Another blow against the use of Google Analytics in Europe: The Italian data protection authority found the use of the popular analytics tool by a local web publisher that fails to comply with EU data protection rules by transferring user data to the US – a country that lacks an equivalent legal framework to protect the information from being accessed by US spies.
That warranty determined that the web publisher’s use of Google Analytics resulted in the collection of many types of user data, including device IP address, browser information, operating system, screen resolution, language selection, and the date and time of the website visit, which was transmitted to the United States , without appropriate additional measures being taken to raise the level of protection to the required EU legal standard.
The protections applied by Google were not sufficient to address the risk, it added, echoing the conclusion of several other EU data protection authorities, who have also found that the use of Google Analytics violates the block’s privacy rules on the data export issue .
The Italian data protection authority has given the publisher in question (a company called Caffeina Media Srl) 90 days to remedy the compliance violation. However, the decision has greater significance as it has also warned other local websites using Google Analytics to take note and check their own compliance, according to a press release [translated from Italian with machine translation]:
Earlier this monthThe French data protection authority has issued updated guidance warning against the illegal use of Google Analytics – after a similar error was discovered when using the software on a local website February.
The CNIL’s guidelines propose only very limited possibilities for EU-based website owners to use Google’s analytics tool legally – either by applying additional encryption if keys are under the exclusive control of the data exporter itself or other entities established in an area with a reasonable level of protection; or by using a proxy server to avoid direct contact between the user’s device and Google’s servers.
The Austrian data protection authority also confirmed a similar complaint about the use of Google Analytics on a website in January.
While the European Parliament found itself in hot water over the same core issue at the beginning of the year.
All of these strikes against Google Analytics stem from a series of strategic complaints that have been filed Aug 2020 by European privacy campaigning group noyb – which targeted 101 regional operator websites that it found were sending data to the US via Google Analytics and/or Facebook Connect integrations.
The complaints followed a landmark ruling by the block’s top court in July 2020 – which invalidated an EU-US data transfer agreement called Privacy Shield and clarified that data protection authorities have an obligation to intervene and suspend data flows to third countries if they suspect that EU citizens’ information is at risk.
The so-called “Schrems II” ruling is named after noyb founder and longtime European privacy activist Max Schrems, who filed a complaint against Facebook’s EU-US data transfers, citing surveillance practices uncovered by NSA whistleblower Edward Snowden, which ended – by court submission – before the ECJ. (A previous challenge by Schrems also resulted in the former EU-US data transfer agreement being struck down by the court in 2015.)
In a more recent development, a replacement for Privacy Shield is on the way: In March the EU and the USA announced they had agreed on it politically.
However, the legal details of the planned data transmission framework still have to be finalized and the proposed mechanism has to be checked and approved by the EU institutions before it can even be used. This means that the use of US-based cloud services for EU customers remains subject to legal risks.
The bloc lawmakers have recommended The replacement deal could be in place by the end of this year – but there’s no easy legal patch EU users of Google Analytics can achieve in the meantime.
Also TThe gulf between US surveillance law and EU data protection law continues to widen in some respects – and it is by no means certain that the negotiated replacement will be robust enough to weather the inevitable legal challenges.
A simple legal patch for such a fundamental clash of rights and priorities looks like a high bar – without substantive reform of existing laws (which neither side seems inclined to offer).
So we’ve started to see software-level reactions from certain US cloud giants — too offer European customers more control over data flow — to find a way to circumvent the legal risk of data transfer.
Italy’s data watchdog latest to warn over use of Google Analytics – TechCrunch Source link Italy’s data watchdog latest to warn over use of Google Analytics – TechCrunch