Garante per la protezione dei dati personali (Italy) - 9808698

From GDPRhub
Garante per la protezione dei dati personali - 9808698
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(2) GDPR
Article 13(1)(f) GDPR
Article 24 GDPR
Article 40 GDPR
Type: Complaint
Outcome: Upheld
Started: 18.08.2020
Decided: 21.07.2022
Published:
Fine: n/a
Parties: an unnamed data subject
Fastweb S.p.A.
National Case Number/Name: 9808698
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: Carloc

The Italian DPA held that a website operator used Google Analytics without implementing adequate safeguards for U.S. data transfers as required by Article 46 GDPR. The operator was reprimanded and ordered to bring the data transfers into compliance or cease them altogether.

English Summary

Facts

An Italian company, Fastweb S.p.A. (the controller), owned the website www.fastweb.it. Following the Schrems II decision, a user of the website (the data subject), represented by noyb – European Center for Digital Rights, complained to the Italian DPA that the controller was sending his personal data to the US without appropriate safeguards required by Article 46 GDPR.

The transfers took place through the use of Google Analytics 360. The controller operated a news website that used Google Analytics to collect statistical data on the use of its services. Google Analytics cookies collected data on users' IP address, browser or device, operating system, screen resolution, selected language, date and time of access, and interaction with the website. For users who logged in with their Google account, this information could be associated with other identifiers such as email address, telephone number, gender, date of birth, and profile picture.

Google LLC (based in the US), and later Google Ireland, were responsible for processing the collected information; even after the Google Analytics terms of service were changed to list Google Ireland as processor, Google LLC was still designated as a sub-processor. In response to the DPA's investigation, Google claimed it had adopted technical measures sufficient to safeguard data subjects' rights under the GDPR. These measures consisted of encryption (for which Google LLC held a copy of the encryption key) and a service called "IP-Anonymisation," whereby Google truncated users' IP addresses to hamper identification. This process, however, was actually a form of pseudonymisation, because the truncated IP address could be used in combination with the other collected data to re-identify natural persons.

Both Google and the controller also argued that, taking into account the nature of the data and the context in which it was collected, the likelihood of actually being forced to disclose this data to the US government was exceedingly low. This attenuated risk, they argued, meant that less stringent safeguards were sufficient to protect data subjects' rights under the GDPR (the so-called "risk-based approach"). Google claimed that in over 15 years of providing its Google Analytics service, it had never received an access request like the one contemplated in the data subject's complaint.

For its part, the controller deemed the technical measures implemented by Google sufficient. It stated that the possibility of identifying the data subject on the basis of the pseudonymised IP address was essentially non-existent. However, the controller also lacked the technical means to verify the implementation of these measures, nor did it have any authority to decide what measures were appropriate or to dictate to Google choices regarding data transfers to third countries.

Holding

The DPA declared any processing carried out by the controller through the use of Google Analytics unlawful. It also clarified that, regardless of any asymmetry in bargaining power or technical resources, the controller was responsible for ensuring that processing is lawful pursuant to Article 5(2) (accountability) and 24 GDPR (responsibility of the controller). The controller must decide independently on the methods, guarantees, and limits of processing.

Regarding data transfers to a third country, the DPA rejected the risk-based approach, finding the controller in violation of Article 44 and 46 GDPR. The low probability of an access request from US authorities did not relieve the controller of its responsibility to guarantee on a case-by-case basis that transfers of personal data to a third country had adequate safeguards. Encryption was an insufficient technical safeguard because Google LLC remained in possession of the relevant encryption key. US authorities could simply compel Google LLC to turn over this key along with the encrypted data.

The DPA also found the controller in violation of Article 13(f) GDPR because its privacy policy did not disclose the intention to transfer personal data to a third country, the lack of an adequacy decision or what safeguards were in place per Article 46(2) GDPR.

For these violations, the DPA reprimanded the controller and ordered it to comply with the GDPR (specifically Article 46 GDPR) within 90 days or suspend the transfer of data through Google Analytics.

Comment

This is one of the 101 complaints filed in the Summer of 2020 by noyb – European Center for Digital Rights, a privacy NGO.[1] It is similar to other decisions on the 101 complaints by the Austrian[2] DSB, the French[3] CNIL and the Garante[4][5] itself. The EDPB made a task force to coordinate the response to the 101 complaints[6].

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9808698]

Provision of 21 July 2022

Record of measures
n. 254 of 21 July 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

In today's meeting, which was attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (hereinafter, the "Regulation");

GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, n.196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");

GIVEN the complaint of 18 August 2020 submitted pursuant to art. 77 of the Regulation by Mr. XX against Fastweb S.p.A.;

HAVING EXAMINED the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

Rapporteur Prof. Ginevra Cerrina Feroni;

WHEREAS

1. The complaint against the company and the preliminary investigation.

With a complaint presented on 18 August 2020, Mr. XX complained that Fastweb S.p.A. (hereinafter also "the Company") had transferred to Google LLC, based in the United States, the personal data concerning him processed through the website www.fastweb.it, in the absence of the guarantees provided for by Chapter V of the Regulation.

As part of the investigation initiated by the Guarantor, the Office, with notes dated November 16, 2020 and July 20, 2021, asked the Company to provide information and clarifications on the facts of the complaint.

With the communications of January 13, 2021 and October 18, 2021, in responding to the requests of the Office, Fastweb S.p.A. stated the following:

- the processing of personal data of users of the website www.fastweb.it is carried out by the Company through Google Analytics 360, a tool which, through cookies transmitted to the user's browser, collects information on how users of the site interact with the individual pages and with the services offered. Google Analytics 360 "has the purpose of analyzing statistically and in an aggregate manner - not, therefore, for individual users - what happens while browsing the site, also in order to improve its promotional effectiveness. (..) The analyses on the aforementioned aspects are (..) then provided to Fastweb in the form of an aggregate statistical output on the Google Analytics 360 viewing platform, which does not make it possible to trace the individual user or the detailed information underlying it" (see note dated January 13, 2021, page 2);

- the data being processed consists of the identifier of the cookie downloaded to the user's browser, the IP address and the type of device used (see note of 13 January 2021, page 17). In addition to the default variables sent to Google's servers, the Company transmits additional information of a personalized type (custom), based on reporting needs, "in addition, in fact, to the standard ones performed by Google Analytics 360" (see note of October 18, 2021, page 7). With particular reference to the IP address, starting from 23 December 2020, it was "forcibly anonymized by Fastweb", following the procedure made available by Google for this purpose. The function, called IP-Anonymization, "corresponds to the deletion of the last byte of the IPv4 address - and/or of the last 80 bits of the IPv6 address - of the user". The aforementioned operation is carried out "by Google itself in the intermediate moment between the receipt of the data and the storage of the pseudonymised data on Google's storage systems". In addition, "the client's IP address is always transmitted to Google in full and unobscured, directly by the user's browser. The information in question - as far as is known - is then subject to pseudonymization server side 'as soon as it is technically possible' if the website manager has enabled this functionality" (see note of 13 January 2021, page 11 and note of 18 October 2021, pages 19 and 20);

- as regards the aforementioned procedure, Fastweb S.p.A. also stated that "it does not have (..) precise information as to whether this activity is carried out by Google Ireland Limited or by Google LLC, or whether it occurs before or after the transfer of data to countries outside the EU, since this detail is not disclosed by Google" (see note of 18 October 2021, page 20);

- with regard to the possibility that the pseudonymised data can be associated with additional information that allows the attribution of the same to an identified or identifiable natural person, the Company stated that "it is not possible to exclude that the pseudonymised data may be associated with further data in possession of Google LLC in order to proceed with the subsequent identification of the interested parties "(see note of 18 October 2021, page 23);

- in relation to the overall processing outlined above, the Company, on 16 August 2020, through the reseller iProspect S.r.l., signed the "Google Analytics Terms of Service" with Google Ireland Limited and, on the basis of the "Google Ads Data Processing Terms" (see Article 7 of the aforementioned contractual conditions), "has provided [as data controller] to appoint Google Ireland Limited as processor (...), which in turn has appointed Google LLC as its sub-processor" (note of January 13, 2021, page 31 and note of October 18, 2021, pages 2-4);

- the transfer of data is governed by art. 10 of the "Google Ads Data Processing Terms" and is therefore put in place through the adoption by Fastweb S.p.A., as exporter, of the "Model contract clauses" identified pursuant to art. 46 of the Regulation (see Google Ads Data Processing Terms, art. 2.1); on the basis of the latter, the Company agrees that Google Ireland Limited, in its capacity as processor, may have recourse to the affiliated companies of Google, as sub-processors, including Google LLC established in the United States (see note of 13 January 2021, page 20 and note of October 18, 2021, pages 4 and 24);

- the aforementioned clauses have been supplemented by the additional measures adopted by Google (as reported by the Company in the note dated 13 January 2021, pages 22-30). In this regard Fastweb S.p.A. stated that they are adequate since they are "substantially in line with the guidelines" contained in Recommendation no. 1/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, adopted by the European Data Protection Board (hereinafter "EDPB") on June 18, 2021 (see note of 18 October 2021, pages 21 and 22). The Company therefore came "to the conclusion that it is not necessary [to implement] further guarantees pursuant to Chapter V in light of the information provided by Google regarding the management of personal data and the assessment of the level of adequacy of such transfers, taking into account the circumstances of the transfer and of the technical and organizational measures adopted by Google" (see note of January 13, 2021, page 30);

- specifically, with reference to the technical measure defined "Encryption", the Company also specified that "the encryption keys, both for the at-rest and in-transit part, are under the control of Google. In particular, the at-rest encryption keys, given the storage management by Google LLC, are under the control of the US entity" (see note of 18 October 2021, page 23);

- with regard to the information that the Company has provided to Mr. XX pursuant to art. 13 of the Regulation, it is contained in the "cookie policy shown at the time of opening the website www.fastweb.it (..), which refers, by way of supplementary reference, to the Google information regarding the analytics service"; while as regards the updates to be made to the information following the ruling of the Court of Justice of the European Union of 16 July 2020, no. C-311/18, the "changes were made directly by Google after its evaluations" (see note of 13 January 2021, page 14 and note of 18 October 2021, page 25 and Annex 8).

With regard to the matters represented by the Company, further observations were also acquired from the complainant, transmitted with a note dated 21 February 2021.

On December 22, 2021, the Office notified, pursuant to art. 166, paragraph 5, of the Code, the alleged violations of the Regulation found with reference to art. 5, par. 1, lett. a), and par. 2, of the Regulation and art. 13 of the Regulation, as well as art. 44 and 46 of the Regulation.

On 21 February 2022 Fastweb S.p.A. sent its defence briefs in which it represented that:

a) with regard to the nature of the data, the information being transferred "also as a result of the measures adopted by the controller [is] not qualifiable as personal data pursuant to art 4 c. 1 GDPR"; this is because "the IP address presumably used in a connection made by a residential user, normally, does not allow the identification of a single browsing session referable to a single user, but rather to a multitude of users" (see note of 21 February 2022, pp. 3-4);

b) regarding the IP-Anonymization function, following its activation "the IP address in its entirety is not permanently stored at any time since the truncation takes place entirely in the volatile memory of Google's servers, almost instantaneously after the connection has been initiated by the user". Indeed, "the time elapsing between the receipt of the IP address and its truncation can be quantified in thousandths of a second. Basically, the pseudonymisation of the IP takes place within a maximum of 500 microseconds ~50% of the time and within 1 millisecond 99% of the time, depending on the current load of the server that performs the operation." (see note of February 21, 2022, page 5);

c) in relation to the elements on the basis of which Fastweb S.p.A. carried out its own assessment of the suitability of the chosen instrument for the purposes of the transfer and of the additional measures to be adopted in the case in question, the Company took into account the fact that "the data transferred are of a very limited nature in terms of quality and quantity", thus making "concrete identification [of the user] very difficult (..)"; this also considering that following the activation, in the case in question, of the IP-Anonymization "the possibility for anyone to identify the applicant on the basis of the truncated IP address is even more reduced, if at all" (see note of 21 February 2022, p. 13). It also highlighted that "data such as IP address - however pseudonymised - and unique identifier of the device" cannot be considered "useful and of interest for surveillance by US intelligence" as the "surveillance objective set by Section 702 (..) is limited to foreign intelligence information only" (see note of February 21, 2022, page 14). In support of this, the Company reported what was declared by Google in a recent blog post of January 19, 2022 (available at the following address: https://blog.google/around-the-globe/google-europe/its-time-for-a-new-eu-us-data-transfer-framework/), regarding the circumstance that "in the 15 years of operation of the service, a request for access to Analytics data has never been made by US intelligence" (note of February 21, 2022, page 8);

d) with reference to the supplementary measures, those implemented in the case in question must be considered adequate as they "fall within those explicitly recommended as supplementary measures in Annex 2 of Recommendation no. 1/2020" (see note of 21 February 2021, pages 13-14);

e) as regards the level of autonomy of Fastweb S.p.A. with regard to the choices relating to data transfers to third countries, the Company reiterated that due to the monopoly position held by Google in the market, there is in fact "the impossibility for the Company to request and obtain detailed information or technical checks" with regard to the Google Analytics tool, as well as to "make changes or corrections of any kind to the product, beyond the caution already adopted to activate the IP address masking function" (see note of 21 February 2022, pp. 8-9);

f) regarding the inadequacy of the information pursuant to art. 13 of the Regulation, the same was updated by the Company according to the indications provided by the Authority in the notification of violation sent pursuant to art. 166, paragraph 5 of the Code (see note of 21 February 2022, page 10).

On March 28, 2022, during the hearing requested by the Company, the latter, in fully recalling the aforementioned briefs, also represented that:

- with regard to the additional measures of a technical nature adopted in this case, Google Analytics, as a web analytics tool, "cannot ignore the identification of the device, browser and site visited, thus making it impossible to adopt encryption at rest with encryption keys managed by the controller (measure suggested by the EDPB in Recommendation no. 1/2020), except by greatly reducing if not directly cancelling the analysis functions of the platform itself" (see minutes of 28 March 2022, p. 3);

- the Company "has concretely evaluated the possibility of using alternative tools to Google Analytics, identifying possible substitutes", highlighting at the same time that "the solutions identified are in any case not able to guarantee Fastweb S.p.A. the same services and conditions of service" (see minutes of 28 March 2022, page 3).

2. Observations on the legislation on the protection of personal data and ascertained violations.

First of all, it is represented that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false acts or documents, is liable pursuant to art. 168 of the Code "Falsehood in declarations to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor".

That said, upon the outcome of the investigation and examination of the documentation acquired during the same, it was ascertained that the transfers made by Fastweb S.p.A. to Google LLC (based in the United States), through the Google Analytics tool (hereinafter also "GA"), were implemented in violation of Articles 44 and 46 of the Regulation; it is also noted that violations of art. 5, par. 1, lett. a) and par. 2, of art. 13, par. 1, lett. f), and of art. 24 of the Regulation occurred, as explained below.

2.1 The transfers of personal data to the United States made through Google Analytics.

Google Analytics is a web analytics tool provided by Google to website managers that allows them to analyze detailed user statistics in order to optimize the services rendered and to monitor their marketing campaigns.

As part of the pursuit of statistical purposes, i.e. aimed at obtaining aggregate information on user activity within its website, Fastweb S.p.A. uses GA in its paid version (called Google Analytics 360). The Company acts as data controller and designates Google Ireland Limited as processor, pursuant to art. 28 of the Regulation, based on the "Google Analytics Terms of Service" and the "Google Ads Data Processing Terms". The latter, pursuant to the aforementioned terms of service, may use other subjects, as sub-processors, including Google LLC based in the United States.

With regard to the processing carried out through GA, it was found that Fastweb S.p.A. collects, by means of cookies transmitted to users' browsers, information regarding the methods of interaction of the latter with the website, as well as with the individual pages and with the services offered.

More specifically, the data collected consists of: unique online identifiers that allow the identification both of the browser or device of the user visiting the website and of the site manager himself (through the Google account ID); address, website name and navigation data; information relating to the so-called custom variables; IP address of the device used by the user; information relating to the browser, the operating system, the screen resolution, the selected language, as well as the date and time of the visit to the website.

In this regard, it is worth highlighting - contrary to what is represented by the Company on this point (see above paragraph 1, point a) - that the IP address constitutes personal data to the extent that it allows the identification of an electronic communication device, thus allowing the data subject to be indirectly identified as a user (see Article 29 Working Party, WP 136 - Opinion no. 4/2007 on the concept of personal data, of 20 June 2007, page 16). This applies especially where, as in the present case, the IP is associated with other information relating to the browser used and the date and time of navigation (see recital 30 of the Regulation).

In addition, if the visitor to the website logs in to his Google account - a circumstance which, in the case under examination, may be numerically very significant - and has selected certain options in this account (for example the one relating to the receipt of personalised advertising), the data indicated above may be associated with other information present in the relevant account, such as the email address (which constitutes the user ID of the same), the telephone number and any additional personal data including gender, date of birth or the user's profile picture.

However, it remains understood that, regardless of access to the Google account, the IP address can in any case allow - above all, as already explained above, when associated with other information relating to the browser used and the date and time of navigation - the identification of an electronic communication device and, therefore, indirectly of the user.

As part of the GA service, Google has also made available to website operators the option called "IP-Anonymization", which involves sending the user's IP address to Google Analytics after obscuring the least significant octet (based on this operation, for example, the addresses from 122.48.54.0 to 122.48.54.255 would all be replaced by 122.48.54.0). In the present case, the Company declared that the aforementioned option was activated from 23 December 2020 (see note of 13 January 2021, page 11 and note of 18 October 2021, page 19).

On this point, it emerged first of all that as a rule this operation is carried out on the servers of Google LLC, but that, with respect to the data collected in the European Union, it is carried out in the systems located there, except in exceptional cases. With reference to the latter hypotheses, however, sufficient elements have not been found regarding these cases, nor regarding the degree of probability that the processing of the IP address will take place in the United States. More generally, therefore, it does not appear possible to identify with certainty where the truncation of the least significant octet actually takes place (i.e. whether in the Google systems located in the European Union or in the United States). It cannot therefore be excluded a priori that the IP address, in its entirety, is transmitted to the systems of Google LLC before the truncation operation, with the risk that it may be accessed by public authorities.

Secondly, with reference to the effectiveness of the "IP-Anonymization" measure, it is worth noting in any case that it actually consists of a pseudonymisation of the data relating to the user's network address, since, contrary to what the Company argued in this regard (see above paragraph 1, point b), the truncation of the last octet does not prevent Google LLC from re-identifying the user, taking into account the information relating to web users held by the same as a whole. Furthermore, Google LLC has the possibility - if the data subject has accessed his/her Google profile - to associate, as already highlighted, the IP address with other additional information already in its possession (such as information contained in the user account). Therefore, it is believed that Google - despite the activation of the "IP-Anonymization" - is still able to identify a user directly (if the latter has accessed his account), or through the IP address received before the "IP-Anonymization" operation, or, again, through re-identification carried out on the basis of the IP address without the last octet in combination with the other information in its possession.
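The following is an added illustration, not code from the decision or from Google's own implementation: it models the truncation described above (last octet of IPv4, last 80 bits of IPv6) and then shows why the Garante treats the result as pseudonymised, because the attributes GA keeps alongside the truncated address still single visitors out and can be joined to data a processor already holds. The hit records and the account side table are constructed, hypothetical samples.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of GA-style hits (illustration only, not data from the
# case). The browser sends the full IP; truncation happens afterwards on the
# server, which is the sequence the decision describes.
HITS: List[Dict[str, str]] = [
    {"ip": "122.48.54.17",  "ua": "Firefox/102 (Linux)",  "screen": "2560x1440",
     "lang": "it-IT", "ts": "2022-07-21T09:14:03"},
    {"ip": "122.48.54.201", "ua": "Chrome/103 (Windows)", "screen": "1920x1080",
     "lang": "it-IT", "ts": "2022-07-21T09:14:51"},
    {"ip": "122.48.54.201", "ua": "Chrome/103 (Windows)", "screen": "1920x1080",
     "lang": "it-IT", "ts": "2022-07-21T09:20:12"},
    {"ip": "122.48.54.77",  "ua": "Safari/15 (macOS)",    "screen": "1440x900",
     "lang": "en-GB", "ts": "2022-07-21T10:02:44"},
    {"ip": "2001:db8:85a3:8d3:1319:8a2e:370:7348", "ua": "Chrome/103 (Android)",
     "screen": "412x915", "lang": "it-IT", "ts": "2022-07-21T10:05:09"},
]

# Constructed, hypothetical side table standing in for information a processor
# already holds about logged-in users (email plus the same browser attributes).
ACCOUNT_SESSIONS: List[Dict[str, str]] = [
    {"email": "user-a@example.invalid", "ip": "122.48.54.17",
     "ua": "Firefox/102 (Linux)", "screen": "2560x1440", "lang": "it-IT"},
]


def truncate_ip(addr: str) -> str:
    """Zero the last octet of an IPv4 address, or the last 80 bits of an IPv6
    address, as the decision describes the IP-Anonymization function."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48   # 32 - 8 bits, 128 - 80 bits
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymise(hit: Dict[str, str]) -> Dict[str, str]:
    """Copy of the record with only the IP truncated; everything else GA
    collects (browser, screen, language, timestamp) is left untouched."""
    out = dict(hit)
    out["ip"] = truncate_ip(hit["ip"])
    return out


def quasi_identifier(hit: Dict[str, str]) -> Tuple[str, str, str, str]:
    """Attributes that survive truncation and together act as a fingerprint."""
    return (hit["ip"], hit["ua"], hit["screen"], hit["lang"])


def singling_out_counts(hits: List[Dict[str, str]]) -> Counter:
    """Number of hits sharing each fingerprint after truncation. A count of 1
    means that visitor is still singled out: the data is pseudonymous, not
    anonymous, even though the full address was dropped."""
    return Counter(quasi_identifier(pseudonymise(h)) for h in hits)


def reidentify(hits: List[Dict[str, str]],
               sessions: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Join truncated hits back to account holders using the other attributes
    the processor holds. Returns (hit index, email) pairs that matched."""
    index = {quasi_identifier(pseudonymise(s)): s["email"] for s in sessions}
    matches = []
    for i, h in enumerate(hits):
        key = quasi_identifier(pseudonymise(h))
        if key in index:
            matches.append((i, index[key]))
    return matches


if __name__ == "__main__":
    for h in HITS:
        print(h["ip"], "->", truncate_ip(h["ip"]))
    for fp, n in singling_out_counts(HITS).items():
        print(f"k={n}", fp)
    print("linked to accounts:", reidentify(HITS, ACCOUNT_SESSIONS))
```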

Considering therefore that, for all the reasons expressed above, the use of GA by the managers of websites - such as Fastweb S.p.A. - involves the transfer of the personal data of the visitors of the aforementioned sites to Google LLC based in the United States, and since these are transfers made to a third country that does not guarantee an adequate level of protection pursuant to data protection legislation (i.e. the United States), they must be carried out in compliance with Chapter V of the Regulation.

2.2 The unlawfulness of transfers following ruling C-311/18, of July 16, 2020, so-called Schrems II.

It is recalled that the Court of Justice of the European Union, with ruling C-311/18 of 16 July 2020 (so-called Schrems II), in declaring invalid the decision of the EU Commission no. 2016/1250 of 12 July 2016 on the adequacy of the protection offered by the EU-US privacy shield regime (so-called Privacy Shield), found that the domestic law of the United States (in particular Executive Order 12333 and Section 702 of the Foreign Intelligence Surveillance Act - hereinafter "FISA 702") entails exceptions to the data protection legislation that exceed the restrictions deemed necessary in a democratic society. This applies with particular reference to the provisions that allow public Authorities, within the framework of certain national security programs, to access the personal data being transferred without adequate limitations, as well as to the failure to provide data subjects with rights that can be enforced in court.

The Court, with the same ruling, also reaffirmed the validity of Commission Decision no. 2010/87/EC of 5 February 2010 concerning the standard contractual clauses for the transfer of personal data to processors established in third countries - clauses adopted by Fastweb S.p.A. in the present case.

At the same time, it pointed out that, based on the principle of accountability, data controllers, as exporters, are in any case required to verify, on a case-by-case basis and, where necessary, in collaboration with the importer in the third country, whether the law or the practice of the latter affect the effectiveness of the adequate guarantees contained in the aforementioned clauses; this in order to determine whether the guarantees provided for by the standard contractual clauses can be respected in practice (Article 5, paragraph 2, and Article 24; see also Recommendation No. 1/2020 on measures that supplement transfer instruments to ensure compliance with the EU level of protection of personal data, of 18 June 2021, paragraphs 1-5).

In general terms, it is therefore necessary to evaluate, in concrete terms, i.e. on the basis of the circumstances of the transfer, whether the instrument chosen by the exporter, among those identified by art. 46 of the Regulation, is effective in the specific case.

This examination, as noted by the European Data Protection Board - hereinafter "EDPB" (see Recommendation No. 1/2020, cit., p. 4), must "focus first of all on the legislation of the third country [and on the practices applicable] relevant for the transfer [as well as] on the transfer instrument [identified] pursuant to Article 46 of the GDPR", in order to verify that the aforementioned legislation and practices do not effectively prevent compliance, by the importer, with the obligations established by the instrument used.

More specifically, the above assessment "involves the need to determine whether or not the transfer in question falls within the scope of the [aforementioned legislation]". It must "be based on objective factors, regardless of the likelihood of access to personal data" (see Joint Opinion 2/2021 of the EDPB and the EDPS on the European Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries, adopted January 14, 2021, par. 86).

For this purpose, the characteristics of the specific transfer carried out are relevant, such as: the purposes, the nature of the subjects involved, the sector in which the transfer takes place, the categories of personal data transferred, the circumstance that the data are stored in the third country or there remote access, the format of the data to be transferred and any subsequent transfers (see Recommendation No. 1/2020, cit., par. 33).

The assessment required of the exporter, therefore, must focus on the legislation and practices applicable, in the third country, to the data specifically transferred and involve the verification of "whether or not it is possible for the public authorities of the third country (...) to attempt to access the data" as well as of the "ability or not, for the public authorities of the third country (...) to access the data through the importer himself or through telecommunications providers or communication channels" (see Recommendation No. 1/2020, cit., para. 31).

With regard to the aforementioned possibility of access by the US Authorities, however, it must be considered that it is confirmed in the "Transparency report on United States national security requests for user information" made available by Google on its website (available at the following link: https://transparencyreport.google.com/user-data/us-national-security?hl=en); the report contains the numerical data relating to access requests received by Google, pursuant to FISA 702, from the US Authorities.

That said, with reference to the Company's claims on these points in its defence briefs, it is worth highlighting that:

- with regard to the assessment of the suitability of the additional measures adopted in the present case (see above, paragraph 1, point c), the Company based its assessment on the limited ability to identify users due to the nature and quantity of the collected data; a circumstance which, as highlighted above (see par. 2.1), does not hold for the processing of data carried out through GA. The Company also considered that the possibility of access by the US Authority represents "a probabilistic event of realization that is completely uncertain and statistically negligible" (see note of 21 February 2022, page 8). On this point, on the other hand, it is reiterated that the Court, in the aforementioned ruling, did not refer to "any subjective factor, such as, for example, the probability of access" to the personal data transferred (see Joint Opinion 2/2021 of the EDPB and of the EDPS, cit., para. 87);

- with regard to the limitations put forward by the Company as to the type of data that can be accessed pursuant to FISA 702 (see above, paragraph 1, point c), the IP address is also included among the information of interest to the US authorities, together with other metadata; a circumstance that emerges from the "Transparency report on United States national security requests for user information" made available by Google on its website (see in particular the description contained in the section entitled "non-content requests under FISA", which expressly refers also to "non-content metadata", such as IP addresses).

2.3. Unsuitability of the additional measures adopted by the data controller.

If, following the above assessment, it is found that the legislation and practices of the third country prevent the importer from complying with the obligations under the chosen transfer instrument, as found in the present case, the exporter must take additional measures to ensure a level of protection of personal data substantially equivalent to that envisaged by the Regulation (see Recommendation No. 1/2020, cit., paragraphs 50-57, which set out the criteria for identifying the measures to be adopted).

In this regard, as to the additional measures of a technical, but also contractual and organizational nature, adopted in the present case, it is worth noting the following.

The technical measures consist of data encryption mechanisms, applied during the transfer between systems (in transit) and when the data are stored in the systems (at rest).

In-transit encryption is applied where data is transferred between different systems, services or data centres through networks or infrastructures not controlled by the Company (e.g. wide-area networks).

Encryption at rest, on the other hand, concerns user data stored on disk drives or backup units and is based on data encryption using standard algorithms (generally AES256) applied at various levels, starting from encryption at the hardware level, depending on the type of application and the specific risks. Access to Google LLC data centres is protected by six layers of physical security measures.

In this regard, it should be noted that, taking into account the indications provided by the EDPB in Recommendation no. 1/2020, the aforementioned technical measures are not adequate.

With regard to the data encryption mechanisms highlighted above, they are in fact not sufficient to avoid the risk of access, for national security purposes, by the public authorities of the United States to the data transferred from the European Union, since under the encryption techniques adopted the encryption key remains available to Google LLC, which holds it, as importer, because it needs the data in clear text in order to carry out the processing and provide the services.

It is also worth noting that the obligation to allow access by the US authorities falls on Google LLC not only with reference to the personal data imported, but also with regard to any cryptographic keys necessary to make them intelligible (see also Recommendation 1/2020, cit., par. 81).

From this it follows that, contrary to what the Company maintains (see point d above; cf. also minutes of 28 March 2022, p. 3), as long as the encryption key remains available to the importer, the measures taken cannot be considered adequate (see Recommendation 1/2020, cit., par. 95).

This holds also taking into account certain contractual and organizational measures, consisting specifically of the commitment to:

- verify, in accordance with US law, the legitimacy of each individual request by the public authorities for access to transferred user data, assessing its proportionality, and reject the request if, following a careful assessment, it is concluded that the conditions under the relevant legislation are not met;

- promptly notify the data subject of access requests from US public authorities, unless such communication is prohibited by the relevant legislation, informing the data subject in any case once the above prohibition is lifted;

- publish a "Transparency Report" containing a summary of the requests for access to data received from the US public authorities, to the extent that such publication is permitted by the relevant legislation;

- publish the policy for managing requests by the US public authorities for access to transferred user data.

In this regard, it is noted that, as the EDPB has considered, in the absence of suitable technical measures - a circumstance ascertained in this case - the contractual and organizational measures indicated above cannot, in themselves, reduce or prevent the possibility of access by the US authorities to the data subject to transfer (see Recommendation 1/2020, cit., par. 53).

In light of all the above, therefore, the additional measures adopted in this case cannot be considered adequate, with the consequent unlawfulness, pursuant to art. 44 and art. 46 of the Regulation, of the related transfers of personal data to the United States.

2.4 Accountability of the data controller

The data controller is required to put in place "adequate technical and organizational measures to guarantee, and be able to demonstrate, that the processing is carried out in accordance with the [Regulation]" (so-called accountability principle; see art. 5, par. 2 and art. 24, par. 1 of the Regulation).

It is therefore up to the controller to decide autonomously on the methods, safeguards and limits of the processing of personal data, in compliance with the relevant legislation.

The Regulation, in fact, places strong emphasis on the accountability of the controller, that is, on the adoption of proactive conduct capable of demonstrating the concrete adoption of measures aimed at ensuring the application of the personal data protection rules (see, in particular, art. 24 of the Regulation).

The implementation of the accountability principle with reference to data transfers to third countries places on the controller, as exporter, the responsibility to verify, case by case and, where necessary, in collaboration with the importer in the third country, whether the law or the practice of that country affects the effectiveness of the appropriate safeguards contained in the transfer instruments referred to in Article 46 of the Regulation.

In such cases, the exporter is required to adopt, in application of this principle, additional measures that allow the importer to comply with the obligations under the instrument adopted pursuant to art. 46 of the Regulation; all this in order to ensure that the level of protection of individuals guaranteed by the Regulation is not jeopardized (see Article 44 of the Regulation; see in this regard, Recommendation 1/2020, cit., paragraphs 1-5).

For all the reasons set out above, without prejudice to the unsuitability found in the additional measures adopted in the present case, the arguments made by Fastweb S.p.A. regarding its lack of autonomy with respect to the decisions to be taken on the transfer of data to third countries (see above, paragraph 1, point e) cannot be accepted; this considering that the Company, by reason of the role it holds under the personal data protection rules, is required, as already clarified, to implement, also in the context of cross-border transfers, adequate and effective measures to protect the rights and freedoms of data subjects and to be able to demonstrate their compliance with the Regulation.

In light of the above considerations, in carrying out the conduct described, Fastweb S.p.A. has therefore violated Articles 5, par. 2, and 24, of the Regulation.

2.5. Unsuitability of the information provided pursuant to art. 13 of the Regulation.

With reference to the information that must be provided to the data subject pursuant to art. 13 of the Regulation, it should be noted that the information provided to the complainant on the website www.fastweb.it, at the time of the collection of data concerning him (see note of 13 January 2021, page 14), was not fully compliant with the provisions of art. 13, par. 1, lett. f) of the Regulation.

Indeed, given that personal data must be "processed lawfully, fairly and in a transparent manner in relation to the data subject" (Article 5, paragraph 1, letter a), of the Regulation), the data controller, where a transfer of personal data takes place, has the obligation, in compliance with the principle of transparency, to inform data subjects also of "the fact that the controller intends to transfer personal data to a third country" as well as of "the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available" (Article 13, paragraph 1, letter f), of the Regulation).

In this regard, while taking note that the information provided to users on the website www.fastweb.it has since been updated along the lines indicated above (see the attachment "Cookie policy of the Fastweb portal" to the minutes of March 28, 2022, and see above par. 1, point f), it is noted that the text previously provided by Fastweb S.p.A. to the complainant in this case did not clearly set out all the elements concerning the transfer referred to in art. 13, par. 1, lett. f) of the Regulation.

It follows, therefore, with reference to this model, the violation of art. 5, par. 1, lett. a) and art. 13, par. 1, lett. f), of the Regulation.

3. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2 of the Regulation.

For the aforementioned reasons, the Authority considers that the statements, documentation and reconstructions provided by the data controller during the investigation do not overcome the findings notified by the Office in the act initiating the proceeding and are therefore insufficient to warrant the dismissal of this proceeding, since none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019 applies.

The processing of personal data carried out by the Company is therefore illegal, in the overall terms indicated above, in relation to art. 5, par. 1, lett. a) and par. 2, in art. 13, par. 1, lett. f), in art. 24, and art. 44 and 46, of the Regulation.

Violation of the aforementioned provisions entails the application of the administrative sanctions provided for by art. 83, par. 5, letters a), b) and c), of the Regulation.

In this regard, with reference to the elements to be taken into consideration in order to assess whether to inflict a pecuniary administrative sanction (Article 83, paragraph 2, of the Regulation), it is noted first of all that, in relation to the nature and gravity of the violation, the disputed processing operations did not have particular categories of personal data as their object.

With regard to the subjective element of the offender, it must be considered that Fastweb S.p.A. - given the asymmetry of bargaining power deriving from the primary market position assumed by Google in the sector of web analytics services - has erroneously assumed as suitable, on the basis of the information provided by Google, the additional measures adopted by the latter without exercising any decision-making power on the same.

With regard to the measures adopted by the Company to mitigate the damage suffered by the data subjects, note is also taken of the initiatives undertaken by the data controller, namely the updating of the text of the information notice on the Company's website and the activation of the "IP-Anonymization" option made available by Google (see note of January 13, 2021, page 11 and note of October 18, 2021, pages 19, 20 and 25; see also minutes of March 28, 2022, page 3).

Furthermore, for the purposes of the Authority's assessment, the Company's cooperation in good faith with the Guarantor during the proceeding is relevant.

The nature and gravity of the violation, its negligent character, as well as the additional elements mentioned above, therefore lead to qualifying the case in question as a "minor violation" (see Article 83, paragraph 2, and recital 148 of the Regulation).

It is therefore considered that, in the present case, the data controller must be reprimanded, pursuant to art. 143 of the Code and art. 58, par. 2, lett. b) of the Regulation, for having carried out processing in violation of art. 5, par. 1, lett. a) and par. 2, of art. 13, par. 1, lett. f), of art. 24, and of articles 44 and 46, of the Regulation.

Finally, it is noted that the conditions set out in art. 17 of the Guarantor Regulation n. 1/2019, concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

WHEREAS, THE GUARANTOR:

a) pursuant to art. 57, par. 1, lett. f) of the Regulation, declares the unlawfulness of the processing of personal data of users of the website www.fastweb.it carried out, through Google Analytics, by Fastweb S.p.A., based in Milan, P.I. 12878470157, with regard to the violation of art. 5, par. 1, lett. a) and par. 2, of art. 13, par. 1, lett. f), of art. 24, and of articles 44 and 46, of the Regulation;

b) pursuant to art. 58, par. 2, lett. d), of the Regulation, orders Fastweb S.p.A. to bring the processing of personal data of users of the site www.fastweb.it carried out through Google Analytics into compliance with Chapter V of the Regulation, within ninety days from the notification of this decision, by adopting adequate additional measures;

c) pursuant to art. 58, par. 2, lett. j), of the Regulation, orders the suspension of the flows, to Google LLC based in the United States, of the personal data identified above, should Fastweb S.p.A. fail to comply with point b) of this decision within the deadline set forth therein;

d) pursuant to recital 148 and art. 58, par. 2, lett. b), of the Regulation, reprimands Fastweb S.p.A. for having carried out processing of personal data in violation of art. 5, par. 1, lett. a) and par. 2, of art. 13, par. 1, lett. f), of art. 24, and of articles 44 and 46, of the Regulation;

e) considers that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

Pursuant to art. 157 of the Code, it requests Fastweb S.p.A. to communicate which initiatives have been undertaken in order to implement this decision and, in any case, to provide adequately documented feedback within ninety days from the date of notification of this decision; failure to respond may result in the application of the pecuniary administrative sanction provided for by art. 83, par. 5, lett. e) of the Regulation.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree No. 150 of 1 September 2011, this decision may be appealed before the ordinary judicial authority, on pain of inadmissibility, within thirty days from the date of its communication, or within sixty days if the applicant resides abroad.

Rome, 21 July 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE SECRETARY GENERAL
Mattei

[doc. web n. 9808698]

Provision of 21 July 2022

Record of measures
n. 254 of 21 July 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (hereinafter, the "Regulation");

GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, No. 196, as amended by Legislative Decree 10 August 2018, No. 101, hereinafter the "Code");

GIVEN the complaint of 18 August 2020 submitted pursuant to art. 77 of the Regulation by Mr. XX against Fastweb S.p.A.;

EXAMINED the documentation on file;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

Rapporteur Prof. Ginevra Cerrina Feroni;

WHEREAS

1. The complaint against the company and the preliminary investigation.

With a complaint submitted on 18 August 2020, Mr. XX complained that Fastweb S.p.A. (hereinafter also "the Company") had transferred to Google LLC, based in the United States, the personal data concerning him processed through the website www.fastweb.it, in the absence of the safeguards provided for by Chapter V of the Regulation.

As part of the investigation initiated by the Guarantor, the Office, with notes dated November 16, 2020 and July 20, 2021, asked the Company to provide information and clarifications on the facts of the complaint.

With the communications of January 13, 2021 and October 18, 2021, in responding to the requests of the Office, Fastweb S.p.A. stated the following:

- the processing of personal data of users of the website www.fastweb.it is carried out by the Company through Google Analytics 360, a tool which, through cookies transmitted to the user's browser, collects information on how users of the site interact with the individual pages and with the services offered. Google Analytics 360 "has the purpose of analyzing statistically and in an aggregate manner - not, therefore, for individual users - what happens while browsing the site, also in order to improve its promotional effectiveness. (..) The analyzes on the aforementioned aspects are (..) then provided to Fastweb in the form of an aggregate statistical output on the Google Analytics 360 viewing platform, which does not allow to trace the individual user and [to] the specific underlying information" (see note dated January 13, 2021, page 2);

- the data being processed consists of the identifier of the cookie downloaded to the user's browser, the IP address and the type of device used (see note of 13 January 2021, page 17). In addition to the default variables sent to Google's servers, the Company transmits additional information of a personalized type (custom), based on reporting needs, "in addition, in fact, to the standard ones performed by Google Analytics 360" (see note of October 18, 2021, page 7). With particular reference to the IP address, starting from 23 December 2020, it was "forcibly anonymized by Fastweb", following the procedure made available by Google for this purpose. The function, called IP-Anonymization, "corresponds to the deletion of the last byte of the IPv4 address - and/or of the last 80 bits of the IPv6 address - of the user". The aforementioned operation is carried out "by Google itself in the intermediate moment between the receipt of the data and the storage of the pseudonymised data on Google's storage systems". In addition, "the client's IP address is always and in full transmitted to Google not obscured directly by the user's browser. The information in question - as far as is known - is then server side subject to pseudonymization 'as soon as it is technically possible' if the manager has set up this functionality" (see note of 13 January 2021, page 11 and note of 18 October 2021, pages 19 and 20);

- as regards the aforementioned procedure, Fastweb S.p.A. also stated that "it does not have (..) the exact information if this activity is carried out by Google Ireland Limited or by Google LLC or if this occurs before or not the transfer of data to countries outside the EU since this detail is not disclosed by Google" (see note of 18 October 2021, page 20);

- with regard to the possibility that the pseudonymised data can be associated with additional information that allows the attribution of the same to an identified or identifiable natural person, the Company stated that "it is not possible to exclude that the pseudonymised data may be associated with further data in possession of Google LLC in order to proceed with the subsequent identification of the interested parties" (see note of 18 October 2021, page 23);

- in relation to the overall processing outlined above, the Company, on 16 August 2020, through the reseller iProspect S.r.l., signed the "Google Analytics Terms of Service" with Google Ireland Limited and, on the basis of the "Google Ads Data Processing Terms" (see Article 7 of the aforementioned contractual conditions), "has provided [as data controller] to appoint Google Ireland Limited as processor (...), which in turn has appointed Google LLC as its sub-processor" (note of January 13, 2021, page 31 and note of October 18, 2021, pages 2-4);

- the transfer of data is governed by art. 10 of the "Google Ads Data Processing Terms" and is therefore put in place through the adoption by Fastweb S.p.A., as exporter, of the "Model contract clauses" identified pursuant to art. 46 of the Regulation (see Google Ads Data Processing Terms, art. 2.1); on the basis of the latter, the Company agrees that Google Ireland Limited, in its capacity as processor, may have recourse to the affiliated companies of Google, as sub-processors, including Google LLC established in the United States (see note of 13 January 2021, page 20 and note of October 18, 2021, pages 4 and 24);

- the aforementioned clauses have been supplemented by the additional measures adopted by Google (as reported by the Company in the note dated 13 January 2021, pp. 22-30). In this regard Fastweb S.p.A. stated that they are adequate since they are "substantially in line with the guidelines" contained in Recommendation no. 1/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, adopted by the European Data Protection Board (hereinafter "EDPB") on June 18, 2021 (see note of 18 October 2021, pages 21 and 22). The Company therefore came "to the conclusion that it is not necessary [to implement] further guarantees pursuant to Chapter V in light of the information provided by Google regarding the management of personal data and the assessment of the level of adequacy of such transfers, taking into account the circumstances of the transfer and of the technical and organizational measures adopted by Google" (see confirmation note of January 13, 2021, page 30);

- specifically, with reference to the technical measure defined "Encryption", the Company also specified that "the encryption keys, both for the at rest and in transit part, are under the control of Google. In particular, the at rest encryption keys, given the storage management by Google LLC, are under the control of the US entity" (see acknowledgment note of 18 October 2021, page 23);

- with regard to the information that the Company has provided to Mr. XX pursuant to art. 13 of the Regulation, it is contained in the "cookie policy shown at the time of opening the website www.fastweb.it (..), which refers in terms of heterointegration to the Google information regarding the analytics service"; while as regards the updates to be made to the information following the ruling of the Court of Justice of the European Union of 16 July 2020, no. C-311/18, the "changes were made directly by Google after its evaluations" (see note of 13 January 2021, page 14 and note of 18 October 2021, page 25 and Annex 8).

With regard to the matters represented by the Company, further observations were also acquired from the complainant, transmitted with a note dated 21 February 2021.

On December 22, 2021, the Office notified, pursuant to art. 166, paragraph 5, of the Code, the alleged violations of the Regulation found with reference to art. 5, par. 1, lett. a), and par. 2, of the Regulations and art. 13 of the Regulation, as well as art. 44 and 46, of the Regulation.

On 21 February 2022 Fastweb S.p.A. sent its defence briefs, in which it represented that:

a) with regard to the nature of the data, the information being transferred "also as a result of the measures adopted by the owner [are] not qualifiable as personal data pursuant to art 4 c. 1 GDPR"; this is because "the IP address presumably used in a connection made by a residential user, normally, does not allow the identification of a single browsing session referable to a single user, but rather to a multitude of users" (see note of 21 February 2022, pp. 3-4);

b) regarding the IP-Anonymization function, following its activation "the IP address in its entirety is not permanently stored at any time since the truncation takes place entirely in the volatile memory of Google's servers, almost instantaneously after the connection has been initiated by the user". Indeed, "the time elapsing between the receipt of the IP address and its truncation can be quantified in the measure of thousandths of a second. Basically, the pseudonymisation of the IP takes place within a maximum of 500 microseconds ~ 50% of the time and within 1 millisecond 99% of the time, depending on the timely load of the server that performs the operation." (see note of February 21, 2022, page 5);

c) in relation to the elements on the basis of which Fastweb S.p.A. carried out its own assessment of the suitability of the instrument chosen for the transfer and of the additional measures to be adopted in the case in question, the Company took into account the fact that "the data transferred are of a very limited nature in terms of quality and quantity", thus making "very difficult (..) concrete identification [of the user]"; this also considering that following the activation, in the case in question, of IP-Anonymization "the possibility for anyone to identify the applicant on the basis of the truncated IP address is even more reduced, if at all" (see note of 21 February 2022, p. 13). It also highlighted that "data such as IP address - however pseudonymised - and unique identifier of the device" cannot be considered "useful and of interest for surveillance by US intelligence" as the "surveillance objective set by the Section 702 (..) is limited to foreign intelligence information only" (see note of February 21, 2022, page 14). In support of this, the Company also reported what was declared by Google in a blog post of January 19, 2022 (available at https://blog.google/around-the-globe/google-europe/its-time-for-a-new-eu-us-data-transfer-framework/), namely that "in the 15 years of operation of the service, a request for access to Analytics data has never been made by the US intelligence" (note of February 21, 2022, page 8);

d) with reference to the supplementary measures, those implemented in the case in question must be considered adequate as they “fall within those explicitly recommended as supplementary measures in Annex 2 of Recommendation no. 1/2020 "(see note of 21 February 2021, pages 13-14);

e) as regards the level of autonomy of Fastweb S.p.A. with regard to the choices relating to data transfers to third countries, the Company reiterated that, due to the monopoly position held by Google in the market, there is in fact "the impossibility for the Company to request and obtain detailed information or technical checks" with regard to the Google Analytics tool, as well as to "make changes or corrections of any kind to the product, beyond the caution already adopted to activate the IP address masking function" (see note of 21 February 2022, pp. 8-9);

f) regarding the inadequacy of the information pursuant to art. 13 of the Regulations, the same was updated by the Company according to the indications provided by the Authority in the notification of violation sent pursuant to art. 166, paragraph 5 of the Code (see note of 21 February 2022, page 10).

On March 28, 2022, during the hearing requested by the Company, the latter, in fully recalling the aforementioned briefs, also represented that:

- with regard to the additional measures of a technical nature adopted in this case, Google Analytics, as a web analytics tool, "cannot ignore the identification of the device, browser and site visited, thus making it impossible to adopt encryption at rest with encryption keys managed by the controller (measure suggested by the EDPB in Recommendation no. 1/2020), except to greatly reduce if not directly cancel the analysis functions of the platform itself" (see minutes of 28 March 2022, p. 3);

- the Company "has concretely evaluated the possibility of using alternative tools to Google Analytics, identifying possible substitutes", highlighting at the same time that "the solutions identified are in any case not able to guarantee Fastweb S.p.A. the same services and conditions of service" (see minutes of 28 March 2022, page 3).

2. Observations on the legislation on the protection of personal data and ascertained violations.

First of all, it is represented that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false acts or documents, is liable pursuant to art. 168 of the Code "Falsehood in declarations to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor".

That said, on the outcome of the investigation and the examination of the documentation acquired during it, it was ascertained that the transfers made by Fastweb S.p.A. to Google LLC (based in the United States) through the Google Analytics tool (hereinafter also "GA") were carried out in violation of Articles 44 and 46 of the Regulation; violations of art. 5, par. 1, lett. a) and par. 2, of art. 13, par. 1, lett. f), and of art. 24 of the Regulation were also found, as explained below.

2.1 The transfers of personal data to the United States made through Google Analytics.

Google Analytics is a web analytics tool provided by Google to website managers that allows them to analyze detailed user statistics in order to optimize the services rendered and to monitor their marketing campaigns.

For statistical purposes, i.e. to obtain aggregate information on user activity within its website, Fastweb S.p.A. uses GA in its paid version (called Google Analytics 360). The Company acts as data controller and designates Google Ireland Limited as processor, pursuant to art. 28 of the Regulation, on the basis of the "Google Analytics Terms of Service" and the "Google Ads Data Processing Terms". The latter, pursuant to the aforementioned terms of service, may use other entities as sub-processors, including Google LLC based in the United States.

With regard to the processing carried out through GA, it was found that Fastweb S.p.A. collects, by means of cookies sent to users' browsers, information on how users interact with the website, with its individual pages and with the services offered.

More specifically, the data collected consist of: unique online identifiers that allow identification both of the browser or device of the user visiting the website and of the site operator itself (through the Google account ID); the address and name of the website and navigation data; information relating to so-called custom variables; the IP address of the device used by the user; information on the browser, the operating system, the screen resolution and the selected language, as well as the date and time of the visit to the website.

In this regard, it should be noted, contrary to what the Company argues on this point (see paragraph 1, point a) above), that the IP address constitutes personal data insofar as it allows the identification of an electronic communication device and thereby makes the data subject indirectly identifiable as a user (see Article 29 Working Party, WP 136, Opinion 4/2007 on the concept of personal data, of 20 June 2007, page 16). This applies all the more where, as in the present case, the IP address is associated with other information on the browser used and the date and time of navigation (see recital 30 of the Regulation).

In addition, if the visitor to the website is logged in to a Google account, a circumstance which, moreover, occurs in the case under examination and may be numerically very significant, and has selected certain options in that account (for example the option relating to the receipt of personalised advertising), the data indicated above may be associated with other information held in that account, such as the email address (which constitutes the user ID), the telephone number and any further personal data, including gender, date of birth or the user's profile picture.

It remains the case, however, that, regardless of access to a Google account, the IP address can in any event, above all, as already explained, when associated with other information on the browser used and the date and time of navigation, identify an electronic communication device and therefore, indirectly, the user.

Within the GA service, Google has also made available to website operators an option called "IP-Anonymization", whereby the user's IP address is sent to Google Analytics after its least significant octet has been masked (so that, for example, all addresses from 122.48.54.0 to 122.48.54.255 are replaced by 122.48.54.0). In the present case, the Company stated that this option had been activated from 23 December 2020 (see note of 13 January 2021, page 11, and note of 18 October 2021, page 19).

On this point, it emerged first of all that this operation is as a rule carried out on Google LLC's servers but that, for data collected in the European Union, it is performed on systems located there, except in exceptional cases. With regard to those exceptional cases, however, insufficient information was found as to what they are and how likely it is that the IP address will be processed in the United States. More generally, therefore, it does not appear possible to establish with certainty where the truncation of the least significant octet actually takes place (i.e. on Google's systems located in the European Union or in the United States). It therefore cannot be ruled out a priori that the full IP address is transmitted to Google LLC's systems before truncation, with the risk that it may be accessed by public authorities.

Secondly, as to the effectiveness of the "IP-Anonymization" measure, it should be noted that it in fact amounts to a pseudonymisation of the data relating to the user's network address: contrary to what the Company argues (see paragraph 1, point b) above), truncating the last octet does not prevent Google LLC from re-identifying the user, given the information relating to web users that it holds as a whole. Furthermore, where the data subject is logged in to a Google profile, Google LLC can associate the IP address, as already highlighted, with further information already in its possession (such as the information in the user account). Therefore, notwithstanding the activation of "IP-Anonymization", Google is considered still able to identify a user directly (if logged in to an account), or through the IP address received before the "IP-Anonymization" operation, or again through re-identification based on the IP address without its last octet combined with the other information in its possession.
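The masking step described above, and the reason the decision treats its output as a pseudonym rather than anonymous data, can be made concrete in a few lines. The following is an added illustration and not code from the decision or from Google: the IPv4 rule (zero the last octet) follows the text, the IPv6 rule (zero the last 80 bits) is assumed from Google's public documentation, and every hit, session record and account name below is constructed for the example.

```python
"""IP masking as used by Google Analytics "IP-Anonymization", and why the masked
address stays a pseudonym once the other fields of a hit are considered.
Added illustration: the IPv4 rule follows the decision, the IPv6 rule (zero the
last 80 bits) is assumed from Google's documentation, all records are constructed."""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta


def mask_ip(ip: str) -> str:
    """Zero the host part of the address: /24 for IPv4, /48 for IPv6 (assumed rule)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def candidates_after_masking(masked: str) -> int:
    """Number of real addresses that collapse onto one masked value (256 for IPv4)."""
    bits = 8 if ipaddress.ip_address(masked).version == 4 else 80
    return 2 ** bits


def quasi_identifier(rec: dict) -> tuple:
    """Fields the decision lists as travelling with every hit besides the IP:
    masked address, browser, screen resolution and language."""
    return (mask_ip(rec["ip"]), rec["user_agent"], rec["screen"], rec["lang"])


def k_anonymity(hits: list) -> dict:
    """For each hit, the size of the group of hits sharing its quasi-identifier.
    k == 1 means the hit is unique: masking the octet hid nothing about that visitor."""
    groups = Counter(quasi_identifier(h) for h in hits)
    return {h["hit_id"]: groups[quasi_identifier(h)] for h in hits}


def link_to_known_sessions(hit: dict, known: list,
                           window: timedelta = timedelta(minutes=10)) -> list:
    """Re-identification as an importer holding other records could attempt it:
    join the masked hit to sessions with the same quasi-identifier seen within
    `window`, and return the account identifiers attached to those sessions."""
    qi = quasi_identifier(hit)
    return sorted({s["account"] for s in known
                   if quasi_identifier(s) == qi and abs(s["ts"] - hit["ts"]) <= window})


T0 = datetime(2021, 3, 1, 9, 0)

# Constructed GA hits from one /24, as the website would send them.
HITS = [
    {"hit_id": 1, "ip": "122.48.54.140", "user_agent": "Firefox/86.0", "screen": "1920x1080", "lang": "it-IT", "ts": T0},
    {"hit_id": 2, "ip": "122.48.54.201", "user_agent": "Firefox/86.0", "screen": "1920x1080", "lang": "it-IT", "ts": T0 + timedelta(minutes=3)},
    {"hit_id": 3, "ip": "122.48.54.66", "user_agent": "Chrome/89.0", "screen": "1366x768", "lang": "it-IT", "ts": T0 + timedelta(minutes=1)},
    {"hit_id": 4, "ip": "122.48.54.9", "user_agent": "Safari/14.0", "screen": "2560x1600", "lang": "en-GB", "ts": T0 + timedelta(minutes=5)},
]

# Constructed records the importer already holds from logged-in sessions elsewhere
# (full IP, the same browser fields, and the account the session belonged to).
KNOWN_SESSIONS = [
    {"ip": "122.48.54.66", "user_agent": "Chrome/89.0", "screen": "1366x768", "lang": "it-IT", "ts": T0 + timedelta(minutes=2), "account": "user-a@example.com"},
    {"ip": "122.48.54.9", "user_agent": "Safari/14.0", "screen": "2560x1600", "lang": "en-GB", "ts": T0 - timedelta(hours=3), "account": "user-b@example.com"},
    {"ip": "122.48.54.140", "user_agent": "Firefox/86.0", "screen": "1920x1080", "lang": "it-IT", "ts": T0 + timedelta(minutes=1), "account": "user-c@example.com"},
]

if __name__ == "__main__":
    print(mask_ip("122.48.54.201"), candidates_after_masking("122.48.54.0"))
    print(k_anonymity(HITS))
    for h in HITS:
        print(h["hit_id"], link_to_known_sessions(h, KNOWN_SESSIONS))
```

The masked address on its own still leaves only 256 candidates within the /24. Once the browser, screen and language fields that the decision lists are added, hits 3 and 4 become unique (k = 1), and hit 3 can be joined to an account-bearing session the importer already holds. Hit 4 escapes only because no matching session falls inside the time window, which depends on what the importer holds, not on the masking itself; that is the sense in which the measure is a pseudonymisation whose strength is outside the exporter's control.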

Considering therefore, for all the reasons set out above, that the use of GA by website operators such as Fastweb S.p.A. involves the transfer of the personal data of visitors to those sites to Google LLC, based in the United States, and that these are transfers to a third country (the United States) that does not guarantee an adequate level of protection under data protection legislation, such transfers must be carried out in compliance with Chapter V of the Regulation.

2.2 The unlawfulness of the transfers following judgment C-311/18 of 16 July 2020, so-called Schrems II.

It is recalled that the Court of Justice of the European Union, in judgment C-311/18 of 16 July 2020 (so-called Schrems II), in declaring invalid Commission Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-US Privacy Shield, found that United States domestic law (in particular Executive Order 12333 and Section 702 of the Foreign Intelligence Surveillance Act, hereinafter "FISA 702") provides for exceptions to data protection rules that go beyond the restrictions considered necessary in a democratic society. This refers in particular to the provisions that allow public authorities, within certain national security programmes, to access the personal data transferred without adequate limitations, and to the failure to provide data subjects with rights enforceable before the courts.

In the same judgment, the Court also confirmed the validity of Commission Decision 2010/87/EC of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries, the clauses adopted by Fastweb S.p.A. in the present case.

At the same time, it pointed out that, on the basis of the accountability principle, controllers acting as exporters are in any event required to verify, on a case-by-case basis and, where necessary, in cooperation with the importer in the third country, whether the law or practice of that country affects the effectiveness of the appropriate safeguards contained in those clauses, in order to determine whether the safeguards provided by the standard contractual clauses can be complied with in practice (Article 5, paragraph 2, and Article 24; see also Recommendation No. 1/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, of 18 June 2021, paragraphs 1-5).

In general terms, it is therefore necessary to assess in concrete terms, i.e. on the basis of the circumstances of the transfer, whether the tool chosen by the exporter among those identified in art. 46 of the Regulation is effective in the specific case.

This examination, as noted by the European Data Protection Board (hereinafter "EDPB"; see Recommendation No. 1/2020, cit., p. 4), must "focus first on the legislation of the third country [and on the applicable practices] relevant to the transfer [as well as] on the transfer tool [identified] pursuant to Article 46 of the GDPR", in order to verify that such legislation and practices do not in fact prevent the importer from complying with the obligations under the tool used.

More specifically, the above assessment "involves determining whether or not the transfer in question falls within the scope of [the legislation in question]". It must "be based on objective factors, regardless of the likelihood of access to personal data" (see EDPB-EDPS Joint Opinion 2/2021 on the European Commission's Implementing Decision on standard contractual clauses for the transfer of personal data to third countries, adopted on 14 January 2021, par. 86).

For this purpose, the characteristics of the specific transfer are relevant, such as: its purposes, the nature of the entities involved, the sector in which the transfer takes place, the categories of personal data transferred, whether the data are stored in the third country or only accessed remotely from there, the format of the data to be transferred and any onward transfers (see Recommendation No. 1/2020, cit., par. 33).

The assessment required of the exporter must therefore focus on the legislation and practices applicable, in the third country, to the data actually transferred, and involve verifying "whether or not the public authorities of the third country (...) may attempt to access the data" as well as "whether or not the public authorities of the third country (...) are able to access the data through the importer itself or through telecommunications providers or communication channels" (see Recommendation No. 1/2020, cit., par. 31).

That such access by the US authorities is possible is, moreover, confirmed by the "Transparency report on United States national security requests for user information" that Google publishes on its website (available at https://transparencyreport.google.com/user-data/us-national-security?hl=en), which contains figures on the requests for access received by Google from the US authorities under FISA 702.

That said, with reference to the Company's arguments on these points in its defence briefs, it should be noted that:

- as regards the assessment of the suitability of the additional measures adopted in the present case (see paragraph 1, point c) above), the Company based its assessment on the limited ability to identify users given the nature and quantity of the data collected, a circumstance which, as highlighted above (see par. 2.1), does not apply to the processing carried out through GA. The Company also argued that the possibility of access by the US authorities is "a probabilistic event whose occurrence is entirely uncertain and statistically negligible" (see note of 21 February 2022, page 8). On this point, it is reiterated that the Court, in the aforementioned judgment, did not refer to "any subjective factor, such as, for example, the likelihood of access" to the personal data transferred (see EDPB-EDPS Joint Opinion 2/2021, cit., par. 87);

- as regards the limits put forward by the Company on the type of data that can be accessed under FISA 702 (see paragraph 1, point c) above), the IP address is also among the information of interest to the US authorities, together with other metadata; this emerges from the "Transparency report on United States national security requests for user information" published by Google on its website (see in particular the description in the section entitled "non-content requests under FISA", which expressly refers to "non-content metadata" such as IP addresses).

2.3. Unsuitability of the additional measures adopted by the controller.

If, following the above assessment, it is found that the legislation and practices of the third country prevent the importer from complying with its obligations under the chosen transfer tool, as found in the present case, the exporter must adopt additional measures to ensure a level of protection of personal data essentially equivalent to that guaranteed by the Regulation (see Recommendation No. 1/2020, cit., paragraphs 50-57, which set out the criteria for identifying the measures to be adopted).

In this regard, with respect to the additional measures of a technical, but also contractual and organisational, nature adopted in the present case, the following should be noted.

The technical measures consist in the adoption of data encryption mechanisms, both during transfer between systems (in transit) and when the data are stored in the systems (at rest).

In-transit encryption is applied where data are transferred between different systems, services or data centres over networks or infrastructure not controlled by the Company (e.g. wide area networks).

At-rest encryption, on the other hand, concerns user data stored on disk drives or backup units and is based on encryption of the data with standard algorithms (generally AES-256), applied at several levels starting from hardware-level encryption, depending on the type of application and the specific risks. Access to Google LLC's data centres is protected by six levels of physical security measures.

In this regard, it should be noted that, taking into account the guidance provided by the EDPB in Recommendation No. 1/2020, the technical measures described above are not adequate.

The data encryption mechanisms highlighted above are in fact not sufficient to prevent the risk of access, for national security purposes, by the public authorities of the United States to the data transferred from the European Union, since under the encryption techniques adopted the encryption key is available to Google LLC, which holds it, as importer, because it needs the data in clear text in order to carry out the processing and provide the services.

It should also be noted that Google LLC's obligation to allow access by the US authorities covers not only the personal data imported but also any cryptographic keys needed to make them intelligible (see also Recommendation 1/2020, cit., par. 81).

It follows that, contrary to what the Company maintains (see point d) above; see also minutes of 28 March 2022, p. 3), as long as the encryption key remains available to the importer, the measures adopted cannot be considered adequate (see Recommendation 1/2020, cit., par. 95).

This also takes into account certain contractual and organisational measures, consisting specifically of the commitment to:

verify, under US law, the lawfulness of each individual request by public authorities for access to the user data transferred, assessing its proportionality, and refuse the request if, following careful assessment, it is concluded that the conditions under the relevant legislation are not met;

promptly notify the data subject of access requests from US public authorities, unless such notification is prohibited by the relevant legislation, and in any case inform the data subject once that prohibition is lifted;

publish a "Transparency Report" summarising the requests for access to data received from US public authorities, to the extent that such publication is permitted by the relevant legislation;

publish the policy for handling requests by US public authorities for access to the user data transferred.

In this regard, it is noted that, as the EDPB has observed, in the absence of suitable technical measures, a circumstance established in the present case, the contractual and organisational measures listed above cannot, by themselves, reduce or prevent the possibility of access to the transferred data by the US authorities (see Recommendation 1/2020, cit., par. 53).

In light of all the above, the additional measures adopted in the present case cannot be considered adequate, and the related transfers of personal data to the United States are consequently unlawful under art. 44 and art. 46 of the Regulation.

2.4 Accountability of the controller

The controller is required to implement "appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with [the Regulation]" (so-called accountability principle; see art. 5, par. 2 and art. 24, par. 1 of the Regulation).

It is therefore up to the controller to decide autonomously the methods, safeguards and limits of the processing of personal data in compliance with the relevant legislation.

The Regulation in fact places strong emphasis on the "accountability" of the controller, i.e. on the adoption of proactive conduct capable of demonstrating the concrete adoption of measures aimed at ensuring the application of personal data protection rules (see, in particular, art. 24 of the Regulation).

The implementation of the accountability principle with reference to data transfers to third countries places on the controller, as exporter, the responsibility to verify, case by case and, where necessary, in cooperation with the importer in the third country, whether the law or practice of that country affects the effectiveness of the appropriate safeguards contained in the transfer tools referred to in Article 46 of the Regulation.

In such cases, the exporter is required, in application of this principle, to adopt additional measures that enable the importer to comply with the obligations under the tool adopted pursuant to art. 46 of the Regulation, so as to ensure that the level of protection of natural persons guaranteed by the Regulation is not undermined (see Article 44 of the Regulation; see in this regard Recommendation 1/2020, cit., paragraphs 1-5).

For all the reasons set out above, and without prejudice to the unsuitability of the additional measures adopted in the present case, the arguments made by Fastweb S.p.A. regarding its lack of autonomy with respect to decisions on the transfer of data to third countries (see paragraph 1, point e) above) cannot be accepted, given that the Company, by reason of the role it holds under personal data protection rules, is required, as already clarified, to implement adequate and effective measures to protect the rights and freedoms of data subjects, also in the context of cross-border transfers, and to be able to demonstrate their compliance with the Regulation.

In light of the above, by engaging in the conduct described, Fastweb S.p.A. has therefore violated Articles 5, par. 2, and 24 of the Regulation.

2.5. Unsuitability of the information provided pursuant to art. 13 of the Regulation.

With reference to the information that must be provided to the data subject pursuant to art. 13 of the Regulation, it should be noted that the information provided to the complainant on the website www.fastweb.it at the time his data were collected (see note of 13 January 2021, page 14) was not fully compliant with art. 13, par. 1, lett. f) of the Regulation.

Indeed, given that personal data must be "processed lawfully, fairly and in a transparent manner in relation to the data subject" (Article 5, paragraph 1, letter a) of the Regulation), where a transfer of personal data takes place the controller is obliged, in compliance with the principle of transparency, to inform data subjects also of "the fact that the controller intends to transfer personal data to a third country" and of "the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available" (Article 13, paragraph 1, lett. f) of the Regulation).

In this regard, while taking note of the update of the information provided to users on the website www.fastweb.it (see attachment "Cookie policy of the Fastweb portal" to the minutes of 28 March 2022, and paragraph 1, point f) above), it is noted that the text previously provided by Fastweb S.p.A. to the complainant in the present case did not clearly set out all the elements referred to in art. 13, par. 1, lett. f) of the Regulation concerning the transfer.

It follows, with reference to that text, that art. 5, par. 1, lett. a) and art. 13, par. 1, lett. f) of the Regulation were violated.

3. Conclusions: declaration of unlawfulness of the processing. Corrective measures pursuant to art. 58, par. 2 of the Regulation.

For the reasons set out above, the Authority considers that the statements, documentation and reconstructions provided by the controller during the investigation do not overcome the findings notified by the Office in the act initiating the proceedings, and that they are therefore not such as to warrant the dismissal of these proceedings, since none of the cases provided for by art. 11 of Garante Regulation no. 1/2019 applies.

The processing of personal data carried out by the Company is therefore unlawful, in the overall terms indicated above, in relation to art. 5, par. 1, lett. a) and par. 2, art. 13, par. 1, lett. f), art. 24, and arts. 44 and 46 of the Regulation.

Violation of the above provisions entails the application of the administrative fines provided for by art. 83, par. 5, letters a), b) and c) of the Regulation.

In this regard, with reference to the elements to be taken into account in assessing whether to impose an administrative fine (Article 83, paragraph 2, of the Regulation), it is noted first of all that, as regards the nature and gravity of the violation, the processing operations at issue did not concern special categories of personal data.

As regards the subjective element, it must be considered that Fastweb S.p.A., given the asymmetry of bargaining power resulting from Google's leading market position in the web analytics sector, wrongly assumed, on the basis of the information provided by Google, that the additional measures adopted by Google were suitable, without exercising any decision-making power over them.

As regards the measures adopted by the Company to mitigate the damage suffered by data subjects, note is also taken of the initiatives undertaken by the controller, namely updating the text of the information on the Company's website and activating the "IP-Anonymization" option made available by Google (see note of 13 January 2021, page 11, and note of 18 October 2021, pages 19, 20 and 25; see also minutes of 28 March 2022, page 3).

Furthermore, for the purposes of the Authority's assessment, the Company's loyal cooperation with the Garante during the proceedings is also relevant.

The nature and gravity of the violation, its negligent character and the further elements mentioned above therefore lead to the present case being qualified as a "minor violation" (see Article 83, paragraph 2, and recital 148 of the Regulation).

It is therefore considered necessary, in the present case, to reprimand the controller, pursuant to art. 143 of the Code and art. 58, par. 2, lett. b) of the Regulation, for having carried out processing in violation of art. 5, par. 1, lett. a) and par. 2, art. 13, par. 1, lett. f), art. 24, and arts. 44 and 46 of the Regulation.

Finally, the conditions set out in art. 17 of Garante Regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers entrusted to the Garante, are found to be met.

ON THESE GROUNDS, THE GARANTE:

a) pursuant to art. 57, par. 1, lett. f) of the Regulation, declares unlawful the processing of personal data of users of the website www.fastweb.it carried out, through Google Analytics, by Fastweb S.p.A., based in Milan, VAT no. 12878470157, in violation of articles 5, par. 1, lett. a) and par. 2, 13, par. 1, lett. f), 24, 44 and 46 of the Regulation;

b) pursuant to art. 58, par. 2, lett. d) of the Regulation, orders Fastweb S.p.A. to bring the processing of personal data of users of the website www.fastweb.it carried out through Google Analytics into compliance with Chapter V of the Regulation, within ninety days of notification of this decision, by adopting adequate additional measures;

c) pursuant to art. 58, par. 2, lett. j) of the Regulation, orders the suspension of the flows of the personal data identified above to Google LLC, based in the United States, should Fastweb S.p.A. fail to comply with point b) of this operative part within the deadline set therein;

d) pursuant to recital 148 and art. 58, par. 2, lett. b) of the Regulation, reprimands Fastweb S.p.A. for having processed personal data in violation of art. 5, par. 1, lett. a) and par. 2, art. 13, par. 1, lett. f), art. 24, and arts. 44 and 46 of the Regulation;

e) finds that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers entrusted to the Garante, are met.

Pursuant to art. 157 of the Code, it requests Fastweb S.p.A. to communicate the initiatives taken to implement this decision and in any case to provide adequately documented feedback, within ninety days of the date of notification of this decision; failure to respond may result in the administrative fine provided for by art. 83, par. 5, lett. e) of the Regulation.

Pursuant to art. 78 of the Regulation, art. 152 of the Code and art. 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this decision may be lodged before the ordinary judicial authority, on pain of inadmissibility, within thirty days of the date of communication of the decision, or within sixty days if the applicant resides abroad.

Rome, 21 July 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE SECRETARY GENERAL
Mattei