Following the positions expressed by the Austrian, German and French Supervisory Authorities (see our previous Alert), the Italian Supervisory Authority (Garante per la Protezione dei Dati Personali, the “Garante”) published on 9 June 2022 a specific measure, according to which website analytics solutions used to measure online audience (Analytics Service Solutions) infringe the EU General Data Protection Regulation no. 2016/679 (GDPR) when such use implies a transfer of personal data to a third country without an adequate level of personal data protection, such as the United States. Generally speaking, the Garante aligned its position on the matter with that of its counterparts.
In the case at hand, following an investigation initiated in August 2020 on the basis of a data subject complaint, the Garante admonished (without issuing a fine) an online newspaper (the “Company”) for transferring, through an Analytics Service Solution, the personal data of users to the U.S. without adopting the necessary safeguards. In particular, the Garante pointed out that the Company had no autonomy in making choices regarding data transfers to third countries, and “no possibility to verify the implementation at technical level” of any additional measures the Analytics Service Solution would dictate.
In particular, the Garante took a position on a controversial topic relating to the characterization of an internet protocol (IP) address: according to the Garante, the IP address should be deemed personal data inasmuch as it allows the identification of an electronic communication terminal and, therefore, indirectly, the identification of the user behind that terminal. This occurs, for instance, when users access a website while at the same time being logged in to the Analytics Service Solution provider’s own service (such as webmail), since the data transmitted by the website’s cookies may be reconciled with that service and account.
Furthermore, the Garante disregarded the use of an “IP anonymization” functionality selected by the Company, considering that it would not be sufficient to prevent the identification of the user and, therefore, the transfer of actual personal data. According to the Garante, the partial truncation of the IP address amounted to mere pseudonymization, unable to prevent subsequent re-identification of the user when the Analytics Service Solution provider’s services are used.
In light of the above, the Garante reiterated the principle already established by the Court of Justice of the European Union (CJEU): under the GDPR’s accountability framework, EU-based data exporters are required to assess whether the regulatory framework or practices applicable to the data importer affect the effectiveness of the safeguards provided by the standard contractual clauses. In particular, the exporter must verify whether the public authorities of the third country can gain access to the exported personal data through the importer. Generally speaking, data exporters subject to the GDPR must ensure, on a case-by-case assessment, that the safeguards set out under Article 46 GDPR et seq. are effective. Therefore, where compliance with GDPR safeguards cannot otherwise be ensured, additional measures must be implemented to guarantee a level of personal data protection that complies with the GDPR. In addition, the Garante pointed out that, in the case at hand, the encryption key remained with the Analytics Service Solution provider and, reiterating what the European Data Protection Board had already stated in its Recommendations 01/2020, such loss of control over the encryption key prevented any organizational or technical measure from being considered adequate.
As a result of the investigations conducted, and deeming that the Company’s breach fell within the scope of Article 83(2) GDPR (“minor violation”), the Garante ordered the Company to comply with Chapter V GDPR within 90 days and, failing this, to prohibit any international data flow to the Analytics Service Solution.
In addition to the above, Mr. Guido Scorza, one of the Garante’s members, highlighted in a press release that this matter affects each and every website operator in Italy, all of which now have a 90-day deadline to comply with the issued measure.
All website stakeholders in Italy must now review their Analytics Service Solutions and assess whether they fall within the scope of the Garante’s requirements.
Where such international data transfers effectively occur, the stakeholder should assess the best way forward. If their Analytics Service Solution does not offer sufficient safeguards, and following the similar recent decision by the French Supervisory Authority, Italian stakeholders may notably consider implementing IT solutions such as encryption and proxy servers.
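The two technical points above, that partial IP truncation is only pseudonymization when the provider can still join the hit to an account it knows, and that a site-operated proxy is one of the possible mitigations, can be made concrete in code. The following is an added example written for this Alert, not code from the Garante’s decision or from any analytics provider. It assumes an IPv4 truncation of the last octet (the page does not state the bit count; the IPv6 variant of 80 bits is likewise an assumption), a constructed account directory standing in for the provider’s own account database, a hypothetical proxy design that drops the IP and account identifier and replaces the cookie identifier with a keyed hash under a secret held only by the site operator, and constructed sample values throughout.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import asdict, dataclass
from typing import Optional

# Constructed sample: what the provider can look up on its own side when the
# visitor is logged in to one of the provider's services (e.g. webmail).
ACCOUNT_DIRECTORY = {"acct-4821": "visitor-4821@example.com"}

# Hypothetical secret held by the site operator's proxy, never sent to the provider.
PROXY_SECRET = b"constructed-proxy-secret-rotate-me"


@dataclass
class AnalyticsHit:
    client_ip: str
    client_id: str              # analytics cookie identifier set on the site
    account_id: Optional[str]   # provider account, present when the visitor is logged in
    page: str


def truncate_ip(ip: str) -> str:
    """Partial IP truncation: zero the last IPv4 octet (assumed: last 80 bits for IPv6)."""
    addr = ipaddress.ip_address(ip)
    dropped_bits = 8 if addr.version == 4 else 80
    prefix = addr.max_prefixlen - dropped_bits
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymize_only(hit: AnalyticsHit) -> dict:
    """What 'IP anonymization' actually changes: the address is truncated, while every
    other identifier in the hit reaches the provider unchanged."""
    record = asdict(hit)
    record["client_ip"] = truncate_ip(hit.client_ip)
    return record


def provider_can_reidentify(record: dict) -> bool:
    """Re-identification as the Garante describes it: the provider joins the forwarded
    record against an account it already holds."""
    return record.get("account_id") in ACCOUNT_DIRECTORY


def proxy_forward(hit: AnalyticsHit) -> dict:
    """Hypothetical proxying approach: the site's own server never forwards the IP or the
    provider account id, and replaces the cookie id with an HMAC under a site-held key, so
    the provider sees a token it cannot map back without that key."""
    token = hmac.new(PROXY_SECRET, hit.client_id.encode(), hashlib.sha256).hexdigest()[:16]
    return {"client_ip": None, "client_id": token, "account_id": None, "page": hit.page}


def demo() -> dict:
    # Constructed hit: a logged-in visitor reading an article on the site.
    hit = AnalyticsHit("203.0.113.77", "cid-1234567890", "acct-4821", "/news/article-1")
    truncated = pseudonymize_only(hit)
    proxied = proxy_forward(hit)
    return {
        "truncated_ip": truncated["client_ip"],
        "reidentifiable_after_truncation": provider_can_reidentify(truncated),
        "reidentifiable_after_proxy": provider_can_reidentify(proxied),
        "proxy_sends_ip": proxied["client_ip"] is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the example makes is the one the decision turns on: `pseudonymize_only` still produces a record the provider can resolve to a known account, so truncation alone changes nothing about whether personal data is transferred. The proxy variant keeps the linking secret on the exporter’s side, which is the property (control over the key) that the Garante found missing in the case at hand; whether any given proxy design is sufficient remains a case-by-case assessment under Article 46 GDPR et seq.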