Garante per la protezione dei dati personali (Italy) - 9782890
|Garante per la protezione dei dati personali - 9782890|
|Authority:||Garante per la protezione dei dati personali (Italy)|
|Relevant Law:||Article 5(1)(a) GDPR|
Article 5(2) GDPR
Article 13(1)(f) GDPR
Article 24 GDPR
Article 44 GDPR
Article 46 GDPR
|National Case Number/Name:||9782890|
|European Case Law Identifier:||n/a|
|Original Source:||GPDP (in IT)|
Italy's DPA reprimanded a website operator for failing to provide appropriate safeguards for the transfer of personal data to the US through Google Analytics, ordering it to comply with Article 46 GDPR or suspend data transfers to Google LLC.
English Summary[edit | edit source]
Facts[edit | edit source]
Following the Schrems II decision, the data subject, represented by noyb – European Center for Digital Rights, complained to the Italian DPA that the controller was sending his personal data to the US without appropriate safeguards required by Article 46 GDPR.
The transfers took place through the use of the Google Analytics web service. The controller operated a news website that used Google Analytics to collect statistcal data on the use of its services. Google Analytics cookies collected data on users' IP address, browser or device, operating system, screen resolution, selected language, date and time of access, and interaction with the website. For users who logged in with their Google account, this information could be associated with other identifiers like email adress, telephone number, gender, date of birth, and profile picture.
Google LLC (based in the US), and later Google Ireland, were responsible for processing the collected information; even after the Google Analytics terms of service were changed to list Google Ireland as processor, Google LLC was still designated as a sub-processor. In response to the DPA's investigation, Google claimed it had adopted technical measures sufficient to safeguard data subjects' rights under the GDPR. These measures consisted of encryption (for which Google LLC held a copy of the encryption key) and a service called "IP-Anonymisation," wherein Google truncated users' IP addresses to hamper identification. This process, however, was actually a form of pseudoanonymisation, because the truncated IP address could be used in combination with the other collected data to re-identify natural persons.
Both Google and the controller also offered that, taking into account the nature of the data and the context in which it was collected, the likelihood of actually being forced to disclose this data to the US government was exceedingly low. This attenuated risk, they argued, meant that less stringent safeguards were sufficient to protect data subjects' rights under the GDPR (the so-called "risk-based approach"). Google claimed that in over 15 years of providing its Google Analytics service, it had never received an access request like the one contemplated in the data subject's complaint.
For its part, the controller deemed the technical measures implemented by Google sufficient. However, the controller also lacked the technical means to verify the implementation of these measures, nor did it have any authority to decide what measures were appropriate or to dictate to Google choices regarding data transfers to third countries.
Holding[edit | edit source]
The DPA declared unlawful any processing carried out by the controller through the use of Google Analytics. It also clarified that, regardless of any asymmetry in bargaining power or technical resources, the controller is responsible for ensuring that processing is lawful per Articles 5(2) and 24 GDPR (the accountability principle). The controller must decide independently on the methods, guarantees, and limits of processing.
Regarding data transfers to a third country, the DPA rejected the risk-based approach, finding the controller in violation of Articles 44 and 46 GDPR. The low probability of an access request from US authorities did not relieve the controller of its responsibility to guarantee on a case-by-case basis that transfers of personal data to a third country had adequate safeguards. Encryption was an insufficient technical safeguard because Google LLC remained in possession of the relevant encryption key. US authorities could simply compel Google LLC to turn over this key along with the encrypted data.
For these violations, the DPA reprimanded the controller and ordered it to comply with the GDPR (specifically Article 46 GDPR) within 90 days or suspend the transfer of data through Google Analytics.
Comment[edit | edit source]
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.