Garante per la protezione dei dati personali (Italy) - 9806053

From GDPRhub
Garante per la protezione dei dati personali - 9806053
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 13(1)(f) GDPR
Article 24 GDPR
Article 40 GDPR
Article 46 GDPR
Type: Complaint
Outcome: Upheld
Started: 07.07.2022
Decided:
Published:
Fine: n/a
Parties: an unnamed data subject
IlMeteo S.r.l.
National Case Number/Name: 9806053
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: Carloc

The Italian DPA held that a website operator used Google Analytics without implementing adequate safeguards for transferring data to the U.S. as required by Article 46 GDPR. The operator was reprimanded and ordered to implement adequate safeguards or seize the data transfers altogether.

English Summary

Facts

An Italian company, IlMeteo S.p.l. (the controller), owned the website www.ilmeteo.it. Following the Schrems II decision, a user of the website (the data subject), represented by noyb – European Center for Digital Rights, complained to the Italian DPA that the controller was sending his personal data to the US without appropriate safeguards required by Article 46 GDPR.

The transfers took place through the use of the Google Analytics 360. The controller operated a news website that used Google Analytics to collect statistcal data on the use of its services. Google Analytics cookies collected data on users' IP address, browser or device, operating system, screen resolution, selected language, date and time of access, and interaction with the website. For users who logged in with their Google account, this information could be associated with other identifiers like email adress, telephone number, gender, date of birth, and profile picture.

Google LLC (based in the US), and later Google Ireland, were responsible for processing the collected information; even after the Google Analytics terms of service were changed to list Google Ireland as processor, Google LLC was still designated as a sub-processor. In response to the DPA's investigation, Google claimed it had adopted technical measures sufficient to safeguard data subjects' rights under the GDPR. These measures consisted of encryption (for which Google LLC held a copy of the encryption key) and a service called "IP-Anonymisation," wherein Google truncated users' IP addresses to hamper identification. This process, however, was actually a form of pseudoanonymisation, because the truncated IP address could be used in combination with the other collected data to re-identify natural persons.

Both Google and the controller also offered that, taking into account the nature of the data and the context in which it was collected, the likelihood of actually being forced to disclose this data to the US government was exceedingly low. This attenuated risk, they argued, meant that less stringent safeguards were sufficient to protect data subjects' rights under the GDPR (the so-called "risk-based approach"). Google claimed that in over 15 years of providing its Google Analytics service, it had never received an access request like the one contemplated in the data subject's complaint.

For its part, the controller deemed the technical measures implemented by Google sufficient. However, the controller also lacked the technical means to verify the implementation of these measures, nor did it have any authority to decide what measures were appropriate or to dictate to Google choices regarding data transfers to third countries.

Holding

The DPA declared any processing carried out by the controller through the use of Google Analytics unlawful. It also clarified that, regardless of any asymmetry in bargaining power or technical resources, the controller was responsible for ensuring that processing is lawful pursuant to Article 5(2) (accountability) and 24 GDPR (responsibility of the controller). The controller must decide independently on the methods, guarantees, and limits of processing.

Regarding data transfers to a third country, the DPA rejected the risk-based approach, finding the controller in violation of Article 44 and 46 GDPR. The low probability of an access request from US authorities did not relieve the controller of its responsibility to guarantee on a case-by-case basis that transfers of personal data to a third country had adequate safeguards. Encryption was an insufficient technical safeguard because Google LLC remained in possession of the relevant encryption key. US authorities could simply compel Google LLC to turn over this key along with the encrypted data.

The DPA also found the controller in violation of Article 13(f) GDPR because its privacy policy did not disclose the intention to transfer personal data to a third country, the lack of an adequacy decision or what safeguards were in place per Article 46(2) GDPR.

For these violations, the DPA reprimanded the controller and ordered it to comply with the GDPR (specifically Article 46 GDPR) within 90 days or suspend the transfer of data through Google Analytics.

Comment

This is one of the 101 complaints filed in the Summer of 2020 by noyb – European Center for Digital Rights, a privacy NGO[1]. It is similar to other decisions on the 101 complaints by the Austrian[2] and French DPAs[3] and to another case by the Italian DPA itself[4]. The EDPB made a task force to coordinate the response to the 101 complaints[5].

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web n. 9806053]

Provision of 7 July 2022

Record of measures
n. 243 of 7 July 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (hereinafter, the "Regulation");

GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, n.196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");

GIVEN the complaint of 18 August 2020 submitted pursuant to art. 77 of the Regulations by Mr. XX towards IlMeteo S.r.l .;

EXAMINED the documentation in deeds;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

Rapporteur Dr. Agostino Ghiglia;

WHEREAS

1. The complaint against the Company and the preliminary investigation.

With a complaint presented on 18 August 2020, Mr. XX complained that IlMeteo S.r.l. (hereinafter also "the Company"), would have transferred to Google LLC, based in the United States, the personal data concerning him processed through the website www.ilmeteo.it; this in the absence of the guarantees provided for by Chapter V of the Regulation.

As part of the investigation initiated by the Guarantor, the Office, with notes dated November 16, 2020 and July 20, 2021, asked the Company to provide information and clarifications on the facts of the complaint.

With the communications of 15 December 2020 and 15 September 2021, in responding to the requests of the Office, IlMeteo S.r.l. stated the following:

the processing of personal data of users of the website www.ilmeteo.it, object of dispute by the complainant, is carried out by the Company through the Google Analytics tool "in its basic / free version" (see note of 15 December 2020, page 2) which, by means of cookies transmitted to the user's browser, "collects information on how the users of the site interact with the individual pages and with the services offered" (see note of 15 December 2020, page . 3);

the data being processed consists of the identifier of the cookie downloaded to the user's browser, the IP address and the type of device used (see note of 15 December 2020, page 3);

the Company has also activated the Google Signals tool, which “is based on the intersection of the data of users logged in to Google who have activated the“ Ads Personalization ”system with the data collected from navigation. This process allows Google Analytics to collect and cross traffic data in addition to those collected through a standard implementation and to provide additional features by providing, for example, holistic information on the cross-device behavior of users, enriching their demographic and interest characteristics. when they interact with the ilMeteo.it site from multiple browsers and devices "(see note of 15 September 2021, page 4);

in relation to the processing carried out through Google Analytics, on May 26, 2018, the Company pursuant to art. 7 of the "Google Analytics Terms of Service", has signed a contract with Google LLC pursuant to art. 28 of the Regulation called "Google Ads Data Processing Terms", "according to which ilMeteo s.r.l. is the data controller and Google LLC is responsible "for the same (see note of 15 December 2020, page 5 and attachment 5). As of April 30, 2021, following the entry into force of the "new Google Analytics Terms of Service" for all customers in the EMEA area, "the contractual relationships [above] are no longer in place between the and Google LLC, but between ilMeteo and Google Ireland Limited "(see note of September 15, 2021, page 1 and attachment 2), therefore appointed as data processor pursuant to art. 28 of the Regulation;

the transfer of data is governed by art. 10 of the "Google Ads Data Processing Terms" pursuant to which IlMeteo S.r.l. agrees that Google Ireland Limited, as data processor “may use Google's affiliates as sub-processors; [as well as] store or process personal data in other countries where Google or its sub-processors have offices. For the transfer of data to countries for which an adequacy decision has not been taken, the Weather, pursuant to these Processing Terms, operates as an exporter and enters into the Standard Contractual Clauses (...) with Google LLC (as an importer). According to these clauses, Google LLC acts as Data Processor "(see note of 15 December 2020, page 5 and note of 15 September 2021, page 2);

the transfers referred to above are "subject to the Standard Clauses" (referred to in attachment 5 of the note of 15 December 2020), which correspond to the standard scheme, adopted on 5 February 2010, by the European Commission with decision no. 2010/87 / EU (see note of 15 December 2020, pages 5 and 7 and note of 15 September 2021, page 2); these clauses were integrated "by the additional measures adopted by Google and described in the pages of the latter's site", measures which the Company took note of following the communication made by Google, as reported in Annex 2 of the note dated 15 December 2020 (see note of 15 December 2020, page 7 and note of 15 September 2021, page 10);

the Company, as a further supplementary measure with respect to those prepared by Google, "has proceeded to obscure the last digits of the IP address, in order to exclude the possibility of user identification (so-called IP-Anonymization)", following the procedure provided available from Google for this purpose. This function was definitively activated at the end of November 2020 (see note of 15 September 2021, pages 1, 9 and 11 and annex 9). In this regard, the Company specified that "with the anonymization of IP addresses, the data made available to Google (...) are not personal data [as] they do not allow (...) to identify the user of the site"; therefore there is no “transfer of personal data outside the Union” and it is not necessary to adopt “any encryption technique to protect” such information (see note of 15 September 2021, page 10);

IlMeteo S.r.l. "It has no autonomy with respect to the choices related to the possible transfer of data to third countries by Google. With respect to the service in question, there is no way to opt for solutions that avoid the transfer of data outside the European Union, neither in the free version used by IlMeteo s.r.l., nor in the paid business version "(see note of 15 December 202 , page 5). Furthermore, given the difficulty in finding "on the market similar services comparable to those provided by Google Analytics in its basic / free version", it is "extremely complex, for small companies [such as IlMeteo S.r.l.], to evaluate alternative options that can offer similar characteristics of economy, usefulness and compliance "(see note of 15 December 2020, page 2);

the Company has made Mr. XX, pursuant to art. 13 of the Regulation, the information referred to in the disclosure template attached to the note dated 15 September 2021 (see attachment 10); this model "was recently updated referring to the transfer of data that legitimizes it" (see note of 15 December 2020, page 8 and attachment 3).

With regard to the matters represented by the Company, further observations were also acquired from the complainant, transmitted with a note dated 21 February 2021.

On November 30, 2021, the Office notified, pursuant to art. 166, paragraph 5, of the Code, the alleged violations of the Regulation found with reference to art. 5, par. 1, lett. a), and par. 2, of the Regulations and art. 13 of the Regulations, as well as art. 44 and 46, of the Regulation.

On January 28, 2022, the Company sent its defense papers in which it represented that:

a) in relation to the elements on the basis of which IlMeteo S.r.l. carried out its own assessment of the suitability of the chosen instrument for the purposes of the transfer and the adoption of additional measures to be adopted in the case in question, the Company - in recognizing "a more than negligible risk" - took into account the "fact that [the website] can be used free of charge without any user registration. In particular, the following factual and legal circumstances were appreciated (...): a) the adoption of the new standard contractual clauses (...) and a set of additional technical, contractual and organizational measures; b) the nature of the data (anonymised); c) the purposes of the processing (analytical); d) the conservation, as a matter of practice, of the data on the servers closest to the users; (...) e) the fact that several million sites around the world use Google Analytics, as proof of the reliability of the tool; (...) f) that, from the launch of the service to date, Google has never received requests from US public authorities for access to data processed through Google Analytics (...); g) that the scope of applicability of the obligations imposed on Google LLC for access to data transferred by US public authorities is limited (see Section 702 Foreign Intelligence Surveillance Act - "FISA", which provides that the objective of 'access is limited to the collection of "foreign intelligence information") "(see note of January 28, 2022, pages 3-8);

b) with regard to the IP-Anonymization function, "the anonymization through the truncation of the last octet is effective, since it implies that 256 possible addresses can be traced to the anonymized address, (...) takes place within an infinitely short time (thousandths of second) and is generally performed on proximity servers [or servers located in the EU]; only in exceptional cases - which, according to Google's statements, have never occurred in the last 5 years - can the data be transferred [unencrypted] and anonymised outside the EU. In addition, the data processed through Google Analytics are and remain, by design and by default, distinct and separate from the data of registered users collected by Google and the intersection of data that the Guarantor assumes is possible, does not actually happen ". Based on these considerations, the Company therefore considered that the "IP-Anonymization" function allowed "to eliminate the identification capacity of the data, thus solving the problem of transferring personal data outside the European Union upstream" (see note of January 28, 2022, pages 4, 7-12);

c) as regards the additional technical measures implemented, these "must be considered adequate" given that, with particular reference to the encryption mechanisms adopted in the present case, "the inadequacy of [this] single additional measure (...) does not it is sufficient (…) to invalidate the effectiveness of the whole set of additional measures adopted, which, taken together, guarantee a negligible level of risk "(see note of 28 January 2022, pages 12-13); moreover, the Company pointed out that "the measure of encryption with the storage of the key at IlMeteo, suggested by the EDPB Recommendation 1/2020, was not at all practicable considering the type of service in question" (see note of 28 January 2022, p. . 8);

d) with regard to the level of autonomy of the Company regarding the choices relating to data transfers to third countries, IlMeteo S.r.l. reiterated that due to the position held by Google in the market, "the assessment of the adequacy of the measures remained within the scope of the service provided by Google and the functions made available by the latter for the protection of personal data" (see note of January 28, 2022, page 6);

e) regarding the unsuitability of the information provided pursuant to art. 13 of the Regulations, the same was updated by the Company according to the indications provided by the Authority in the notification of violation sent pursuant to art. 166, paragraph 5 of the Code (see note of January 28, 2022, page 16).

2. Observations on the legislation on the protection of personal data relevant in the present case and violations ascertained.

First of all, it is represented that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false acts or documents, is liable pursuant to art. 168 of the Code "Falsehood in declarations to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor".

Having duly stated, upon the outcome of the investigation and examination of the documentation acquired during the same, it was ascertained that the transfers made by IlMeteo S.r.l. towards Google LLC (based in the United States), through the Google Analytics tool (hereinafter also "GA"), have been implemented in violation of Articles 44 and 46 of the Regulation; it is also noted that violations of art. 5, par. 1, lett. a) and par. 2, of art. 13, par. 1, lett. f), and art. 24, of the Regulation, as explained below.

2.1 The transfers of personal data to the United States made through Google Analytics.

Google Analytics is a web analytics tool provided by Google to website managers that allows them to analyze detailed user statistics in order to optimize the services rendered and to monitor their marketing campaigns.

IlMeteo S.r.l. uses GA in its free version for the pursuit of purely statistical purposes, or aimed at obtaining aggregate information on user activity within its website. The same acts as data controller and designates Google responsible, pursuant to art. 28 of the Regulation, based on the "Google Analytics Terms of Service" and the "Google Ads Data Processing Terms".

More specifically, in the case in question, Google LLC held, until April 30, 2021, the role of responsible for the processing of data collected through Google Analytics following the signing of the "Google Analytics Terms of Service".

Starting from 1 May 2021, Google Ireland Limited took over as contractual counterpart of the same "Google Analytics Terms of Service" which, pursuant to the aforementioned terms of service, may use other subjects, as sub-processors , including Google LLC.

As regards the processing carried out through GA, it was found that IlMeteo S.r.l. collects, by means of cookies transmitted to users' browsers, information regarding the methods of interaction of the latter with the website, as well as with the individual pages and with the services offered. More specifically, the data collected consists of: unique online identifiers that allow both the identification of the browser or device of the user visiting the website, and of the site manager himself (through the Google account ID); address, website name and navigation data; IP address of the device used by the user; information relating to the browser, the operating system, the screen resolution, the selected language, as well as the date and time of the visit to the website.

In this regard, it is worth highlighting that the IP address constitutes personal data to the extent that it allows the identification of an electronic communication device, thus making the data subject indirectly identifiable as a user (see Group pursuant to Article 29, WP 136 - Opinion no. 4/2007 on the concept of personal data, of 20 June 2007, page 16). All this especially where, as in the present case, the IP is associated with other information relating to the browser used, the date and time of navigation (see recital 30 of the Regulation).

In addition, if the visitor to the website logs in to his Google account - a circumstance, however, which occurred in the hypothesis under examination, which can be numerically very significant - and has selected some options in this account (for example the one time to receipt of personalized advertising), the data indicated above may be associated with other information present in the relevant account, such as the email address (which constitutes the user ID of the same), the telephone number and any additional personal data including the gender , the date of birth or the user's profile picture. In addition, the Company's adhesion to the Google Signals service allows for more accurate analyzes of logged in users, examining their behavior in cross-device mode if they interact with the www.ilmeteo.it site from multiple browsers and devices.

However, it remains understood that, regardless of access to the Google account, the IP address can in any case allow ‒ above all, as already explained above, when associated with other information relating to the browser used and the date and time of navigation‒ to identify an electronic communication device and, therefore, indirectly the user.

As part of the GA service, Google has also made available to website operators the option called "IP-Anonymization" which involves sending the user's IP address to Google Analytics after obscuring the less significant octet ( based on this operation, for example, the addresses from 122.48.54.0 to 122.48.54.255 would be replaced by 122.48.54.0). In the present case, the Company stated that the aforementioned option was definitively activated at the end of November 2020, and that, at the date of submission of the complaint, some tests were in progress aimed at verifying the impact of the anonymization function of the 'IP address on GA reporting (see note of January 28, 2022, page 13; see also note of September 15, 2021, page 11).

On this point, it is worth highlighting that the "IP-Anonymization" actually consists of a pseudonymisation of the data relating to the user's network address, since, unlike what the Company maintains in this regard (see above par. 1, point b), the truncation of the last octet does not prevent Google LLC from re-identifying the same user, taking into account the overall information held by the same relating to web users. Furthermore, Google LLC has the possibility - if the interested party has accessed his / her Google profile - to associate, as already highlighted, the IP address with other additional information already in its possession (such as information contained in the user account). Therefore, despite the activation of "IP-Anonymization", it is still possible to re-identify the user.

Secondly, with regard to the circumstance represented by the Company that the truncation operation of the least significant octet is carried out, except in exceptional cases, on proximity servers, or, in the present case, located in the European Union (see above paragraph 1, point b), it is noted that the aforementioned exceptional cases have not been clarified nor the probabilities that IP treatment will be in place in the United States have been indicated. It is therefore not possible to exclude that the IP address, in its entirety, is transmitted to the systems of Google LLC, before the truncation operation, with the risk that it will be accessed by the US government authorities.

For all the aforementioned reasons, it is therefore believed that Google LLC is still able to identify a user directly (in the case of authenticated users) or through the IP address, received before the IP-Anonymization operation, or, again, through re-identification carried out on the basis of the IP address without the last octet in combination with the other information in its possession.

In light of the overall considerations made, the arguments made by IlMeteo S.r.l. in relation to the fact that no transfer of personal data takes place due to the anonymization of the IP addresses of the users of the site www.ilmeteo.it. (see above, paragraph 1, point b).

Considering therefore that, for all the reasons expressed above, the use of GA by the managers of the websites - such as IlMeteo S.r.l. - involves the transfer of the personal data of visitors to the aforementioned sites to Google LLC based in the United States; since these are transfers made to a third country that does not guarantee an adequate level of protection pursuant to data protection legislation (i.e. the United States), they must be carried out in compliance with Chapter V of the Regulation.

2.2 The unlawfulness of transfers following ruling C-311/18, of July 16, 2020, so-called Schrems II.

It is recalled that the Court of Justice of the European Union, with ruling C-311/18, of 16 July 2020 (so-called Schrems II), in declaring the decision of the EU Commission no. 2016/1250 of 12 July 2016, on the adequacy of the protection offered by the EU-US privacy shield regime (so-called Privacy Shield), found that the domestic law of the United States (in particular the Executive Order 12333 and the Article 702 of the Foreign Intelligence Surveillance Act - hereinafter "FISA 702") entails exceptions to the data protection legislation that exceed the restrictions deemed necessary in a democratic society. All this with particular reference to the provisions that allow public Authorities, within the framework of certain national security programs, to access without adequate limitations to the personal data being transferred, as well as the failure to provide for the rights of the interested parties, which can be activated on site. judicial.

The Court, with the same ruling, also reaffirmed the validity of decision no. 2010/87 / EC of the Commission of 5 February 2010 concerning the standard contractual clauses for the transfer of personal data to managers established in third countries - clauses adopted by IlMeteo S.r.l. in the present case. At the same time, he pointed out that, based on the principle of accountability, data controllers, as exporters, are in any case required to verify, on a case-by-case basis and, where necessary, in collaboration with the importer in the third country, whether the law o the practice of the latter affect the effectiveness of the adequate guarantees contained in the aforementioned clauses; this in order to determine whether the guarantees provided for by the standard contractual clauses can be respected in practice (Article 5, paragraph 2, and Article 24; see also Recommendation No. 1/2020 concerning the measures that integrate the transfer instruments in order to ensure compliance with the EU level of protection of personal data, of 18 June 2021, paragraphs 1-5).

In general terms, it is therefore necessary to evaluate, in concrete terms, ie on the basis of the circumstances of the transfer, if the instrument chosen by the exporter, among those identified by art. 46 of the Regulation, is effective in the specific case.

This examination, as noted by the European Data Protection Board - hereinafter "EDPB" (see Recommendation No. 1/2020, cit., P. 4), must "focus first of all on the legislation of the third country [and on practices applicable] relevant [i] for the transfer [as well as] on the transfer instrument [identified] pursuant to Article 46 of the RGPD "in order to verify that the aforementioned legislation and the aforementioned practices do not effectively prevent compliance, by part of the importer, of the obligations established by the instrument used. More specifically, the above assessment "involves the need to determine whether or not the transfer in question falls within the scope of the [aforementioned legislation]". It must "be based on objective factors, regardless of the likelihood of access to personal data" (see Joint Opinion 2/2021 of the EDPB and the EDPS on the European Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries, adopted January 14, 2021, par. 86).

For this purpose, the characteristics of the specific transfer carried out are relevant, such as: the purposes, the nature of the subjects involved, the sector in which the transfer takes place, the categories of personal data transferred, the circumstance that the data are stored in the third country or there remote access, the format of the data to be transferred and any subsequent transfers (see Recommendation No. 1/2020, cit., par. 33).

The assessment required of the exporter, therefore, must focus on the legislation and practices applicable, in the third country, to the data specifically transferred and involve the verification of "whether or not it is possible for the public authorities of the third country (...) to attempt to access to the data "as well as the" ability or not, for the public authorities of the third country (...) to access the data through the importer himself or through telecommunications providers or communication channels "(see Recommendation No. 1/2020, cit., para. 31).

With regard to the aforementioned possibility of access, by the US Authorities, however, it must be considered that it is confirmed in the "Transparency report on United States national security requests for user information" made available by Google on its website (available at the following link https : //transparencyreport.google.com/user-data/us-national-security? hl = en); report containing the numerical data relating to access requests received by Google, pursuant to FISA 702, at the request of the US Authorities.

Having duly said, with reference to the Company's claims with respect to these profiles in its defense briefs, it is worth highlighting that:

- with regard to the assessment of the suitability of the additional measures adopted in the present case (see above, paragraph 1, point a), the Company first of all took into consideration elements other than those contemplated by the EDPB, namely: the "identification capacity very limited "(see conversely, supra, par. 2.1) and the" scarce importance "for the intelligence activities of the information transferred due to the nature of the site www.ilmeteo.it"; the alleged "circumstance that several million sites around the world use Google Analytics"; the fact that “from the launch of the service to date, Google has never received requests from US public authorities for access to data processed through Google Analitycs” (see note of January 28, 2022, pages 3, 4 and 7). The same also based the aforementioned assessment on the probability that "the US Authorities (...) actually try to obtain data relating to the visit of (...) any user to an Italian website that provides publicly accessible weather forecasts, within the framework of the 'acquisition of' foreign intelligence information '(see note of 28 January 2022, pages 7-8). On this point, on the other hand, it is reiterated that the Court, in the aforementioned ruling, did not refer to "any subjective factor, such as, for example, the probability of access" to the personal data transferred (see Joint Opinion 2/2021 of the EDPB and of the EDPS, cit., para. 87);

- with regard to the limitations put forward by the Company with respect to the type of data that can be accessed pursuant to FISA 702 (see above, paragraph 1, point a), the IP address is also included among the information of interest for the US authorities together with other metadata; a circumstance that emerges from the "Transparency report on United States national security requests for user information" made available by Google on its website (see in particular, the description contained in the section entitled "non-content requests under FISA", which reports expressly the reference also to "non-content metadata", such as IP addresses).

2.3. Unsuitability of the additional measures adopted by the data controller.

If, following the above assessment, it is found that the legislation and practices of the third country prevent the importer from complying with the obligations under the chosen transfer instrument, as found in the present case, the exporters must take additional measures which guarantee a level of protection of personal data substantially equivalent to that provided for by the Regulation (see Recommendation No. 1/2020, cit., paragraphs 50-57, which indicates the criteria for identifying the measures to be adopted) .

In this regard, with regard to the additional measures of a technical nature, but also contractual and organizational, adopted in the hypothesis in question (see above paragraph 1, point c), it is worth noting the following.

The technical measures consist in the adoption of data encryption mechanisms, during the transfer between systems (in transit) and when they are stored in the systems (at rest).
In-transit encryption is adopted where data is transferred between different systems, services or data centers through networks or infrastructures not controlled by the Company (eg geographic networks).

At rest encryption, on the other hand, concerns user data that are stored on disk drives or backup units and is based on data encryption using standard algorithms (generally using AES256) and on encryption, at various levels, starting from encryption at the hardware level, based on the type of application and specific risks. Access to Google LLC data centers is protected by 6 levels of physical security measures.

In this regard, it should be noted that, taking into account the indications provided by the EDPB in Recommendation no. 1/2020, the aforementioned technical measures are not adequate.

With regard to the data encryption mechanisms highlighted above, in fact, they are not sufficient to avoid the risks of access, for national security purposes, to the data transferred from the European Union by the public authorities of the United States, as the encryption techniques adopted provide that the availability of the encryption key is in the hands of Google LLC which holds it, as an importer, by virtue of the need to have the data in clear text to carry out processing and provide services. It is also worth noting that the obligation to allow access by the US authorities falls on Google LLC not only with reference to the personal data imported, but also with regard to any cryptographic keys necessary to make them intelligible (see also Recommendation 1 / 2020, cit., Par. 81).
From this it follows that, as long as the encryption key remains available to the importer, the measures taken cannot be considered adequate (see Recommendation 1/2020, cit., Par. 95).

This also taking into account some contractual and organizational measures consisting specifically of the commitment to:

verify, in accordance with US law, the legitimacy of each individual request for access to user data transferred by the public authorities, assessing its proportionality; not accept the same if, following a careful assessment, it is concluded that the conditions under the relevant legislation do not exist;

promptly notify the interested party of access requests from US public authorities, unless such communication is prohibited by the relevant legislation, informing the interested party in any case if the above prohibition is lifted;

publish a "Transparency Report" containing a summary of the requests for access to data received by the US public authorities, to the extent that such publication is permitted by the relevant legislation;

publish the policy for managing requests for access to user data transferred by the US public authorities.

In this regard, given the arguments of the Company (see above, paragraph 1, point c), it is noted that, as considered by the EDPB, "the combination of different measures that complement and support each other can [at most] improve the level of protection and can therefore contribute to achieving Union standards ", but in any case the contractual and organizational measures such as those indicated above, in themselves, cannot reduce or prevent the possibility of access to the data being transferred by US authorities. "There will in fact be situations" ‒as it emerges in the hypothesis under examination‒ "in which only adequately implemented technical measures could prevent or render ineffective access to personal data by the public authorities of third countries, in particular for surveillance purposes" (see Recommendation 1/2020, cit., paragraphs 52-53).

In light of the above represented overall, therefore, the additional measures, adopted in this case, cannot be considered adequate with consequent illegality, pursuant to art. 44 and art. 46 of the Regulation, of the related transfers of personal data to the United States.

2.4 Accountability of the owner.

The owner is required to put in place "adequate technical and organizational measures to guarantee, and be able to demonstrate, that the processing is carried out in accordance with the [Regulation]" (so-called accountability principle; see art. 5, par. 2 and art.24, par.1 of the Regulation).

It is therefore up to the owner to decide autonomously the methods, guarantees and limits of the processing of personal data in compliance with the relevant legislation. The Regulation, in fact, strongly emphasizes the "empowerment" of the owner, that is, on the adoption of proactive behaviors such as to demonstrate the concrete adoption of measures aimed at ensuring the application of the personal data protection discipline (see , in particular art.24 of the Regulation).

The implementation of the accountability principle with reference to data transfers to third countries places the responsibility on the holder as an exporter to verify, case by case and, where necessary, in collaboration with the importer in the third country , if the law or the practice of the latter affect the effectiveness of the adequate guarantees contained in the transfer instruments referred to in Article 46 of the Regulation.

In such cases, the exporter is required to adopt, in application of this principle, additional measures that allow the importer to comply with the obligations under the instrument adopted pursuant to art. 46 of the Regulation; all this in order to ensure that the level of protection of individuals guaranteed by the Regulation is not jeopardized (see Article 44 of the Regulation; see in this regard, Recommendation 1/2020, cit., paragraphs 1-5).

For all the reasons set out above, without prejudice to the found unsuitability of the additional measures adopted in the present case, the claims of IlMeteo S.r.l. in relation to the lack of autonomy of the same with respect to the decisions to be taken regarding the transfer of data to third countries (see above, paragraph 1, point d); this considering that the Company, by reason of the role covered under the personal data protection regulations, is required, as already clarified, to implement, also in the context of cross-border transfers, adequate and effective measures to protect the rights and freedom of interested parties and to be able to demonstrate their compliance with the Regulations.

In light of the above considerations, in carrying out the described conduct, IlMeteo S.r.l. has therefore violated Articles 5, par. 2, and 24, of the Regulation.

2.5. Unsuitability of the information provided pursuant to art. 13 of the Regulation.

With reference to the information that must be provided to the interested party, pursuant to art. 13 of the Regulation, it should be noted that, in the information provided to the complainant on the website www.ilmeteo.it, at the time of the collection of data concerning him (see note of 15 September 2021, annex 10) it was not fully compliant with provisions contained in art. 13, par. 1, lett. f) of the Regulations.

Indeed, in consideration of the fact that personal data must be "processed in a lawful, correct and transparent manner towards the data subject" (Article 5, paragraph 1, letter a), of the Regulation), the data controller, if a transfer of personal data is in place, it has the obligation, in compliance with the principle of transparency, to inform the interested parties also with regard to "the intention to transfer personal data to a third country" as well as "the existence or the absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49 (1), the reference to appropriate or appropriate safeguards and the means to obtain a copy of such guarantees or the place where they were made available "(Article 13, paragraph 1, of the Regulations).

In this regard, in any case taking note of the update in the aforementioned terms of the information to be made to users on the website www.ilmeteo.it (see "Privacy and cookies policy for visitors" available at https: // www. ilmeteo.it/portale/privacy/?refresh_ce; see supra paragraph 1, point e), it is noted that the model provided by IlMeteo S.r.l. to the complainant in this case, did not clearly define all the elements referred to in art. 13, par. 1, lett. f) of the Regulations concerning the transfer.

It follows, therefore, with reference to this model, the violation of art. 5, par. 1, lett. a) and art. 13, par. 1, lett. f), of the Regulation.

3. Conclusions: declaration of illegality of the treatment. Corrective measures pursuant to art. 58, par. 2 of the Regulations.

For the aforementioned reasons, the Authority believes that the statements, documentation and reconstructions provided by the data controller during the investigation do not allow to overcome the findings notified by the Office with the act of initiating the procedure and that they are therefore unsuitable to order the dismissal of this proceeding, since none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019.

The processing of personal data carried out by the Company is therefore illegal, in the overall terms indicated above, in relation to art. 5, par. 1, lett. a) and par. 2, in art. 13, par. 1, lett. f), in art. 24, and art. 44 and 46, of the Regulation.

Violation of the aforementioned provisions entails the application of the administrative sanctions provided for by art. 83, par. 5, letters a), b) and c), of the Regulation.

In this regard, with reference to the elements to be taken into consideration in order to assess whether to inflict a pecuniary administrative sanction (Article 83, paragraph 2, of the Regulation), it is noted first of all that, in relation to the nature and gravity of the violation, the disputed processing operations did not have as their object particular categories of personal data.

With regard to the subjective element of the offender, it should be considered that IlMeteo S.r.l. - given the asymmetry of bargaining power deriving from the primary market position assumed by Google in the sector of web analytics services - has erroneously assumed as suitable, on the basis of the information provided by Google, the additional measures adopted by the latter without exercising any decision-making power on the same.

With regard to the measures adopted by the Company to mitigate the damage suffered by the data subjects, it is also noted the initiatives undertaken by the data controller, concerning the updating of the text of the information on the Company's website and adherence to the option of " IP-Anonymization "made available by Google; the latter measure implemented following the notification of violation pursuant to art. 166, paragraph 5 of the Code (see note of January 28, 2022, pages 13-16).

Furthermore, for the purposes of the Authority's assessments, the absence of previous violations and the loyal cooperation with the Guarantor during the proceedings are also noted.

The nature and gravity of the violation, the negligent nature of the same, as well as the additional elements mentioned above therefore lead to qualify the case in question as a "minor violation" (see Article 83, paragraph 2, and cons. 148 of the Regulation ).

It is therefore believed that, in relation to the present case, it is necessary to warn the data controller, pursuant to art. 143 of the Code and 58, par. 2, lett. b) of the Regulations, for having carried out a treatment in violation of art. 5, par. 1, lett. a) and par. 2, of art. 13, par. 1, lett. f), of art. 24, and of the articles. 44 and 46, of the Regulation.

Finally, it is noted that the conditions set out in art. 17 of the Guarantor Regulation n. 1/2019, concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

WHEREAS, THE GUARANTOR:

a) pursuant to art. 57, par. 1, lett. f) of the Regulations, declares the unlawfulness of the processing of personal data of users of the site www.ilmeteo.it put in place, through Google Analytics, by IlMeteo S.r.l. based in Padua, P.I. 05184350287, regarding the violation of articles 5, par. 1, lett. a) and par. 2, of art. 13, par. 1, lett. f), of art. 24, and of the articles. 44 and 46, of the Regulation;

b) pursuant to art. 58, par. 2, lett. d), of the Regulation, orders IlMeteo S.r.l. to comply with Chapter V of the Regulations within the term of ninety days from the notification of this provision, the processing of personal data of users of the site www.ilmeteo.it carried out through Google Analytics, adopting adequate additional measures;

c) pursuant to art. 58, par. 2, lett. j), of the Regulation, orders the suspension of the flows, to Google LLC based in the United States, of the personal data identified above, where IlMeteo S.r.l. fails to comply with the provisions of point b) of this device within the deadline set forth therein;

d) pursuant to recital 148 and art. 58, par. 2, lett. b), of the Regulation warns IlMeteo S.r.l. for having carried out a processing of personal data in violation of art. 5, par. 1, lett. a) and par. 2, of art. 13, par. 1, lett. f), of art. 24, and of the articles. 44 and 46, of the Regulation;

e) believes that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to 157 of the Code, it requests IlMeteo S.r.l. to communicate which initiatives have been undertaken in order to implement the provisions of this provision and in any case to provide adequately documented feedback, within ninety days from the date of notification of this decision; any non-response may result in the application of the pecuniary administrative sanction provided for by art. 83, par. 5, lett. e) of the Regulations.

Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of the legislative decree of 1 September 2011, n. 150, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, July 7, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE SECRETARY GENERAL
Mattei

[doc. web n. 9806053]

Provision of 7 July 2022

Record of measures
n. 243 of 7 July 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members and the cons. Fabio Mattei, general secretary;

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016 (hereinafter, the "Regulation");

GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, n.196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");

GIVEN the complaint of 18 August 2020 submitted pursuant to art. 77 of the Regulations by Mr. XX towards IlMeteo S.r.l .;

EXAMINED the documentation in deeds;

HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;

Rapporteur Dr. Agostino Ghiglia;

WHEREAS

1. The complaint against the Company and the preliminary investigation.

With a complaint presented on 18 August 2020, Mr. XX complained that IlMeteo S.r.l. (hereinafter also "the Company"), would have transferred to Google LLC, based in the United States, the personal data concerning him processed through the website www.ilmeteo.it; this in the absence of the guarantees provided for by Chapter V of the Regulation.

As part of the investigation initiated by the Guarantor, the Office, with notes dated November 16, 2020 and July 20, 2021, asked the Company to provide information and clarifications on the facts of the complaint.

With the communications of 15 December 2020 and 15 September 2021, in responding to the requests of the Office, IlMeteo S.r.l. stated the following:

the processing of personal data of users of the website www.ilmeteo.it, object of dispute by the complainant, is carried out by the Company through the Google Analytics tool "in its basic / free version" (see note of 15 December 2020, page 2) which, by means of cookies transmitted to the user's browser, "collects information on how the users of the site interact with the individual pages and with the services offered" (see note of 15 December 2020, page . 3);

the data being processed consists of the identifier of the cookie downloaded to the user's browser, the IP address and the type of device used (see note of 15 December 2020, page 3);

the Company has also activated the Google Signals tool, which “is based on the intersection of the data of users logged in to Google who have activated the“ Ads Personalization ”system with the data collected from navigation. This process allows Google Analytics to collect and cross traffic data in addition to those collected through a standard implementation and to provide additional features by providing, for example, holistic information on the cross-device behavior of users, enriching their demographic and interest characteristics. when they interact with the ilMeteo.it site from multiple browsers and devices "(see note of 15 September 2021, page 4);

in relation to the processing carried out through Google Analytics, on May 26, 2018, the Company pursuant to art. 7 of the "Google Analytics Terms of Service", has signed a contract with Google LLC pursuant to art. 28 of the Regulation called "Google Ads Data Processing Terms", "according to which ilMeteo s.r.l. is the data controller and Google LLC is responsible "for the same (see note of 15 December 2020, page 5 and attachment 5). As of April 30, 2021, following the entry into force of the "new Google Analytics Terms of Service" for all customers in the EMEA area, "the contractual relationships [above] are no longer in place between the and Google LLC, but between ilMeteo and Google Ireland Limited "(see note of September 15, 2021, page 1 and attachment 2), therefore appointed as data processor pursuant to art. 28 of the Regulation;

the transfer of data is governed by art. 10 of the "Google Ads Data Processing Terms" pursuant to which IlMeteo S.r.l. agrees that Google Ireland Limited, as data processor “may use Google's affiliates as sub-processors; [as well as] store or process personal data in other countries where Google or its sub-processors have offices. For the transfer of data to countries for which an adequacy decision has not been taken, the Weather, pursuant to these Processing Terms, operates as an exporter and enters into the Standard Contractual Clauses (...) with Google LLC (as an importer). According to these clauses, Google LLC acts as Data Processor "(see note of 15 December 2020, page 5 and note of 15 September 2021, page 2);

the transfers referred to above are "subject to the Standard Clauses" (referred to in attachment 5 of the note of 15 December 2020), which correspond to the standard scheme, adopted on 5 February 2010, by the European Commission with decision no. 2010/87 / EU (see note of 15 December 2020, pages 5 and 7 and note of 15 September 2021, page 2); these clauses were integrated "by the additional measures adopted by Google and described in the pages of the latter's site", measures which the Company took note of following the communication made by Google, as reported in Annex 2 of the note dated 15 December 2020 (see note of 15 December 2020, page 7 and note of 15 September 2021, page 10);

the Company, as a further supplementary measure with respect to those prepared by Google, "has proceeded to obscure the last digits of the IP address, in order to exclude the possibility of user identification (so-called IP-Anonymization)", following the procedure provided available from Google for this purpose. This function was definitively activated at the end of November 2020 (see note of 15 September 2021, pages 1, 9 and 11 and annex 9). In this regard, the Company specified that "with the anonymization of IP addresses, the data made available to Google (...) are not personal data [as] they do not allow (...) to identify the user of the site"; therefore there is no “transfer of personal data outside the Union” and it is not necessary to adopt “any encryption technique to protect” such information (see note of 15 September 2021, page 10);

IlMeteo S.r.l. "It has no autonomy with respect to the choices related to the possible transfer of data to third countries by Google. With respect to the service in question, there is no way to opt for solutions that avoid the transfer of data outside the European Union, neither in the free version used by IlMeteo s.r.l., nor in the paid business version "(see note of 15 December 202 , page 5). Furthermore, given the difficulty in finding "on the market similar services comparable to those provided by Google Analytics in its basic / free version", it is "extremely complex, for small companies [such as IlMeteo S.r.l.], to evaluate alternative options that can offer similar characteristics of economy, usefulness and compliance "(see note of 15 December 2020, page 2);

the Company has made Mr. XX, pursuant to art. 13 of the Regulation, the information referred to in the disclosure template attached to the note dated 15 September 2021 (see attachment 10); this model "was recently updated referring to the transfer of data that legitimizes it" (see note of 15 December 2020, page 8 and attachment 3).

With regard to the matters represented by the Company, further observations were also acquired from the complainant, transmitted with a note dated 21 February 2021.

On November 30, 2021, the Office notified, pursuant to art. 166, paragraph 5, of the Code, the alleged violations of the Regulation found with reference to art. 5, par. 1, lett. a), and par. 2, of the Regulations and art. 13 of the Regulation, as well as art. 44 and 46, of the Regulation.

On January 28, 2022, the Company sent its defense papers in which it represented that:

a) in relation to the elements on the basis of which IlMeteo S.r.l. carried out its own assessment of the suitability of the chosen instrument for the purposes of the transfer and the adoption of additional measures to be adopted in the case in question, the Company - in recognizing "a more than negligible risk" - took into account the "fact that [the website] can be used free of charge without any user registration. In particular, the following factual and legal circumstances were appreciated (...): a) the adoption of the new standard contractual clauses (...) and a set of additional technical, contractual and organizational measures; b) the nature of the data (anonymised); c) the purposes of the processing (analytical); d) the conservation, as a matter of practice, of the data on the servers closest to the users; (...) e) the fact that several million sites around the world use Google Analytics, as proof of the reliability of the tool; (...) f) that, from the launch of the service to date, Google has never received requests from US public authorities for access to data processed through Google Analytics (...); g) that the scope of applicability of the obligations imposed on Google LLC for access to data transferred by US public authorities is limited (see Section 702 Foreign Intelligence Surveillance Act - "FISA", which provides that the objective of 'access is limited to the collection of "foreign intelligence information") "(see note of January 28, 2022, pages 3-8);

b) with regard to the IP-Anonymization function, "the anonymization through the truncation of the last octet is effective, since it implies that 256 possible addresses can be traced to the anonymized address, (...) takes place within an infinitely short time (thousandths of second) and is generally performed on proximity servers [or servers located in the EU]; only in exceptional cases - which, according to Google's statements, have never occurred in the last 5 years - can the data be transferred [unencrypted] and anonymised outside the EU. In addition, the data processed through Google Analytics are and remain, by design and by default, distinct and separate from the data of registered users collected by Google and the intersection of data that the Guarantor assumes is possible, does not actually happen ". Based on these considerations, the Company therefore considered that the "IP-Anonymization" function allowed "to eliminate the identification capacity of the data, thus solving the problem of transferring personal data outside the European Union upstream" (see note of January 28, 2022, pages 4, 7-12);

c) as regards the additional technical measures implemented, these "must be considered adequate" given that, with particular reference to the encryption mechanisms adopted in the present case, "the inadequacy of [this] single additional measure (...) does not it is sufficient (…) to invalidate the effectiveness of the whole set of additional measures adopted, which, taken together, guarantee a negligible level of risk "(see note of 28 January 2022, pages 12-13); moreover, the Company pointed out that "the measure of encryption with the storage of the key at IlMeteo, suggested by the EDPB Recommendation 1/2020, was not at all practicable considering the type of service in question" (see note of 28 January 2022, p. . 8);

d) with regard to the level of autonomy of the Company regarding the choices relating to data transfers to third countries, IlMeteo S.r.l. reiterated that due to the position held by Google in the market, "the assessment of the adequacy of the measures remained within the scope of the service provided by Google and the functions made available by the latter for the protection of personal data" (see note of January 28, 2022, page 6);

e) regarding the unsuitability of the information provided pursuant to art. 13 of the Regulations, the same was updated by the Company according to the indications provided by the Authority in the notification of violation sent pursuant to art. 166, paragraph 5 of the Code (see note of January 28, 2022, page 16).

2. Observations on the legislation on the protection of personal data relevant in the present case and violations ascertained.

First of all, it is represented that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false acts or documents, is liable pursuant to art. 168 of the Code "Falsehood in declarations to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor".

Having duly stated, upon the outcome of the investigation and examination of the documentation acquired during the same, it was ascertained that the transfers made by IlMeteo S.r.l. towards Google LLC (based in the United States), through the Google Analytics tool (hereinafter also "GA"), have been implemented in violation of Articles 44 and 46 of the Regulation; it is also noted that violations of art. 5, par. 1, lett. a) and par. 2, of art. 13, par. 1, lett. f), and art. 24, of the Regulation, as explained below.

2.1 The transfers of personal data to the United States made through Google Analytics.

Google Analytics is a web analytics tool provided by Google to website managers that allows them to analyze detailed user statistics in order to optimize the services rendered and to monitor their marketing campaigns.

IlMeteo S.r.l. uses GA in its free version for the pursuit of purely statistical purposes, or aimed at obtaining aggregate information on user activity within its website. The same acts as data controller and designates Google responsible, pursuant to art. 28 of the Regulation, based on the "Google Analytics Terms of Service" and the "Google Ads Data Processing Terms".

More specifically, in the case in question, Google LLC held, until April 30, 2021, the role of responsible for the processing of data collected through Google Analytics following the signing of the "Google Analytics Terms of Service".

Starting from 1 May 2021, Google Ireland Limited took over as contractual counterpart of the same "Google Analytics Terms of Service" which, pursuant to the aforementioned terms of service, may use other subjects, as sub-processors , including Google LLC.

As regards the processing carried out through GA, it was found that IlMeteo S.r.l. collects, by means of cookies transmitted to users' browsers, information regarding the methods of interaction of the latter with the website, as well as with the individual pages and with the services offered. More specifically, the data collected consists of: unique online identifiers that allow both the identification of the browser or device of the user visiting the website, and of the site manager himself (through the Google account ID); address, website name and navigation data; IP address of the device used by the user; information relating to the browser, the operating system, the screen resolution, the selected language, as well as the date and time of the visit to the website.

In this regard, it is worth highlighting that the IP address constitutes personal data to the extent that it allows the identification of an electronic communication device, thus making the data subject indirectly identifiable as a user (see Group pursuant to Article 29, WP 136 - Opinion no. 4/2007 on the concept of personal data, of 20 June 2007, page 16). All this especially where, as in the present case, the IP is associated with other information relating to the browser used, the date and time of navigation (see recital 30 of the Regulation).

In addition, if the visitor to the website logs in to his Google account - a circumstance, however, which occurred in the hypothesis under examination, which can be numerically very significant - and has selected some options in this account (for example the one time to receipt of personalized advertising), the data indicated above may be associated with other information present in the relevant account, such as the email address (which constitutes the user ID of the same), the telephone number and any additional personal data including the gender , the date of birth or the user's profile picture. In addition, the Company's adhesion to the Google Signals service allows for more accurate analyzes of logged in users, examining their behavior in cross-device mode if they interact with the www.ilmeteo.it site from multiple browsers and devices.

However, it remains understood that, regardless of access to the Google account, the IP address can in any case allow ‒ above all, as already explained above, when associated with other information relating to the browser used and the date and time of navigation‒ to identify an electronic communication device and, therefore, indirectly the user.

As part of the GA service, Google has also made the option called "IP-Anonymization" available to website operators, which involves sending the user's IP address to Google Analytics after obscuring the less significant octet ( based on this operation, for example, the addresses from 122.48.54.0 to 122.48.54.255 would be replaced by 122.48.54.0). In the present case, the Company stated that the aforementioned option was definitively activated at the end of November 2020, and that, at the date of submission of the complaint, some tests were in progress aimed at verifying the impact of the anonymization function of the 'IP address on GA reporting (see note of January 28, 2022, page 13; see also note of September 15, 2021, page 11).

On this point, it is worth highlighting that the "IP-Anonymization" actually consists of a pseudonymisation of the data relating to the user's network address, since, unlike what the Company claims in this regard (see above par. 1, point b), the truncation of the last octet does not prevent Google LLC from re-identifying the user, taking into account the information held by the same regarding web users. Furthermore, Google LLC has the possibility - if the interested party has accessed his / her Google profile - to associate, as already highlighted, the IP address with other additional information already in its possession (such as information contained in the user account). Therefore, despite the activation of "IP-Anonymization", it is still possible to re-identify the user.

Secondly, with regard to the circumstance represented by the Company that the truncation operation of the least significant octet is carried out, except in exceptional cases, on proximity servers, or, in the present case, located in the European Union (see above paragraph 1, point b), it is noted that the aforementioned exceptional cases have not been clarified, nor have the probabilities that the IP treatment will be in place in the United States been indicated. It is therefore not possible to exclude that the IP address, in its entirety, is transmitted to the systems of Google LLC, before the truncation operation, with the risk that it will be accessed by the US government authorities.

For all the aforementioned reasons, it is therefore believed that Google LLC is still able to identify a user directly (in the case of authenticated users) or through the IP address, received before the IP-Anonymization operation, or, again, through re-identification carried out on the basis of the IP address without the last octet in combination with the other information in its possession.

In light of the overall considerations made, the arguments made by IlMeteo S.r.l. in relation to the fact that no transfer of personal data takes place due to the anonymization of the IP addresses of the users of the site www.ilmeteo.it. (see above, paragraph 1, point b).

Considering therefore that, for all the reasons expressed above, the use of GA by the managers of the websites - such as IlMeteo S.r.l. - involves the transfer of the personal data of visitors to the aforementioned sites to Google LLC based in the United States; since these are transfers made to a third country that does not guarantee an adequate level of protection pursuant to data protection legislation (i.e. the United States), they must be carried out in compliance with Chapter V of the Regulation.

2.2 The unlawfulness of transfers following ruling C-311/18, of July 16, 2020, so-called Schrems II.

It is recalled that the Court of Justice of the European Union, with ruling C-311/18, of 16 July 2020 (so-called Schrems II), in declaring the decision of the EU Commission no. 2016/1250 of 12 July 2016, on the adequacy of the protection offered by the EU-US privacy shield regime (so-called Privacy Shield), found that the domestic law of the United States (in particular the Executive Order 12333 and the Article 702 of the Foreign Intelligence Surveillance Act - hereinafter "FISA 702") entails exceptions to the data protection legislation that exceed the restrictions deemed necessary in a democratic society. All this with particular reference to the provisions that allow public Authorities, within the framework of certain national security programs, to access without adequate limitations to the personal data being transferred, as well as the failure to provide for the rights of the interested parties, which can be activated on site. judicial.

The Court, with the same ruling, also reaffirmed the validity of decision no. 2010/87 / EC of the Commission of 5 February 2010 concerning the standard contractual clauses for the transfer of personal data to managers established in third countries - clauses adopted by IlMeteo S.r.l. in the present case. At the same time, he pointed out that, based on the principle of accountability, data controllers, as exporters, are in any case required to verify, on a case-by-case basis and, where necessary, in collaboration with the importer in the third country, whether the law o the practice of the latter affect the effectiveness of the adequate guarantees contained in the aforementioned clauses; this in order to determine whether the guarantees provided for by the standard contractual clauses can be respected in practice (Article 5, paragraph 2, and Article 24; see also Recommendation No. 1/2020 concerning the measures that integrate the transfer instruments in order to ensure compliance with the EU level of protection of personal data, of 18 June 2021, paragraphs 1-5).

In general terms, it is therefore necessary to evaluate, in concrete terms, ie on the basis of the circumstances of the transfer, if the instrument chosen by the exporter, among those identified by art. 46 of the Regulation, is effective in the specific case.

This examination, as noted by the European Data Protection Board - hereinafter "EDPB" (see Recommendation No. 1/2020, cit., P. 4), must "focus first of all on the legislation of the third country [and on practices applicable] relevant [i] for the transfer [as well as] on the transfer instrument [identified] pursuant to Article 46 of the RGPD "in order to verify that the aforementioned legislation and the aforementioned practices do not effectively prevent compliance, by part of the importer, of the obligations established by the instrument used. More specifically, the above assessment "involves the need to determine whether or not the transfer in question falls within the scope of the [aforementioned legislation]". It must "be based on objective factors, regardless of the likelihood of access to personal data" (see Joint Opinion 2/2021 of the EDPB and the EDPS on the European Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries, adopted January 14, 2021, par. 86).

For this purpose, the characteristics of the specific transfer carried out are relevant, such as: the purposes, the nature of the subjects involved, the sector in which the transfer takes place, the categories of personal data transferred, the circumstance that the data are stored in the third country or there remote access, the format of the data to be transferred and any subsequent transfers (see Recommendation No. 1/2020, cit., par. 33).

The assessment required of the exporter, therefore, must focus on the legislation and practices applicable, in the third country, to the data specifically transferred and involve the verification of "whether or not it is possible for the public authorities of the third country (...) to attempt to access to the data "as well as the" ability or not, for the public authorities of the third country (...) to access the data through the importer himself or through telecommunications providers or communication channels "(see Recommendation No. 1/2020, cit., para. 31).

With regard to the aforementioned possibility of access, by the US Authorities, however, it must be considered that it is confirmed in the "Transparency report on United States national security requests for user information" made available by Google on its website (available at the following link https : //transparencyreport.google.com/user-data/us-national-security? hl = en); report containing the numerical data relating to access requests received by Google, pursuant to FISA 702, at the request of the US Authorities.

Having duly said, with reference to the Company's claims with respect to these profiles in its defense briefs, it is worth highlighting that:

- with regard to the assessment of the suitability of the additional measures adopted in the present case (see above, paragraph 1, point a), the Company first of all took into consideration elements other than those contemplated by the EDPB, namely: the "identification capacity very limited "(see conversely, supra, par. 2.1) and the" scarce importance "for the intelligence activities of the information transferred due to the nature of the site www.ilmeteo.it"; the alleged "circumstance that several million sites around the world use Google Analytics"; the fact that “from the launch of the service to date, Google has never received requests from US public authorities for access to data processed through Google Analitycs” (see note of January 28, 2022, pages 3, 4 and 7). The same also based the aforementioned assessment on the probability that "the US Authorities (...) actually try to obtain data relating to the visit of (...) any user to an Italian website that provides publicly accessible weather forecasts, within the framework of the 'acquisition of' foreign intelligence information '(see note of 28 January 2022, pages 7-8). On this point, on the other hand, it is reiterated that the Court, in the aforementioned ruling, did not refer to "any subjective factor, such as, for example, the probability of access" to the personal data transferred (see Joint Opinion 2/2021 of the EDPB and of the EDPS, cit., para. 87);

- with regard to the limitations put forward by the Company with respect to the type of data that can be accessed pursuant to FISA 702 (see above, paragraph 1, point a), the IP address is also included among the information of interest for the US authorities together with other metadata; a circumstance that emerges from the "Transparency report on United States national security requests for user information" made available by Google on its website (see in particular, the description contained in the section entitled "non-content requests under FISA", which reports expressly the reference also to "non-content metadata", such as IP addresses).

2.3. Unsuitability of the additional measures adopted by the data controller.

If, following the above assessment, it is found that the legislation and practices of the third country prevent the importer from complying with the obligations under the chosen transfer instrument, as found in the present case, the exporters must take additional measures which guarantee a level of protection of personal data substantially equivalent to that provided for by the Regulation (see Recommendation No. 1/2020, cit., paragraphs 50-57, which indicates the criteria for identifying the measures to be adopted) .

In this regard, with regard to the additional measures of a technical nature, but also contractual and organizational, adopted in the hypothesis in question (see above paragraph 1, point c), it is worth noting the following.

The technical measures consist in the adoption of data encryption mechanisms, during the transfer between systems (in transit) and when they are stored in the systems (at rest).
In-transit encryption is adopted where data is transferred between different systems, services or data centers through networks or infrastructures not controlled by the Company (eg geographic networks).

At rest encryption, on the other hand, concerns user data that are stored on disk drives or backup units and is based on data encryption using standard algorithms (generally via AES256) and on encryption, at various levels, starting from encryption at the hardware level, based on the type of application and specific risks. Access to Google LLC data centers is protected by 6 levels of physical security measures.

In this regard, it should be noted that, taking into account the indications provided by the EDPB in Recommendation no. 1/2020, the aforementioned technical measures are not adequate.

With regard to the data encryption mechanisms highlighted above, they are not sufficient to avoid the risks of access, for national security purposes, to the data transferred from the European Union by the public authorities of the United States, as the encryption techniques adopted provide that the availability of the encryption key is in the hands of Google LLC which holds it, as an importer, by virtue of the need to have the data in clear text to carry out processing and provide services. It is also worth noting that the obligation to allow access by the US authorities falls on Google LLC not only with reference to the personal data imported, but also with regard to any cryptographic keys necessary to make them intelligible (see also Recommendation 1 / 2020, cit., Par. 81).
From this it follows that, as long as the encryption key remains available to the importer, the measures taken cannot be considered adequate (see Recommendation 1/2020, cit., Par. 95).

This also taking into account some contractual and organizational measures consisting specifically of the commitment to:

verify, in accordance with US law, the legitimacy of each individual request for access to user data transferred by the public authorities, assessing its proportionality; not accept the same if, following a careful assessment, it is concluded that the conditions under the relevant legislation do not exist;

promptly notify the interested party of access requests from US public authorities, unless such communication is prohibited by the relevant legislation, informing the interested party in any case if the above prohibition is lifted;

publish a "Transparency Report" containing a summary of the requests for access to data received by the US public authorities, to the extent that such publication is permitted by the relevant legislation;

publish the policy for managing requests for access to user data transferred by the US public authorities.

In this regard, given the arguments of the Company (see above, paragraph 1, point c), it is noted that, as considered by the EDPB, "the combination of different measures that complement and support each other can [at most] improve the level of protection and can therefore contribute to achieving Union standards ", but in any case the contractual and organizational measures such as those indicated above, in themselves, cannot reduce or prevent the possibility of access to the data being transferred by US authorities. "There will in fact be situations" ‒as it emerges in the hypothesis under examination‒ "in which only adequately implemented technical measures could prevent or render ineffective access to personal data by the public authorities of third countries, in particular for surveillance purposes" (see Recommendation 1/2020, cit., paragraphs 52-53).

In light of the above represented overall, therefore, the additional measures, adopted in this case, cannot be considered adequate with consequent illegality, pursuant to art. 44 and art. 46 of the Regulation, of the related transfers of personal data to the United States.

2.4 Accountability of the owner.

The owner is required to put in place "adequate technical and organizational measures to guarantee, and be able to demonstrate, that the processing is carried out in accordance with the [Regulation]" (so-called accountability principle; see art. 5, par. 2 and art.24, par.1 of the Regulation).

It is therefore up to the owner to decide autonomously the methods, guarantees and limits of the processing of personal data in compliance with the relevant legislation. The Regulation, in fact, strongly emphasizes the "empowerment" of the owner, that is, on the adoption of proactive behaviors such as to demonstrate the concrete adoption of measures aimed at ensuring the application of the personal data protection discipline (see , in particular art.24 of the Regulation).

The implementation of the accountability principle with reference to data transfers to third countries places the responsibility on the holder as an exporter to verify, case by case and, where necessary, in collaboration with the importer in the third country , if the law or the practice of the latter affect the effectiveness of the adequate guarantees contained in the transfer instruments referred to in Article 46 of the Regulation.

In such cases, the exporter is required to adopt, in application of this principle, additional measures that allow the importer to comply with the obligations under the instrument adopted pursuant to art. 46 of the Regulation; all this in order to ensure that the level of protection of individuals guaranteed by the Regulation is not jeopardized (see Article 44 of the Regulation; see in this regard, Recommendation 1/2020, cit., paragraphs 1-5).

For all the reasons set out above, without prejudice to the found unsuitability of the additional measures adopted in the present case, the claims of IlMeteo S.r.l. in relation to the lack of autonomy of the same with respect to the decisions to be taken regarding the transfer of data to third countries (see above, paragraph 1, point d); this considering that the Company, by reason of the role covered under the personal data protection regulations, is required, as already clarified, to implement, also in the context of cross-border transfers, adequate and effective measures to protect the rights and freedom of interested parties and to be able to demonstrate their compliance with the Regulations.

In light of the above considerations, in carrying out the described conduct, IlMeteo S.r.l. has therefore violated Articles 5, par. 2, and 24, of the Regulation.

2.5. Unsuitability of the information provided pursuant to art. 13 of the Regulation.

With reference to the information that must be provided to the interested party, pursuant to art. 13 of the Regulation, it should be noted that, in the information provided to the complainant on the website www.ilmeteo.it, at the time of the collection of data concerning him (see note of 15 September 2021, annex 10) it was not fully compliant with provisions contained in art. 13, par. 1, lett. f) of the Regulations.

Indeed, in consideration of the fact that personal data must be "processed in a lawful, correct and transparent manner towards the data subject" (Article 5, paragraph 1, letter a), of the Regulation), the data controller, if a transfer of personal data is in place, it has the obligation, in compliance with the principle of transparency, to inform the interested parties also with regard to "the intention to transfer personal data to a third country" as well as "the existence or the absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49 (1), the reference to appropriate or appropriate safeguards and the means to obtain a copy of such guarantees or the place where they were made available "(Article 13, paragraph 1, of the Regulations).

In this regard, in any case taking note of the update in the aforementioned terms of the information to be made to users on the website www.ilmeteo.it (see "Privacy and cookies policy for visitors" available at https: // www. ilmeteo.it/portale/privacy/?refresh_ce; see supra paragraph 1, point e), it is noted that the model provided by IlMeteo S.r.l. to the complainant in this case, did not clearly define all the elements referred to in art. 13, par. 1, lett. f) of the Regulations concerning the transfer.

It follows, therefore, with reference to this model, the violation of art. 5, par. 1, lett. a) and art. 13, par. 1, lett. f), of the Regulation.

3. Conclusions: declaration of illegality of the treatment. Corrective measures pursuant to art. 58, par. 2 of the Regulations.

For the aforementioned reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not allow to overcome the findings notified by the Office with the act of initiating the procedure and that they are therefore unsuitable to order the dismissal of this proceeding, since none of the cases provided for by art. 11 of the Guarantor Regulation n. 1/2019.

The processing of personal data carried out by the Company is therefore illegal, in the overall terms indicated above, in relation to art. 5, par. 1, lett. a) and par. 2, in art. 13, par. 1, lett. f), in art. 24, and art. 44 and 46, of the Regulation.

Violation of the aforementioned provisions entails the application of the administrative sanctions provided for by art. 83, par. 5, letters a), b) and c), of the Regulation.

In this regard, with reference to the elements to be taken into consideration in order to assess whether to inflict a pecuniary administrative sanction (Article 83, paragraph 2, of the Regulation), it is noted first of all that, in relation to the nature and gravity of the violation, the disputed processing operations did not have as their object particular categories of personal data.

With regard to the subjective element of the offender, it should be considered that IlMeteo S.r.l. - given the asymmetry of bargaining power deriving from the primary market position assumed by Google in the sector of web analytics services - has erroneously assumed as suitable, on the basis of the information provided by Google, the additional measures adopted by the latter without exercising any decision-making power on the same.

With regard to the measures adopted by the Company to mitigate the damage suffered by the data subjects, it is also noted the initiatives undertaken by the data controller, concerning the updating of the text of the information on the Company's website and adherence to the option of " IP-Anonymization "made available by Google; the latter measure implemented following the notification of violation pursuant to art. 166, paragraph 5 of the Code (see note of January 28, 2022, pages 13-16).

Furthermore, for the purposes of the Authority's assessments, the absence of previous violations and the loyal cooperation with the Guarantor during the proceedings are also noted.

The nature and gravity of the violation, the negligent nature of the same, as well as the additional elements mentioned above therefore lead to qualify the case in question as a "minor violation" (see Article 83, paragraph 2, and cons. 148 of the Regulation ).

It is therefore believed that, in relation to the present case, it is necessary to warn the data controller, pursuant to art. 143 of the Code and 58, par. 2, lett. b) of the Regulations, for having carried out a treatment in violation of art. 5, par. 1, lett. a) and par. 2, of art. 13, par. 1, lett. f), of art. 24, and of the articles. 44 and 46, of the Regulation.

Finally, it is noted that the conditions set out in art. 17 of the Guarantor Regulation n. 1/2019, concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

WHEREAS, THE GUARANTOR:

a) pursuant to art. 57, par. 1, lett. f) of the Regulations, declares the unlawfulness of the processing of personal data of users of the site www.ilmeteo.it put in place, through Google Analytics, by IlMeteo S.r.l. based in Padua, P.I. 05184350287, regarding the violation of articles 5, par. 1, lett. a) and par. 2, of art. 13, par. 1, lett. f), of art. 24, and of the articles. 44 and 46, of the Regulation;

b) pursuant to art. 58, par. 2, lett. d), of the Regulation, orders IlMeteo S.r.l. to comply with Chapter V of the Regulations within the term of ninety days from the notification of this provision, the processing of personal data of users of the site www.ilmeteo.it carried out through Google Analytics, adopting adequate additional measures;

c) pursuant to art. 58, par. 2, lett. j), of the Regulation, orders the suspension of the flows, to Google LLC based in the United States, of the personal data identified above, where IlMeteo S.r.l. fails to comply with the provisions of point b) of this device within the deadline set forth therein;

d) pursuant to recital 148 and art. 58, par. 2, lett. b), of the Regulation warns IlMeteo S.r.l. for having carried out a processing of personal data in violation of art. 5, par. 1, lett. a) and par. 2, of art. 13, par. 1, lett. f), of art. 24, and of the articles. 44 and 46, of the Regulation;

e) believes that the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to 157 of the Code, it requests IlMeteo S.r.l. to communicate which initiatives have been undertaken in order to implement the provisions of this provision and in any case to provide adequately documented feedback, within ninety days from the date of notification of this decision; any non-response may result in the application of the pecuniary administrative sanction provided for by art. 83, par. 5, lett. e) of the Regulations.

Pursuant to art. 78 of the Regulation, of art. 152 of the Code and 10 of the legislative decree of 1 September 2011, n. 150, against this provision, it is possible to appeal before the ordinary judicial authority, under penalty of inadmissibility, within thirty days from the date of communication of the provision itself or within sixty days if the applicant resides abroad.

Rome, July 7, 2022

PRESIDENT
Stanzione

THE RAPPORTEUR
Ghiglia

THE SECRETARY GENERAL
Mattei