The Privacy Guarantor has established that the website that uses the Google Analytics service, without the guarantees provided for by the EU Regulation, violates the data protection legislation because it transfers to the United States, without adequate guarantees
Unlawful transfer of data via Google Analytics. To establish it is the Italian Privacy Guarantor. The Italian Data Protection Authority found that the use of the analysis tool for google website results by a local web publisher does not comply with EU data protection rules [Gdpr] due to the transfer of user data to the United States. The latter country "lacks an adequate level of protection", underlines the Guarantor in the press note. Google Analytics is the web analytics tool provided by Google to website operators that allows the latter to analyze detailed statistics on users in order to optimize the services rendered and to monitor their marketing campaigns. As a result of these investigations, the authority chaired by Pasquale Stanzione "adopted the first of a series of measures with which it admonished Caffeina Media S.r.l. which manages a website, ordering it to comply with the European Regulation within ninety days". But the measure does not exclusively concern Caffeine. The authority has in fact extended the call to all Italian website operators. The measures applied by the Mountain View giant have therefore been rejected. The Guarantor highlighted, in particular, that "the measures that integrate the transfer tools adopted by Google do not guarantee, at present, an adequate level of protection of users' personal data". The Italian authority therefore aligns itself with the conclusion of many other Privacy Guarantors in the EU who have already found that the use of Google Analytics violates the data protection rules of the block on the issue of data export, highlights TechCrunch. All the details. WHAT THE ITALIAN PRIVACY GUARANTOR HAS ESTABLISHED REGARDING GOOGLE ANALYTICS From the investigation of the Guarantor "it emerged that the managers of the websites that use Google Analytics collect, through cookies, information on the interactions of users with the aforementioned sites, the individual pages visited and the services offered. Among the many data collected, the IP address of the user's device and information relating to the browser, operating system, screen resolution, selected language, as well as date and time of the visit to the website. This information was transferred to the United States. In declaring the unlawfulness of the processing, it was reiterated that the IP address constitutes personal data and even if it were truncated it would not become anonymous data, given Google's ability to enrich it with other data in its possession". WHAT CAFFEINA MEDIA SRL WILL HAVE TO DO Therefore, Caffeina Media S.r.l. which manages a website, now has ninety days to comply with the European Regulation according to the diktat of the Privacy Guarantor. "At the end of the 90-day period assigned to the company receiving the measure, the Guarantor will proceed, also on the basis of specific inspection activities, to verify the compliance with the EU Regulation of the data transfers made by the owners" indicates the note. SIMILAR ACTIONS BY AUTHORITIES IN FRANCE AND AUSTRIA For Google's analytics tool, this is yet another slash by a European regulator. Earlier this month, French Privacy Guarantor (CNIL) published an updated guidance notice on the illegal use of Google Analytics. Since then, all PAs in France have discontinued Google Analytics from their sites. The Data Protection Authority in Austria has also required Austrian websites to remove Google Analytics "in accordance with the GDPR", THE ISSUE OF DATA TRANSFER BETWEEN THE EU AND THE US The crackdown on Google Analytics comes following a series of complaints filed in August 2020 by the European privacy campaign group noyb, which targeted 101 websites with regional operators that it had identified as sending data to the U.S. via Google Analytics integrations and/or Facebook Connect always reports TechCrunch. The complaints follow the historic ruling of the EU Court of Justice in July 2020, which invalidated the agreement on the transfer of data between the EU and the United States known as the Privacy Shield. THE REPLACEMENT FOR THE PRIVACY SHIELD IS COMING SOON Since then, both sides of the Atlantic have been negotiating a replacement for the Privacy Shield. On March 25, Presidents Joe Biden and Ursula Von Der Leyen signed a preliminary agreement between the US and the EU on the transfer and processing of personal data. However, the legal details of the envisaged framework for data transfer have yet to be finalised before it comes into force. This means that the use of US-based cloud services remains shrouded in legal risk for EU customers. Therefore, pending the new agreement, the Italian Privacy Guarantor "invites all data controllers to verify the compliance of the methods of use of cookies and other tracking tools used on its websites, with particular attention to Google Analytics and other similar services, with the legislation on the protection of personal data".