Garante statement: use of Google Analytics violates GDPR

On June, 23, 2022, the Italian Data Protection Authority (Garante) released a statement on the use of Google Analytics (GA) holding the view that the use of GA by Italian websites without otherwise applicable safeguards violates the GDPR.

Garante comes out as the third data protection authority within the EU that declares the transfer of personal data through GA illegal. Earlier this year, CNIL and the Austrian data protection authority delivered a decision each, both coming to the same conclusion, namely that the use of GA violates the GDPR.

What lead to this statement is that Garante had received a number of complaints. However, it is also the product of coordination with other European privacy authorities.

In its reasoning, Garante assigns a special role to cookies that help GA to collect personal data, such as the IP address, visited pages, type of browser, and the kind of operating system. Garante considers it as proven that personal data is being transferred to the US when using GA. Garante reiterates that IP addresses qualify as personal data and that the pseudoanonymisation undertaken by GA is not sufficient to protect personal data from being accessed from US governmental agencies.

Garante called on all controllers and processors involved in Italian website operations for compliance and ordered a period of 90 days to comply with their obligations under the GDPR. The statement further states: “The Italian SA calls upon all controllers to verify that the use of cookies and other tracking tools on their websites is compliant with data protection law; this applies in particular to Google Analytics and similar services.”