For some time now, a ‘rumour’ has been circulating in Italy, according to which using Google Analytics is ‘illegal’. In the silence of the judiciary – the only body entitled to definitively establish such a fact – and of the Data Protection Authority, more or less organised initiatives are multiplying, ‘warning’ public administrations not to use Big G’s platform. Many ‘DPOs’ – data protection officers – erring on the side of caution, advise their clients to get rid of the inconvenient tool. In reality, however, things are not as simple as that, so these FAQs may be helpful for a better understanding of the matter.
by Andrea Monti – Initially published in Italian on Strategikon – an Italian Tech Blog
Which authority has definitively declared that the use of Google Analytics is illegal?
In Italy, no one has yet.
But then how come they say it is outlawed?
Because that is the position of the French and Austrian Data Protection Authorities.
Do these decisions apply to the whole EU?
No. Each national data protection authority is autonomous.
And couldn’t they agree to avoid differences between one country and another?
Yes. They could and they should have, but it has not happened yet.
But what value do the decisions of the data protection authorities have?
They are valid until a judicial ruling confirms or overturns them. In Italy, only the Court of Cassation has the power to establish principles of law. In the meantime, however, the authorities’ decisions must be complied with.
I still don’t understand: why should Google Analytics be outlawed?
Because, according to the two Data Protection Authorities, when a site forwards a visitor’s IP to Google and Google has other information on the user, it can associate the old with the new and increase the detail of the profiling of the individual person. Since this happens in the US, there would be no adequate protection for citizens of EU states. There would also be other aspects to consider, but that would be enough.
Is an IP address on its own personal data? Really?
No, and the EU Court of Justice has ruled as much. To be personal data, the IP must be associated with other elements (e.g. registration to overcome a paywall or accessing one’s account on an e-commerce site).
So, can a site that can be accessed without registration use Google Analytics?
In general, yes, because data protection legislation applies to those who process personal data directly (in the sense that they have all the information to identify an individual), not to those who collect anonymous data (the IP alone) and then forward it to someone else who can recombine it.
So why am I being advised to get rid of Analytics?
Who knows? The answer would require a case-by-case analysis of how the platform has been implemented. Without this prior and detailed verification, ‘dumping’ Google Analytics only results in additional consultancy and operational costs.
And couldn’t my consultants have warned me beforehand?
The answer is complex. Some consultants have only a theoretical knowledge of the regulations, so they can provide guidance only if there is a previous case to refer to. They act, in other words, as archaeologists who have never seen a site. It is no coincidence that Google Analytics became a case only after some authority had spoken out.
On the other hand, consultants who, over time, pointed out the problems of using US-made services were considered Cassandras and their advice was not taken into account. Moreover, many (public and private) actors are reluctant to adopt alternative solutions. If that is business as usual, why should we do anything differently? Finally, those who develop web platforms find it more convenient to use Google Analytics (if only because it works) and do not question the existence of alternative tools.
But why is all this happening?
Because for some time now, the US and the EU have been fighting each other in the Analytics War.