Italian Garante Bans Google Analytics for GDPR Violations
Background
On June 23, 2022, the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali, or Garante) published a decision declaring that the use of Google Analytics violates the General Data Protection Regulation (GDPR). This ruling followed similar decisions by the Austrian and French data protection authorities, and was based on complaints filed by noyb (None Of Your Business), the European privacy advocacy group founded by Max Schrems.
The Case and Investigation
The case involved Caffeina Media S.r.l., which operated the website www.caffeinamagazine.it. The initial complaint, filed in August 2020, alleged that the website transferred personal data to Google LLC in the United States through Google Analytics without providing adequate safeguards as required by Chapter V of the GDPR. The Garante's investigation found that:
- Data Collection Scope: When users visited the website, Google Analytics collected various personal data including:
  - IP addresses (even with anonymization enabled)
  - Browser information
  - Operating system details
  - Screen resolution
  - Language settings
  - Date and time of page visits
- Timing and Context: The data collection occurred when users visited the website while logged into their Google accounts, creating additional risks of data combination and identification.
Key Technical Findings
The Garante's technical assessment revealed several critical issues with the implementation of Google Analytics:
- Pseudonymization vs. Anonymization: The Garante explicitly determined that Google's "IP anonymization" feature only performs pseudonymization, not true anonymization. The authority noted that:
  - The masked IP addresses still constituted personal data under the GDPR
  - Google retained the capability to re-identify users by combining this data with other information it possesses
  - This is particularly concerning when users are logged into Google accounts during website visits
- Inadequate Encryption Measures: The encryption measures implemented by Google (at rest and in transit) were deemed insufficient because:
  - Google LLC, as the data importer, retained access to the encryption keys
  - This meant Google could access the data in plain text for system maintenance and service provision
  - US authorities could potentially compel Google to disclose both the data and encryption keys
- Supplementary Measures: The Garante emphasized that contractual and organizational measures alone are insufficient to prevent access to transferred data by US authorities, pointing to the need for robust technical measures as outlined in the European Data Protection Board's recommendations.
The Decision and Compliance Requirements
The Garante's ruling imposed several requirements on the website operator:
- 90-Day Compliance Window: Caffeina Media was given 90 days to bring its processing operations into compliance with GDPR.
- Potential Google Analytics Ban: If compliance could not be achieved, the company would need to suspend data flows to the US related to Google Analytics.
- Formal Reprimand: The website received a formal reprimand for violating multiple GDPR articles (5.1(a), 5.2, 13.1(f), 24, 44, and 46).
- Broader Warning: The Garante extended this warning to all Italian website operators, both public and private, emphasizing the need to verify that their use of cookies and tracking tools complies with data protection law, particularly for services like Google Analytics.
Server-Side Tracking Solutions for EU Compliance
In response to the Garante's decision, organizations need robust, compliant alternatives to traditional analytics implementation. Server-side tracking with specific EU-focused safeguards offers a viable path forward:
- EU-Exclusive Processing Framework:
  - Implement server-side tracking infrastructure entirely within the EU jurisdiction
  - Create multi-layered technical boundaries preventing any data from leaving the European Economic Area
  - Deploy strict access controls that limit who can interact with the raw data even within the EU
- True Data Anonymization Protocol:
  - Implement cryptographic hashing of IP addresses at the edge, before any collection or processing
  - Use specialized techniques like random salt rotation to prevent reconstruction of original values
  - Remove or severely restrict any data elements that could enable re-identification when combined
  - Apply statistical noise and aggregation techniques to prevent individual user identification
- Encryption with Organizational Separation:
  - Implement end-to-end encryption where encryption keys are managed by a separate EU entity
  - Create a technical and organizational separation between data collection and key management
  - Ensure that no single entity has access to both encrypted data and decryption capabilities
- Auditable Security Controls:
  - Implement continuous monitoring with immutable audit logs of all data access and transfers
  - Create technical safeguards that can be verified by independent security professionals
  - Establish regular third-party assessments of data protection measures
Technical Implementation Strategies
To practically implement these solutions, organizations should consider:
- EU-Based Server-Side Containers:
  - Deploy server-side tracking containers on dedicated EU infrastructure
  - Configure these containers to transform and filter data before forwarding to analytics platforms
  - Implement network-level controls to prevent data transmission outside approved EU jurisdictions
- Comprehensive Anonymization Pipeline:
  - Create a multi-stage anonymization process that begins at the point of collection
  - Implement immediate hashing of identifiers using cryptographically secure algorithms
  - Apply data minimization principles at every stage of processing
  - Remove unnecessary identifiers and reduce precision of potentially identifying information
- Data Residency Verification:
  - Implement technical controls verifying that all data remains within EU jurisdiction
  - Create automated alerts for any attempted cross-border data transfers
  - Conduct regular audits of data flows to ensure compliance with geo-restrictions
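An added example (not taken from the Garante's decision or from any vendor's code) of the edge-side step described under "True Data Anonymization Protocol" and "Comprehensive Anonymization Pipeline": the IP is truncated, then HMAC-hashed with a random salt that rotates daily, and every field not on an allowlist is dropped. The field names, the `ALLOWED_FIELDS` set, the daily rotation interval and the /24 and /48 prefix lengths are assumptions chosen for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import datetime, timezone

ALLOWED_FIELDS = {"page", "language"}  # assumption: every other field is dropped

# Constructed sample hit (documentation-range IP, made-up values).
SAMPLE_EVENT = {"ip": "203.0.113.77", "page": "/news", "language": "it-IT",
                "user_agent": "ExampleBrowser/1.0", "screen": "1920x1080",
                "timestamp": "2022-06-23T10:15:42Z"}


class RotatingSalt:
    """Random salt held only in memory and replaced when the UTC day changes."""

    def __init__(self):
        self._day, self._salt = None, b""

    def for_day(self, day):
        if day != self._day:  # rotation: the previous salt is overwritten
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def truncate_ip(ip):
    """Zero the host part (IPv4 /24, IPv6 /48) before any hashing or storage."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def sanitize_event(raw, salts, now=None):
    """Build the only record that is allowed to leave the collection edge."""
    day = (now or datetime.now(timezone.utc)).date()
    mac = hmac.new(salts.for_day(day), truncate_ip(raw["ip"]).encode(), hashlib.sha256)
    out = {k: raw[k] for k in ALLOWED_FIELDS if k in raw}
    out["language"] = out.get("language", "")[:2].lower()  # "it-IT" -> "it"
    out["visitor_bucket"] = mac.hexdigest()[:16]  # not recomputable after rotation
    out["day"] = day.isoformat()  # date only: time of visit is not kept
    return out


if __name__ == "__main__":
    print(sanitize_event(SAMPLE_EVENT, RotatingSalt()))
```

Until the salt rotates, anyone holding it can recompute the bucket for a known address, so the salt has to stay on the EU collection host and must never be logged or exported.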
Conclusion
The Garante's decision represents another significant milestone in the evolving European approach to data transfers following the Schrems II judgment. By joining the Austrian and French authorities in ruling against Google Analytics, the Italian authority has reinforced the growing consensus that US-based analytics services require substantial technical safeguards to be GDPR-compliant.
For organizations operating in Italy and across the EU, the implications are clear: implementing server-side tracking with EU-hosted infrastructure and robust anonymization techniques is increasingly becoming a necessity rather than an option. The Garante's specific focus on the inadequacy of pseudonymization measures like IP masking highlights the need for more comprehensive technical approaches.
By adopting server-side tracking solutions with true anonymization capabilities, EU-exclusive processing, and verifiable security controls, organizations can maintain effective analytics capabilities while aligning with the emerging European regulatory framework for data protection and transfers. This approach not only addresses immediate compliance concerns but also positions organizations for sustainable, privacy-respecting analytics practices in the future.