Tietosuojavaltuutetun toimisto (Finland) - 4672/161/2022: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(6 intermediate revisions by 3 users not shown)
Line 79: Line 79:
}}
}}


The Finnish DPA held that four cities had unlawfully transferred personal data to Google and the US when using Google Analytics and Tag Manager on their public library online services, and ordered them to delete data collected through these tools.
The Finnish DPA held that four cities in Finland had, among others, unlawfully transferred personal data to the US when using Google Analytics and Google Tag Manager on their public library online services. The DPA ordered them to delete the data collected through these tools.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The Finnish DPA found that the online system (https://helmet.fi) of public libraries used by the cities of Helsinki, Espoo, Vantaa and Kauniainen, transferred personal data to Google and the US without adequate safeguards and information to data subjects. The transfer was done by using Google Analytics and Google Tag Manager tools on their web sites.
The cities of Helsinki, Espoo, Vantaa and Kauniainen (the controllers) used Google Analytics and Google Tag Manager, with servers located in the US, as a tracking technology tool on their online system (https://helmet.fi) of public libraries to monitor visitors and improve the service. The controllers installed cookie tracking technologies on the data subjects' terminal devices as soon as the website was accessed, even before a cookie banner would be shown to them. Information about processing of personal data was available on the library website under the "''About the website''" link. However, this general privacy note would not inform data subjects about data transfers to the US, but only mention that "''some service providers are located outside of the EU/EEA''" without specific information on the recipients in third countries. Information about the tracking technologies was also provided under the heading "''Cookies''".  


==== Tracking cookies ====
In light of the CJEU [[CJEU - C-311/18 - Schrems II|Schrems II]] judgement, the Finnish DPA started an ex officio investigation into the controllers' data transfers to third countries. The DPA considered four main issues: legal basis for processing of personal data collected through tracking technology tools, information given to data subjects related to the use of tracking technologies, implementation of technical and organisational measures for sharing data on search results with third parties, legal basis for data transfers to third countries.  
Tracking cookies has been uploaded to a data subjects computer before cookie banner. This has been technical error in cookie banner. Because of this, controller cannot have proper consent from data subject. Controller has use collected information to develop their online service. The information has been shared to tracking service provider. 
 
In the online service a user can search a publication from library. Search string has been transferred in URL and that information can in certain situations be transferred to tracking service provider. Such information can reveal significant amount of information about data subject's private life and such information can be used for profiling. Because of careless handling of the personal data such information has been transferred to Google. 
 
==== Informing data subjects ====
Privacy statement has been available for users behind "About this site" -link. There has been link "Customer register", which mentions that "some service providers are located outside of EU/EEC". There has not been information to which third parties (such as Google) private date is transferred to and for how long the data is stored.


=== Holding ===
=== Holding ===
First, with regards to the legal basis for processing personal data collected through the tracking technology, specifically Google Analytics and Google Tag Manager, the DPA noted that certain cookies were set on the website before an interaction with the cookie banner. Such cookies were not strictly necessary and therefore required valid consent of the data subject. The DPA held that the controllers violated [[Article 5 GDPR|Articles 5(1)(a)]] and [[Article 6 GDPR|6(1) GDPR]], which require a valid legal basis for the processing of personal data. Moreover, the DPA found a violation of [[Article 25 GDPR|Article 25(1) GDPR]] because the controllers failed to effectively implement the principle of lawfulness under [[Article 5 GDPR]].


==== DPA jurisdiction about cookies ====
Second, the DPA assessed the information provided to data subjects and recalled that information on processing should be easily accesible to data subjects. The DPA held that providing the privacy notice in a section called 'About the website' was not clear and violated the principle of transparency ([[Article 5 GDPR|Article 5(1)(a) GDPR]]). The DPA also noted that the controllers were obliged, under [[Article 13 GDPR|Article 13(1)(e) GDPR]] to inform data subjects about transfers to third countries. However, the information provided was too general and not sufficient as it did not include the third countries nor recipients with whom data outside the EU would be shared. Hence, the DPA found a violation of [[Article 5 GDPR|Articles 5(1)(a)]], [[Article 13 GDPR|13]] and [[Article 25 GDPR|25(1) GDPR]].  
In Finland, the ''Information Society Code (917/2014)'' regulates the use of cookies and this is supervised by Traficom (not the Finnish DPA). In this case DPA assessed how the collected personal data was used and the holding did not assess if the Information Society Code was violated or not.
 
==== Legal matters considered ====
1) Was the processing of the personal data collected by tracking system lawful as defined in [[Article 6 GDPR|Article 6(1) GDPR]] and was data protection by design and default in place as defined in [[Article 25 GDPR|Article 25(1) GDPR]]?
 
2) Was the controller's processing of data subjects' book search history in line with [[Article 25 GDPR]] and [[Article 32 GDPR]]?
 
3) Did the controller inform data subjects about tracking technologies used in their online system as required by [[Article 5 GDPR|Article 5(1)(a)]], [[Article 13 GDPR|Article 13]] and [[Article 25 GDPR|Article 25(1) GDPR]]?
 
4) Did the data transfers to a third country comply with [[Article 44 GDPR]] and [[Article 46 GDPR]]?
 
==== Holding for legal matters ====
1) The processing of the personal data collected by the tracking tools violated [[Article 5 GDPR|Article 5(1)(a)]], [[Article 6 GDPR|Article 6(1)]] and [[Article 25 GDPR|Article 25(1) GDPR]].
 
2) The controller processed the book search history data in a way that it could have been transferred to a third party, violating [[Article 25 GDPR]] and [[Article 32 GDPR]].
 
3) The controller did not inform data subjects properly on how data collected by tracking tools was used, including transferring data to a third country, in violation of [[Article 5 GDPR#1a|Article 5(1)(a)]], [[Article 13 GDPR|Article 13]] and [[Article 25 GDPR#1|Article 25(1) GDPR]].  


4) Transferring data to United States without proper safeguards violated [[Article 44 GDPR]] and [[Article 46 GDPR]]
Third, the DPA considered that using Google Analytics for the search result page could lead to a security breach in the form of sharing the data with unauthorised third parties. The DPA explained that search data on a library website can reveal a considerable amount of information about a person's private life and can be used, for example, to create a personal profile of the data subject. The negligent processing of personal data by the controllers led to the transmission of this information at least to Google. Therefore, the DPA held that the controllers violated [[Article 32 GDPR|Articles 32(1)(2)]] and [[Article 25 GDPR|25 GDPR]] by systematically and unintentionally disclosing personal data to third parties through an 'obvious' lack of technical and organisational measures as well as a failure to implement the principle of privacy by design. 


==== Other considerations ====
Fourth, the DPA assessed whether the controllers had a valid legal basis for transferring personal data to the US. The DPA recalled that since the [[CJEU - C-311/18 - Schrems II|Schrems II]] judgement, controllers could no longer rely on the Privacy Shield adequacy decision. The DPA held that the controllers breached [[Article 44 GDPR]], which requires transfers to be carried out in accordance with the conditions of Chapter V of the GDPR, and [[Article 46 GDPR]], which requires appropriate safeguards in the absence of a decision under [[Article 45 GDPR]], as the controllers provided no valid legal basis for their transfers to the US.  
In the decision DPA stresses that as a public body controller should have follow regulation carefully and avoid use anything but necessary cookies in their online services.  


==== Decision ====
The DPA also made a general remark on the use of tracking technologies by public authorities. It held that the controllers should carefully consider what kind of tracking technology is actually necessary on their website and whether, for example, the online service could be provided entirely without tracking technologies other than those necessary for the functioning of the website. The controllers should have a legal basis for their processing activites and adequately inform data subjects of the purposes of processing.
Based on [[Article 58 GPDR#2d|Article 58(2)(d) GDPR]] the DPA ordered the controller to delete all data collected with Google Analytics and Tag Manager, which did not comply with the GDPR, as well as update information provided to data subjects.  


The DPA issued reprimands to the controller for violating the abovementioned provisions of the GDPR.  
In conclusion, based on [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], the DPA ordered the controllers to bring their processing activities in line with the GDPR, including the deletion of all data collected with Google Analytics and Tag Manager, as well as updating information provided to data subjects. The DPA issued reprimands, under [[Article 58 GDPR|Article 58(2)(b) GDPR]], to the controllers for violating the above-mentioned provisions of the GDPR.  


== Comment ==
== Comment ==

Latest revision as of 16:10, 21 March 2023

Tietosuojavaltuutetun toimisto - 4672/161/2022
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 25(1) GDPR
Article 32 GDPR
Article 44 GDPR
Article 46 GDPR
Data Protection Act (Tietosuojalaki )
Type: Investigation
Outcome: Violation Found
Started: 07.06.2022
Decided: 13.12.2022
Published: 17.01.2023
Fine: n/a
Parties: City of Helsinki
City of Espoo
City of Vantaa
City of Kauniainen
National Case Number/Name: 4672/161/2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Finnish
Original Source: Finlex (in FI)
Tietosuojavaltuutetun toimisto (Press release) (in FI)
Initial Contributor: Eetu Salpaharju

The Finnish DPA held that four cities in Finland had, among others, unlawfully transferred personal data to the US when using Google Analytics and Google Tag Manager on their public library online services. The DPA ordered them to delete the data collected through these tools.

English Summary

Facts

The cities of Helsinki, Espoo, Vantaa and Kauniainen (the controllers) used Google Analytics and Google Tag Manager, with servers located in the US, as a tracking technology tool on their online system (https://helmet.fi) of public libraries to monitor visitors and improve the service. The controllers installed cookie tracking technologies on the data subjects' terminal devices as soon as the website was accessed, even before a cookie banner would be shown to them. Information about processing of personal data was available on the library website under the "About the website" link. However, this general privacy note would not inform data subjects about data transfers to the US, but only mention that "some service providers are located outside of the EU/EEA" without specific information on the recipients in third countries. Information about the tracking technologies was also provided under the heading "Cookies".

In light of the CJEU Schrems II judgement, the Finnish DPA started an ex officio investigation into the controllers' data transfers to third countries. The DPA considered four main issues: legal basis for processing of personal data collected through tracking technology tools, information given to data subjects related to the use of tracking technologies, implementation of technical and organisational measures for sharing data on search results with third parties, legal basis for data transfers to third countries.

Holding

First, with regards to the legal basis for processing personal data collected through the tracking technology, specifically Google Analytics and Google Tag Manager, the DPA noted that certain cookies were set on the website before an interaction with the cookie banner. Such cookies were not strictly necessary and therefore required valid consent of the data subject. The DPA held that the controllers violated Articles 5(1)(a) and 6(1) GDPR, which require a valid legal basis for the processing of personal data. Moreover, the DPA found a violation of Article 25(1) GDPR because the controllers failed to effectively implement the principle of lawfulness under Article 5 GDPR.

Second, the DPA assessed the information provided to data subjects and recalled that information on processing should be easily accesible to data subjects. The DPA held that providing the privacy notice in a section called 'About the website' was not clear and violated the principle of transparency (Article 5(1)(a) GDPR). The DPA also noted that the controllers were obliged, under Article 13(1)(e) GDPR to inform data subjects about transfers to third countries. However, the information provided was too general and not sufficient as it did not include the third countries nor recipients with whom data outside the EU would be shared. Hence, the DPA found a violation of Articles 5(1)(a), 13 and 25(1) GDPR.

Third, the DPA considered that using Google Analytics for the search result page could lead to a security breach in the form of sharing the data with unauthorised third parties. The DPA explained that search data on a library website can reveal a considerable amount of information about a person's private life and can be used, for example, to create a personal profile of the data subject. The negligent processing of personal data by the controllers led to the transmission of this information at least to Google. Therefore, the DPA held that the controllers violated Articles 32(1)(2) and 25 GDPR by systematically and unintentionally disclosing personal data to third parties through an 'obvious' lack of technical and organisational measures as well as a failure to implement the principle of privacy by design.

Fourth, the DPA assessed whether the controllers had a valid legal basis for transferring personal data to the US. The DPA recalled that since the Schrems II judgement, controllers could no longer rely on the Privacy Shield adequacy decision. The DPA held that the controllers breached Article 44 GDPR, which requires transfers to be carried out in accordance with the conditions of Chapter V of the GDPR, and Article 46 GDPR, which requires appropriate safeguards in the absence of a decision under Article 45 GDPR, as the controllers provided no valid legal basis for their transfers to the US.

The DPA also made a general remark on the use of tracking technologies by public authorities. It held that the controllers should carefully consider what kind of tracking technology is actually necessary on their website and whether, for example, the online service could be provided entirely without tracking technologies other than those necessary for the functioning of the website. The controllers should have a legal basis for their processing activites and adequately inform data subjects of the purposes of processing.

In conclusion, based on Article 58(2)(d) GDPR, the DPA ordered the controllers to bring their processing activities in line with the GDPR, including the deletion of all data collected with Google Analytics and Tag Manager, as well as updating information provided to data subjects. The DPA issued reprimands, under Article 58(2)(b) GDPR, to the controllers for violating the above-mentioned provisions of the GDPR.

Comment

Further Resources

Press release from Helmet libraries about the case and how they updated their visitor tracking system. https://www.helmet.fi/en-US/Events_and_tips/News_flash/Helmet_libraries_visitor_tracking_update(253626) (English)

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Processing of personal data related to the tracking technologies used on the libraries' website

Keywords: Tracking technologies
informing
Data transfer

Legal basis: decision in accordance with the EU General Data Protection Regulation

Diary number: 4672/161/22

Decision of the Deputy Data Protection Commissioner in the case of legality of processing, security of processing, built-in and default data protection, information of data subjects and transfer of personal data to third countries

Thing

Processing of personal data related to the tracking technologies used on the libraries' website

Registrar

Helmet libraries in the capital region: Helsinki, Espoo, Vantaa and the city of Kauniainen

Statement received from the registrar

With a request for clarification dated June 7, 2022, the Office of the Data Protection Commissioner has asked the libraries of the capital region for clarification on the tracking technologies used on the Helmet.fi website.

The cities of Helsinki, Espoo and Kauniainen have issued a joint written report on the matter on 23 June 2022. The city of Vantaa has issued its own report with the same content on June 21, 2022.

In their report, the data controllers have said that in addition to essential cookies, such as cookies used for reserving material and renewing loans, the Helmet website uses tracking technologies whose purpose is visitor tracking and website development.

According to the report, Google Analytics and Matomo are used as analytics cookies, and Google Analytics has only been used on content pages, not in the material search or in the user's My Information section. According to the report, it has been decided to stop using Google Analytics.

Information about website tracking technologies has been available to registrants on the Helmet.fi website under the "About the site" link. Tracking technologies are described under the heading "Cookies" as follows:

"The website uses so-called cookies ("cookies"). Cookies can be used to collect information, for example from which page you have moved to the address, which of our www pages you have browsed and when, which browser you are using, what is your screen resolution and operating system, and what is your computer's IP address that is, from which internet address the information you send comes from and where it is received.
Some of the cookies used on the Helmet website are cookies that are necessary for the operation of the service, which enable, for example, the reservation of material and the renewal of loans. You cannot block essential cookies.

We also use, for example, statistical cookies on the website for website development. You can reject these and other cookies that are not necessary for the use of the service using the cookie tool. You can modify your own cookie choices at any time. Go to cookie settings."

Behind the "About the site" link is a link to the customer register of Helmet libraries, where it is stated regarding data transfers that "Some of the service providers also operate outside the EU or EEA".

On August 4, 2022, Helmet libraries supplemented the report given in June 2022. According to the registrants, tracking technologies will be removed from the Helmet.fi website between August and September, and Google Analytics will be replaced by Matomo's service.

On applicable legislation

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation) has been applied since May 25, 2018. As a regulation, the legislation is immediately applicable law in the member states. The Data Protection Regulation contains national leeway, on the basis of which national legislation can be used to supplement and clarify matters specifically defined in the regulation. The general data protection regulation is specified in the national data protection act (1050/2018).

Article 5(1)(a) of the General Data Protection Regulation provides for the principle of transparency. The principle requires that personal data is processed transparently from the point of view of the data subject. Article 5(1)(a) of the General Data Protection Regulation also provides for the principle of legality, according to which personal data must be processed in accordance with the law. The principle of transparency and the principle of compliance with the law are part of the requirement of built-in and default data protection (Article 25 of the General Data Protection Regulation), which is the starting point of the General Data Protection Regulation. The realization of built-in and default data protection requires that the data controller implements data protection principles, such as the principle of transparency and the principle of compliance with the law, effectively.

In the introductory paragraph 39 of the General Data Protection Regulation, the following is stated about the requirement for transparency in the processing of personal data: The processing of personal data should be legal and appropriate. It should be transparent for natural persons how personal data concerning them is collected and used, and how they are accessed or processed in another way, as well as clear about the extent to which personal data is processed or is to be processed. In accordance with the principle of transparency, information and communication related to the processing of personal data must be easily accessible and understandable and must use clear and simple language. This principle applies in particular to data subjects' information about the identity of the data controller and the purposes of the processing, as well as additional information that ensures the appropriateness and transparency of the processing of the natural persons in question, as well as their right to receive confirmation and notification of the processing of their personal data. Natural persons should be informed about the risks, rules, safeguards and rights related to the processing of personal data and how they can exercise their rights regarding such processing. In particular, the specific purposes of processing personal data should be determined and announced in connection with the collection of personal data unambiguously and in accordance with the law.

Article 6 of the General Data Protection Regulation provides for the legality of processing. According to the article, the processing of personal data is lawful only if and only to the extent that at least one of the conditions listed in paragraph 1 of the article, such as the existence of the consent of the registered person, is met.

Articles 12–14 of the General Data Protection Regulation provide for informing data subjects, the implementation of which falls under the duties of the data controller. By informing registrants about the processing of personal data, the controller also implements the principle of transparency in Article 5(1)(a) of the General Data Protection Regulation.

Article 13 of the General Data Protection Regulation provides for the information to be provided when personal data is collected from the data subject. According to paragraph 1 of the article, when collecting personal data concerning him from the registered person, the controller must, when the personal data is obtained, provide the registered person with all the information according to Article 13, paragraph 1, subparagraphs a–e. This information includes, for example, information about recipients or groups of recipients of personal data (subsection d), as well as, depending on the case, information that the controller intends to transfer personal data to a third country or an international organization, and information about the existence or absence of a Commission decision on the adequacy of data protection, or in the case of 46 or 47 the transfer referred to in Article or the second subparagraph of Article 49, paragraph 1, information about suitable or appropriate safeguards and how to obtain a copy of them or where they have been made available (subsection e). According to Article 2, subsection a, data subjects must also be provided with information about the retention period of personal data, or if that is not possible, the criteria for determining this period.

Article 25 of the General Data Protection Regulation provides for built-in and default data protection. According to paragraph 1 of the article, taking into account the latest technology and implementation costs, as well as the nature, scope, context and purposes of the processing, as well as the varying probability and seriousness of the risks caused by the processing to the rights and freedoms of natural persons, the controller must, in connection with the determination of the processing methods and the processing itself, effectively implement data protection principles such as data minimization appropriate technical and organizational measures. According to paragraph 2 of the article, the controller must implement appropriate technical and organizational measures to ensure that by default only personal data necessary for the specific purpose of the processing is processed.

Article 32 of the General Data Protection Regulation provides for the security of processing. According to paragraph 1 of the article, taking into account the latest technology and implementation costs, the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons, which vary in their probability and severity, the controller and the personal data processor must implement appropriate technical and organizational measures to ensure a level of security corresponding to the risk. According to paragraph 2 of the article, when assessing the appropriate level of security, special attention must be paid to the risks involved in the processing, especially due to the accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to personal data of transferred, stored or otherwise processed personal data.

Article 44 of the General Data Protection Regulation provides for the general principle regarding transfers of personal data. According to the article, the transfer of personal data that is processed or is intended to be processed after transfer to a third country or an international organization is only carried out if the controller and the processor of personal data comply with the conditions established in Chapter V of the General Data Protection Regulation, and unless other provisions of the General Data Protection Regulation arise ; this also applies to the onward transfer of personal data from the third country or international organization in question to another third country or another international organization. All provisions of Chapter V of the General Data Protection Regulation must be applied to ensure that the level of protection of personal data of natural persons guaranteed by the General Data Protection Regulation is not compromised.

Article 45 of the General Data Protection Regulation provides for the transfer of personal data based on a decision on the adequacy of data protection. According to paragraph 1 of the article, the transfer of personal data to a third country or an international organization can be carried out if the Commission has decided that the said third country or region of the third country or one or more specific sectors or the said international organization ensures an adequate level of data protection. No special permission is required for such a transfer.

Article 46 of the General Data Protection Regulation provides for the transfer of personal data to a third country or international organization, applying appropriate protective measures. If a decision in accordance with Article 45, paragraph 3 of the General Data Protection Regulation has not been made, the controller or personal data processor may transfer personal data to a third country or international organization only if the controller or personal data processor in question has implemented appropriate protective measures and if the data subjects have enforceable rights and effective legal remedies. Sections 2 and 3 of the article describe what appropriate protective measures can be.

About the power of the data protection officer in cookie matters

The saving of cookies and other data describing the use of the service on the user's terminal device and the use of this data is regulated in § 205 of the Act on Electronic Communication Services (917/2014). Compliance with this provision is monitored by the Finnish Transport and Communications Agency Traficom (see § 303.1 of the Act on Electronic Communications Services). The competence to take a position on, for example, whether cookies have been stored on the user's terminal device and what kind of cookies the user's consent must be obtained, therefore belongs to the Finnish Transport and Communications Agency Traficom.

The Data Protection Commissioner supervises compliance with data protection regulations. For example, the supervision of the processing of personal data collected with the help of tracking technologies used on the website is the responsibility of the data protection commissioner's office.

The term further processing is used in this decision to clearly highlight the division of responsibilities for the processing of personal data following the acquisition and storage of consent related to website tracking technologies, such as cookies. Further processing is supervised by the data protection commissioner's office.

A legal question

The Deputy Data Protection Commissioner assesses and resolves the matter on the basis of the aforementioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).

The Deputy Data Protection Commissioner must resolve:

1) Whether the data controllers had a valid processing basis in accordance with Article 6 of the General Data Protection Regulation for the further processing of personal data collected through website tracking technologies, and whether the data controllers' procedure in this regard was in accordance with the legality principle and built-in data protection requirements (Article 5(1)(a) and Article 25 of the General Data Protection Regulation 1) in accordance with

2) Has the data controller's procedure for handling data retrieval information been in accordance with Articles 25 and 32 of the General Data Protection Regulation in the parts assessed in this decision.

3) Whether informing the data subjects about the processing of personal data related to the use of website tracking technologies, including international data transfers, was in accordance with Article 5(1)(a), Article 13 and Article 25(1) of the General Data Protection Regulation.

4) Whether the data controllers' procedure for international data transfers was in accordance with Articles 44 and 46 of the General Data Protection Regulation, and whether there was a valid reason for the transfer of personal data to the United States.

Decision of the Deputy Data Protection Commissioner

Decision

Helmet libraries have not had a legal basis for processing personal data for the further processing of personal data collected through tracking technologies on the Helmet.fi website, but have processed this personal data, for example for the purpose of developing websites, without a legal basis for processing (violated articles: 5(1)(a), 6(1) and 25 (1)).

Helmet libraries' procedure regarding the processing of material search data has also not been in accordance with data protection regulations, but Helmet libraries have operated in such a way that material search data could have been leaked to third parties (violated articles: Articles 25 and 32, paragraphs 1 and 2).

Helmet libraries have also insufficiently informed registrants about the processing of personal data related to the tracking technologies used on the Helmet.fi website, including data transfers to third countries (violated articles: 5(1)(a), Article 13(1) and (2), Article 25(1)), and there has been no legal basis for the transfer of personal data to the United States in the absence of additional protective measures (violated articles: 44 and 46).

The registrants are given an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to destroy the personal data they have collected through website tracking technologies for those data subjects whose personal data have been stored or used in different ways after their collection without a legal basis for processing. This provision also extends to personal data collected through tracking technologies transferred to the United States without a valid basis for transfer. In addition, the registrants are ordered to bring the processing operations in line with the data protection regulations regarding the information of the data subjects and to ensure that the information of the data subjects about the processing of personal data related to tracking technologies (including data transfers) meets the requirements of the data protection regulations.

Helmet libraries must submit to the data protection commissioner's office a report on the measures taken as a result of this order no later than February 15, 2022, unless this decision is appealed.

Since the Helmet libraries have announced that they will immediately take measures to remove tracking technologies from the Helmet.fi website, the deputy data protection commissioner does not give the data controllers an order in this decision regarding the termination of the processing of personal data related to the use of tracking technologies and the suspension of data transfers.

The data controllers are given a notice in accordance with Article 58, paragraph 2, subparagraph b of the General Data Protection Regulation regarding personal data processing activities that violate the provisions of the General Data Protection Regulation. With their procedure, as stated above, the controllers have violated Article 5(1)(a), Article 6(1), Article 13, paragraphs 1 and 2, Article 25, Article 32, paragraphs 1 and 2, and Articles 44 and 46 of the General Data Protection Regulation.

Reasoning

Basis for processing personal data

In the case being evaluated now, Helmet libraries have used various tracking technologies on the Helmet.fi website, such as the Google Analytics analytics tool and the Google Tag Manager service.

The Deputy Data Protection Commissioner pays particular attention to the basis of processing, that Helmet libraries have installed tracking technologies on the site visitor's terminal device as soon as they reach the website, before, for example, the window containing choices used to obtain cookie consent (the so-called cookie banner) has even been shown to the user. Helmet libraries have used this personal data, for example, for the purpose of developing the service, and this data has also ended up for business use by providers of tracking technology services.

The Deputy Data Protection Commissioner states that § 205 of the Act on Electronic Communication Services, the application of which is supervised by the Finnish Transport and Communications Agency Traficom, will apply with regard to the storage and use of tracking technologies. In order for the further processing following the acquisition of consent and the storage of tracking technologies to be in accordance with data protection regulations, the conditions set in Section 205 of the Act on Electronic Communication Services for the setting of cookies and other tracking technologies must first be met. As stated above, the evaluation of the legality of the use of website tracking technologies is the responsibility of Traficom regarding these initial conditions. Since the cookie banner of the Helmet.fi website, through which consent to cookies was supposed to be obtained, has not functioned properly, it can nevertheless be considered obvious that valid consent has not been obtained, and further processing has not been in accordance with data protection regulations.

Since Helmet libraries have utilized personal data collected through website tracking technologies without a legal basis for processing, the procedure has violated Articles 5(1)(a) and 6(1) of the General Data Protection Regulation, which require that for the processing of personal data, including personal data collected through website tracking technologies for further processing, there is a legal and actually applicable basis for processing. The procedure has also been in violation of Article 25 of the General Data Protection Regulation, and in the processing of personal data it has not been ensured that data protection is taken into account in the operations of the data controllers so that the requirements of built-in data protection are met. Article 25(1) of the General Data Protection Regulation (built-in data protection) requires the data controller to effectively implement the data protection principles of Article 5 of the General Data Protection Regulation, such as the legality principle of Article 5(1)(a).

Disclosure of information about material searches to third parties

Helmet libraries have told the data protection commissioner in their report to the office that the Google Analytics analytics service has only been used on the content pages, not in the material search or on the customer's My Information pages.

After investigating the matter, the Deputy Data Protection Commissioner states the following: You can search for works on the Helmet.fi website using the material search function. In this case, for example, the name of the searched book appears in the URL of the search results page, i.e. in the web address line (e.g. https://haku.helmet.fi/iii/encore/record/C__Rb2347993__Smuumipappa%20ja%20meri__Orightresult__U__X7?lang=fin&suite=cobalt).

If the user has then moved from a link on the search results page to, for example, the main page of the Helmet.fi website, which uses the Google Analytics service, information about the searched work may have ended up on Google via the Referer http header field. It should be noted that the Helmet libraries have not, for example, defined a so-called Referrer-Policy, with which it would have been possible for outsiders to interfere with the end of material search information.

Search data for library works can reveal a considerable amount of information about a person's private life, and they can be used, for example, to create a personal profile of the data subject. Carelessness in the processing of personal data has, in the case under review, led to the transmission of this data, at least for Google's use.

Article 32 of the General Data Protection Regulation (security of processing) requires the controller to take appropriate technical and organizational measures, among other things, to ensure that third parties' access to personal data is prevented. Article 25 of the General Data Protection Regulation (built-in and default data protection) requires that data protection is built into the operations of the controller and is taken into account by default in all processing of personal data. When personal data can end up in a systematic way to third parties without purpose, there are obvious shortcomings in the implementation of built-in and default data protection. Since material search data may have been leaked to third parties in the operation of Helmet libraries, the procedures of the registrars in these respects have not met the requirements of Article 32, Paragraphs 1 and 2 or Article 25 of the General Data Protection Regulation.

Informing registered users

Data protection information regarding the tracking technologies used by Helmet libraries has been available to registered users on the Helmet.fi website under the "About the site" link. Behind the "About the site" link, there is also a link to the customer register of Helmet libraries, where it is stated regarding data transfers that "Some of the service providers also operate outside the EU or EEA".

Data protection information must be easily found by the data subject. The name of the "About the site" link does not clearly indicate that the information required by law on the processing of personal data can be found behind it. The data protection information cannot therefore be considered to be easily found by the data subject, and the requirement of transparency in the processing of personal data is not met in this regard.

Regarding tracking technologies, the information provided to the registered does not include information about which service providers (such as Google) are involved in the processing of personal data using tracking technologies, and how long the personal data is stored. Article 13 of the General Data Protection Regulation requires that the data subject be given information about, for example, the recipients or groups of recipients of personal data (Article 13(1)(d)) and the retention period (Article 13(2)(a)). For example, in its decision C‑673/17, the EU Court has stated that the website user must be given information about the operating time of cookies and whether third parties have the opportunity to use these cookies.

According to Article 13 of the General Data Protection Regulation, data subjects must also be informed about transfers of personal data to third countries and the basis for the transfer (Article 13(1)(e)). The information given in the case being evaluated now, according to which "Some of the service providers also operate outside the EU or EEA" is not sufficient to form an understanding of, for example, which service providers are mentioned, and on the basis of which transfer basis personal data has been deemed possible to transfer outside the EU and EEA area. In addition, the information is placed behind the customer register link, and thus cannot be easily found by the registrants.

Informing the registered about the processing of personal data related to the use of tracking technologies, including data transfers, is incomplete as stated above, and based on the information provided, the data subject cannot get a clear understanding of how and under which conditions his personal data is actually processed in this context.

Data transfers to third countries related to the use of tracking technologies

The Helmet.fi website has used tracking technologies, through which the personal data of users of the library website has also been transmitted to third countries. For example, the US company Google's services such as Google Analytics and Google Tag Manager have been used.

Access to personal data by US authorities

In 2013, it was revealed that some of the world's largest technology companies, such as Microsoft, Facebook (Meta), Google, Skype and Apple, were involved in the surveillance programs of the US National Security Agency, NSA.

PRISM, included in these programs, has allowed the NSA direct access to the central servers of technology companies, and it is thus possible for the US authorities to see and collect, for example, all the data traffic of ordinary citizens going to Google in real time without Google's involvement.

In practice, e-mail messages, photos, online chats and call data have been the subject of collection. The data collection is aimed especially at foreigners, that is, in practice, for example, at people using the services of Google and other technology giants in the Nordic countries.
US companies must also hand over personal data to the authority at the legally binding request of the authority in accordance with US national regulations. Consequently, the authorities' access to personal data also extends to actors who are not involved in the NSA's surveillance programs.

The European Commission has published a report on 27 November 2013, according to which the United States has confirmed the existence of the PRISM program and its justification under the Foreign Intelligence Surveillance Act 1978 (FISA).

Google and data transfers to the United States

In the matter now being evaluated, Google's services, such as the Google Analytics analytics tool, have been used on the Helmet.fi website of the Helsinki metropolitan area libraries. The Google Analytics service stores and reads data collected through cookies placed on the user's browser, and the collected data is transmitted to Google servers located in the United States (statement provided by Google to the French Data Protection Authority (CNIL) in case dnro MDM221005). The personal data collected on the Helmet.fi website has therefore been transferred to the United States.

The General Data Protection Regulation requires that the transfer of personal data from the Union to registrars, personal data processors or other recipients in third countries does not jeopardize the level of protection of personal data based on the General Data Protection Regulation, and in order to secure an adequate level of data protection, the so-called Privacy Shield has previously been used in data transfers between the EU and the United States arrangement. However, the European Court of Justice has stated in its decision in case C-311/18 (the so-called Schrems II decision) that Decision 2016/1250 on the adequacy of the level of data protection provided by the Privacy Shield arrangement between the EU and the United States is invalid. In its decision, the Court of Justice of the European Union considers that the restrictions on personal data protection resulting from the internal legislation of the United States, which concerns the access of the United States authorities to personal data transferred from the Union to the United States and the use of this data, have not been delimited in a way that would meet the requirements of Union law. Registrants are also not given enforceable rights that they could invoke against US authorities in the courts. The Court of Justice of the European Union has further stated that the controller must suspend transfers of personal data to a third country if it cannot take sufficient additional measures to ensure the protection of personal data.

In the case being evaluated now, according to the report, Helmet libraries have not properly taken into account in their operations what was stated in the EU Court's decision C-311/18, but have used tracking technology on their website that includes data transfers to the United States without additional protective measures.

With regard to additional protective measures, such as the encryption of personal data, the deputy data protection commissioner points out in this context that, based on the FISA regulation, for example, Google is obliged to provide the US authorities with the encryption key as well. In other words, if the supplementary protection measure implemented by the data controller is one that enables, for example, Google to access plain language data, the supplementary protection measure does not meet the requirements set by the EU Court in its decision C-311/18. In its operations, the controller must also ensure that the US authority does not have access to personal data, for example, based on US national legislation, such as the CLOUD Act regulation.

Since the Helmet libraries have stated in their report to the data protection commissioner's office that Matomo's service has also been used and that Google Analytics will be replaced by the Matomo analytics service, the deputy data protection commissioner also points out that the data controllers must also ensure that the use of the service does not violate data protection regulations. data transfers and that the processing of personal data is otherwise in accordance with the General Data Protection Regulation when using the service. The service in question is not automatically such that its use cannot involve such data transfers.

With the procedure described above, Helmet libraries have violated Article 44 of the General Data Protection Regulation, which requires data transfers to be carried out in compliance with the requirements of Chapter V of the General Data Protection Regulation, and Article 46 of the General Data Protection Regulation, which requires appropriate protective measures in the absence of a decision in accordance with Article 45 of the General Data Protection Regulation , and there has not been a transfer basis required by law for the transfer of registered personal data to the United States.

According to the report received, Helmet libraries have taken measures to remove tracking technologies from the Helmet.fi website, and the data protection commissioner's office has directed Helmet libraries to ensure that no services remain available that involve transfers of personal data to the United States that violate data protection regulations.

About the tracking technologies used on official websites in general

With regard to the tracking technology used by the authorities on their websites, the deputy data protection commissioner states the following on a more general level of the matter now being evaluated:
The Deputy Data Protection Commissioner emphasizes that, in principle, it should be possible to use the authority's online services without the data subject potentially exposing himself to third parties' own purposes, to data collection by utilizing tracking technology, and without information about website visits ending up, for example, for commercial use and profiling purposes by external parties. It should be noted that, for example, Google explicitly states in its terms of use of the Google Analytics service that it can use the information obtained through the tracking technology for its own purposes. (According to the terms of use of the Google Analytics service, Google and its wholly owned subsidiaries may retain and use, subject to the terms of its privacy policy information collected in Your use of the Service) , see Google Analytics Terms of Service, section 6.)

The authority should also not use the personal data of visitors to its website as a means of payment, and the authority should therefore make an appropriate assessment of whether it is, for example, a free service, the use of which may in fact be paid for by the personal data of the registrants.

The authority must also take into account with regard to further processing that when the basis for the processing of personal data is the data subject's consent, the consent must be explicit, informed and must cover all processing purposes, including the possible disclosure of personal data. A separate, separate consent must also be obtained for all different processing purposes, so that, for example, the requirement of voluntary consent is actually fulfilled, and consents obtained for different purposes cannot be bundled under one consent. In accordance with Article 6(1) of the General Data Protection Regulation, legitimate interest is not a processing basis applicable to the authority's activities.

The authority must carefully consider what kind of tracking technology is actually necessary to have on its website, and whether the authority's online service could, for example, be offered completely without tracking technologies other than those necessary for the site's operation. In this assessment, it is justified to note that the authority's website can also be visited by persons in a weaker position, including elderly persons and children, whose digital skills may be deficient or who may find it challenging to understand what the processing of personal data through tracking technologies is about, and what use the data may be put to end up.

It should be noted that when using tracking technologies, it is also possible to track the activity of a website visitor across different sites, which enables, for example, tracking the Internet user's browsing path and online activity, as well as creating a detailed profile of the person in question. Because tracking technologies can lead to significant collection of personal data by third parties, the authority should exercise particular care when making decisions about what kind of tracking technology to put on its website. The use of tracking technology on websites requires both technical expertise and an understanding of data protection jurisprudence, including the concept of personal data.

Applicable legal provisions

Those mentioned in the justifications.

Appeal

According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019). The appeal is made to the administrative court.

Service

The decision is notified in accordance with § 60 of the Administrative Act (434/2003) by mail against receipt.

More information about this decision will be provided by the rapporteur

Chief Inspector Niina Miettinen, tel. 029 566 6774.

Deputy Data Protection Commissioner Heljä-Tuulia Pihamaa

The decision is not yet legally binding.