The provision of the Personal Data Guarantor just made known with which the use of Google Analytics by a company was declared illegal highlights the “holes” of the GDPR, the attempt to plug them at all costs and the inability ( or the lack of will) to pursue the political choice of protecting European digital sovereignty to the end.
The investigation
For the Guarantor, the use of Google Analytics violates the privacy regulations
The provision is effective, at least formally, only for the company that has been subject to verification. In reality, however, it is applicable in more general terms and therefore constitutes a sort of Faq to understand whether or not you can continue to use Google Analytics on your site.
Without going around it, the position of the Italian Guarantor is explicit: Google Analytics cannot be used because the way the service is designed allows the American authorities to also access the personal data of European users and there are no “security measures” that Google’s customer may use or think of contractually imposing on the US multinational.
Break free from the slavery of analytics (of all analytics)
by Andrea Monti
That the overwhelming power of Google – and Big Tech – over our data is a very serious problem is evident. That the massive accumulation of citizen data, pardon, European users is a distorting element of the market is equally clear. Just as there is no question that American national security policy also rests on the private technology industry. However, the nobility of the end – stemming the transfer of personal data to the US – hardly justifies the use of an improper means, namely the forcing of the GDPR.
Is Google Analytics illegal? The answer in ten questions (plus one)
by Andrea Monti
The reasoning of the Authority, in fact, is based on an interpretation of the Regulation which is made to say what, in reality, is not written anywhere, and that is that personal data would also be completely anonymous for the operator of a site. but what can be de-anonymized in total autonomy by Google. Therefore, “personal data” would be the unique online identifiers that allow both the identification of the browser or device of the user visiting the website, and of the site manager himself (through the Google account ID); address, website name and navigation data; IP address of the device used by the user; information relating to the browser, the operating system, the screen resolution, the selected language, as well as the date and time of the visit to the website “. However, it is enough to do a very simple experiment to understand the weakness of the Guarantor’s interpretation. By logging into any Wordpress-based blog without registering, and then observing what data can be obtained using Matomo, the “data protection friendly” competitor of Google Analytics, we would discover two very clear things: the first is that there is no way to know who is behind the terminal used for the connection. So, we are not talking about personal data and the GDPR does not apply. The second is that Matomo basically collects the same data as Google Analytics, with the difference that the first non crosses the data anonymous with other information, the second, almost certainly yes.
All this highlights the limitations of the GDPR.
In fact, to want to grant everything to apply the rule to those who use Google Analytics without identifying users it would be necessary to demonstrate the awareness that every single IP sent to Google is effectively de-anonymized, because the GDPR applies to single individuals and not to generic categories of subjects. Furthermore, it should be overcome the fact that the GDPR applies to those who process personal data and not to those who collect anonymous data and forwards them, as such, to a third party who instead could de-anonymize them. Instead, it should be the latter to be subjected to checks and controls because the hypothesis is that it is the one that re-aggregates the information and therefore performs the treatments regulated by the European standard.
But if this is the point, then in assessing the position of the Italian company, the Authority should also have opened a proceeding against Google to verify, for example, if, like Matomo, it planned to use the analytics platform without crossing the anonymous data received with those he already owns and if it allows the user of the service to independently protect the data in question in order to avoid cross-referencing with other information. If so, in fact, the data anonymous sent by the various webs around Europe would certainly remain so and the problem would be solved.
Otherwise, Google would have to comply with the obligations and prescriptions issued by the national protection authorities by interacting directly con each individual of which it processes the data.
The issue of who is directly subject to the GDPR, however, does not only concern Google but also involves the Big Tech companies that participate in strategies for the digitization of public services such as Cloud PA.
It would therefore be legitimate to expect – indeed, to require – that the Authority continue the courageous path it has just begun with this provision and open an overall investigation on all the data collection and analysis tools used by Big Tech and which provide clear indications to institutions and companies instead of leaving them prey to fear, uncertainty and doubt. If, on the other hand, the Guarantor remained inert, the temptation to think of a downside game would be too strong, that all in all things are fine and that, as they say in Rome, as for him, he does not cringe.