In recent days, we have been hearing a lot about the Google Analytics and GDPR case.
But where did the issue originate, and which services does it affect?
Does the case relate only to Google services, or can it be extended to all those in the US?
To shed light on possible solutions and to understand what the possible consequences could be, we have examined several possible scenarios and answered these and other doubts with Frida Del Din of legaledigitale.com.
Table of Contents
Google Analytics and GDPR: what's going on?
Ivan Messina of SupportHost.
Frida Del Din of legaledigitale.com.
Below, you can see the video interview in which Frida answered in a clear and simple way to all the doubts on the GDPR and Google Analytics issue.
How the GDPR and Google Analytics case broke out and how to move
Let's see where the Google Analytics problem that is causing so much discussion came from.
What was the case that sparked the whole situation?
Could adopting Google Analytics 4 really solve it? Or are the solutions to be found elsewhere?
Let's start with the first question. What exactly happened with Google Analytics in the last few days?
It all started because of a measure issued by the Supervisory Authority in the first days of June. Let me specify that this is a measure that concerns a specific company that has been the subject of an audit.
The Supervisory Authority has established that the use of Google Analytics presents some criticalities. These are related to the fact that the data that is transmitted to Google Analytics is transferred to the United States. And, since 2020 the Court of Justice of the European Union has invalidated what was the protective umbrella that allowed us to safely transfer data to the United States.
I am talking about a protective umbrella not so much from the point of view of IT security as for the fact that, pursuant to the GDPR, the transfer of data to countries outside the European Union is free only to the extent that the legislation and practice of these countries offer guarantees similar to those offered by the GDPR to data subjects and data protection.
Since there is no such alignment, in fact the transfer becomes substantially prohibited, or rather it is prohibited, it could be carried out using additional tools, but even these in the end are considered as not adequate, not sufficient to protect the rights of the interested parties.
The provision was published on 9th June, since that moment the news has had a great resonance and has put all those who use Google Analytics for site analytics in crisis.
I heard someone say that with Google Analytics 4, the GDPR problem could be solved because IPs are anonymized and eventually this should be the only personal data, if I'm not mistaken. How does that work?
Even Google Analytics 3 allows you to anonymize IPs as an optional option and the Supervisory Authority, in fact, had found that at the time the company (from which the whole case started) did not have anonymized IPs. During the investigation, the company anonymized the IP addresses.
Unfortunately, however, the Supervisory Authority has found that the anonymization of IP addresses is not sufficient. This is because, especially if the user is logged in with their Google account, even if the data is anonymized and some of the characters of the IP address are obscured (3 out of 8), in some way Google still manages to identify the subject through the crossing of other data.
This is what emerges from the provision, even if it should be deepened. So it would seem that anonymization alone is not enough.
To return to the question, as regards Google Analytics 4, if the technical implementations are limited only to anonymization and to make it mandatory, we should then go and see specifically if there is any more measure.
So, switching to Google Analytics 4 does not solve the situation
It remains to be seen if Google is rolling out other features as well. Considering that GA4 will become mandatory from 1 July 2023, it is plausible that they are still implementing the product. So you can then see if, in its final version, other functions will also be included.
In the same way, the Trans-Atlantic act is expected to arrive and that it should be an adequacy decision that should solve this problem upstream. Let us remember, that the issue does not only concern Google Analytics, but also all the other tools that are provided by US companies.
We will return to this later with specific questions. In this case, however, who needs to find a solution? Google or the act you referred to?
In reality, according to the principle of accountability, the one who has to find a solution is the data controller, therefore the one who manages the site. Then surely Google will take note of the situation, as it has already happened in the past, and will find a solution.
Certainly, if the Trans-Atlantic Act arrives, the problem of the unequal treatment of laws at European and US level will be solved. At that point, therefore, there will be no further problems because the underlying problem is actually this: a US company can receive a request and have to exhibit the data even without having to comply with a series of guarantees. At least this was the conclusion of the Court of Justice after analyzing the issue.
This situation is also linked to the issue of social surveillance and to the law and practice that took place after the well-known events of 2001 and subsequent ones. The ideal solution, and the best of all, would therefore be the arrival of the Trans-Atlantic act.
To date, it is the data controller who must make his assessments. This is because the Supervisory Authority will also be able to take action against Google (as has already happened in the past), but when he opens an investigation on a company that manages a site, then the owner of the company will be responsible for it.
For now, the solution for those who have a site is to delete Google Analytics and then hope for the Trans-Atlantic act or hope that Google can fix it and you can continue to use the service. Do I have that right?
Yes, certainly the best solution, especially for those sites that use Google Analytics because of common use, but do not make a fundamental use of it in their strategy, is to search for similar tools that do not involve the transfer of data outside the European Union.
A popular alternative is Matomo
Yes, in fact it is one of the alternatives to Google Analytics that are proposed as possible.
It could be a solution. As we said before, in fact, there are exceptions by virtue of which it is possible to make the transfer. One of these exceptions, dictated by article 49 letter A of the GDPR, is the explicit consent of the interested party, provided that he is adequately informed of the risks of the transfer.
This might seem like a solution, in reality the doctrine requires you to be careful. In fact, since it is a derogation, and therefore an exception to a prohibition, it must be applied in extraordinary, exceptional and not repeated cases.
It is clear that, if we apply to all visitors who may arrive on our site, this exceptional nature that the derogation must have could be disputed that it does not exist. And, therefore, such a solution could be considered insufficient.
So, let's say it's not a real solution
It is a solution that involves risks. The processing of personal data, as trivial as it may seem, under civil law is equivalent to "carrying out dangerous activities", in the sense that the data are important.
It follows that it is necessary to have a proactive attitude and seek solutions that comply as much as possible with the law.
It may be, in some cases, that by balancing the various interests in the field, the data controller may also decide to assume the risk.
In this case it could decide to implement the solution, even if it is not ideal and is therefore not the maximum guarantee possible. The owner thus decides to implement the solution, in light of this premise, and to justify it, especially in the event that it should be challenged.
The most important thing is always to make an upstream assessment because all the legislation on the processing of personal data is based on accountability. So I am free to choose, but I have to give an account of the reasons for my choices.
Having made an assessment and taking risks may be, in a sense, less serious than not having assessed anything and having acted without thinking.
Exactly. Precisely for the principle of exceptionality we were talking about earlier. In some isolated or particular cases that derogation may apply.
Let's open a parenthesis by entering more into the technical to understand why evaluation is important. While it is true that data is "in danger" in the United States because it is acquired in some situations by the Intelligence, it is also true that Article 49 letter D (of the GDPR) provides for the exception of serious reasons of public interest.
This is the argument that was raised by the US government after the ruling, assuming that this type of legal basis could be used. That is to say that when the intelligence is accessed, I can invoke that kind of exception that justifies the transfer of data.
The problem is that it is not clear why the Court of Justice, on the other hand, maintains that in reality access requests are carried out without a judge's order or without well-founded suspicions. This parenthesis only serves to understand how complex the question is and, therefore, how difficult it is to find a solution.
GDPR, Google Analytics and other services of US companies: what to expect
The question that everyone is asking now is whether the situation of Google Analytics does not concern only this service but can also be extended to other US tools.
This is the case with other Google services and beyond.
Just think of the Facebook pixel and all the other services made in the USA.
But also, the very situation of hosting service providers that are offered by US companies while relying on servers in Europe. Does the server location matter in this case? Or should other factors also be taken into account?
Let's see what happens in all these situations.
At this point the question that comes to mind, and that I have also read everywhere on the various groups I frequent, is whether this situation could trigger a domino effect. If I can't use Google Analytics, can I continue to use the Facebook pixel, for example?
This is a problem because actually the issue is not just about Google Analytics. The problem must be addressed in all cases in which I go to use tools that transfer or can transfer data to a country that has not been deemed, by the European Union, adequate for the transfer and, therefore, safe.
if for now, to go back to the example above, the problem has not yet emerged explicitly regarding the Facebook pixel, do you still recommend deleting it from the site?
Here, too, assessments must always be made on a case-by-case basis. Certainly, even if the Supervisory Authority has not expressed himself in relation to that specific tool, an evaluation must be made on all the tools that are being used.
Without going into detail, regarding the Facebook pixel, we could consider that we already have users who are on the social network, and therefore their data is already out, but we must also consider how the tool works.
Furthermore, it is necessary to take into account how it is used and, above all, what the user's role is. This case, in fact, is different from that of Analytics in which the user undergoes, in a certain sense, the choice of the data controller who has the right to use the tool on his site or not.
In the case of social networks, the discussion could be broader precisely because the user has agreed to enter and create an account. Even in this case, however, it should be emphasized that it is necessary to evaluate carefully.
Suppose I use a service where European user data is uploaded that has servers in Europe, but the company is in the US. Can I continue to use it or would it be better to avoid doing it?
The measure that is causing so much discussion offers an answer to this type of situation. In this case, the US company is subject to US federal law. So, regardless of where it can have the servers, it is clear that if it is under the control of a company subject to that jurisdiction, it is easy to think that in front of a request it has no way to escape just because the servers are somewhere else.
We have all seen that in these two years Google has founded the Irish company and, recently, it also has the Italian one. However, it is also true that the US company controls these other companies. In the case that the Supervisory Authority examined, the data was transferred to the United States and encrypted, but the decryption key was in the possession of the US company, so let's go back to the same speech as before.
There is, therefore, always the risk given that the company must respond since it is a government request. In conclusion, having the servers in Europe is not a sufficient solution, because it depends on who can have access to that data.
Could the blocking of Google Analytics cause a domino effect and thus render all services in the U.S. illegal? That is my understanding, yes.
More than illegal, I would say that they present these problems we have talked about. Google, but also other companies, are aware of this situation and are trying to solve it.
For example, in June last year, the European Commission approved the new standard contractual clauses that can be included in contracts to add extra measures, precisely in cases where transfers are made to countries that have not made an adequacy decision.
These clauses and supplementary measures may be sufficient, but in reality, they are not because in the end the real solution will be there when we have an agreement between the European Union and the United States that offers guarantees in accordance with the European regulation.
Do the various Google services like Drive and Gmail suffer from the same problem? If I am using Gmail for work and I send an email to Frida, I must at least have her email address
On closer inspection yes, because there is always the concept of data and where it is stored or under the control of who is stored.
And how does it work for Adsense? Is there an exchange of personal data or not if I use banners on my site?
In this case, it is also necessary to do an in-depth analysis to understand how exactly the tool works and if there is data tracking.
What needs to be done now?
Now that we have examined the issue and understood that we must also be careful with the use of other tools, let's see what needs to be done from here on out and how much time we have to adapt to avoid risks.
Do you know if measures have already been taken towards sites that use Google Analytics or is it still early?
As for the Italian Supervisory Authority and in fact I believe also the French one, there is a provision which ends with the company's warning and the assignment of a 90 - day term to find a satisfactory and alternative solution.
At the moment there are no financial penalties, I always speak of the present case. And there have been evaluations by the Supervisory Authority that have led to consider this type of violation, I am talking about Google Analytics etc., as a minor violation.
All this refers only to the present case.
Surely the nature of the data that is processed is the same for all site owners. The fact that the Company was particularly cooperative and took steps to fix things also played a role here. This behavior is also viewed positively.
Of course, we must consider that since it is the first, this treatment may not be reserved for the next ones.
The problem affects everyone, even at the level of public bodies that perhaps use some of these tools.
What is the latest date to delete Google Analytics from all sites?
There is no single date because the only data is 90 days starting from 9 June, but only for the company that was the subject of the assessment.
We can assume that we can take some time to evaluate the situation well, deepen it and update our choices, in fact, the choices we make are never final.
So, today, in the light of this further data, it is appropriate to reflect and analyze according to your site and your business and make decisions. Furthermore, let's not forget that alternatives can also be explored.
Thanks to this valuable interview with Frida Del Din, we have clarified the Google Analytics and GDPR issue. We have seen where the problem originated and how compliance with the regulation that protects data protection is increasingly important.
We just have to follow the advice Frida offered us in conclusion: evaluate the situation and adapt our choices, perhaps even opting for alternatives.
And what do you think? Is the situation clearer to you now? But above all, are you already moving to test alternatives to the well-known Google service?