Google Analytics banned in Italy

GPDP: 'US does not provide adequate level of personal data protection'

The Italian regulator says website operators who use Google Analytics collect information about visitors' behavior and interaction with them through cookies. Among other things, they know which pages they visit, how much time they spend there and what searches they perform. Also, Google's statistics program allows them to collect IP addresses, information about the device they surf with, the Web browser and operating system they use, screen resolution, language settings, date and time.

All this data is transmitted to servers in the US. The processing of this data is unlawful, the GPDP ruled. The General Data Protection Regulation (AVG) considers IP addresses to be personal data, traceable to individuals. To make matters worse, IP addresses are not anonymized by default. Even if they were, even then Google can enrich this data with additional information the tech company has at its disposal.

The fact that U.S. government and intelligence agencies have access to personal data transmitted through Google Analytics was also a thorn in the side of the Italian regulator. In doing so, the country "does not provide an adequate level of protection" of personal data.

Italian regulator gives companies 90 days to comply with AVG

For the above reasons, an Italian website owner is being taken to task by the regulator. The company in question will be given 90 days to bring its processing of personal data into compliance with European privacy laws. Should the company fail to do so, it must suspend all data flows resulting from the use of Google Analytics. The only alternative left then is to use an AVG-friendly statistics and analytics program.

The ruling does not only apply to the company that the regulator received a complaint about. All public and private website owners in Italy who use Google Analytics must eventually stop using Google's statistics package. "The Italian regulator calls on all data controllers to verify that the use of cookies and other tracking tools on their websites complies with data protection legislation," the press statement reads.

After the expiration of the 90-day period, the GPDP is going to conduct random inspections to verify that data collection and transfer is in compliance with the AVG. For that, the regulator is going to conduct ad hoc inspections.

More national regulators condemn use of Google Analytics

More and more privacy watchdogs in Europe are coming to the same conclusion as the GPDP. The Datenschutzbehörde (DSB) was the first to call out that the use of Google Analytics violates European privacy laws. The Austrian regulator ruled that Google's analytics software continuously collects and stores Internet users' IP addresses and cookie data on servers in the US.

The Norwegian regulator EDPS drew a similar conclusion not much later. The privacy watchdog pointed out that Google Analytics collects IP addresses that can be traced back to individual users. It is possible to mask IP addresses, but that does not solve the problem, according to the regulator. That's because Google Analytics also collects cookie data. That makes it possible to link user data to users when they are logged into their Google account. That violates European privacy laws, and is therefore illegal.

The Commission Nationale de l' Informatique et des Libertés (CNIL) is also troubled by the way website visitor data is sent and processed to the US. "Although Google has established several measures to regulate data transmission to other countries, these are not sufficient to protect access by US intelligence agencies," the French regulator said.

In late May, the Autoriteit Persoonsgegevens completed its investigation into Google Analytics. The findings are currently with the Enforcement Department, which will determine whether Google will actually be fined. In the course of the year, the regulator will present its conclusions.