Garante per la protezione dei dati personali (Italy) - 9782890

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 13(1)(f) GDPR
Article 24 GDPR
Article 44 GDPR
Article 46 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 09.06.2022
Published: 27.06.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 9782890
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: MW

Italy's DPA reprimanded a website operator for failing to provide appropriate safeguards for the transfer of personal data to the US through Google Analytics, ordering it to comply with Article 46 GDPR or suspend data transfers to Google LLC.

English Summary

Facts

Following the Schrems II decision, the data subject, represented by noyb – European Center for Digital Rights, complained to the Italian DPA that the controller was sending his personal data to the US without appropriate safeguards required by Article 46 GDPR.

The transfers took place through the use of the Google Analytics web service. The controller operated a news website that used Google Analytics to collect statistical data on the use of its services. Google Analytics cookies collected data on users' IP address, browser or device, operating system, screen resolution, selected language, date and time of access, and interaction with the website. For users who were logged in to their Google account, this information could be associated with other identifiers such as email address, telephone number, gender, date of birth, and profile picture.

Google LLC (based in the US), and later Google Ireland, were responsible for processing the collected information; even after the Google Analytics terms of service were changed to list Google Ireland as processor, Google LLC was still designated as a sub-processor. In response to the DPA's investigation, Google claimed it had adopted technical measures sufficient to safeguard data subjects' rights under the GDPR. These measures consisted of encryption (for which Google LLC held a copy of the encryption key) and a service called "IP-Anonymisation", in which Google truncated users' IP addresses to hamper identification. This process, however, was actually a form of pseudonymisation, because the truncated IP address could be used in combination with the other collected data to re-identify natural persons.

Both Google and the controller also argued that, taking into account the nature of the data and the context in which it was collected, the likelihood of actually being forced to disclose this data to the US government was exceedingly low. This attenuated risk, they argued, meant that less stringent safeguards were sufficient to protect data subjects' rights under the GDPR (the so-called "risk-based approach"). Google claimed that in over 15 years of providing its Google Analytics service, it had never received an access request like the one contemplated in the data subject's complaint.

For its part, the controller deemed the technical measures implemented by Google sufficient. However, the controller also lacked the technical means to verify the implementation of these measures, and it had no authority to decide what measures were appropriate or to dictate to Google its choices regarding data transfers to third countries.

Holding

The DPA declared unlawful any processing carried out by the controller through the use of Google Analytics. It also clarified that, regardless of any asymmetry in bargaining power or technical resources, the controller is responsible for ensuring that processing is lawful per Articles 5(2) and 24 GDPR (the accountability principle). The controller must decide independently on the methods, guarantees, and limits of processing.

Regarding data transfers to a third country, the DPA rejected the risk-based approach, finding the controller in violation of Articles 44 and 46 GDPR. The low probability of an access request from US authorities did not relieve the controller of its responsibility to guarantee on a case-by-case basis that transfers of personal data to a third country had adequate safeguards. Encryption was an insufficient technical safeguard because Google LLC remained in possession of the relevant encryption key. US authorities could simply compel Google LLC to turn over this key along with the encrypted data.

The DPA also found the controller in violation of Article 13(1)(f) GDPR because its privacy policy did not disclose the intention to transfer personal data to a third country, the lack of an adequacy decision, or what safeguards were in place per Article 46(2) GDPR.

For these violations, the DPA reprimanded the controller and ordered it to comply with the GDPR (specifically Article 46 GDPR) within 90 days or suspend the transfer of data through Google Analytics.

Comment

  • From the 23 June 2022 GPDP press release: "The Italian SA wishes to draw the attention of all the Italian website operators, both public and private, to the unlawfulness of the data transfers to the USA as resulting from the use of GA – partly on account of the many alerts and queries received so far. The Italian SA calls upon all controllers to verify that the use of cookies and other tracking tools on their websites is compliant with data protection law; this applies in particular to Google Analytics and similar services."


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Measure of 9 June 2022

Register of Measures
No. 224 of 9 June 2022

THE PERSONAL DATA PROTECTION SUPERVISOR

AT TODAY'S MEETING, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Mr. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");

HAVING REGARD TO the Personal Data Protection Code, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree No. 196 of 30 June 2003, as amended by Legislative Decree No. 101 of 10 August 2018, hereinafter, the "Code");

HAVING REGARD to the complaint dated 17 August 2020 filed pursuant to Article 77 of the Regulation by Mr XX against Caffeina Media S.r.l.;

HAVING EXAMINED the documentation on file;

HAVING CONSIDERED the observations made by the Secretary General pursuant to Article 15 of the Rules of the Garante No. 1/2000;

BE IT RESOLVED by Prof. Pasquale Stanzione;

WHEREAS

1. The complaint against the company and the preliminary investigation.

In a complaint lodged on 17 August 2020, Mr XX complained that Caffeina Media S.r.l. (hereinafter 'the Company') had transferred to Google LLC, based in the United States, the personal data concerning him processed through the website www.caffeinamagazine.it; this in the absence of the guarantees provided for by Chapter V of the Regulation. 

Within the framework of the preliminary investigation activity launched by the Garante, the Office, by means of notes dated 30 July and 7 December 2021, asked the Company to provide information and clarifications on the facts which were the subject of the complaint.

In its communications of 15 October, 3 November and 22 December 2021, in response to the Office's requests, Caffeina Media S.r.l. stated the following:

controllership of the processing operations carried out through the website www.caffeinamagazine.it lies with the Company; this contrasts with what was at the time indicated in the template of the information notice provided on the aforementioned website pursuant to Article 13 of the Regulation, which contained the erroneous reference - since corrected - to Caffeina Media Ltd;

the processing of personal data of users of the www.caffeinamagazine.it website is carried out by the Company by means of the Google Analytics tool (hereinafter also 'GA') in its 'free version' (see note of 15 October 2021, p. 3 and note of 22 December 2021, p. 2);

the Company "has neither visibility of the details of the data collected, nor can it precisely describe the types of data collected" and "has chosen to use [Google Analytics] also because Google claims to process only pseudonymous and cookie-based data"; these are in detail: "(i) cookies, (ii) device/browser data (iii) IP address and (iv) activity on the site" (see note of 15 October 2021, pp. 2 and 3);

Caffeina Media S.r.l. "is bound to the contractual text ["Google Analytics Terms of Service"] approved on the platform (standard text imposed by Google's supplier)" and "as it emerges from the contractual documentation imposed by Google, Google acts as data controller of the data collected through Google Analytics" (see note of 15 October 2021, p. 3);

more specifically, "the contractual counterparty [of the Google Analytics Terms of Service in the version of 31 March 2021] is Google Ireland Limited"; unlike the previous version of the aforementioned "Google Analytics Terms of Service" -dated 17 June 2019- which was signed with Google LLC (see note of 22 December 2021, p. 2). Therefore, "Caffeina Media S.r.l. acts as data controller and, (..) [from May 2021], Google Ireland Limited acts as data processor of the data collected through Google Analytics" (see note of 15 October 2021, p. 7 and note of 22 December 2021, p. 3);

Caffeina Media S.r.l. "does not possess any level of autonomy with regard to the choices relating to the transfer of data to third countries, including the identification of the types of data subject to the aforesaid transfer" (see note of 15 October 2021, p. 7 and note of 22 December 2021, pp. 2 and 4); in particular, this specific processing operation is governed by Article 10 of the 'Google Ads Data Processing Terms', according to which 'Caffeina as data exporter, through Google Ireland Limited, may have carried out data transfer activities to the United States, with Google LLC as data importer'. Moreover, according to the same provision, 'the owner of the website agrees that Google may be supported in its processing activities by other companies in its group and, among the companies mentioned, Google LLC is present, which would act as sub-processor' (see memorandum of 15 October 2021, p. 6 and 7 and memorandum of 22 December 2021, p. 3);

the transfer of the data to Google LLC is carried out by means of the Standard Contractual Clauses that correspond to the model adopted on 5 February 2010 by the European Commission by Decision No. 2010/87/EU, as per Google's communication to the Company dated 3 August 2020 (see note of 15 October 2021, p. 7, in particular Annex B "Google Communication 3.08.2020");

such clauses have been supplemented by the additional measures adopted by Google, with respect to which the Company has "no possibility to verify the implementation at a technical level (...), or to give specific instructions on the actual implementation of [the same]" (see note of 22 December 2021, p. 4);

in the context of the services offered through Google Analytics, Caffeina Media S.r.l. has not subscribed to the so-called data sharing option (note of 15 October 2021, p. 5);

with regard to the contested transfer to Google LLC of the data relating to the complainant, Caffeina Media S.r.l. "has no particular autonomy in the use of the tool [Google Analytics], including the possibility of knowing whether the complainant's data have actually been transferred to third countries" (see note of 15 October 2021, p. 6);

with regard to the fulfilments put in place pursuant to Article 13 of the Regulation, Caffeina Media S.r.l. "makes use of the automated service of the company Iubenda s.r.l. for the management of the privacy policy and the cookie policy" (with reference to the model of the policy updated to 5 October 2021, see note of 15 October 2021, p. 9; and with regard to the policy provided to the complainant on 12 August 2020, see communication of 3 November 2021).

On 11 January 2022, the Office notified, pursuant to Article 166(5) of the Code, the alleged violations of the Regulation found with reference to Article 5(1)(a) and (2), Article 13, Article 24 as well as Articles 44 and 46(2)(c) of the Regulation.

On 10 February 2022, the Company sent its defence submissions in which it represented that:

a) the US legislation considered by the Court of Justice of the European Union, in ruling No. C-311/18, of 16 July 2020 (so-called 'Schrems II'), must be subject to a new adequacy assessment by the Data Protection Authorities in view of the regulatory developments that have taken place since the adoption of the Privacy Shield and punctually outlined by the US Government in the White Paper of September 2020 called “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. data Transfers after Schrems II” (see note of 10 February 2022, para. 1, pp. 3-9);

b) with specific reference to the scope of application of Article 702 of the Foreign Intelligence Surveillance Act "it is practically impossible that intelligence agencies can only use an IP address or a cookie -the only data possibly transferred by Caffeina-"; this considering that, taking into account the procedures (so-called targeting procedures) aimed at identifying the data that can be accessed by the US Authorities, the data relating to the e-mail address and telephone number of the users are of main interest for intelligence activities (see note of 10 February 2022, p. 6-7);

c) with regard to the alleged unsuitability of the additional technical measures implemented by Google, the latter had adopted "high standards of (...) security" and "internal procedures (...) subject to various certifications. (...) Moreover, the (...) assessments as to the adequacy of the security measures to be adopted were carried out by the supplier itself, who, after having carried out such analysis, then notified Caffeina itself of the updating of the security measures and of the contractual documentation, precisely following the Schrems II ruling (...). And this in any case in line with the requirements of Article 14 of the new SCC". In any case, with respect to such measures, "Caffeina has neither the means nor the operational or technical possibilities to impose changes to the [aforementioned] security measures on the supplier", as it does not have "any contractual power to enter into commercial dialogues with its counterparty [nor] (...) to interact with the same" (see note of 10 February 2022, p. 10 and 12);

d) "with regard to the contested transfer to Google LLC of the data relating to the complainant, Caffeina Media S.r.l. has no particular autonomy in the use of the tool [Google Analytics]" not having "at a technical level the possibility of knowing whether Mr. XX's personal data have actually been transferred" (see note of 10 February 2022, p. 13);

e) as regards the adequacy of the additional technical measures implemented by Google, Caffeina considered them 'relevant and effective in relation to the nature of the data and the context in which they were collected' as well as the level of risk of the transfer. All this in consideration of the fact that: i) the data processing connected with the transfer in question is part of the context of a daily information site with a 'light slant, focused on entertainment areas'; ii) 'the Company uses the tool only in aggregate and statistical form, never seeing the raw data' and limiting itself to processing pseudonymised data; iii) the level of risk must also be assessed on the basis of the degree of likelihood of the actual occurrence of access by the US public authorities to the data collected through Google Analytics on the site www.caffeinamagazine.it. In this regard, the Company has reported what Google stated in a recent blog post of 19 January 2022 (available at the following address: https://blog.google/around-the-globe/google-europe/its-time-for-a-new-eu-us-data-transfer-framework/), with respect to the circumstance that 'the provider has offered the Google Analytics service for more than 15 years globally and has never received a request such as the one complained of by the complainant' (note of 10 February 2022, p. 10, 17, 18, 26 and 29; see also note of 4 April 2022, p. 5).

On 25 March 2022, during the hearing requested by the Company, the latter, in recalling the above-mentioned memoranda in their entirety, also represented that it had adopted a series of measures of a technical-legal nature relating to: the updating of the text of the information notice on the Company's website (see, in particular, the "Cookie Policy" available at https://www.caffeinamagazine.it/cookie-policy/); the implementation of a new technical structure of the site, achieved by updating to the most recent version of the content management system used by the Company and by migrating the site to a new infrastructure that guarantees a higher level of security; the adherence to the so-called "IP-Anonymization" option provided by the Google Analytics tool; and the start of the implementation of a new web analytics tool based, inter alia, on the non-use of cookies and the absence of IP tracking (see minutes of 25 March 2022 and explanatory note of 4 April 2022, p. 2).

2. Observations on the data protection legislation relevant to the present case and violations established.

First of all, it should be noted that, unless the act constitutes a more serious offence, anyone who, in proceedings before the Garante, falsely declares or certifies information or circumstances or produces false deeds or documents shall be held liable pursuant to Article 168 of the Code 'False statements to the Garante and interruption of the performance of the Garante's duties or exercise of its powers'.

Having said that, at the outcome of the preliminary investigation and of the examination of the documentation acquired in the course of the same, it was ascertained that the transfers made by Caffeina Media S.r.l. to Google LLC (based in the United States), by means of the Google Analytics tool, were carried out in breach of Articles 44 and 46 of the Regulation; it was also found that there had been breaches of Article 5(1)(a) and (2), Article 13(1)(f) and Article 24 of the Regulation, as explained below.

2.1 Transfers of personal data to the United States made through Google Analytics.

Google Analytics is a web analytics tool provided by Google to website operators that enables the latter to analyse detailed statistics on users with a view to optimising the services rendered and monitoring their marketing campaigns.

Caffeina Media S.r.l. uses GA in its free version for the pursuit of purely statistical purposes, i.e. to obtain aggregate information on users' activity within its website. The same acts as data controller and designates Google as data processor, pursuant to Article 28 of the Regulation, on the basis of the 'Google Analytics Terms of Service' and the 'Google Ads Data Processing Terms'.

More specifically, in the case at hand, Google LLC acted as data processor of the data collected through Google Analytics until 30 April 2021 on the basis of the 'Google Analytics Terms of Service' (see note of 22 December 2021, p. 2).

As from 1 May 2021, Google Ireland Limited took over the role of contractual counterparty to the same "Google Analytics Terms of Service" and, pursuant to the aforesaid Terms of Service, it may avail itself of other entities as sub-processors, including Google LLC (see note of 15 October 2021, p. 7 and note of 22 December 2021, p. 3).

With regard to the processing carried out through Google Analytics, it has been noted that Caffeina Media S.r.l. collects, by means of cookies transmitted to the users' browsers, information on how the latter interact with the website, as well as with the individual pages and services offered. More in detail, the data collected consist of: unique online identifiers that allow both the identification of the browser or device of the user visiting the website, and of the website operator itself (through the Google Account ID); address, website name and navigation data; IP address of the device used by the user; information relating to the browser, operating system, screen resolution, selected language, and date and time of the website visit.

In this respect, it is worth pointing out that the IP address constitutes personal data insofar as it makes it possible to identify an electronic communication device, thus indirectly making the data subject identifiable as a user (see Article 29 Working Party, WP 136 - Opinion No 4/2007 on the concept of personal data, of 20 June 2007, p. 16). This is especially so where, as in the present case, the IP is associated with other information relating to the browser used and the date and time of browsing (see recital 30 of the Regulation).

In addition to this, if the website visitor is signed in to his Google account - which is the case here - the above-mentioned data may be associated with other information in the relevant account, such as the email address (which constitutes the account's user ID), the telephone number and any other personal data, such as gender, date of birth or profile picture.

In this regard, it should be noted that Google, as part of its Google Analytics service, has made available to website operators the option known as 'IP-Anonymization', which entails sending Google Analytics the user's IP address after zeroing the least significant octet (as a result of this operation, for example, the addresses 122.48.54.0 to 122.48.54.255 would all be replaced by 122.48.54.0). In the case at hand, the Company declared that the aforesaid option had not been activated at the date of the filing of the complaint and also represented that it had adhered to the same only afterwards, as part of the adoption of a series of technical-legal measures implemented following the initiation of the proceedings by the Garante, pursuant to Article 166, paragraph 5 of the Code.

On this point, it is worth pointing out, however, that 'IP-Anonymization' actually consists in a pseudonymisation of the data relating to the user's network address, since the truncation of the last octet does not prevent Google LLC from re-identifying the user, taking into account the overall information held by the same on web users. Moreover, Google LLC itself has the possibility - if the data subject has signed in to his Google profile - of associating the IP address with other additional information already in its possession (such as the information contained in the user account). This operation, therefore, despite the activation of 'IP-Anonymisation', still allows for the possible re-identification of the user.

In the light of the above, it is therefore pointed out that the use of GA by the managers of websites - such as Caffeina Media S.r.l. - entails the transfer of the personal data of the visitors of the aforesaid sites to Google LLC, based in the United States. Such transfers, insofar as they are made to a third country that does not ensure an adequate level of protection under data protection law (i.e. the United States), must be carried out in compliance with Chapter V of the Regulation.
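The following is an added example, not part of the decision and not Google's code, illustrating the two points the Garante makes about 'IP-Anonymization': the truncation itself (zeroing the last IPv4 octet, so that 122.48.54.0 to 122.48.54.255 all become 122.48.54.0) and why the result is pseudonymised rather than anonymous. The hits, user-agent strings, screen sizes and the `google_account_id` field are constructed sample data; the IPv6 handling (zeroing the last 80 bits) is an assumption made for illustration and is not taken from the decision. The report groups truncated hits by the quasi-identifiers the decision lists (browser, screen resolution, language, date and time of visit) and counts how many visitors remain singled out, and how many are directly identified through a signed-in Google account regardless of what was done to the IP.

```python
"""Added example: IPv4 last-octet truncation as used by Google Analytics'
'IP-Anonymization', and a re-identification check over constructed hits.
Not code from the decision or from Google."""
import ipaddress
from collections import defaultdict


def truncate_ip(ip: str) -> str:
    """Zero the least significant octet of an IPv4 address (the operation the
    decision describes). For IPv6 the last 80 bits are zeroed; that width is an
    assumption for this example, not a fact taken from the decision."""
    addr = ipaddress.ip_address(ip)
    keep_bits = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{keep_bits}", strict=False)
    return str(net.network_address)


# Constructed sample hits: the fields a GA-style beacon carries per visit.
# google_account_id is set when the visitor was signed in to a Google account.
SAMPLE_HITS = [
    {"ip": "122.48.54.17", "ua": "Firefox/100 (Linux)", "screen": "1920x1080",
     "lang": "it-IT", "google_account_id": None},
    {"ip": "122.48.54.200", "ua": "Chrome/101 (Windows)", "screen": "1366x768",
     "lang": "it-IT", "google_account_id": "acct-4471"},
    {"ip": "122.48.54.201", "ua": "Chrome/101 (Windows)", "screen": "1366x768",
     "lang": "it-IT", "google_account_id": None},
    {"ip": "122.48.54.33", "ua": "Safari/15 (iPhone)", "screen": "390x844",
     "lang": "en-GB", "google_account_id": None},
    {"ip": "2001:db8:abcd:1234:5678:9abc:def0:1", "ua": "Safari/15 (Mac)",
     "screen": "2560x1440", "lang": "it-IT", "google_account_id": None},
]


def pseudonymise(hit: dict) -> dict:
    """Apply the truncation to one hit; every other field is left untouched,
    exactly as the option does."""
    out = dict(hit)
    out["ip"] = truncate_ip(hit["ip"])
    return out


def fingerprint(hit: dict) -> tuple:
    """Quasi-identifiers that survive truncation (the decision's list:
    network address, browser, screen resolution, language)."""
    return (hit["ip"], hit["ua"], hit["screen"], hit["lang"])


def reidentification_report(hits: list) -> dict:
    """Group truncated hits by fingerprint. A group of size 1 is a visitor the
    importer can still single out; a linked Google account identifies the
    person directly whatever the IP looks like."""
    groups = defaultdict(list)
    for h in map(pseudonymise, hits):
        groups[fingerprint(h)].append(h)
    singled_out = sum(1 for g in groups.values() if len(g) == 1)
    directly_identified = sum(1 for h in hits if h["google_account_id"])
    return {
        "visitors": len(hits),
        "distinct_fingerprints": len(groups),
        "singled_out": singled_out,
        "directly_identified": directly_identified,
    }


if __name__ == "__main__":
    for h in SAMPLE_HITS:
        print(f"{h['ip']:40} -> {truncate_ip(h['ip'])}")
    print(reidentification_report(SAMPLE_HITS))
```

On the constructed sample, four of the five hits collapse onto 122.48.54.0, yet only two of them share a fingerprint; the other three visitors remain singled out by browser, screen and language alone, and one is identified outright through the account link. That is the sense in which the decision calls the option pseudonymisation: it removes one identifier while leaving the combination that re-identifies.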

2.2 The unlawfulness of the transfers following ruling C-311/18, of 16 July 2020, so-called Schrems II.

It is recalled that the Court of Justice of the European Union, in ruling C-311/18 of 16 July 2020 (so-called Schrems II), in declaring the invalidity of EU Commission Decision No. 2016/1250 of 12 July 2016 on the adequacy of the protection offered by the EU-US Privacy Shield regime (so-called Privacy Shield), found that US domestic law (in particular Executive Order 12333 and Section 702 of the Foreign Intelligence Surveillance Act - hereinafter 'FISA 702') contains exemptions to data protection law that exceed the restrictions deemed necessary in a democratic society. This is with particular reference to the provisions allowing public authorities, within the framework of certain national security programmes, to have access without appropriate limitations to the personal data subject to transfer, and to the failure to provide the data subjects with rights that can be enforced before the courts.

In the same judgment, the Court also upheld the validity of Commission Decision 2010/87/EU of 5 February 2010 concerning standard contractual clauses for the transfer of personal data to processors established in third countries - the clauses adopted by Caffeina in the present case (see paragraph 1 above). At the same time, it pointed out that, in accordance with the principle of accountability, data controllers, in their capacity as data exporters, are in any case required to verify, on a case-by-case basis and, where necessary, in cooperation with the data importer in the third country, whether the latter's law or practice affects the effectiveness of the appropriate safeguards contained in the aforementioned clauses; this is to determine whether the safeguards provided for in the standard contractual clauses can be complied with in practice (Art. 5(2) and Art. 24; see also Recommendation No 1/2020 on measures supplementing transfer tools to ensure compliance with the EU level of protection of personal data, version of 18 June 2021, paragraphs 1-5).

In general terms, it is therefore necessary to assess, in concreto, i.e. on the basis of the circumstances of the transfer, whether the instrument chosen by the exporter, among those identified in Article 46 of the Regulation, is effective in the specific case.

Such an examination, as pointed out by the European Data Protection Board - hereinafter 'EDPB' (see Recommendation No 1/2020, cit., p. 4), must 'focus first of all on the third country legislation [and applicable practices] relevant to the transfer [as well as] on the transfer instrument [identified] pursuant to Article 46 of the GDPR' in order to verify that the aforesaid legislation and practices do not de facto prevent the importer from complying with the obligations laid down by the instrument used. More specifically, the above assessment 'entails the need to determine whether or not the transfer in question falls within the scope of the [above-mentioned legislation]'. It must 'be based on objective factors, irrespective of the likelihood of access to personal data' (see EDPB and EDPS Joint Opinion 2/2021 on the European Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries, adopted on 14 January 2021, para. 86).

Relevant for this purpose are the characteristics of the specific transfer carried out, such as: the purposes, the nature of the entities involved, the sector in which the transfer takes place, the categories of personal data transferred, whether the data are stored in the third country or accessed remotely, the format of the data to be transferred, and any subsequent transfers (see Recommendation No 1/2020, cit., para. 33).

The assessment required from the data exporter must therefore focus on the legislation and practices applicable in the third country to the specifically transferred data and involve verification of 'whether or not the public authorities in the third country (...) can attempt to access the data' as well as 'whether or not the public authorities in the third country (...) can access the data through the importer itself or through telecommunication providers or communication channels' (see Recommendation No 1/2020, cit., para. 31).

As regards the aforementioned possibility of access by the US Authorities, it must be borne in mind that it is confirmed by the "Transparency report on United States national security requests for user information" made available by Google on its website (available at the following link https://transparencyreport.google.com/user-data/us-national-security?hl=en); this report contains the numerical data relating to the access requests (which, as expressly indicated therein, may also concern "non-content metadata" such as IP addresses) received by Google, pursuant to FISA 702, at the request of the US national Authorities.

Having said this, with reference to what has been argued by the Company in its defence briefs, it is worth pointing out that:

with regard to the inadequacy of the US legislation (see paragraph 1(a) above), the Court of Justice did not limit itself to an examination of the legal framework in force at the time of the adoption of the Privacy Shield. Rather, it took into account the regulatory provisions relating to surveillance programmes (see, in particular, FISA 702) in force at the time the ruling was handed down, ruling that they did not guarantee a level of protection substantially equivalent to that of Article 52(1) of the Charter of Fundamental Rights of the European Union (see above, paras. 168-202);

as to the identification of the data that can be accessed by the US authorities pursuant to FISA 702 (see above, par. 1, point b), the White Paper of September 2020 contains general indications as to the object of the access requests that can be made by intelligence agencies, so as not to exclude a priori that, besides the e-mail address and the telephone number of the users, they can also refer to IP addresses (see in this respect White Paper of September 2020, cited above, p. 7). To confirm this, it should also be noted that in the 'Transparency report on United States national security requests for user information' (see above) made available by Google on its website, IP addresses appear among the information that can be the subject of access requests under FISA 702 together with other metadata (see in particular the description contained in the section called 'non-content requests under FISA');

lastly, with respect to the assessment of the suitability of the additional measures adopted in the present case (see above, par. 1, point e), the Company, -in taking into consideration elements other than those contemplated by the EDPB such as: the "economic availability" of Caffeina Media S.r.l, "the costs of implementation" of the technical and organisational measures to be put in place, "the content of the articles and topics (...) of a light-hearted nature and focused on entertainment areas" conveyed by the website www.caffeinamagazine.it (see note of 10 February 2022, p. 10, 15, 16, 17 and 8), substantially based the aforesaid assessment on the "likelihood of the risk of data access by third parties" and on the "seriousness of the possible occurrence of [the aforesaid] risk" (see note of 10 February 2022, p. 24). In this respect, on the other hand, it is reiterated that the Court, in the above-mentioned ruling, did not refer to 'any subjective factor, such as, for example, the likelihood of access' to the personal data transferred (see EDPB and EDPS Joint Opinion 2/2021, cited above, para. 87).

2.3. Unsuitability of additional measures taken by the controller.

Where it is found as a result of the above assessment that the legislation and practices of the third country prevent the data importer from complying with the obligations laid down in the chosen transfer instrument, as found in the present case, exporters must adopt additional measures ensuring a level of protection of personal data substantially equivalent to that provided for by the Regulation (see Recommendation No 1/2020, cited above, paras. 50-57, which sets out the criteria for identifying the measures to be adopted).

In this regard, as to the additional measures of a technical, but also contractual and organisational, nature adopted in the present case, the following should be noted.

The measures of a technical nature consist in the adoption of data encryption mechanisms, during the transfer between systems (in transit) and when stored in the systems (at rest).
Encryption in transit is adopted when data are transferred between different systems, services or data centres through networks or infrastructures not controlled by the Company (e.g. geographical networks).

Encryption at rest, on the other hand, concerns user data that are stored on disk drives or in backup drives and is based on the encryption of data using standard algorithms (usually using AES256) and encryption at different levels, starting with encryption at the hardware level, depending on the type of application and specific risks. Access to Google LLC's data centres is protected by 6 levels of physical security measures.
In this regard, it should be noted that, taking into account the indications provided by the EDPB in Recommendation No. 1/2020, the above-mentioned technical measures are not adequate.

With regard to the data encryption mechanisms highlighted above, they are not sufficient to avoid the risks of access, for national security purposes, to the data transferred from the European Union by the public authorities of the United States, since the encryption techniques adopted leave the encryption key in the hands of Google LLC, which holds it, as importer, because it needs the data in plain text in order to carry out the processing and provide the services. It should also be pointed out that the obligation to allow access on the part of the US authorities falls on Google LLC not only with regard to the imported personal data, but also with regard to any cryptographic keys necessary to make them intelligible (see also Recommendation 1/2020, cit., par. 81).
It follows from this that, as long as the encryption key remains at the importer's disposal, the measures taken cannot be considered adequate (see Recommendation 1/2020, cit., para. 95).

This also takes into account certain contractual and organisational measures consisting specifically of the undertaking to:

verify, in accordance with US law, the legitimacy of each individual request by the Public Authorities for access to the user data being transferred, assessing its proportionality, and not grant it if, after careful evaluation, it is concluded that the conditions under the relevant legislation are not met;

promptly notify the person concerned of access requests from the US Public Authorities, unless such disclosure is prohibited by the relevant legislation, informing the person concerned in any case if the above prohibition is lifted;

publish a "Transparency Report" containing a summary of requests for access to data received from the US Public Authorities, insofar as such publication is permitted by the relevant legislation;

publish the policy for handling requests by US public authorities for access to the user data transferred.

In this regard, in fact, it should be noted that, as considered by the EDPB, in the absence of appropriate technical measures - a circumstance ascertained in the present case - the contractual and organisational measures indicated above, per se, cannot reduce or prevent the possibilities of access to the data subject to transfer by the US Authorities (see Recommendation 1/2020, cit., par. 53).

In the light of the foregoing, therefore, the additional measures adopted in the present case cannot be regarded as adequate with the consequent unlawfulness, pursuant to Articles 44 and 46 of the Regulation, of the relevant transfers of personal data to the United States.

2.4. Accountability of the data controller.

The data controller is required to implement "appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing is carried out in compliance with the [Regulation]" (so-called accountability principle; see Art. 5(2) and Art. 24(1) of the Regulation).

It is therefore up to the data controller to decide autonomously on the modalities, guarantees and limits of the processing of personal data in compliance with the relevant legislation on the subject. The Regulation, in fact, strongly emphasises the 'accountability' of the data controller, i.e., the adoption of proactive behaviour such as to demonstrate the concrete adoption of measures aimed at ensuring the application of personal data protection rules (see, in particular, Article 24 of the Regulation).

The implementation of the accountability principle with reference to transfers of data to third countries places the responsibility on the data controller, as exporter, to verify, on a case-by-case basis and, where necessary, in cooperation with the importer in the third country, whether the latter's law or practice affects the effectiveness of the adequate safeguards contained in the transfer instruments referred to in Article 46 of the Regulation.

In such cases, the exporter is obliged to adopt, in application of this principle, additional measures enabling the importer to comply with the obligations laid down in the instrument adopted pursuant to Article 46 of the Regulation; all this in order to ensure that the level of protection of natural persons guaranteed by the Regulation is not undermined (see Article 44 of the Regulation; see in this regard, Recommendation 1/2020, cit., paragraphs 1-5).

For all the reasons set out above, without prejudice to the unsuitability of the additional measures adopted in the present case, Caffeina Media S.r.l.'s argument as to its lack of autonomy with regard to the decisions to be taken on the transfer of data to third countries cannot be accepted (see above, par. 1, points c) and d)); this considering that the Company, by reason of its role under the data protection rules, is required, as already clarified, to implement, even in the context of cross-border transfers, adequate and effective measures to protect the rights and freedoms of the data subjects and to be able to demonstrate their compliance with the Regulation.

In the light of the above considerations, in engaging in the conduct described above, Caffeina Media S.r.l. has therefore breached Articles 5(2) and 24 of the Regulation.

2.5. Inadequacy of the information provided pursuant to Article 13 of the Regulation.

With reference to the information to be provided to the data subject, pursuant to Article 13 of the Regulation, it should be noted that, in the information notice provided to the complainant on the website www.caffeinamagazine.it, at the time of the collection of the data concerning him (see communication of 3 November 2021), some of the elements referred to in Article 13(1)(f) of the Regulation were not indicated.

Indeed, in view of the fact that personal data must be 'processed lawfully, fairly and transparently vis-à-vis the data subject' (Art. 5(1)(a) of the Regulation), the data controller, where a transfer of personal data takes place, is obliged, in compliance with the principle of transparency, to inform the data subject also of 'the intention to transfer personal data to a third country' as well as of 'the existence or absence of a Commission adequacy decision or, in the case of transfers referred to in Article 46 or 47 or in the second subparagraph of Article 49(1), the reference to appropriate or adequate safeguards and the means of obtaining a copy of those safeguards or the place where they have been made available' (Art. 13(1) of the Regulation).

In this regard, in any case, while taking note of the updating on 23 March 2022 of the information to be rendered to users on the website www.caffeinamagazine.it (see note of 10 February 2022, p. 30; see "Cookies Policy" available at https://www.caffeinamagazine.it/cookie-policy/), it should be noted that the model provided at the time by Caffeina Media S.r.l. to the complainant in this case (see communication of 3 November 2021), did not clearly define the elements referred to in Article 13(1)(f) of the Regulation concerning the transfer.

It follows, therefore, with reference to that model, that Article 5(1)(a) and Article 13(1)(f) of the Regulation have been infringed.

3. Conclusions: declaration of unlawfulness of the processing. Corrective measures under Article 58(2) of the Regulation.

For the above-mentioned reasons, the Authority considers that the statements, the documentation and the reconstructions provided by the data controller in the course of the preliminary investigation do not make it possible to overcome the findings notified by the Office with the act opening the proceeding, and are therefore not such as to warrant the dismissal of the present proceeding, as none of the cases provided for by Article 11 of the Regulation of the Garante no. 1/2019 apply.

The processing of personal data carried out by the Company is therefore unlawful, in the terms set out above, in relation to Article 5(1)(a) and (2), Article 13(1)(f), Article 24 and Articles 44 and 46 of the Regulation.

Infringement of the above provisions entails the application of the administrative sanctions provided for in Article 83(5)(a), (b) and (c) of the Regulation.

In this respect, with reference to the elements to be taken into consideration in order to assess whether to impose an administrative fine (Article 83(2) of the Regulation), it should be noted first of all that, in relation to the nature and seriousness of the breach, the processing operations that are the subject of the complaint did not concern special categories of personal data.

As regards the subjective element of the infringer, it must be considered that Caffeina Media S.r.l. - in view of the asymmetry of contractual power resulting from the primary market position assumed by Google in the web analytics services sector - mistakenly assumed as appropriate, on the basis of the information provided by Google, the additional measures adopted by the latter without exercising any decision-making power over them.

With regard to the measures adopted by the Company to mitigate the damage suffered by the data subjects, note is also taken of the initiatives taken by the data controller, following the notification pursuant to art. 166, paragraph 5 of the Code, concerning: updating the text of the information on the Company's website; adhering to the "IP-Anonymization" option made available by Google; improving the infrastructure in terms of security; updating the content management system used for the creation and management of the site; analysing the feasibility of implementing an alternative web analytics tool that "will no longer rely exclusively on tracking via cookies and (...) will no longer store the IP addresses of the data subjects" (see minutes of 25 March 2022 and supplementary note of 4 April 2022, p. 2).

Finally, for the purposes of the Authority's assessments, the absence of previous infringements and the loyal cooperation with the Garante during the proceedings are also relevant.

The nature and gravity of the infringement, its culpable nature, as well as the further elements referred to above, therefore lead to the case under consideration being classified as a 'minor infringement' (see Article 83(2) and recital 148 of the Regulation).

It is therefore considered that, in the present case, the data controller must be admonished, pursuant to Article 143 of the Code and Article 58(2)(b) of the Regulation, for having carried out processing in breach of Article 5(1)(a) and (2), Article 13(1)(f), Article 24 and Articles 44 and 46 of the Regulation.

Lastly, it is noted that the conditions set out in Article 17 of the Garante's Regulation No 1/2019, concerning internal procedures with external relevance, aimed at the performance of the tasks and exercise of the powers entrusted to the Garante, are met.

IN VIEW OF ALL THE FOREGOING, THE GARANTE:

a) pursuant to Article 57(1)(f) of the Regulation, declares the unlawfulness of the processing of personal data of users of the website www.caffeinamagazine.it carried out, through Google Analytics, by Caffeina Media S.r.l., with registered office in Rosignano Marittimo (LI), P.I. 13524951004, in breach of Articles 5(1)(a) and (2), 13(1)(f), 24, 44 and 46 of the Regulation;

b) pursuant to Article 58(2)(d) of the Regulation, orders Caffeina Media S.r.l. to bring the processing of personal data of users of the website www.caffeinamagazine.it carried out by means of Google Analytics into compliance with Chapter V of the Regulation within a period of ninety days from the notification of this measure, adopting appropriate additional measures;

c) pursuant to Article 58(2)(j) of the Regulation, orders the suspension of the flow of the personal data identified above to Google LLC, based in the United States, if Caffeina Media S.r.l. does not comply with the provisions of point b) of this measure within the period laid down therein;

d) pursuant to recital 148 and Article 58(2)(b) of the Regulation, warns Caffeina Media S.r.l. for having processed personal data in breach of Articles 5(1)(a) and (2), 13(1)(f), 24, 44 and 46 of the Regulation;

e) considers that the prerequisites set out in Article 17 of Regulation No 1/2019, concerning internal procedures with external relevance, aimed at the performance of the tasks and the exercise of the powers entrusted to the Garante, are met.

Pursuant to Article 157 of the Code, it requests Caffeina Media S.r.l. to communicate which initiatives have been undertaken in order to implement this measure and, in any case, to provide adequately documented feedback, within ninety days from the date of notification of this decision; failure to do so may result in the application of the administrative pecuniary sanction provided for by Article 83, paragraph 5, letter e) of the Regulation.

Pursuant to Article 78 of the Regulation, Article 152 of the Code and Article 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this measure may be lodged with the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the measure itself, or within sixty days if the appellant resides abroad.

Rome, 9 June 2022

THE CHAIRMAN
Stanzione

THE RAPPORTEUR
Stanzione

THE SECRETARY GENERAL
Mattei