Ita­ly: Use of Goog­le Ana­ly­tics also prohibited

Accor­ding to Austria (data pro­tec­tion aut­ho­ri­ty) and France (CNIL) Ita­ly (the Garan­te) also rest­ricts the use of Goog­le Analytics:

• Media release (EN)
• Decis­i­on (PDF, IT)
• Decis­i­on trans­la­ted (PDF, DE)

The Gua­ran­tor agrees with the decis­i­ons of Austria and France on the merits. First of all, the­re is a Dis­clo­sure of per­so­nal data before:

• When using Goog­le Ana­ly­tics, infor­ma­ti­on about the beha­vi­or on a web­site is coll­ec­ted by coo­kies, inclu­ding the IP address. In the pre­sent case, the com­pa­ny con­cer­ned had still con­clu­ded the usa­ge agree­ment with Goog­le LLC in the USA.
• A IP address is a per­so­nal databecau­se it iden­ti­fi­es an elec­tro­nic com­mu­ni­ca­ti­on device and thus makes the data sub­ject iden­ti­fia­ble as a user. This applies “in par­ti­cu­lar” if the IP address is lin­ked to fur­ther infor­ma­ti­on about the brow­ser used and the date and time of the visit, as in the pre­sent case.
• In addi­ti­on, the coll­ec­ted data can be lin­ked to fur­ther infor­ma­ti­on of the respec­ti­ve user account at Google.
• In the pre­sent case, the opti­on to IP address shor­tening was not acti­va­ted pri­or to onward trans­mis­si­on to the USA. Such “IP anony­mizati­on” is, howe­ver, only a pseud­ony­mizati­on, becau­se Goog­le can iden­ti­fy the user through fur­ther information.

This announce­ment was Not allo­wed:

• In its defen­se, the com­pa­ny con­cer­ned had refer­red, among other things, to the pro­ba­bi­li­ty of the risk of data being acce­s­sed by aut­ho­ri­ties and the seve­ri­ty of the risk. The gua­ran­tor recalls here that the ECJ in the Schrems II judgment Court of Justi­ce in the abo­ve-men­tio­ned judgment not refer to sub­jec­ti­ve fac­tors such as the likeli­hood of access to the data taken have.
• The Gua­ran­tor fur­ther opi­nes in this regard that the laws and cus­toms of the third coun­try pre­vent the importer in the pre­sent case from ful­fil­ling its obli­ga­ti­ons under the SCC wit­hout fur­ther con­side­ra­ti­on of this issue. Con­se­quent­ly addi­tio­nal mea­su­res requi­red to ensu­re a level of pro­tec­tion equi­va­lent to the GDPR.
• The mea­su­res taken by Goog­le Encryp­ti­on mea­su­res are not suf­fi­ci­ent becau­se the key remains in the hands of Goog­le, so that aut­ho­ri­ties can access it and the encrypt­ed data accordingly.

The decis­i­on of the gua­ran­tor is no lon­ger sur­pri­sing and hard­ly calls for comm­ents. The gua­ran­tor also only exami­nes whe­ther the­re are defi­ci­ent legal bases in the USA (which is gene­ral­ly assu­med sin­ce Schrems II wit­hout its own exami­na­ti­on), but not the likeli­hood that an aut­ho­ri­ty will make use of them.