In recent weeks, there has been much discussion of the decision of the Italian Privacy Authority ("Garante") declaring the use of Google Analytics, a tool widely used by many websites, illegitimate because the data transferred to the US are not anonymous and there are no adequate safeguards within the meaning of Chapter V of the GDPR.

This decision, however, concerns the 'GA3' version of Google Analytics and not the one currently released ('GA4'). Many are therefore asking whether the new version, which is supposed to guarantee total anonymity of the data as well as data retention in the EU, is compliant.

The Garante recently stated (through Guido Scorza, a member of the Authority) that "...the Garante's offices did not have the opportunity to examine version 4 of Google Analytics simply because the data controller subject to the measure did not use it, nor has this version come to the fore in other similar proceedings to date. It is therefore impossible under these conditions to say whether or not it is able to solve the problem and allow the use of Google Analytics in accordance with the European rules on the transfer of personal data to the USA."

The main problem with GA4, as with any service provided by a US entity, is its subjection to US security regulations, which require it to provide information to security authorities (NSA, CIA), regardless of where the data is stored.

Similarly, it is useful to remember that the GA script does not collect the entirety of the user's data if it is set up to comply with the GDPR: if the user does not wish to be tracked, a simple configuration makes it possible to ensure that the GA script is neither loaded nor executed.

It is important to point out that GA4 has additional privacy features compared to the previous version. The French privacy authority ('CNIL') also gave a favourable opinion on GA4, subject to certain conditions, in particular server-side tracking. In short, the CNIL pointed out that by using a proprietary proxy server upstream of the native proxy server in GA4, it is possible to use this tool in compliance with the GDPR; in other words, to interpose a server located in Europe, to avoid users' personal data arriving directly on Google's servers (regardless of where they are located).
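To make the interposed-proxy idea concrete, the following is an added example (not from the article, the CNIL or Google) of the scrubbing step such a proxy could apply before forwarding a hit. The parameter names (`tid`, `cid`, `uid`, `dl`, `dr`), the header allowlist and the choice of which fields to drop are assumptions made for illustration, and the sample hit is constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Assumed hit parameter names (not from the article): cid = client id,
# uid = user id, dl = page URL, dr = referrer URL.
DROP_PARAMS = {"uid"}
FORWARD_HEADERS = {"content-type", "accept-language"}  # assumed allowlist


def pseudonymize(value, secret):
    """Keyed hash, so upstream never sees the browser's own identifier."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:32]


def strip_url(url, keep_path):
    """Remove query string and fragment; optionally reduce to the origin."""
    parts = urlsplit(url)
    path = parts.path if keep_path else "/"
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def scrub_hit(query, headers, secret):
    """Return (params, headers) that the proxy is willing to send upstream."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in DROP_PARAMS:
            continue
        if key == "cid":
            value = pseudonymize(value, secret)
        elif key == "dl":
            value = strip_url(value, keep_path=True)
        elif key == "dr":
            value = strip_url(value, keep_path=False)
        params[key] = value
    # Allowlist headers: Cookie, User-Agent and X-Forwarded-For are not
    # forwarded, so upstream sees only the proxy's own address.
    kept = {k: v for k, v in headers.items() if k.lower() in FORWARD_HEADERS}
    return params, kept


# Constructed sample hit, as a browser would send it to the proxy.
SAMPLE_QUERY = ("tid=G-EXAMPLE&cid=1234.5678&uid=alice%40example.com"
                "&dl=https%3A%2F%2Fshop.example%2Fcart%3Femail%3Dalice%40example.com%23top"
                "&dr=https%3A%2F%2Fmail.example%2Finbox%2F42")
SAMPLE_HEADERS = {"Cookie": "_ga=GA1.1.1234.5678", "User-Agent": "Mozilla/5.0",
                  "X-Forwarded-For": "203.0.113.7", "Accept-Language": "it-IT"}

if __name__ == "__main__":
    print(scrub_hit(SAMPLE_QUERY, SAMPLE_HEADERS, b"constructed-demo-key"))
```

The pseudonymization key stays on the European proxy; whether a given set of scrubbed fields is sufficient is a legal assessment this sketch does not settle.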

It should be recalled once again that the measure only mentions GA3; that being said, it is a fact that the operating principles of all American platforms are not particularly dissimilar to those of Google Analytics.

One solution would be the desired political and legal agreement between the EU and the US to replace the Privacy Shield, declared invalid by the well-known Schrems II ruling. In the meantime, companies that have always used GA should start thinking about possible alternative tools or solutions such as those envisaged by the CNIL or similar, which would guarantee the anonymity of data before they reach Google.
