In the spring of this year, the decisions of the Austrian and French data protection authorities stating that Google Analytics violates the GDPR were a wake-up call for the online marketing industry.
Italian data protection authority follows suit
In the meantime, the Italian data protection authority has also taken this view and announced that a decision stating that Google Analytic violates the GDPR. The measures taken by Google are not sufficient to guarantee an adequate level of protection for user data in the United States.
The authority also used the opportunity to draw the attention of all Italian website operators to the illegality of comparable data transfers to the United States and to call on them to review their use of cookies and other tracking tools for compatibility with the GDPR.
CNIL publishes another opinion on Google Analytics
In June, the CNIL also published another opinion on this issue, in which it outlines a possible path to a privacy-compliant use of Google Analytics.
Standard contractual clauses and changes to the settings are not sufficient
For Google Analytics to be data protection-compliant, it is not sufficient to merely rely on
standard contractual clauses (SCCs) and adjustments to the standard settings. The CNIL also considers encryption of the data to be insufficient, because even then, personal data (especially the IP address) would be transmitted to the US. From the CNIL’s point of view, the direct HTTPS connection between a user’s device and Google’s servers stands in the way of solving the problem of access to data by non-European authorities.
Possible solution: using a proxy server, but with strict requirements
The CNIL sees the only solution for a GDPR-compliant use of Google Analytics in interrupting the connection between the user’s end device and Google’s servers. Proxy servers could be used for this purpose, but they must effectively pseudonymise the data before exporting it.
The Italian data protection authority is now also following suit with the Austrian and French data protection authorities – a decision from Germany should only be a matter of time. Admittedly, the decisions have so far only covered Google Analytics. But the use of all Google services, if not all US-based online services, is currently subject to considerable risks.
At the same time, measures that could enable a GDPR-compliant use are associated with high effort and costs.
The CNIL’s opinion and the decision of the Italian data protection authority are another piece of the unfolding picture that data transfers – especially to the US – present many business models with practically insurmountable challenges from a data protection perspective. Even if the CNIL specifically tries to offer a way out: Not every business will be able to implement these requirements. The focus is therefore likely to shift increasingly to the use of European online service providers.