Google Analytics has been declared persona non grata in Italy. The Italian data protection authority has deemed the use of Google Analytics illegal due to the risk of personal data transfers to the United States. With this decision, it joins the ranks of the French and Austrian authorities.
The Garante per la protezione dei dati personali, the Italian equivalent of the French CNIL, is hardening its tone against Google Analytics, the American web audience measurement console. The sanction came at the end of the week after an investigation described as "complex". It was launched following a wave of complaints and in coordination with its European counterparts. The Garante denounces violations by Google, the parent company. According to the authority, in the United States, American government and intelligence agencies can access the transferred personal data without the required guarantees. The Italian regulator claims that the measures adopted by the American technology giant to accompany the data transfer instruments do not ensure an appropriate level of protection of users' personal data.
Garante’s investigations show that website operators using Google Analytics collect, via cookies, information on user interactions, websites, pages visited, services offered and other sensitive information. It has, in fact, challenged all Italian website operators (public and private) on the illegality of data transfers to the United States related to the use of Google Analytics.
Therefore, a website that uses Google Analytics without the safeguards set out in the GDPR violates data protection laws because it transfers user data to the United States, a country that does not have the required level of data protection. At the end of the 90-day period set in its decision, the Italian authorities will verify that the data transfer in question complies with the EU GDPR, including special control channels. Since the Court of Justice of the European Union invalidated the Privacy Shield, transfers of personal data between the EU and the United States are no longer adequately determined.
Moreover, the signing of a new political agreement does not constitute a new decision. Thus, in order to be able to transmit data across the Atlantic, entities must comply with additional, particularly demanding guarantees (end-to-end encryption, risk assessment, etc.). However, according to European authorities, Google does not meet these standards and therefore cannot legally offer its services within the EU.