After Austria and France, Italy is taking a position on Google Analytics. This website audience analysis service, used by the vast majority of website administrators, has been declared illegal by the Garante per la protezione dei dati personali, the Italian data protection authority, in a decision returned on June 23.
90 days to comply
The Garante launched a review following several complaints and in coordination with its European counterparts. At the end of these investigations, it gave Caffeina Media Srl, a website operator, formal notice to comply with the General Data Protection Regulation (GDPR) by stopping the use of Google Analytics in 90 days.
The Italian authority underlined – as do its Austrian and French counterparts – the possibility for “US government authorities and intelligence agencies to access the personal data transferred“. The measures adopted by Google are not sufficient to eliminate this risk, it adds in its decision.
Since the invalidation of the Privacy Shield by the Court of Justice of the European Union, there is no longer an adequacy decision for the transfer of personal data between the European Union and the United States. Important clarification: the signing of a new political agreement does not constitute a new decision.
Consequently, in order to be able to transfer data across the Atlantic, entities must comply with particularly demanding additional guarantees (end-to-end encryption, risk assessment, etc.). However, according to the European authorities, Google does not meet these criteria and therefore cannot legally offer its service within the European Union.
Unable to set Google to use it legally
The National Commission for Computing and Liberties (Cnil) took a similar position in early June as part of a frequently asked questions. She was very firm in judging that it is not possible to configure Google so as not to transfer personal data outside the EU. In effect, “the use of solutions offered by companies subject to non-European jurisdictions is likely to pose difficulties in terms of access to dataAs is the case in the United States, technology companies, such as Google, may be compelled to disclose information about its users by legal authorities.
To help businesses using Google’s service, the CNIL has published a list of audience measurement tools that may be exempt from consent when properly configured. On the other hand, and it is important to specify this, this list does not currently examine the issues raised by international transfers, in particular the consequences of the invalidation of the Privacy Shield. In other words, there is no guarantee that they will not suffer the same fate as Google Analytics in a few months.
This vagueness worries the actors of the sector. Indeed, by not complying, they risk being prosecuted by the Cnil and being sanctioned for violation of the GDPR.