Italian SA bans use of Google Analytics: no adequate safeguards for data transfers from Caffeina Media S.r.l. to the U.S.

30 June 2022

Background information

  • Date of final decision: 9 June 2022
  • Cross-border case or national case: national case
  • Controller: Caffeina Media S.r.l.
  • Legal Reference: lawfulness and accountability (Articles 5 and 24); transparency (Article 13); transfers of personal data to third countries (Articles 44 and 46).
  • Decision: infringement of the GDPR; order to comply; order to suspend data flows to U.S.; reprimand to the controller  
  • Key words: transfers of personal data to third countries; suspension of data flow; accountability; information notice;          

 

Summary of the Decision

 
Origin of the case:

On 17 August 2020, a complaint was lodged with the Italian Supervisory Authority (SA) regarding data transfers to the U.S. It was one of the 101 complaints received from NOYB by several European supervisory authorities participating in a taskforce to ensure a consistent approach vis-à-vis those complaints. 

The complaint against Caffeina Media S.r.l. concerns the following situation: the complainant visited the controller’s website, while being logged in to the Google account associated with the complainant’s email address. On the website, the controller has embedded the HTML code for Google Analytics tools. In the course of the visit, personal data relating to the complainant were transferred to the U.S. The complaint was brought against Caffeina Media S.r.l. and Google LLC (in the U.S.), for continuing to accept these data transfers despite their being in violation of the GDPR.

 
Key Findings:

The Italian SA found that Caffeina Media S.r.l. using Google Analytics on its website collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing.

The Italian SA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds. Users’ personal data was found to be transferred to the U.S. in violation of Chapter V of the GDPR, since the measures adopted by Google to supplement the data transfer instruments (Standard data protection contractual clauses) did not ensure an adequate level of protection in the light of the guidance provided by the EDPB through its Recommendations No 1/2020 of 18 June 2021. US-based governmental and intelligence agencies may indeed access the personal data being transferred without the required safeguards. It was also found that the controller did not provide on its website the information required under Article 13.1 (f) GDPR and transferred personal data in violation of the accountability principle.

 
Decision:

The Italian SA adopted a decision ordering Caffeina Media S.r.l. to bring the processing into compliance with the GDPR by ninety days. If this is found not to be the case, suspension of the Google Analytics -related data flows to the USA will be ordered. The Italian SA also issued a reprimand to Caffeina Media S.r.l. since the processing operations were found to have infringed Articles 5.1 (a), 5.2, 13.1 (f), 24, 44 and 46 GDPR.

As the controller updated its information notice in pursuance of the GDPR, the Garante did not take any corrective measures in this respect.

 

For further information: decision in national language

 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.