Google Analytics is a hot topic in the Italian privacy and marketing communities right now. The Italian data protection authority (GPDP) ruled against GA in June and announced investigations into the tool's use by both companies and public administrations.
But there's more going on: Hacktivist group MonitoraPA sent thousands of emails requiring administrations to drop both GA and Google Fonts.
In addition, they sent similar warnings to the websites of Italian political parties. Furthermore, they forwarded thousands of access requests to Italian schools, requiring information on the processing of student data. At the same time, Italian activist Federico Leva sent countless emails to Italian websites using GA to have his personal data erased. All these requests are backed by legal action.
It's hard to figure out what is happening and what the implications are, so we are here to shed some light. (Note: some of the links in the following text are in Italian only, as there is no international coverage for some of our topics.)
- What is wrong with Google Analytics?
- Monitora PA and their campaign against Google Analytics
- Final Thoughts
Let's dive in!
What is wrong with Google Analytics?
We already wrote extensively about Google Analytics' compliance issues, so here is a very short recap:
In 2020, the Schrems II ruling found that the US legal framework could not provide sufficient protection for European data because of how invasive US surveillance practices were.
Shortly after the Schrems II ruling, Austrian privacy NGO noyb filed 101 complaints about data transfers in a strategic effort to nudge DPAs towards strict enforcement of the Schrems II ruling. DPAs coordinated their approach to the complaints at a European level, and as a result, three DPAs have ruled against the use of Google Analytics so far (the Austrian DSB, the French CNIL, and the Italian GPDP).
Other DPAs are likely to adopt similar positions in the future. The CNIL and the GPDP are very respected and influential DPAs, and others are likely to follow their lead.
In more recent news, the EU Commission and the White House agreed on a new framework for data transfers. However, the new framework still appears problematic in some regards and will surely be challenged in the CJEU. For this reason, the future of transatlantic data transfers is still uncertain.
Monitora PA and their campaign against Google Analytics
As we said, the Austrian, French, Italian and Danish DPAs are all on the same page regarding data transfers. However, the Italian situation is somewhat peculiar. Italian citizen Federico Leva and the Monitora PA group forwarded thousands of requests related to GA, threatening legal action.
Monitora PA's requests for removal
Shortly before the GPDP decided on the first GA complaint, the hacktivist group Monitora PA (monitoring the public administration) forwarded thousands of emails requesting public administrations to stop using Google Analytics and Google Fonts and threatening legal action before the GPDP.
The campaign was met with some criticism but has been working so far. Monitora PA member Fabio Pietrosanti reported that almost 8,000 administrations were contacted, and more than 3,000 stopped using GA.
Monitora PA's access requests
Monitora PA also asked thousands of schools for information related to their data processing. More precisely, it requested access to several documents that schools are under an obligation to keep under the GDPR and Italian administrative law.
Monitora PA's goal is to assess compliance with data protection rules and possibly initiate legal action against violations. This initiative is not strictly about GA or data transfers. Still, they are part of the picture since Monitora PA is requesting the transfer impact assessment for each school, among other documents.
Performing a TIA is one of the obligations of the data exporter[#1]. TIAs are also where supplementary safeguard measures for data transfers are listed, and their effectiveness is examined. Many schools rely on Google tools and software from other big-tech companies, and it's hard to imagine that all of them have implemented effective safeguards. In fact, some schools don't have a clear picture of how student data is processed, to begin with.
It is also worth mentioning that the Danish DPA recently ordered schools in the Municipality of Helsingør to stop using Google Workspace because of the required data transfers to the US. Given this precedent, Monitora PA's access requests may spark an inquiry into the use of Google software and other tools in Italian schools.
Monitora PA's "election special"
In September, Monitora PA started yet another campaign. The group found that numerous websites of Italian political parties were using Google Analytics and Google Fonts and asked them to stop using the tools. Monitora PA later filed a complaint against 47 websites that kept using either GA or GF.
User tracking on websites of political associations is very problematic. The Cambridge Analytica scandal should remind us of the potential impact of privacy practices on the politics of democratic countries. And from a strictly legal perspective, the data collected might reveal a user's political opinions, which qualifies as sensitive data under the GDPR[#2], as Monitora PA pointed out in their complaint.
Federico Leva's emails
Over the summer, activist Federico Leva forwarded thousands of emails to Italian websites using GA, requiring the erasure of his personal data. He claimed that the use of GA involves unlawful data transfers and that processing his personal data for web analytics is illegal. Like Monitora PA, Mr. Leva is threatening legal action should the controller not comply with his requests.
As we said, Monitora PA and Mr. Leva's campaigns elicited polarizing reactions in the legal and privacy communities. The criticism against these campaigns is summed up in a recent document: a notification letter to the Italian GPDP against Monitora PA and Federico Leva, signed by numerous Italian lawyers under the coordination of lawyer Andrea Lisi.
The letter complains that spamming scare emails is an improper way to further an otherwise legitimate agenda of activism. From a strictly legal perspective, the letter claims that these massive email campaigns may violate certain provisions of the GDPR. It also claims that Monitora PA and Mr. Leva are abusing their rights under the GDPR, as they exercise them for activism rather than to protect their privacy.
But as far as we know, Monitora PA never exercised any rights[#3] under the GDPR, which makes sense since they don't have any, to begin with[#4]. As for Mr. Leva, lawyer and GPDP member Guido Scorza clarified in an interview that he is legitimately exercising his right to erasure under the GDPR and that his requests must therefore be granted. Of course, Mr. Scorza's position doesn't necessarily reflect the GPDP's, but it is a hint that any complaints from Mr. Leva will likely be taken seriously.
Monitora PA and Federico Leva's emails spread quite a bit of panic. The threat of legal action behind their requests is real, but we don't expect to see a complaint for every single violation, since the GPDP couldn't possibly handle that many cases. In all likelihood, only the most severe violations will be brought to the attention of the GPDP.
Regardless of their controversial nature, the debate sparked by these campaigns is a healthy one and will hopefully draw attention to the privacy implications of day-to-day data processing operations in private and public organizations. This is a good thing.
Privacy is a human right, and European DPAs are finally showing their teeth by banning Google Analytics in its current state.
Not only does Google Analytics not operate within the law, but they're also not helping to create an independent web that is friendly to website visitors. And why should they? They are earning billions by tracking internet users.
At Simple Analytics, we believe that you don't need to track internet users or collect personal data to get the insights you need. We believe in creating an independent web that is friendly to website visitors. If this resonates with you, feel free to give us a try.
- #1 TIAs are not mentioned in the GDPR, but the CJEU stated in the Schrems II case that the data controller must verify “whether the law of the third country of destination ensures adequate protection (...) of personal data” (par. 134).
- #2 Art. 9(1) GDPR. The processing of sensitive data is subject to stricter rules than the general rules for processing personal data under the GDPR.
- #3 The emails forwarded to public administrations can be found here and on other Italian websites, and data subject rights are never mentioned. As for Monitora PA’s requests to schools, they are a form of civic access under Italian administrative law (Art. 5(2) d. lgs. 33/2013, later amended by Art. 6(1) d. lgs. 97/2016), as confirmed by the group’s own website.
- #4 Monitora PA is not a natural person and therefore doesn’t qualify as a data subject. See the definitions of “personal data” and “data subject” under Art. 4(1) GDPR.