Ita­ly: Use of Goog­le Ana­ly­tics also prohibited

Accord­ing to Austria (data pro­tec­tion aut­ho­ri­ty) and Fran­ce (CNIL) Ita­ly (the Garan­te) also restricts the use of Goog­le Analytics:

The Gua­ran­tor agrees with the deci­si­ons of Austria and Fran­ce on the merits. First of all, the­re is a Dis­clo­sure of per­so­nal data before:

  • When using Goog­le Ana­ly­tics, infor­ma­ti­on about the beha­vi­or on a web­site is collec­ted by coo­kies, inclu­ding the IP address. In the pre­sent case, the com­pa­ny con­cer­ned had still con­clu­ded the usa­ge agree­ment with Goog­le LLC in the USA.
  • A IP address is a per­so­nal databecau­se it iden­ti­fies an elec­tro­nic com­mu­ni­ca­ti­on device and thus makes the data sub­ject iden­ti­fia­ble as a user. This app­lies “in par­ti­cu­lar” if the IP address is lin­ked to fur­ther infor­ma­ti­on about the brow­ser used and the date and time of the visit, as in the pre­sent case.
  • In addi­ti­on, the collec­ted data can be lin­ked to fur­ther infor­ma­ti­on of the respec­ti­ve user account at Google.
  • In the pre­sent case, the opti­on to IP address shor­tening was not acti­va­ted pri­or to onward trans­mis­si­on to the USA. Such “IP anony­miz­a­ti­on” is, howe­ver, only a pseud­ony­miz­a­ti­on, becau­se Goog­le can iden­ti­fy the user through fur­ther information.

This announ­ce­ment was Not allo­wed:

  • In its defen­se, the com­pa­ny con­cer­ned had refer­red, among other things, to the pro­ba­bi­li­ty of the risk of data being acces­sed by aut­ho­ri­ties and the seve­ri­ty of the risk. The gua­ran­tor recalls here that the ECJ in the Schrems II judgment Court of Jus­ti­ce in the abo­ve-men­tio­ned judgment not refer to sub­jec­ti­ve fac­tors such as the likeli­hood of access to the data taken have.
  • The Gua­ran­tor fur­ther opi­nes in this regard that the laws and customs of the third coun­try pre­vent the importer in the pre­sent case from ful­fil­ling its obli­ga­ti­ons under the SCC without fur­ther con­si­de­ra­ti­on of this issue. Con­se­quent­ly addi­tio­nal mea­su­res requi­red to ensu­re a level of pro­tec­tion equi­va­lent to the GDPR.
  • The mea­su­res taken by Goog­le Encryp­ti­on mea­su­res are not suf­fi­ci­ent becau­se the key remains in the hands of Goog­le, so that aut­ho­ri­ties can access it and the encryp­ted data accordingly.

The deci­si­on of the gua­ran­tor is no lon­ger sur­pri­sing and hard­ly calls for com­ments. The gua­ran­tor also only exami­nes whe­ther the­re are defi­ci­ent legal bases in the USA (which is gene­ral­ly assu­med sin­ce Schrems II without its own exami­na­ti­on), but not the likeli­hood that an aut­ho­ri­ty will make use of them.