the IP address is personal data and is not anonymized even if it is truncated (which is what happens as part of GA’s anonymization of the IP address). This was found to be the case because Google is able to enrich the full dataset with the additional device and browser information it also collects as part of standard GA data collection and processing. In short, the “Anonymize IP” feature is insufficient on its own to address the collection of personal data when using GA and to remove GDPR compliance risk.
What does this mean—is GA illegal in the EU?
Not definitively. An important consideration is that all of the DPA decisions to date (including this one) have considered GA prior to Google’s most recent GA4 privacy updates made in April of 2022. As part of this update, two critical architectural changes were made to Google Analytics 4 (GA4) specifically:
- GA4 no longer logs the IP address of the user, instead doing an initial high-level location lookup which is conducted in the EU for EU users.
- EU data is received and processed in the EU for EU users.
The usage of GA (specifically GA4) has, as of July 2022, yet to be fully evaluated with these changes in place.
Uncertainty remains, in a definitive sense, as to the legality of using GA. Further clouding the landscape is the potential for an actual legal agreement for a new EU-US Data Transfer Framework on the heels of the political announcement made on March 25, 2022 that one will be put in place. For now the saga continues! Stay tuned for additional updates as the landscape becomes clearer.