According to Austria (data protection authority) and France (CNIL) Italy (the Garante) also restricts the use of Google Analytics:
The Guarantor agrees with the decisions of Austria and France on the merits. First of all, there is a Disclosure of personal data before:
- When using Google Analytics, information about the behavior on a website is collected by cookies, including the IP address. In the present case, the company concerned had still concluded the usage agreement with Google LLC in the USA.
- A IP address is a personal databecause it identifies an electronic communication device and thus makes the data subject identifiable as a user. This applies “in particular” if the IP address is linked to further information about the browser used and the date and time of the visit, as in the present case.
- In addition, the collected data can be linked to further information of the respective user account at Google.
- In the present case, the option to IP address shortening was not activated prior to onward transmission to the USA. Such “IP anonymization” is, however, only a pseudonymization, because Google can identify the user through further information.
This announcement was Not allowed:
- In its defense, the company concerned had referred, among other things, to the probability of the risk of data being accessed by authorities and the severity of the risk. The guarantor recalls here that the ECJ in the Schrems II judgment Court of Justice in the above-mentioned judgment not refer to subjective factors such as the likelihood of access to the data taken have.
- The Guarantor further opines in this regard that the laws and customs of the third country prevent the importer in the present case from fulfilling its obligations under the SCC without further consideration of this issue. Consequently additional measures required to ensure a level of protection equivalent to the GDPR.
- The measures taken by Google Encryption measures are not sufficient because the key remains in the hands of Google, so that authorities can access it and the encrypted data accordingly.
The decision of the guarantor is no longer surprising and hardly calls for comments. The guarantor also only examines whether there are deficient legal bases in the USA (which is generally assumed since Schrems II without its own examination), but not the likelihood that an authority will make use of them.