Italy’s data watchdog latest to warn on use of Google Analytics – Meczyki.Net

Another strike against the use of Google Analytics in Europe: the Italian data protection authority has found a local web publisher’s use of the popular analytics tool to be non-compliant with EU data protection rules because user data is transferred to the US – a country that lacks a uniform legal framework to protect the information from being accessed by US spooks.

The Garante found that the web publisher’s use of Google Analytics resulted in the collection of many types of user data, including device IP address, browser information, OS, screen resolution, language selection, as well as the date and time of site visits, which was transferred to the U.S. without adequate complementary measures to raise the level of protection to the required EU legal standard.

The security measures applied by Google were not sufficient to address the risk, it added, echoing the conclusions of several other EU DPAs, which have also found that the use of Google Analytics violates the bloc’s data protection rules over the data export issue.

Italy’s DPA has given the publisher (a company called Caffeina Media Srl) 90 days to correct the compliance violation. But the decision has wider significance, as the DPA has also warned other local websites that are using Google Analytics to take note and check their own compliance, writing in a press release [translated from Italian with machine translation]:

“[T]he authority draws the attention of all Italian managers of websites, public and private, to the illegality of transfers made through GA [Google Analytics] to the United States, taking into account the numerous reports and queries the Office is receiving, and invites all data controllers to verify compliance with the methods of use of cookies and other tracking tools used on its websites, in particular from Google Analytics and other similar services, in line with the law on the protection of personal data.”

Earlier this month, France’s data protection regulator issued updated guidance warning over illegal use of Google Analytics – after finding a similar fault with a local website’s use of the software in February.

CNIL’s guidance suggests only very limited possibilities for EU-based site owners to use Google’s analytics tool legally – either by applying additional encryption where the keys are kept under the exclusive control of the data exporter or of other institutions established in a territory offering an adequate level of protection; or by using a proxy server to avoid direct contact between the user’s terminal and Google’s servers.

Austria’s DPA also upheld a similar complaint in January over the use of Google Analytics by a site.

The European Parliament also found itself in hot water earlier in the year over the same basic issue.

All of these strikes against Google Analytics are linked to a series of strategic complaints filed in August 2020 by European privacy campaign group Noyb – which targeted 101 websites with regional operators that it had identified as sending data to the US via Google Analytics and/or Facebook Connect integrations.

The complaints followed a landmark decision by the bloc’s top court in July 2020 – which invalidated a data transfer agreement between the EU and the US called the Privacy Shield, and made it clear that DPAs have a duty to step in and suspend data flows to third countries where they suspect the information of EU citizens to be at risk.

The so-called ‘Schrems II’ ruling is named after Noyb founder and longtime European privacy campaigner Max Schrems, who filed a complaint against Facebook’s EU-US data transfers, citing surveillance practices revealed by NSA whistleblower Edward Snowden, which ended up – through legal referral – before the CJEU. (The previous EU-US data transfer arrangement was annulled by the court in 2015 as a result of an earlier challenge by Schrems.)

In another recent development, a replacement for Privacy Shield is on the way: In March, the European Union and the US announced that they had reached a political settlement on this.

However, the legal details of the planned data transfer framework still have to be finalized – and the proposed mechanism reviewed and adopted by EU institutions – before it can be put to any use, which means the use of US-based cloud services is fraught with legal risk for EU customers.

The bloc’s lawmakers have suggested the replacement deal could be finalized by the end of this year – but in the meantime EU users of Google Analytics have no easy legal patch available to them.

Additionally, the gap between US surveillance law and EU privacy law continues to widen in some respects – and it is by no means certain that the negotiated replacement will be strong enough to withstand the inevitable legal challenges.

A simple legal patch for such a fundamental conflict of rights and priorities looks like a high bar – absent adequate reform of existing laws (which neither side appears inclined to introduce).

That’s why we’ve started to see software-level responses from some US cloud giants that give European customers more control over data flows – in a bid to find a way around data transfer legal risk.