Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Italy: Garante finds US data transfers through the use of Google Analytics unlawful

The Italian data protection authority ('Garante') announced, on 23 June 2022, that it had published its Decision No. 224, as issued on 9 June 2022, in which it issued a reprimand to Caffeina Media s.r.l., for violations of Articles 5(1)(a), 5(2), 13(1)(f), 24, 44, and 46 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint submitted by an individual.

Background to the decision

In particular, the Garante reported that, according to the complaint, Caffeina Media, as operator of the website www.caffeinamagazine.it, had transferred the complainant's personal data to Google LLC, based in the US, through the use of Google Analytics, in the absence of the guarantees provided for by Chapter V of the GDPR. Subsequently, the Garante noted that it had started an investigation, in close coordination with other EU data protection authorities.

Findings of the Garante

Further to the above, as a result of the investigation carried out, the Garante outlined that it had ascertained that the transfers made by Caffeina Media to Google, by means of Google Analytics, breached Articles 44 and 46 of the GDPR.

Specifically, the Garante determined that Caffeina Media had used Google Analytics, in its free version, for the pursuit of purely statistical purposes and had not implemented the 'IP-Anonymization' feature offered by Google Analytics. As regards the processing carried out, the Garante determined that Caffeina Media collected, by means of cookies transmitted to the user's browser, information on how the latter interacts with the website, as well as with the individual pages and services offered. More in detail, the Garante outlined that the data collected and transferred to the US included the user device IP address, along with information on browser, operating system, screen resolution, selected language, and date and time of page viewing. Notably, the Garante highlighted that an IP address is personal data and took the view that the 'IP-Anonymization' featured offered by Google is a pseudonymisation, rather than anonymisation, technique, considering Google's capabilities to enrich the personal data in question through additional information it holds.

In the light of the above, the Garante outlined that the use of Google Analytics by website operators, such as Caffeina Media, entails a transfer of personal data to Google; such transfers, insofar as they are made to a third country that does not ensure an adequate level of protection under the GDPR (i.e. the US), must be carried out in compliance with Chapter V of the GDPR. Further to this, the Garante explained that, in light of the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case') and the European Data Protection Board's ('EDPB') Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, data controllers, as exporters, are obliged to verify, on a case-by-case basis and, where necessary, in cooperation with the importer in the third country, whether the law or practice in force in the third country affects the effectiveness of the appropriate safeguards contained in the Standard Contractual Clauses ('SCCs'), to determine whether the safeguards provided therein can be complied with in practice.

Further to this, the Garante outlined that, if as a result of the above-mentioned assessment, it is found that the legislation and practices of the third country prevent the importer from complying with the obligations under the chosen transfer instrument, as found in the present case, exporters must adopt additional measures ensuring a level of protection of personal data substantially equivalent to that provided for in the GDPR. More in detail, the Garante determined that the encryption mechanisms implemented in the case in question (i.e. cryptography at rest and in transit) were not sufficient to avoid the risks of access, for national security purposes, to the data transferred from the EU by US public authorities, since such encryption techniques provide that the encryption key rests in the hands of Google, which holds it, as importer, by virtue of the need to have the data in plain text in order to carry out processing and provide services. Importanly, the Garante highlighted that the obligation to allow access, on the part of the US authorities, falls on Google, not only with regard to the imported personal data, but also with regard to any cryptographic keys necessary to make them intelligible. As such, the Garante concluded that, as long as the encryption key remains at the importer's disposal, the measures taken cannot be considered adequate. Moreover, the Garante noted that, in the absence of appropriate technical measures, the additional contractual and organisational measures adopted could not reduce or prevent the possibility of access to the personal data subject to transfer by US authorities.

In the light of the foregoing, the Garante took the view that the additional safeguards adopted in the present case could not be regarded as adequate, with the consequent unlawfulness, within the meaning of Articles 44 and 46 of the GDPR, of the relevant transfers of personal data to the US.

Separately, the Garante also found Caffeina Media in breach of:

  • Articles 5(2) and 24 of the GDPR, thus rejecting Caffeina Media's argument as to its lack of autonomy with regard to the decisions to be taken on the transfer of data to third countries; and
  • Articles 5(1)(a) and 13(1)(f) of the GDPR, for the lack of information on data transfers on the website's privacy policy, which was generated using the automatic service offered by iubenda s.r.l. for the management of privacy policies and cookie policies.

Outcomes

Given the established facts, the Garante issued a reprimand against Caffeina Media and ordered the same to bring its processing into compliance with the GDPR within 90 days. On this aspect, the Garante considered the imposed deadline appropriate in order to allow Caffeina Media to implement adequate measures in connection with the data transfers; should the deadline not be met, the Garante pointed out that it would order the suspension of all Google Analytics-related data flows to the US. In addition, the Garante noted that Caffeina Media may, within 30 days, lodge an appeal before the ordinary judicial authority.

Notably, the Garante urged all Italian website operators, both public and private, to take into account the unlawfulness of the data transfers to the US resulting from the use of Google Analytics, calling upon all controllers to verify that the use of cookies and other tracking tools on their websites is compliant with the GDPR.

You can read the press release here and the decision, only available in Italian, here.

Update (6 July 2022)

EDPB publishes English summary of Garante's decision to ban use of Google Analytics

The European Data Protection Board ('EDPB') published, on 30 June 2022, the English summary of the decision issued by the Garante against Caffeina Media to ban the use of Google Analytics due to the lack of adequate safeguards for data transfers.

You can read the summary here