


Google Analytics, the Italian Data Protection Authority rules on the use of the tool: what to do now?


Published on 28 June 2022 | reading time approx. 4 minutes


At the end of a complex investigation, and in coordination with other European authorities, on 9 June the Garante ruled against the use of Google Analytics by an information website (Register of Measures No. 224, Provvedimento del 9 giugno 2022 [9782890], Garante Privacy).

The measure, in particular, stated that:
  • the use of Google Analytics involves the processing of personal data even when the AnonymizeIP feature is adopted, a function that obscures the last octet of the connected user's IP address. Although Google presents this as a true anonymisation process (IP Anonymization (or IP masking) in Universal Analytics - Analytics Help (google.com)), the Authority pointed out that it is in fact pseudonymisation: truncating the last octet does not prevent Google from re-identifying the user by exploiting the other information the platform holds about web users (by associating the truncated IP with additional information from the user's account).
  • Having established that personal data are processed (with or without the 'IP-Anonymisation' tool), the Authority's examination turned to the transfer of data: the use of Google Analytics entails a transfer of data to Google Inc (the data controller until May 2021, now Google Ireland), and therefore to the USA.
The Authority recalled that, following the invalidation of the Privacy Shield by the Schrems II ruling, the USA is no longer a country offering an adequate level of protection to which data may be transferred. Standard contractual clauses remain a possible basis for transferring data, but not on their own: the safeguards in the contractual clauses must be assessed as adequate with regard to the third country of destination, providing, where appropriate, for additional measures. In particular, the risk of interference by US authorities requires data controllers, as exporters, to verify on a case-by-case basis and, where necessary, in cooperation with the importer in the third country, whether the latter's law or practice undermines the effectiveness of the guarantees contained in those clauses.

In the case of Google, the possibility of access by the US authorities is, according to the Garante, evidenced by the 'Transparency report on United States national security requests for user information', which reports the number of access requests received by Google (requests which, as the report itself states, may also concern 'non-content metadata' such as IP addresses).

But could the transfer take place in such a case? 

Only if the exporters (the subjects that by using Google Analytics transfer data outside of the EU) take additional measures to ensure a level of protection of personal data substantially equivalent to that provided for in European Regulation 2016/679 ('GDPR').

Measures, however, which in the present case do not appear to have been deemed adequate for Google Analytics by the Garante.

From a technical point of view, the encryption mechanism chosen for the data during transfer between systems (in transit) and at rest is not adequate in the present case because the encryption keys are held by Google, which needs the data in plain text in order to carry out processing and provide its services. Google would therefore be required to hand the keys over to the authorities in the event of a request. Encryption in transit is adopted where data are transferred between different systems, services or data centres through networks or infrastructures not controlled by the company (e.g. wide-area networks). Encryption at rest, on the other hand, concerns user data stored on disk drives or backup media and is based on encrypting the data with standard algorithms (usually AES256) at different levels, starting with encryption at the hardware level, depending on the type of application and the specific risks.

As long as the encryption key remains at the importer's disposal (that is Google), the measures taken cannot be considered adequate (see Recommendation 1/2020, cit., para. 95).

The inadequacy of the technical measures would irreparably undermine the contractual measures taken, concerning for instance the prior verification of each access request as well as its prompt communication to the data subject or the publication of the policy for the handling of access requests to user data being transferred by the US public authorities.

According to what has been reported above, what are the prospects for data controllers using the Google Analytics tool?

With reference to the data processing that also occurs with the AnonymizeIP solution, it seems appropriate to qualify Google Analytics cookies as non-anonymised analytical cookies and, therefore, as cookies that cannot be equated with technical cookies: under this interpretation, an ad hoc consent would be required for the activation of these tracking tools, according to the Authority's Guidelines on cookies of 9 January 2022.
With reference to the resulting data transfer, this must be considered unlawful, without additional guarantees, because the United States is not considered a country that guarantees adequate standards of protection.

What can data controllers do?

It will be necessary to carry out a Data Transfer Impact Assessment (so called “DTIA”) documenting:
  • The purpose of the processing
  • The nature of the data subjects involved
  • The nature of the data transferred
  • The sector in which the transfer takes place
  • The circumstance that the data will be stored in the third country or accessed remotely
  • The format of the data to be transferred and any subsequent transfers
  • The instrument adopted for the transfer in accordance with Article 46 GDPR
  • The verification of local legislation and of the practices actually followed, to determine whether the public authorities of the third country may attempt to access the data, either through the importer itself or through telecommunications providers or communication channels
The DTIA in the case of Google Analytics will presumably have a negative outcome: in fact, Google does not currently have any measures deemed adequate by the Authority and additional guarantees would be needed that would be difficult to implement by the data controller alone.

Therefore, the data controller that uses the tool may, following the DTIA (which must in any case be carried out):
1. Adopt a lower-risk solution:
  • Uninstalling Google's analytical cookies without adopting alternatives;
  • Uninstalling the cookies in favour of a (truly anonymised analytical) European tool, with a reduction of the sanctioning risk for non-EU transfers (an extensive list of European alternatives to Google Analytics has been drawn up by the CNIL, Cookies : solutions pour les outils de mesure d'audience | CNIL)
2. Adopt a higher-risk solution:
  • Keeping Google's analytical cookies active, considering activating them only subject to consent since they are no longer anonymised analytical cookies, and trying to mitigate the risks by identifying possible additional safeguards (appropriate technical measures, for example a proxy)
In the absence of safe and compliant solutions, and expecting that Google will take appropriate measures as soon as possible, including providing technical reassurances on its services, the data controller should turn to one of the 'low-risk' solutions mentioned above.

For more information on the management of the delicate transition phase, please contact the Privacy Department.

Authors:
Nadia Martini - Partner
Flavia Terenzi - Senior Associate

DATA PROTECTION BITES
