Tietosuojavaltuutetun toimisto (Finland) - 7684/171/22

From GDPRhub
Tietosuojavaltuutetun toimisto - 7684/171/22
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 35 GDPR
Article 35(1) GDPR
Article 44 GDPR
Article 46 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 27.04.2023
Published: 22.05.2023
Fine: n/a
Parties: Ilmatieteenlaitos
National Case Number/Name: 7684/171/22
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Tietosuojavaltuutettu (Finland) (in FI)
Initial Contributor: n/a

The Finnish DPA ordered the controller to delete all personal data that were transferred without a lawful basis to the United States by use of Google Analytics and reCAPTCHA services.

English Summary[edit | edit source]

Facts[edit | edit source]

The Finnish Meteorological Institute (the controller) used Google Analytics and reCAPTCHA services including cookies on its website. Because Google is a US-based service provider, personal data of the controller’s website visitors, such as IP address and other information that could be used to identify a data subject, were transmitted to the United States through the use of the Google services in question.

Following a website user first contacting the controller on the issue, the controller filed a data breach notification with the Finnish DPA in September 2022. According to the controller, the data breach started on 1 January 2010, and the number of data subjects affected was estimated to be 330 000. As a result, the controller disabled the Google services in question from it’s website in September 2022.

Pursuant to Article 44 GDPR, transfers of personal data to a third country can only take place if the controller and processor comply with the conditions set out in Chapter V GDPR.

Holding[edit | edit source]

The DPA cited the “Schrems II” decision (C-311/18) and held that the controller had infringed Articles 44 and 46 GDPR because 1) the controller had not established a lawful basis for the transfers in accordance with Chapter V GDPR and 2) nor had the controller put in place appropriate safeguards for the transfers. Therefore, the controller had unlawfully transferred personal data of its website visitors to the United States by using Google Analytics and reCAPTCHA services.

As a result, the DPA 1) issued a reprimand to the controller and 2) ordered the controller to delete all personal data that were transferred to the United States without a lawful basis. Because the controller had already disabled the Google services from its website, the DPA did not deem necessary to order the controller to do the same and to bring the processing into compliance with the GDPR.

Finally, the DPA highlighted that controllers cannot transfer their responsibility to data subjects by instructing data subjects, for example, to install a Google add-on on their browser to block the use of Google's tracking technologies, such as Google Analytics. The DPA added that Google add-on does not completely prevent the transmission of the data subject's data to Google, as it does not prevent the downloading of Google Analytics scripts from Google's servers.

Comment[edit | edit source]

The Finnish DPA amended their decision by ordering a new decision on 31 May 2023 with regad to this case and replaced the original decision with the new decision.

Initially, the DPA also took into account that the controller had not carried out a data protection impact assessment (DPIA) pursuant to Article 35 GDPR for the data transfers. The DPA considered that the controller’s practice involved a likely high risk within the meaning of Article 35(1) GDPR and that, in particular, the possibility for US authorities to gain access to the personal data poses a high risk to the rights and freedoms of a natural person.

However, within the new decision, on 31 May 2023, the DPA deleted parts of the decision where it applied Article 35 GDPR in this case. This might imply that there was a confusion with Article 35 data protection impact assessment with the so-called "transfer impact assessment" required under chapter V GDPR.

New decision 31.5.2023 available (in Finnish) here.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Decision of the Deputy Data Protection Commissioner in the matter regarding the transfer of personal data to third countries

Keywords: Data transfer
Online services
Tracking technologies

Legal basis: decision in accordance with the EU General Data Protection Regulation

Diary number: 7684/171/22

Thing

Processing of personal data related to the tracking technologies used on the website

Registrar

weather Institute

Information security breach notification by the data controller

The Finnish Meteorological Institute has submitted a data security breach notification to the Data Protection Commissioner's office on 16 September 2022. According to the notification, the controller has used online service plugins that use cookies in its online services, which are Google products.

According to the data controller, the data security breach was discovered when the user of the public pages contacted the data controller about the use of Google Analytics and reCAPTCHA services.

According to the data controller, the start date of the data security breach was January 1, 2010, and the analytics was disabled in September 2022. The data controller estimates the number of data subjects affected by the data security breach to be 330,000 people.

Statement received from the registrar

The Office of the Data Protection Commissioner has requested an explanation from the data controller with an explanation request dated September 22, 2022. The registrar has issued a written statement on the matter on October 7, 2022.
In his report, the controller has confirmed that Google Analytics and the reCAPTCHA service have been used on the website.

According to the report, ReCAPTCHA recognition has been used in connection with the feedback form, and the purpose has been to distinguish computer programs from people. The Google Analytics service has been used to monitor the number of visitors.

According to the controller, the supplementary protective measures referred to in the EU Court's decision in case C-311/18 (the so-called Schrems II decision) have not been implemented, and there has been no basis for the transfer of personal data in accordance with Chapter V of the General Data Protection Regulation. Regarding data transfers, no impact assessment has been carried out either.

On applicable legislation

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation) has been applied since May 25, 2018. As a regulation, the legislation is immediately applicable law in the member states. The general data protection regulation is specified in the national data protection act (1050/2018).

Article 35 of the General Data Protection Regulation provides for an impact assessment regarding data protection. According to paragraph 1 of the article, if a certain type of processing, especially when using new technology, is likely to cause – taking into account the nature, scope, context and purposes of the processing – a high risk in terms of the rights and freedoms of a natural person, the controller must carry out an assessment of the effects of the planned processing activities on the protection of personal data before the processing. A single assessment can be used for similar processing activities with similar high risks. According to paragraph 11 of the article, the controller must, if necessary, carry out a review to assess whether the processing takes place in accordance with the data protection impact assessment, at least if the risk involved in the processing operations changes.

Article 44 of the General Data Protection Regulation provides for the general principle regarding transfers of personal data. According to the article, the transfer of personal data that is processed or is intended to be processed after transfer to a third country or an international organization is only carried out if the controller and the processor of personal data comply with the conditions established in Chapter V of the General Data Protection Regulation, and unless other provisions of the General Data Protection Regulation arise ; this also applies to the onward transfer of personal data from the third country or international organization in question to another third country or another international organization. All provisions of Chapter V of the General Data Protection Regulation must be applied to ensure that the level of protection of personal data of natural persons guaranteed by the General Data Protection Regulation is not compromised.

Article 45 of the General Data Protection Regulation provides for the transfer of personal data based on a decision on the adequacy of data protection. According to paragraph 1 of the article, the transfer of personal data to a third country or an international organization can be carried out if the Commission has decided that the said third country or region of the third country or one or more specific sectors or the said international organization ensures an adequate level of data protection. No special permission is required for such a transfer.

Article 46 of the General Data Protection Regulation provides for the transfer of personal data to a third country or international organization, applying appropriate protective measures. If a decision in accordance with Article 45, paragraph 3 of the General Data Protection Regulation has not been made, the controller or personal data processor may transfer personal data to a third country or international organization only if the controller or personal data processor in question has implemented appropriate protective measures and if the data subjects have enforceable rights and effective legal remedies. Sections 2 and 3 of the article describe what appropriate protective measures can be. According to Article 2, appropriate safeguards may include: a) a legally binding and enforceable instrument between authorities or public bodies; b) the binding rules for the company under Article 47; c) standard data protection clauses issued by the Commission following the review procedure referred to in Article 93, paragraph 2; d) standard clauses regarding data protection, which are confirmed by the data protection authority and which are approved by the Commission following the review procedure referred to in Article 93(2); e) the approved codes of conduct referred to in Article 40 together with the binding and enforceable commitments of the third-country data controller or personal data processor for the application of appropriate safeguards, including the rights of data subjects; f) the approved certification mechanism referred to in Article 42 together with binding and enforceable commitments of the third country controller or processor of personal data to apply appropriate safeguards, including the rights of data subjects. According to paragraph 3 of the article, with the permission of the competent supervisory authority, appropriate safeguards may also include the following in particular: a) contractual clauses between the controller or personal data processor and the controller, personal data processor or recipient of a third country or international organization; or b) provisions that are included in administrative arrangements between authorities or public bodies and that include enforceable and effective rights of data subjects.

A legal question

The Deputy Data Protection Commissioner assesses and resolves the matter on the basis of the aforementioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).

The Deputy Data Protection Commissioner must resolve:

1) Has the controller's procedure for international data transfers been in accordance with Articles 44 and 46 of the General Data Protection Regulation, and has there been a valid reason for the transfer of personal data to the United States.

2) Has the data controller properly fulfilled its obligation to prepare a data protection impact assessment in accordance with Article 35 of the General Data Protection Regulation with regard to data transfers.

Decision of the Deputy Data Protection Commissioner

Decision

In the case under consideration, the controller has not had a valid transfer basis for transferring personal data to the United States, and the controller's procedure has not been in accordance with Articles 44 and 46 of the General Data Protection Regulation. According to Article 44 of the General Data Protection Regulation, transfers of personal data to a third country can only be carried out if the controller and the personal data processor comply with the conditions established in Chapter V of the General Data Protection Regulation. For the transfer of personal data, there must be a transfer basis in accordance with Chapter V of the General Data Protection Regulation, and if the data controller cannot carry out data transfers based on the decision on the adequacy of data protection referred to in Article 45 of the General Data Protection Regulation, the data controller must implement protective measures in accordance with Article 46 of the General Data Protection Regulation. In accordance with the decision given by the EU Court in case C-311/18, the data controller could not use a decision on the adequacy of data protection as a basis for transfer, and the data controller has not defined or applied a legal basis for the transfer of personal data for reCAPTCHA and Google Analytics services (violated articles: 44 and 46) .

The controller has also not prepared a data protection impact assessment in accordance with Article 35 of the General Data Protection Regulation regarding data transfers, which the controller should have prepared in this case regarding the use of tracking technologies (violated articles: 35).

Regulation

The controller is given an order in accordance with Article 58(2)(d) of the General Data Protection Regulation to ensure that personal data transferred to the United States without a legal basis for transfer when using the services evaluated in this case is deleted. Based on the report obtained in the matter, the controller has already taken measures to remove the reCAPTCHA and Google Analytics services from its website, and it is therefore not necessary to issue an order to remove the aforementioned services from the website in order to bring the processing operations into compliance with data protection regulations.

The deputy data protection commissioner leaves the appropriate measures to the discretion of the data protection officer, but orders a report on the measures taken to be submitted to the data protection commissioner's office by June 15, 2023, unless the data protection officer applies for an amendment to this decision regarding the order.

Note

When using the Google Analytics analytics tool and the reCAPTCHA service, the controller has transferred personal data to the United States without a valid basis for transferring personal data. In its procedure, the controller has violated Articles 44 and 46 of the General Data Protection Regulation. The controller has also neglected its obligation to prepare a data protection impact assessment in accordance with Article 35 of the General Data Protection Regulation regarding international data transfers related to the use of tracking technologies. The controller is given a notice in accordance with Article 58(2)(b) of the General Data Protection Regulation regarding personal data processing actions contrary to the provisions of the General Data Protection Regulation regarding transfers of personal data to the United States and failure to conduct an impact assessment regarding data transfers.

Regarding other services that may be available on the website, guidance is given to the controller (see page 7 of this decision document).

Reasoning

Transfers of personal data to the United States

Data transfers between the Union and the United States have previously been possible under the so-called Privacy Shield arrangement. The purpose of the arrangement was to secure a sufficient level of data protection for transferred personal data. In its ruling on July 16, 2020, in case C-311/18, the EU Court has annulled the Commission's decision regarding the Privacy Shield arrangement and stated that the Privacy Shield decision regarding the adequacy of data protection in the United States is invalid. According to the decision, if the controller established in the European Union or its personal data processor cannot take sufficient additional measures to ensure adequate protection of personal data, it must suspend or stop the transfer of personal data to the relevant third country.

reCAPTCHA and Google Analytics

CAPTCHA services are used to distinguish whether the site user is a human or a computer. In general, the purpose of CAPTCHA services is to enable, for example, blocking the automated operation of so-called bots, such as mass sending of feedback using a feedback form. In practice, the CAPTCHA test can be, for example, image verification, where images with a certain content must be selected from the grid (such as vehicles or traffic lights), or the test may be about an invisible method based on the evaluation of the website visitor's behavior.

The CAPTCHA service used in the case being evaluated is the US company Google's reCAPTCHA service. The service has been used in connection with the feedback form found on the controller's website. The website of the controller has also used the Google Analytics analytics tool.

Google Analytics and reCAPTCHA services are external services. When using external services, personal data is processed in the service of the external service provider, by that service provider (i.e. Google in this case). In this context, personal data referred to in Article 4 of the General Data Protection Regulation, such as IP addresses and other data, which can be used to identify the data subject, is forwarded to the service provider.

The information transmitted to the service provider may include, for example, information about the website visitor's browser and user (such as the browser used by the visitor on the site and the size of the browser screen, language options, time zone and installed fonts) and information about the terminal device (such as the visitor's terminal device type, operating system, screen resolution and size, and the type of video card). The comparison of the combinations formed from this data enables large-scale, automated identification and profiling of registered users, and a similar repeated combination in connection with different site visits indicates that it is probably always the same user. The data can thus be used to identify the data subject, and can also be combined with other data collected from the same user for identification and profiling purposes. As stated above, the information transmitted to the service provider also includes the IP address, which is considered personal data and enables the identification of the registered person.

The case being evaluated now concerns a US service provider (Google), whose personal data is transferred to the United States when using the services evaluated in this case, and for whose services the data controller should have made an appropriate assessment as to whether the data transfers comply with data protection regulations. According to the data protection commissioner's report to the office, the data controller has not defined the transfer basis in accordance with Chapter V of the General Data Protection Regulation in the case, or implemented additional protective measures that would effectively prevent the US service provider's and the US intelligence authority's access to all personal data.

As explained above, the controller has neglected its obligations according to Articles 44 and 46 of the General Data Protection Regulation. In the case of reCAPTCHA and Google Analytics services, the controller has not properly ensured that there is a valid transfer basis for personal data transfers, and in the absence of a transfer basis, the controller has also not suspended or stopped data transfers without delay after the decision of the EU Court in case C-311/18. The controller is given a notice regarding this procedure and an order to delete personal data transferred to the United States without a legal basis for transfer.

About the use of tracking more generally

In this context, the Deputy Data Protection Commissioner states on a general level that when processing personal data on websites, it should be noted that the controller cannot transfer its responsibility for ensuring the legality of data transfers to the data subjects, but the controller must ensure that when tracking technologies are used on the website, personal data is not transferred to, for example, the United States without a valid adequacy decision that can be used by the controller, or without appropriate additional safeguards. This must also be taken into account when using cookie banners. Even if the registrant has the option to deny cookies in the cookie banner, the registrant's personal data may illegally end up in, for example, the United States.

Let it be added that the data controllers cannot also transfer their responsibility to the data subjects by instructing the data subjects, for example, to install an add-on provided by Google in their browser, which can be used to prevent the use of Google's tracking technology, such as the Google Analytics service. According to the current information, the add-on offered by Google does not completely prevent the transfer of data of the registered person to Google, as it does not prevent the downloading of Google Analytics scripts from Google's servers. When downloading scripts, information enabling the identification of the registered person, such as the IP address and information about the user's browser, is transmitted to Google.

Impact assessment regarding data transfers

Article 35 of the General Data Protection Regulation requires that, before taking processing measures, the controller makes an assessment of the effects of the planned processing measures on the protection of personal data when the processing is likely to cause a high risk in terms of the rights and freedoms of a natural person.

The purpose of the data protection impact assessment is to describe the processing of personal data, assess its necessity and proportionality, and support the management of risks arising from the processing of personal data affecting the rights and freedoms of natural persons by assessing the risks and defining the measures to address them. The data protection impact assessment is an important tool in terms of the obligation of proof, as it helps data controllers not only to comply with the requirements of the General Data Protection Regulation, but also to demonstrate that compliance with the regulation has been ensured by appropriate measures. In other words, a data protection impact assessment is a procedure to improve and demonstrate compliance with requirements.

In the case being evaluated now, the data controller has stated in the report given to the data protection commissioner's office that it has not performed an impact assessment regarding data transfers related to the processing of personal data. The Deputy Data Protection Commissioner states that the data controller should have followed the risk-based approach required of the data controller in the processing of personal data and taken into account that the procedure involves a probable high risk as referred to in Article 35, Paragraph 1 of the General Data Protection Regulation, and that in particular the possibility of US authorities accessing personal data collected through tracking technologies constitutes a high risk in terms of the rights and freedoms of a natural person .

Let me specify what was stated above, that the impact assessment must also be prepared in a situation where the processing of personal data was not initially associated with a likely high risk, but such a risk has since become actualized.

As stated above, the controller should have drawn up an impact assessment regarding data transfers, in which the controller would have evaluated, for example, its protective measures related to international transfers of personal data. In the case under review, the data controller has neglected this key duty, and the data controller is given a notice regarding this procedure.

Applicable legal provisions

Those mentioned in the justifications.

Appeal

According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019). The appeal is made to the administrative court.

Service

The decision is notified in accordance with § 60 of the Administrative Act (434/2003) by mail against receipt.

More information about this decision will be provided by the rapporteur

Chief Inspector Niina Miettinen, tel. 029 566 6774, niina.miettinen(at)om.fi

The decision was made by Deputy Data Protection Commissioner Annina Hautala.

The decision is not yet legally binding.

Supervision of the deputy data protection officer

The Deputy Data Protection Commissioner directs the data controller to also carefully review the other services available on its website to ensure that personal data is not transferred outside the EU/EEA area in violation of data protection regulations. In this evaluation, it should be taken into account that the problems related to data transfers found in the decision given by the EU Court in case C-311/18 are not limited to the services of one service provider, such as Google, and that, for example, the services of Finnish service providers may use other service providers in some parts, so that personal data is transferred in accordance with data protection regulations contrary to outside the EU/EEA area.

You cannot apply for a change to this guidance of the deputy data protection officer by appealing.