Italian Supervisory Authority Investigates Website Analytics | K&L Gates LLP
Following the positions expressed by the Austrian, German and French supervisory authorities (see our previous alert), the Italian Supervisory Authority (Garante per la Protezione dei Dati Personali)(Garante) published on June 9, 2022 a specific measure, according to which site analytics solutions used to measure online audiences (Analytics Service Solutions) violate the European General Data Protection Regulation n. 2016/679 (GDPR) when such use involves a transfer of personal data to a third country without an adequate level of protection of personal data, such as the United States. In general, the Garante has aligned its position on this matter with that of its counterparts.
In the present case, following an investigation opened in August 2020, on the basis of a complaint from a data subject, the Garante reprimanded (without imposing a fine) an online newspaper (the Company) for having transferred, via Analytics Service Solutions, the personal data of users to the United States without adopting the necessary safeguards. In particular, the Garante pointed out that the Company had no autonomy in its choices regarding data transfers to third countries and “no possibility of verifying the implementation at the technical level” of any additional measures that Analytics Service would impose. Solutions.
In particular, the Garante has taken a position on a controversial subject relating to the qualification of an Internet Protocol (IP) address: According to the Garante, the IP address must be considered as personal data insofar as it allows the identification of a communication terminal and, consequently, indirectly, the identification of a user behind this terminal. The above occurs, for example, when users access a website while at the same time being logged into Analytics Service Solutions’ own service (such as webmail), as the data transmitted by the website’s cookies may be reconciled with this service and this account.
Furthermore, Garante disregarded the use of an “IP anonymization” feature chosen by the Company, considering that it would not be sufficient to prevent the identification of the user and, consequently, the transfer of actual personal data. According to the Garante, the partial truncation of the IP address was considered a simple pseudonymization, unable to prevent a new identification of the user when using the services of Analytics Service Solutions.
In light of the above, Garante reiterated the principle already established by the Court of Justice of the European Union: under the GDPR liability framework, EU-based data exporters are required to assess whether the applicable regulatory framework or the best practices of the data importer affect the effectiveness of the guarantees of the standard contractual clauses. In particular, the exporter must verify whether the public authorities of the third country have access to the personal data exported via the exporter himself. In general, data exporters subject to the GDPR must ensure, on a case-by-case basis, that the guarantees provided for in Article 46 GDPR et seq. are effective. Therefore, in the event that it is not possible to ensure compliance with the safeguards of the GDPR, additional measures must be implemented to ensure a level of protection of personal data in accordance with the GDPR. In addition, the Garante pointed out that in this case the encryption key remained with the provider of Analytics Service Solutions and, recalling what the European Data Protection Board had already indicated in its recommendation 1/2020, such a loss of control over the encryption key prevented any organization or technical measure from being considered adequate.
Following all the investigations carried out, considering that the breach of the Company fell within the scope of Article 83 GDPR, paragraph 2 (“minor breach”), the Guarantor ordered the Company to comply with chapter V of the GDPR within 90 days and, failing this, to prohibit any international data flow to Analytics Service Solutions.
In addition to the above, Mr. Guido Scorza, one of the members of the Garante, pointed out in a press release that this case concerns all website operators in Italy, who now all have a deadline of 90 days to comply with the measure issued.
What is the next?
All website stakeholders in Italy must now review their analytics service solutions and determine if they fall within the scope of the Garante requirements.
- Where such international data transfers would actually take place, the stakeholder should assess the best way forward. If their analysis service solutions do not offer sufficient guarantees, and following the recent similar decision of the French Supervisory Authority, Italian players can in particular consider the implementation of IT solutions such as encryption and proxy servers.