On June 23, 2022 the Italian data protection authority (“Garante”) released a general statement (here) flagging the unlawfulness of data transfers to the U.S. resulting from the use of Google Analytics. The Garante invites all Italian website operators, both public and private, to verify that the use of cookies and other tracking tools on their websites is compliant with data protection law, in particular with regard to the use of Google Analytics and similar services.
The Garante’s statement follows an order (here) issued against an Italian website operator to stop data transfers to Google LLC in the U.S., and joins other European data protection authorities in their actions relating to the use of Google Analytics (see our previous blogs here and here).
Below we summarize the Garante’s key considerations.
- Google Analytics’ “IP Anonymization” feature
The Garante analyzes Google Analytics’ so-called “IP-Anonymization” feature, which allows the transfer of user IP addresses to Google Analytics after masking the IP address’ last octet. The Garante finds that such a feature constitutes a pseudonymization of the IP address, and not anonymization. According to the Garante, the feature does not prevent Google LLC from re-identifying the user, given Google’s capabilities to enrich such data through additional information it holds, especially in circumstances where those users maintain and use a Google account.
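To make the pseudonymization point concrete, the following is an added illustration (not part of the Garante’s decision and not Google’s own code) of the one mechanism the post describes: zeroing the last octet of an IPv4 address. It shows two properties that matter for the legal characterization: the mapping is deterministic, so the same masked value recurs whenever the same address (or any address in the same /24) returns, and each masked value still corresponds to only 256 possible source addresses. The sample visit log is constructed from documentation-range addresses; the function names are this example’s own.

```python
"""Added illustration of GA-style 'IP anonymization' (last-octet masking).

Not the Garante's or Google's code. Shows why the masked value is a
pseudonym rather than anonymous data: the mapping is deterministic and
each masked value corresponds to only 256 possible source addresses.
"""
import ipaddress
from collections import defaultdict


def mask_ipv4_last_octet(ip: str) -> str:
    """Zero the last octet, e.g. 203.0.113.77 -> 203.0.113.0.

    The post only discusses the IPv4 last-octet rule, so other address
    families are rejected rather than silently handled.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example covers only the IPv4 last-octet rule")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))


def anonymity_set_size(masked_ip: str) -> int:
    """Number of original addresses that map onto one masked value.

    Zeroing eight bits leaves a /24, so the answer is always 256: the
    masked value narrows a user down to a single small network.
    """
    net = ipaddress.ip_network(f"{masked_ip}/24", strict=True)
    return net.num_addresses


def link_visits(visits):
    """Group visits by masked IP.

    `visits` is an iterable of (visit_id, source_ip) pairs, as a site's
    log might hold them. Returns {masked_ip: [visit_id, ...]}. Because
    masking is deterministic, the masked value acts as a stable key that
    links repeated visits, which is what makes it a pseudonym.
    """
    groups = defaultdict(list)
    for visit_id, ip in visits:
        groups[mask_ipv4_last_octet(ip)].append(visit_id)
    return dict(groups)


# Constructed sample log using documentation-range addresses (RFC 5737),
# not real users.
SAMPLE_VISITS = [
    ("v1", "203.0.113.77"),
    ("v2", "203.0.113.200"),
    ("v3", "198.51.100.9"),
    ("v4", "203.0.113.77"),
]


if __name__ == "__main__":
    for masked, ids in link_visits(SAMPLE_VISITS).items():
        print(f"{masked}: {ids} (one of {anonymity_set_size(masked)} addresses)")
```

Run as a script, the output shows visits v1, v2 and v4 collapsing onto the single key `203.0.113.0` while v3 lands on `198.51.100.0`: the masked value no longer names one host, but it still singles out a /24 and recurs across visits, which is the linkability the Garante has in mind when it speaks of pseudonymization rather than anonymization.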
- Inadequacy of supplementary measures
After recalling the CJEU’s findings in Schrems II (see our previous blogs here and here), the Garante goes on to find a lack of adequate supplementary measures in place to protect data subjects’ personal data. In particular, the Garante highlights that the Italian website operator had based its assessment of the transfer on certain subjective criteria, which it deems to be at odds with the recommendations of the EDPB (see our previous blog here). The Garante finds that the encryption measures adopted by Google LLC cannot be considered sufficient, so long as the key remains available to the data importer, and recalls the EDPB’s recommendation that contractual and organizational measures are not sufficient in themselves to prevent access to transferred data, in the absence of further technical measures. The Garante does not clarify what, in its opinion, would constitute appropriate technical measures, but provides that these must be set out by taking into account the EDPB guidance in this area.
The Garante also restates that a data exporter is responsible for implementing appropriate and effective measures under the GDPR and for demonstrating compliance, rejecting the website operator’s argument that it had no capacity, including any bargaining power over Google LLC, to influence the measures applied to the transferred data.
- The outcome
The Garante ultimately finds that transfers of personal data to the U.S., as a result of the use of Google Analytics, are unlawful. It orders the website operator to suspend data transfers, and to bring its processing into compliance within 90 days.
The Garante did not impose a fine, as it considered that (i) the relevant data did not include special categories of personal data, (ii) the website operator had incorrectly assumed that the supplementary measures adopted by Google were appropriate, without having any decision-making power in that respect, (iii) the website operator adopted remedial measures to mitigate the damage to data subjects, and (iv) the website operator cooperated with the Garante in the course of the proceedings.
***
The Covington team will keep monitoring the developments on enforcement cases relating to the CJEU’s Schrems II judgment and Google Analytics, and is happy to assist with any inquiries on the topic.