ROME: June 23, 2022:
The website that uses the Google Analytics (GA) service, without the guarantees provided by the EU Regulation, violates the data protection legislation because it transfers user data to the United States, a country without an adequate level of protection.
This was stated by the Privacy Guarantor at the conclusion of a complex investigation launched on the basis of a series of complaints and in coordination with other European privacy authorities. From the investigation of the Guarantor it emerged that the managers of the websites that use GA collect, through cookies, information on the interactions of users with the aforementioned sites, the individual pages visited and the services offered. Among the many data collected, the IP address of the user's device and information relating to the browser, the operating system, the screen resolution, the selected language, as well as the date and time of the visit to the website. This information was found to have been transferred to the United States. In declaring the unlawfulness of the treatment it was reiterated that the IP address is personal data and even if it were truncated it would not become anonymous, given the ability of Google to enrich it with other data in its possession.
Following these investigations, the Guarantor adopted the first of a series of measures with which he cautioned Caffeina Media Srl which manages a website, ordering it to comply with the European Regulation within ninety days. The time indicated was deemed appropriate to allow the manager to adopt adequate measures for the transfer, under penalty of suspension of the data flows carried out, through GA, to the United States.
The Guarantor highlighted, in particular, the possibility for US government authorities and intelligence agencies to access personal data transferred without due guarantees, noting in this regard that, in the light of the information provided by the EDPB (Recommendation no. 1/2020 of 18 June 2021), the measures that integrate the transfer tools adopted by Google do not currently guarantee an adequate level of protection of users' personal data.
Upon expiry of the 90-day term assigned to the company to which the provision is addressed, the Guarantor will proceed, also on the basis of specific inspection activities, to verify compliance with the EU Regulation of data transfers carried out by the owners.