In a provision aimed at a specific Italian company, the privacy authority ordered to remove Google Analytics from their site. The reason is that “a website using Google Analytics (GA) without the safeguards set out in the EU GDPR violates data protection law because it transfers users’ data to the USA, a country without adequate data protection.”
This provision follows similar ones in Austria and France, ruling against any PII transfers to the United States. Everything started in 2020 when the European Court of Justice ruled that Privacy Shield is invalid. Since then, companies working with personal data across the Atlantic refer to another data transfer mechanism, Standards Contractual Clauses. In the same ruling above, the European Court of Justice declared that SSCs remain valid.
Although the Italian ruling is aimed at a single organisation, the authority “wishes to draw the attention of all the Italian website operators, both public and private, to the unlawfulness of the data transfers to the USA as resulting from the use of GA – partly on account of the many alerts and queries received so far.”
Read the full provision on the privacy authority website: https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9782874
Contact our team if you are concerned about handling analytics on your website. Our headless CMS can support any analytic tools you might choose, and our consultants will be happy to recommend the best privacy-friendly options.