The Italian Supervisory Authority Weighs in on Website Analytics
Following the positions expressed by the Austrian, German, and French supervisory authorities (see our previous alert), the Italian Supervisory Authority (Garante per la Protezione dei Dati Personali, the Garante) published on 9 June 2022 a specific measure according to which website analytics solutions used to measure online audiences (Analytics Service Solutions) infringe the EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) when their use implies a transfer of personal data to a third country without an adequate level of personal data protection, such as the United States. Generally speaking, the Garante aligned its position on the matter with that of its counterparts.
In the case at hand, following an investigation initiated in August 2020, based on a data subject complaint, the Garante admonished (without issuing a fine) an online newspaper (the Company) for transferring, through Analytics Service Solutions, the personal data of users to the United States without adopting the necessary safeguards. In particular, the Garante pointed out that the Company had no autonomy in making choices regarding data transfers to third countries and “no possibility to verify the implementation at technical level” of any additional measures Analytics Service Solutions would dictate.
Notably, the Garante took a position on a controversial topic relating to the characterization of an internet protocol (IP) address: according to the Garante, an IP address should be deemed personal data inasmuch as it allows the identification of an electronic communication terminal and, therefore, indirectly, the identification of the user behind that terminal. This occurs, for instance, when users access a website while at the same time being logged in to the Analytics Service Solutions provider’s own services (such as webmail), since the data transmitted by the website’s cookies may be reconciled with that service and account.
Furthermore, the Garante disregarded the use of an “IP anonymization” functionality selected by the Company, considering that it would not be sufficient to prevent the identification of the user and, therefore, the transfer of actual personal data. According to the Garante, partial truncation of the IP address amounts to mere pseudonymization, unable to prevent further re-identification of the user when the Analytics Service Solutions provider’s services are used.
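To make the pseudonymization point concrete, here is an added illustration (not code from the alert, the Garante, or any analytics vendor) of why partial IP truncation does not anonymize a hit. It assumes a truncation scheme that zeroes the last IPv4 octet (the last 80 bits for IPv6), which the alert does not specify, and uses constructed sample hits with a hypothetical cookie identifier and account field. The truncated value is stable across visits and narrows the address to a small block, and where the same cookie was ever seen while logged in, the truncated address is trivially reconciled with the account.

```python
import ipaddress

# Constructed sample hits, as an analytics tag might see them (not real data).
# "cookie" stands in for a hypothetical client identifier; "account" is the
# identifier of the logged-in user, or None when the user is logged out.
HITS = [
    {"ip": "203.0.113.77", "cookie": "cid-a1", "account": "alice@example"},
    {"ip": "203.0.113.77", "cookie": "cid-a1", "account": None},  # same user, logged out
    {"ip": "203.0.113.90", "cookie": "cid-b2", "account": None},  # never logged in
    {"ip": "198.51.100.5", "cookie": "cid-c3", "account": "carol@example"},
]


def truncate_ip(ip: str) -> str:
    """Assumed 'IP anonymization': zero the last IPv4 octet (/24) or the last
    80 bits of an IPv6 address (/48). Returns the network address as a string."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def candidate_hosts(ip: str) -> int:
    """How many addresses the truncated value still maps to: 256 for IPv4 /24.
    A stable value drawn from that small a set is a pseudonym, not anonymous data."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False).num_addresses


def reidentify(hits):
    """Reconcile truncated IPs with accounts. Any hit where a cookie was seen
    logged in lets every other hit carrying that cookie, logged in or not,
    be tied back to the account, regardless of the IP truncation."""
    cookie_to_account = {h["cookie"]: h["account"] for h in hits if h["account"]}
    linked = {}
    for h in hits:
        account = cookie_to_account.get(h["cookie"])
        if account:
            linked.setdefault(truncate_ip(h["ip"]), set()).add(account)
    return linked


if __name__ == "__main__":
    for h in HITS:
        print(h["ip"], "->", truncate_ip(h["ip"]), f"({candidate_hosts(h['ip'])} candidates)")
    print(reidentify(HITS))
```

Note that the cookie, not the IP, carries the linkage here: truncating the address does nothing to break the join between a logged-out visit and an earlier logged-in one, which is the reconciliation the Garante describes.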
In light of the above, the Garante reiterated the principle already established by the Court of Justice of the European Union: under the GDPR’s accountability framework, EU-based data exporters are required to assess whether the regulatory framework or practices applicable to the data importer affect the effectiveness of the standard contractual clauses’ safeguards. In particular, the exporter must verify whether the public authorities of the third country can access the exported personal data through the importer. Generally speaking, data exporters subject to the GDPR must ensure, on a case-by-case assessment, that the safeguards set out under Article 46 GDPR et seq. are effective. Therefore, where compliance with the GDPR safeguards cannot be ensured, additional measures must be implemented to guarantee a level of personal data protection that complies with the GDPR. In addition, the Garante pointed out that, in the case at hand, the encryption key remained with the Analytics Service Solutions provider and, reiterating what the European Data Protection Board had already stated in its Recommendations 01/2020, that such loss of control over the encryption key prevents any organizational or technical measure from being considered adequate.
As a result of the investigations conducted, and deeming that the Company’s breach fell within the scope of Article 83(2) GDPR (“minor violation”), the Garante ordered the Company to comply with Chapter V GDPR within 90 days and, failing that, to halt any international data flow to the Analytics Service Solutions provider.
In addition, Mr. Guido Scorza, one of the Garante’s members, highlighted in a press release that this matter affects each and every website operator in Italy, all of which now have a 90-day deadline to comply with the issued measure.
What Is Next?
- All website stakeholders in Italy must now review their Analytics Service Solutions and assess whether they fall within the scope of the Garante’s requirements.
- Where such international data transfers do occur, the stakeholder should assess the best way forward. If their Analytics Service Solutions do not offer sufficient safeguards, then, following the similar recent decision by the French Supervisory Authority, Italian stakeholders may notably consider implementing IT solutions such as encryption and proxy servers.
The K&L Gates Global Data Protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at a global level.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.