Following others, also the Italian DPA (Garante per la protezione dei dati personali) came to the conclusion that Google Analytics do not offer the safeguards set out in the GDPR and the transfer of data to the US is illegit as the US legislation does not currently offer adequate data protection. In its release, the Garante underlines that it came to this conclusion after a complex fact-finding exercise it had started in close coordination with other EU DPAs. The Garante found that website operators using Google Analytics collected, via cookies, information on user interactions with the respective websites and various features including visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian DPA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds. Continue reading the Garante press release here.
