On June 23, 2022, the Italian data protection authority (“Garante”) released a general statement (here) flagging the unlawfulness of data transfers to the U.S. resulting from the use of Google Analytics.  The Garante invites all Italian website operators, both public and private, to verify that the use of cookies and other tracking tools on their websites is compliant with data protection law, in particular with regard to the use of Google Analytics and similar services.

The Garante’s statement follows an order (here) issued against an Italian website operator to stop data transfers to Google LLC in the U.S., and joins other European data protection authorities in their actions relating to the use of Google Analytics (see our previous blogs here and here).

Below we summarize the Garante’s key considerations.

  • Google Analytics’ “IP Anonymization” feature

The Garante analyzes Google Analytics’ so-called “IP-Anonymization” feature, which allows the transfer of user IP addresses to Google Analytics after masking the last octet of the IP address.  The Garante finds that this feature constitutes a pseudonymization of the IP address, and not anonymization.  According to the Garante, the feature does not prevent Google LLC from re-identifying the user, given Google’s capabilities to enrich such data through additional information it holds, especially in circumstances where those users maintain and use a Google account.

  • Inadequacy of supplementary measures

After recalling the CJEU’s findings in Schrems II (see our previous blogs here and here), the Garante goes on to find a lack of adequate supplementary measures in place to protect data subjects’ personal data.  In particular, the Garante highlights that the Italian website operator had based its assessment of the transfer on certain subjective criteria, which it deems to be at odds with the recommendations of the EDPB (see our previous blog here).  The Garante finds that the encryption measures adopted by Google LLC cannot be considered sufficient, so long as the key remains available to the data importer, and recalls the EDPB’s recommendation that contractual and organizational measures are not sufficient in themselves to prevent access to transferred data, in the absence of further technical measures.  The Garante does not clarify what, in its opinion, would constitute appropriate technical measures, but provides that these must be set out by taking into account the EDPB guidance in this area.

The Garante also restates that a data exporter is responsible for implementing appropriate and effective measures under the GDPR and for demonstrating compliance, rejecting the website operator’s argument that it had no capacity, including any bargaining power over Google LLC, to influence the measures applied to the transferred data.

  • The outcome

The Garante ultimately finds that transfers of personal data to the U.S., as a result of the use of Google Analytics, are unlawful.  It orders the website operator to suspend data transfers, and to bring its processing into compliance within 90 days. 

The Garante did not impose a fine, as it considered that (i) the relevant data did not include special categories of personal data, (ii) the website operator had incorrectly assumed that the supplementary measures adopted by Google were appropriate, without having any decision-making power in that respect, (iii) the website operator adopted remedial measures to mitigate the damage to data subjects, and (iv) the website operator cooperated with the Garante in the course of the proceedings.

***

The Covington team will keep monitoring the developments on enforcement cases relating to the CJEU’s Schrems II judgement and Google Analytics, and is happy to assist with any inquiries on the topic.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.