Italian Supervisory Authority denies use of Google Analytics

The Italian supervisory authority has reprimanded the use of Google Analytics: it violates the GDPR because it transfers data to the USA, even when that data is anonymized, as explained below:

The Italian SA came to this conclusion after a complex fact-finding exercise it had started in close coordination with other EU data protection authorities following complaints it had received. The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on the browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is personal data and would not be anonymized even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds. Source: garanteprivacy.it

Google Analytics response

Italy thereby follows the strict stance of Germany, France and others. The Italian authority has told all websites using Google Analytics or similar services to revisit their use of tracking services or find a suitable alternative. It has set a 90-day deadline (September 2022), after which it will revisit these matters through ad-hoc inspections.

Recent proposals from Google to circumvent this issue, including negotiations as recent as June 2022, have not been fruitful. Google's proposals of anonymization and encryption do not solve the issue of the transfer and entry of data into the United States, a country the GDPR does not consider to have appropriate data protection.