Following the footsteps of Austria[1]
and France[2], the Italian Data
Protection Authority has become the latest regulator to find the
use of Google Analytics to be non-compliant with E.U. data
protection regulations.
The Garante per la Protezione dei Dati Personali, in a press
release published[3]
last week, called out a local web publisher for using the widely
used analytics tool in a manner that allowed key bits of users’
personal data to be illegally transferred to the U.S. without
necessary safeguards.
This includes interactions of users with the websites, the
individual pages visited, IP addresses of the devices used to
access the websites, browser specifics, details related to the
device’s operating system, screen resolution, and the selected
language, as well as the date and time of the visits.
The Italian supervisory authority (SA) said that it arrived at
this conclusion following a “complex fact-finding exercise” it
commenced in collaboration with other E.U. data protection
authorities.
The agency said the transfer of personal information violates
the data protection legislation because the U.S. is a “country
without an adequate level of protection,” while highlighting the
“possibility for U.S. government authorities and intelligence
agencies to access personal data transferred without due
guarantees.”
The website in question, Caffeina Media SRL, has been given a
period of 90 days to move away from Google Analytics to ensure
compliance with GDPR. In addition, the Garante drew webmasters’
attention to the unlawfulness of data transfers to the U.S.
stemming from the use of Google Analytics, recommending that site
owners switch to alternative audience measurement tools that meet
GDPR requirements.
“Upon expiry of the 90-day deadline set out in its decision, the
Italian SA will check that the data transfers at issue are
compliant with the E.U. GDPR, including by way of ad-hoc
inspections,” it stated.
Earlier this month, the French data protection watchdog, the
CNIL, issued updated[4]
guidance[5]
over the use of Google Analytics, reiterating the practice as
illegal under the General Data Protection Regulation (GDPR[6]) laws and giving
affected organizations a period of one month to comply.
“The implementation of data encryption by Google has proven to
be an insufficient technical measure because Google LLC encrypts
the data itself and has the obligation to grant access or provide
the imported data which is in its possession, including the
encryption keys necessary to make the data intelligible,” the
regulator said.
Google told[7]
TechCrunch that it’s reviewing the latest decision. In January
2022, the tech giant stressed[8]
that Google Analytics “does not track people or profile people
across the internet” and that organizations can control the data
gathered through the service.
The Mountain View-based firm, which hosts all the data collected
through the analytics platform in the U.S., also said it offers an
IP address masking function[9] that, when enabled,
anonymizes the information in local servers before it’s transferred
to any servers outside the E.U. It’s worth noting that this feature
is enabled by default[10] with Google Analytics
4.
References
Read more https://thehackernews.com/2022/06/italy-data-protection-authority-warns.html