Last week I was presenting at Marketing Analytics Summit, where I spent some time discussing the decisions of France and Austria. Little did I know at the time that on my way home, Italy would reach its own decision in regard to the use of Google Analytics which, upon examination, was fully in line with the previous decisions issued by France and Austria.
Note: I am not a lawyer and this is not legal advice. You should consult with your legal team if you have concerns with the below.
The violations in question
While the decision was against Google’s Universal Analytics specifically, I strongly believe that based on the findings, a similar decision would likely apply to Google Analytics 4 as well. The Italian supervisory authority in their investigation cited the Italian website for failing to adhere to Europe’s General Data Protection Regulation (GDPR).
On 11 January 2022 the Office notified, pursuant to art. 166, paragraph 5, of the Code, the alleged violations of the Regulation found with reference to art. 5, par. 1, lett. a), and par. 2, in art. 13, art. 24 as well as art. 44 and 46, par. 2, lett. c), of the Regulation.
https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9782890
What data does Google actually obtain?
The Italian DPA talks at length about what data Google obtains via the transmission of data to Google Analytics. As you can see here:
More specifically, the data collected consist of: unique online identifiers that allow both the identification of the browser or device of the user visiting the website, and of the site manager himself (through the Google account ID); address, website name and navigation data; IP address of the device used by the user; information relating to the browser, the operating system, the screen resolution, the selected language, as well as the date and time of the visit to the website.
https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9782890
Further, it flags that if the user was logged into their Google Account (as was the case in question) then the following data is also accessible:
In addition, if the visitor to the website logs into his / her Google account – a circumstance which occurred in the hypothesis in question -, the data indicated above may be associated with other information present in the relevant account, such as the email address (which constitutes the user ID of the account), the telephone number and any other personal data including gender, date of birth or profile picture.
https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9782890
Now, a great deal of the discussion online centers around the use if IP Address being provided to Google. As we can see above, this is only a single data point of many that the DPA is concerned with. In regard to the IP Address, the DPA did have something to say here as well.
On this point, however, it is worth highlighting right now that “IP-Anonymization” actually consists of a pseudonymisation of the data relating to the user’s network address, as the truncation of the last octet does not prevent Google LLC to re-identify the user himself, taking into account the overall information held by the same relating to web users. Furthermore, Google LLC has the possibility – if the interested party has accessed his / her Google profile – to associate the IP address with other additional information already in its possession (such as the information contained in the user account ). This operation, therefore, despite the activation of the “IP-Anonymization”, still allows the possible re-identification of the user.
https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9782890
Thus it is the viewpoint that transmission of data to Google LLC. does contain personal data, and that data is transferred to the United States. Since the transfers are to a third country that does not have an adequate level of data protection per GDPR, such a transfer may only be carried out with compliance with Chapter V of the GDPR.
What of Encryption?
Google claims that additional measures are in place to assure compliance such as in transit and at rest encryption. However, citing a decision from the European Data Protection Board, they find that Google’s claims can not change the transfer to having adequate data protection as Google retains the encryption keys, and so could be forced to decrypt the data for the United States government.
With regard to the data encryption mechanisms highlighted above, in fact, they are not sufficient to avoid the risks of access, for national security purposes, to the data transferred from the European Union by the public authorities of the United States, as the encryption techniques adopted provide that the availability of the encryption key is in the hands of Google LLC which holds it, as an importer, by virtue of the need to have the data in clear text to carry out processing and provide services. It is also worth noting that the obligation to allow access by the US authorities falls on Google LLC not only with reference to the personal data imported, but also with regard to any cryptographic keys necessary to make them intelligible (see also Recommendation 1 / 2020, cit., Par. 81).
https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9782890
From this it follows that, as long as the encryption key remains available to the importer, the measures adopted cannot be considered adequate (see Recommendation 1/2020, cit., Par. 95).
Impact to the Website
The website, which had undertaken multiple efforts to move into compliance during the investigation, was ultimately found liable for the data transfers. The DPA gave the website 90 days to either cease the data transfer, or ensure it becomes compliant. Once the time period has elapsed, the DPA will revisit the case to ensure compliance.
Further, the DPA mentioned in their notice they wish for all Italian website owners and managers to review the existing data flows to ensure compliance, particularly in regard to Google Analytics.
On this occasion, the Authority draws the attention of all Italian managers of websites, public and private, to the illegality of transfers made to the United States through GA, also in consideration of the numerous reports and questions that are being received by the Office. And invites all data controllers to verify the compliance of the methods of use of cookies and other tracking tools used on its websites, with particular attention to Google Analytics and other similar services, with the legislation on the protection of personal data. .
https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9782874
Why I don’t believe GA4 solves the issue
After the French and Austrian decisions, Google released a set of features for Google Analytics 4, that would allow websites within the EU additional privacy controls to be leveraged when collecting data from the European Union.
If a site was to turn on all of these features, they would be effective in removing the majority of the personal data ultimately sent to Google in the United States, but not all of it (such as the client ID). Even if the features are enabled (they are not by default) some data which the DPA has classified as personal data is still sent to the USA for storage and processing. As this is the case the website owner would still be required to ensure compliance.
Even if you were compliant with Google’s EU user consent policy, I suspect that on its own, this would not be a sufficient level of consent under GDPR given the United States present data adequacy status. The French DPA says that no consent is valid (link in French) for systematic data transfers to the United States. If this belief is also held by the Italian DPA (presently unclear) then no consent would be enough to enable the use of Google Analytics as it works out of the box.
But didn’t France leave the door open to using a Proxy Server?
The Proxy Problem
France did in fact leave the door open for considering a Proxy Server for data transfer prior to shipping the data to Google Analytics and even wrote a helpful page about it. However it should be noted that the data which clears the proxy server is heavily restricted.
France says for the proxy data transfer to be valid, it must transform the data in the following ways:
The absence of transfer of the IP address to the servers of the measurement tool. If a location is transmitted to the servers of the measurement tool, it must be operated by the proxy server and the level of precision must make it possible to ensure that this information does not allow a re-identification of the person (for example by using a geographical network ensuring a minimum number of Internet users per cell);
The replacement of the user identifier by the proxy server. To ensure effective pseudonymization, the algorithm performing the replacement should ensure a sufficient level of collision (i.e. a sufficient probability that two different identifiers give an identical result after hashing ) and include a variable time component (add to the hashed data a value that evolves over time so that the result of the hash is not always the same for the same identifier);
The deletion of the referring site information (or “referer “) external to the site;
The deletion of any parameter contained in the URLs collected (for example the UTMs, but also the URL parameters allowing the internal routing of the site);
The reprocessing of information that can participate in the generation of a fingerprint , such as “ user-agents ”, to remove the rarest configurations that can lead to re-identification;
The absence of any collection of identifiers between sites ( cross-site ) or deterministic (CRM, unique ID );
Deletion of any other data that may lead to re-identification
https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/google-analytics-et-transferts-de-donnees-comment-mettre-son-outil-de-mesure-daudience-en-conformite
Further, there are hosting requirements to the location of the proxy server to ensure that by sending data to the proxy server you are not violating GDPR. So for example, you can potentially use a proxy server, but the proxy server can’t be located in, say, the United States or any other country that doesn’t have adequacy status.
I talk about server side analytics, and some of the issues related to the hosting concerns which you can review here. My viewpoint is – you can potentially make it work, with excessive effort and dramatic reduction in what data you get for reporting. I remain skeptical however, if it’s worth the effort when compared with data analytics platforms that keep data with-in the European Union which allows a company to avoid all of the complexity outlined above.