Personal Data Transfers to Non-EEA Domains: A Tool for Citizens and An Analysis on Italian Public Administration Websites

Lorenzo Laudadio, Antonio Vetrò, Riccardo Coppola, Juan Carlos De Martin, Marco Torchiano
2024-07-18
Abstract: Six years after the entry into force of the GDPR, European companies and organizations still have difficulties complying with it: the amount of fines issued by the European data protection authorities is continuously increasing. Personal data transfers are no exception. In this work we analyse the personal data transfers from more than 20000 Italian Public Administration (PA) entities to third countries. We developed "Minos", a user-friendly application which allows users to navigate the web while recording HTTP requests. Then, we used the back-end of Minos to automate the analysis. We found that about 14% of the PA websites transferred data out of the European Economic Area (EEA). This number is an underestimation because only visits to the home pages were the object of the analysis. The top 3 destinations of the data transfers are Amazon, Google and Fonticons, accounting for about 70% of the bad requests. The most recurrent services which are the object of the requests are cloud computing services and content delivery networks (CDNs). Our results highlight that, in Italy, a relevant portion of public administration websites transfers personal data to non-EEA countries. In terms of technology policy, these results stress the need for further incentives to improve the PA digital infrastructures. Finally, while working on refinements of Minos, the version described here is openly available on Zenodo: it can be helpful to a variety of actors (citizens, researchers, activists, policy makers) to increase awareness and enlarge the investigation.
Computers and Society
What problem does this paper attempt to address?
### Problems the Paper Aims to Solve

This paper addresses the issue of Italian Public Administration (PA) websites transmitting personal data to countries outside the European Economic Area (EEA). Specifically, the paper analyzes data transmission from over 20,000 Italian PA websites and finds that approximately 14% of these websites transmit data to countries outside the EEA. The paper reveals this phenomenon by developing a user-friendly application called "Minos" that records HTTP requests, and by using its back end to automate the analysis.

### Main Research Questions

1. **RQ1**: Which sources within Italian Public Administration transmit personal data to non-EEA countries?
2. **RQ2**: What are the most common destinations for data transmission to non-EEA countries?
3. **RQ3**: What are the most common types of services in the context of data transmission to non-EEA countries?

### Research Methods

- **Data Source**: The list of Italian Public Administration entities and related information were obtained from the publicly available OpenData IPA database.
- **Tools**: A software application named "Minos" was developed, allowing users to record HTTP requests while browsing web pages. A command-line version of Minos (Minos-cli) was also created for automated data analysis.
- **Data Collection**: The Minos-cli script was used to read the URL list of entities, load each page through the Chromium browser, and record the HTTP requests. If a requested URL matched a domain in the blacklist, it was recorded as a "bad request."

### Research Results

- **RQ1**: 15% of PA websites transmit data to countries outside the EEA. The most common categories of bad entities are municipal authorities, followed by national-level educational institutions.
- **RQ2**: The most common destinations for data transmission are Amazon, Google, and Fonticons. Amazon accounts for over 40% of the requests, with the top three destinations making up more than 70% of the total requests.
- **RQ3**: The most common types of services are cloud computing services and content delivery networks (CDN), with requests for these two types of services accounting for nearly 70% of the total requests.

### Conclusion and Future Work

- **Conclusion**: There are significant issues with data transmission in Italian Public Administration, particularly among municipal authorities and schools. Although there are some alternatives within the EU, self-hosted solutions are not popular due to the need for advanced knowledge and significant initial investment.
- **Future Work**: Introducing browser automation tools to improve the accuracy of data collection, checking the compliance of cookies and website policies, and updating the list of non-EEA domains. Additionally, the usability of the Minos tool can facilitate further investigation by citizens, activists, policymakers, and researchers, raising awareness and transparency regarding personal data transmission.

### Threats to Validity

- **Underestimation of the Issue**: Some requests generated by navigation were not recorded because the session was closed immediately after the page load, so the number of bad requests is potentially underestimated.
- **Focus on US Destinations**: The study mainly covers requests to US companies (83% of the companies are from the US), reflecting the reliance of Italian Public Administration on large tech companies and foreign domains.

Through this research, the paper emphasizes the need for technology policies that incentivize Public Administration to use IT services within the EEA to protect the security and privacy of personal data.
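The blacklist-matching step of the data-collection method, as an added example that is not part of the paper or of Minos: request URLs captured during a page load are compared against a blocklist of non-EEA domains by whole-label suffix, and bad requests are aggregated per entity, per destination company and per service type, the kinds of figures reported for RQ1 to RQ3. The blocklist domains, the owner and service labels, and the request log are constructed assumptions, not the paper's data.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed blocklist (assumed domains and labels, not the paper's list):
# domain -> (owner, service type).
NON_EEA_DOMAINS = {
    "amazonaws.com": ("Amazon", "cloud computing"),
    "cloudfront.net": ("Amazon", "CDN"),
    "googleapis.com": ("Google", "cloud computing"),
    "fontawesome.com": ("Fonticons", "CDN"),
}

def match_domain(host, blocklist):
    """Return the blocklist domain equal to host or a parent of it, else None.
    Matching is done on whole labels, so 'notamazonaws.com' is not a hit."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def classify_requests(records, blocklist=NON_EEA_DOMAINS):
    """records: iterable of (entity, request_url) pairs captured during a page
    load. A request whose host matches the blocklist is a 'bad request'."""
    bad_by_entity, owners, services, entities = {}, Counter(), Counter(), set()
    for entity, url in records:
        entities.add(entity)
        hit = match_domain(urlsplit(url).hostname or "", blocklist)
        if hit is None:
            continue
        owner, service = blocklist[hit]
        bad_by_entity.setdefault(entity, []).append(hit)
        owners[owner] += 1
        services[service] += 1
    return {
        "entities": len(entities),
        "bad_entities": sorted(bad_by_entity),  # entities with >= 1 bad request
        "bad_share": len(bad_by_entity) / len(entities) if entities else 0.0,
        "by_owner": owners,      # bad requests per destination company
        "by_service": services,  # bad requests per service type
    }

SAMPLE = [  # constructed request log: (entity, URL requested while loading its home page)
    ("comune-a.example", "https://comune-a.example/index.html"),
    ("comune-a.example", "https://d1234.cloudfront.net/bundle.js"),
    ("comune-a.example", "https://fonts.googleapis.com/css?family=Roboto"),
    ("scuola-b.example", "https://kit.fontawesome.com/abc.js"),
    ("regione-c.example", "https://cdn.regione-c.example/style.css"),
    ("comune-d.example", "https://notamazonaws.com/x"),  # substring only, not a match
]
```

Running `classify_requests(SAMPLE)` flags two of the four constructed entities, with Amazon, Google and Fonticons each accounting for one bad request and CDNs for two of the three.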