The Italian Data Protection Authority (Garante Privacy) has become the latest regulator to conclude that the use of Google Analytics in Europe violates the EU's data protection rules when a wide variety of user data is collected by the tool and then transferred to the US.
And in the US, that data does not enjoy the same standard of protection, meaning that Europeans’ personal information becomes accessible to US law enforcement.
Garante Privacy made this decision after examining a case involving a web publisher, Caffeina Media, which uses Google Analytics. The data in question reveals IP address, type of OS, browser details, language, and date and time of the visit to the site.
Before Italy, data protection agencies in France and Austria reached similar conclusions, saying that Google's own measures to protect data and bring that protection up to EU rules are not sufficient.
Garante Privacy has now given the publisher three months to fix the issue. At the same time, it told other sites to make sure their use of Google Analytics complies with data protection regulation, warning that data transfers to the US through Google Analytics are illegal. This applies to both private and public companies that manage websites.
Meanwhile, those in charge of controlling the level of compliance are asked to check how cookies and other tracking tools are used, particularly when it comes to Google Analytics.
The French regulator, CNIL, earlier said that the only way for EU sites to implement Google Analytics legally would be to add encryption, where data exporters or others who guarantee necessary levels of protection hold the keys. Another option is to use a proxy server between the user and Google.