Following the positions expressed by the Austrian, German and French Supervisory Authorities (see our previous Alert), the Italian Supervisory Authority (Garante per la Protezione dei Dati Personali, the “Garante”) published on 9 June 2022 a specific measure according to which website analytics solutions used to measure online audience (Analytics Service Solutions) infringe the EU General Data Protection Regulation no. 2016/679 (GDPR) when their use implies a transfer of personal data to a third country without an adequate level of personal data protection, such as the United States. Generally speaking, the Garante aligned its position on the matter with that of its counterparts.

In the case at hand, following an investigation initiated in August 2020 on the basis of a data subject complaint, the Garante admonished (without issuing a fine) an online newspaper (the “Company”) for transferring, through an Analytics Service Solution, the personal data of its users to the U.S. without adopting the necessary safeguards. In particular, the Garante pointed out that the Company had no autonomy in making choices regarding data transfers to third countries, and “no possibility to verify the implementation at technical level” of any additional measures the Analytics Service Solution provider would dictate.

In particular, the Garante took a position on a controversial topic, namely the characterization of an internet protocol (IP) address: according to the Garante, the IP address should be deemed personal data inasmuch as it allows the identification of an electronic communication terminal and, therefore, indirectly, the identification of the user behind that terminal. This occurs, for instance, when users access a website while at the same time being logged in to one of the Analytics Service Solution provider’s own services (such as webmail), since the data transmitted by the website’s cookies may be reconciled with that service and account.

Furthermore, the Garante disregarded the “IP anonymization” functionality selected by the Company, considering that it would not be sufficient to prevent the identification of the user and, therefore, the transfer of personal data. According to the Garante, the partial IP address truncation amounted to mere pseudonymization, unable to prevent re-identification of the user once the data is combined with the Analytics Service Solution provider’s other services.
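To make concrete what partial IP truncation does and does not achieve, the following Python script is an illustration added here; it is not code from the Garante’s decision, from the Company, or from any analytics vendor. It assumes the widespread truncation scheme of zeroing the last 8 bits of an IPv4 address and the last 80 bits of an IPv6 address (the decision does not spell out the Company’s configuration, so this is an assumption), and the sample hits and client identifiers are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed truncation scheme (not stated in the decision): keep a /24 for IPv4
# and a /48 for IPv6, which is the usual meaning of "IP anonymization" in
# audience-measurement tools.
IPV4_PREFIX = 24
IPV6_PREFIX = 48


def truncate_ip(ip: str) -> str:
    """Return the address with its host bits zeroed."""
    addr = ipaddress.ip_address(ip)
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def addresses_collapsed(ip: str) -> int:
    """How many full addresses map onto the same truncated value:
    256 for IPv4, 2**80 for IPv6. The truncated value still points at one
    network (often one household or one office), not at a crowd of
    unrelated users."""
    addr = ipaddress.ip_address(ip)
    bits = 32 - IPV4_PREFIX if addr.version == 4 else 128 - IPV6_PREFIX
    return 2 ** bits


# Constructed hits, modelled on what a measurement tag sends per page view:
# a persistent client id read from the tool's own cookie, the visitor's IP
# as seen by the collection endpoint, and the page requested.
SAMPLE_HITS = [
    {"client_id": "cid-1111", "ip": "203.0.113.45", "path": "/news/1"},
    {"client_id": "cid-1111", "ip": "203.0.113.77", "path": "/news/2"},
    {"client_id": "cid-3333", "ip": "2001:db8:abcd:12::1", "path": "/"},
]


def truncate_hits(hits):
    """Apply the truncation to every hit, leaving all other fields intact."""
    return [{**h, "ip": truncate_ip(h["ip"])} for h in hits]


def browsing_history_by_client(hits):
    """Reconstruct each visitor's browsing history from truncated hits.

    Truncation never touches the cookie-borne client id, so the provider can
    still string a visitor's page views together, and can tie that history to
    a named account whenever the visitor is logged in to one of the
    provider's own services. That is pseudonymisation, not anonymisation.
    """
    history = defaultdict(list)
    for h in hits:
        history[h["client_id"]].append(h["path"])
    return dict(history)


if __name__ == "__main__":
    truncated = truncate_hits(SAMPLE_HITS)
    for hit in truncated:
        print(hit)
    print(browsing_history_by_client(truncated))
```

Running the script shows the two IPv4 hits collapsing to the same /24 while remaining linked through the unchanged client id: the truncation reduces the precision of one field but leaves the identifier the provider actually keys on intact, which is the point the Garante made.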

In light of the above, the Garante reiterated the principle already established by the Court of Justice of the European Union (CJEU): under GDPR’s accountability framework, EU-based data exporters are required to assess whether the regulatory framework or practices applicable to the data importer affect the effectiveness of the safeguards provided by the standard contractual clauses. In particular, the exporter must verify whether the public authorities in the third country can access the exported personal data through the importer. Generally speaking, data exporters subject to GDPR must ensure, on a case-by-case assessment, that the safeguards set out under Article 46 GDPR et seq. are effective. Therefore, where compliance with the GDPR safeguards cannot be ensured, additional measures must be implemented to ensure a level of personal data protection that complies with the GDPR. In addition, the Garante pointed out that, in the case at hand, the encryption key remained with the Analytics Service Solution provider and, reiterating what the European Data Protection Board had already stated in its Recommendations 01/2020, such loss of control over the encryption key prevented any organizational or technical measure from being considered adequate.

As a result of the investigations conducted, and deeming that the Company’s breach fell within the scope of Article 83(2) GDPR (“minor violation”), the Garante ordered the Company to comply with Chapter V GDPR within 90 days, failing which it would prohibit any international data flow to the Analytics Service Solution.

In addition to the above, Mr. Guido Scorza, one of the Garante’s members, highlighted in a press release that this matter affects each and every website operator in Italy, all of which now have 90 days to comply with the issued measure.

WHAT’S NEXT?

All website operators in Italy must now review their Analytics Service Solutions and assess whether they fall within the scope of the Garante’s requirements.

  • Where such international data transfers do occur, the operator should assess the best way forward. If its Analytics Service Solution does not offer sufficient safeguards, and following the similar recent decision by the French Supervisory Authority, Italian operators may notably consider implementing technical solutions such as encryption and proxy servers.

K&L Gates’ Global Data Protection team (including in each of our European offices) remains available to assist you in bringing your data transfers into compliance at global level.

First Publication: K&L Gates Hub in collaboration with Eleonora Curreri

European regulators unofficially announced the major theme of this new year through the release of several decisions pertaining to cookies and other tracking technologies in the first 10 days of 2022.

As the General Data Protection Regulation (GDPR) approaches the fourth anniversary of its entry into force, the ePrivacy Regulation, a companion instrument addressing online communications that was supposed to be adopted at the same time, remains in the limbo of the European legislative process.

In the meantime, the effects of the Schrems II decision of 16 July 2020 (see our alert here), which invalidated the Privacy Shield and placed stricter requirements on the use of standard contractual clauses, continue to ripple through the data protection compliance efforts of companies worldwide.


The French Supervisory Authority has set 31 March 2021 as the end of the “reasonable period” to bring websites and mobile applications into compliance.

Following the adoption and publication of its updated guidelines along with practical recommendations on the use of cookies on 1 October 2020 (see our alert on the subject here), the French Supervisory Authority (CNIL) reaffirmed on 4 February 2021 the need for private and public players to comply with the new obligations regarding cookies and other tracers (together, “Cookies”; see the CNIL press release of 4 February 2021, in French).

To make its action plan on online advertising effective, and in view of the deficiencies observed in both the public and private sectors, the CNIL set a specific deadline for the implementation of its recommendations: 31 March 2021.


On 4 July 2019, the French Data Protection Authority (CNIL) published its Guidelines on Cookies and Other Tracking Technologies (the Guidelines, available in French here). The Guidelines further detailed the interplay between the General Data Protection Regulation (GDPR), which reinforced the requirements for obtaining consent to data processing operations where such consent is required, and the ePrivacy Directive, which more specifically addresses the privacy requirements applicable to cookies and other tracking technologies. Indeed, while the ePrivacy Directive was expected to be replaced by an ePrivacy Regulation (latest draft proposal available here) on or before the date GDPR entered into force, it remains under discussion at the European level to this day, and subject to intense lobbying by all stakeholders.

Further to the publication of the Guidelines, several French professional associations active in online marketing, distance selling and online media initiated legal action against the CNIL before the French Administrative Supreme Court (the Conseil d’État), on the grounds that the CNIL had acted beyond its authority in adopting the Guidelines, notably by (i) generally prohibiting “cookie walls”, (ii) recognizing a right of data subjects to refuse cookies, (iii) requiring the identification of the data controller for the cookies, (iv) mandating exhaustive and up-to-date information to data subjects on the cookies, regardless of the controller’s involvement in the data processing operations, (v) requiring that users’ agreement be expressed by a separate action for each of the distinct purposes brought to their knowledge with a view to the storage of information or access to information already stored in their terminal equipment, and (vi) imposing maximum retention periods for cookies.


France’s top administrative court has overruled the country’s data protection authority regarding “cookie walls”, holding that, as an agency that only issues guidelines (so-called soft law), the authority cannot prohibit their use.

Cookie walls prevent internet users from accessing websites unless they consent to the use of tracking cookies, which often gather data used by advertisers.


Approaching its second anniversary this month, the European General Data Protection Regulation (GDPR) has never been as relevant as in these unprecedented COVID-19 times. While several countries are considering the implementation of contact tracing apps, a consensus seems to have emerged on making their use voluntary. The notion of “consent” therefore remains the cornerstone (albeit not the only one) of the European data protection framework.

In that regard, the European Data Protection Board (EDPB) issued a revised take on one of the first guidelines published by its predecessor, the WP29, in April 2018 (available here; those guidelines themselves built upon the WP29’s pre-GDPR interpretation of consent in Opinion 15/2011 of 13 July 2011), taking into consideration the difficulties encountered by stakeholders in the operational implementation of GDPR compliance. These clarifications come at a time when discrepancies in interpreting what constitutes valid “consent” are emerging between the Supervisory Authorities of various Member States, especially as applied to the use of cookies and other tracking technologies (together, “cookies”).
