Did really any-Italian-BODY (actually, not just ANY) said UA ’s illegal?

It seemed to many that on June 23rd the advertising world collapsed and fell apart. According to our perspective, the truth is far from it, yet still, this scenario will allow for broader scope for intervention and opportunities to improve.

The Italian Data Protection Authority (DPA) issued a decision that’s ruling Google Universal Analytics 

Sounds like a big deal put it this way, yet this is a misleading and inaccurate claim. What has been released is a single provision of particular nature, which does not extend as a general law but is dedicated and sized for the specific situation and company which it has been issued for.

It’s anyway clear that conclusions subject to the warnings set out by the authority must be recognised and taken on board by all “Data Holders and Controllers” which will have to adapt, comply and conform with the requirements mentioned in the deliberation. 

Let’s get the facts straight

The case originates from a complaint lodged in 2020 against Caffeina Media for analytics data whose Data Holder was directly based in America. Also, to understand the bigger picture it must be taken into account the 2021 judgement that repealed the ruling of Privacy Shield, which led to Google US being replaced by Google Ireland. 

The serious problem which has led to the repeal of Privacy Shield is that, according to the UE, legislation in the USA does not provide sufficient guarantees for the rights of European (thus Italian) citizens. Any Data management happening in UE must follow GDPR and Member States’ legislation can provide higher but not inferior layers of data protection.

So what happens when Data is transferred and managed outside UE? GDPR requires that guarantees must be provided by Data Holders and Controllers to safeguard EU citizens’ right to data protection, even the ones of a compensatory nature. 

So, in other words?

Italian DPA resolved that standard contract terms are not sufficient anymore and is asking Data Holder to investigate further and impose additional restrictions for safeguarding Italian citizens’ rights in relation to Data acquired outside of the UE – specifically in the USA, where – they claim that – public authorities can access data without legal protection instruments.

Conclusions? DPA is not actually vetoing UA usage but is asking to take further measures to make Data transfer from UE to USA lawful. 

Let’s see the practical measures

You fell for that and bought it. You wish! Italia DPA did not provide any practical solution to the problem since “it’s not their job” and deferred it to Data Holder and Controller accountability which has to “take responsibility for their own decisions”.

Is there anything we can do?

Maybe there’s something which is not an acclaimed solution, but an extra layer of safeguarding.


Why do they say GA4 might be something doable on this matter?

Here you go with a few answers:

  • It does not handle IP addresses, or at least in a highly volatile way, without registering them into the system
  • It has a bunch of protection that can potentially anonymise personal data

Server-side Tracking

And what about Server-side Tracking? Why do they say it should be implemented?

We’ve got you covered:

  • Data is transferred to a first-party server (located in UE), then managed to be anonym, sent to another UE server and only at the end – and if needed or asked – sent outside EU

So is the combo GA4 & Server-side tracking fully compliant?

Probably yes, probably no – or to a certain extent, it’s hard to say it without a shadow of a doubt. Given that there hasn’t been any clear statement from the Italian DPA different from the one and only specific setup upon which they focused, despite having a good feeling towards it, we’ll find this out at a later stage.

The point is: a political settlement

Authorities should be persuaded to find a political framework solution at the soonest, so as to have a clear, complete, transparent picture of the scenario. Time will tell!

One thing is certain: UA will be closed and you should act towards this NOW

UA won’t be operating anymore soon, so regardless of DPA findings, one way or another, you will have to set and implement GA4. Another fact: Server-side tracking enhances data protection.

And well, it just happens that we are here to help:

  • Here you will find a deck of sources for the available “UA Illegal” information shared and released over the week
  • By clicking here you do even better, you get in touch with us and we’ll find together a way to navigate in this stormy sea

No more room for procrastination, sorry for that!