24 2022

Italy: Garante finds US data transfers through the use of Google Analytics unlawful

View 933

word 1.1K read time 5 minutes, 24 Seconds

The Italian data protection authority ('Garante') announced, on 23 June 2022, that it had published its Decision No. 224, as issued on 9 June 2022, in which it issued a reprimand to Caffeina Media s.r.l., for violations of Articles 5(1)(a), 5(2), 13(1)(f), 24, 44, and 46 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint submitted by an individual.

Background to the decision

In particular, the Garante reported that, according to the complaint, Caffeina Media, as operator of the website , had transferred the complainant's personal data to Google LLC, based in the US, through the use of Google Analytics, in the absence of the guarantees provided for by Chapter V of the GDPR. Subsequently, the Garante noted that it had started an investigation, in close coordination with other EU data protection authorities.

Findings of the Garante

Further to the above, as a result of the investigation carried out, the Garante outlined that it had ascertained that the transfers made by Caffeina Media to Google, by means of Google Analytics, breached Articles 44 and 46 of the GDPR.

Specifically, the Garante determined that Caffeina Media had used Google Analytics, in its free version, for the pursuit of purely statistical purposes and had not implemented the 'IP-Anonymization' feature offered by Google Analytics. As regards the processing carried out, the Garante determined that Caffeina Media collected, by means of cookies transmitted to the user's browser, information on how the latter interacts with the website, as well as with the individual pages and services offered. More in detail, the Garante outlined that the data collected and transferred to the US included the user device IP address, along with information on browser, operating system, screen resolution, selected language, and date and time of page viewing. Notably, the Garante highlighted that an IP address is personal data and took the view that the 'IP-Anonymization' featured offered by Google is a pseudonymisation, rather than anonymisation, technique, considering Google's capabilities to enrich the personal data in question through additional information it holds.

In the light of the above, the Garante outlined that the use of Google Analytics by website operators, such as Caffeina Media, entails a transfer of personal data to Google; such transfers, insofar as they are made to a third country that does not ensure an adequate level of protection under the GDPR (i.e. the US), must be carried out in compliance with Chapter V of the GDPR. Further to this, the Garante explained that, in light of the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case') and the European Data Protection Board's ('EDPB') Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, data controllers, as exporters, are obliged to verify, on a case-by-case basis and, where necessary, in cooperation with the importer in the third country, whether the law or practice in force in the third country affects the effectiveness of the appropriate safeguards contained in the Standard Contractual Clauses ('SCCs'), to determine whether the safeguards provided therein can be complied with in practice.

Further to this, the Garante outlined that, if as a result of the above-mentioned assessment, it is found that the legislation and practices of the third country prevent the importer from complying with the obligations under the chosen transfer instrument, as found in the present case, exporters must adopt additional measures ensuring a level of protection of personal data substantially equivalent to that provided for in the GDPR. More in detail, the Garante determined that the encryption mechanisms implemented in the case in question (i.e. cryptography at rest and in transit) were not sufficient to avoid the risks of access, for national security purposes, to the data transferred from the EU by US public authorities, since such encryption techniques provide that the encryption key rests in the hands of Google, which holds it, as importer, by virtue of the need to have the data in plain text in order to carry out processing and provide services. Importanly, the Garante highlighted that the obligation to allow access, on the part of the US authorities, falls on Google, not only with regard to the imported personal data, but also with regard to any cryptographic keys necessary to make them intelligible. As such, the Garante concluded that, as long as the encryption key remains at the importer's disposal, the measures taken cannot be considered adequate. Moreover, the Garante noted that, in the absence of appropriate technical measures, the additional contractual and organisational measures adopted could not reduce or prevent the possibility of access to the personal data subject to transfer by US authorities.

In the light of the foregoing, the Garante took the view that the additional safeguards adopted in the present case could not be regarded as adequate, with the consequent unlawfulness, within the meaning of Articles 44 and 46 of the GDPR, of the relevant transfers of personal data to the US.

Separately, the Garante also found Caffeina Media in breach of:

Articles 5(2) and 24 of the GDPR, thus rejecting Caffeina Media's argument as to its lack of autonomy with regard to the decisions to be taken on the transfer of data to third countries; and Articles 5(1)(a) and 13(1)(f) of the GDPR, for the lack of information on data transfers on the website's privacy policy, which was generated using the automatic service offered by iubenda s.r.l. for the management of privacy policies and cookie policies.


Given the established facts, the Garante issued a reprimand against Caffeina Media and ordered the same to bring its processing into compliance with the GDPR within 90 days. On this aspect, the Garante considered the imposed deadline appropriate in order to allow Caffeina Media to implement adequate measures in connection with the data transfers; should the deadline not be met, the Garante pointed out that it would order the suspension of all Google Analytics-related data flows to the US. In addition, the Garante noted that Caffeina Media may, within 30 days, lodge an appeal before the ordinary judicial authority.

Notably, the Garante urged all Italian website operators, both public and private, to take into account the unlawfulness of the data transfers to the US resulting from the use of Google Analytics, calling upon all controllers to verify that the use of cookies and other tracking tools on their websites is compliant with the #GDPR

Source by Redazione

LSNN is an independent editor which relies on reader support. We disclose the reality of the facts, after careful observations of the contents rigorously taken from direct sources, we work in the direction of freedom of expression and for human rights , in an oppressed society that struggles more and more in differentiating. Collecting contributions allows us to continue giving reliable information that takes many hours of work. LSNN is in continuous development and offers its own platform, to give space to authors, who fully exploit its potential. Your help is also needed now more than ever!

In a world, where disinformation is the main strategy, adopted to be able to act sometimes to the detriment of human rights by increasingly reducing freedom of expression , You can make a difference by helping us to keep disclosure alive. This project was born in June 1999 and has become a real mission, which we carry out with dedication and always independently "this is a fact: we have never made use of funds or contributions of any kind, we have always self-financed every single operation and dissemination project ". Give your hard-earned cash to sites or channels that change flags every time the wind blows , LSNN is proof that you don't change flags you were born for! We have seen the birth of realities that die after a few months at most after two years. Those who continue in the nurturing reality of which there is no history, in some way contribute in taking more and more freedom of expression from people who, like You , have decided and want to live in a more ethical world, in which existing is not a right to be conquered, L or it is because you already exist and were born with these rights! The ability to distinguish and decide intelligently is a fact, which allows us to continue . An important fact is the time that «LSNN takes» and it is remarkable! Countless hours in source research and control, development, security, public relations, is the foundation of our basic and day-to-day tasks. We do not schedule releases and publications, everything happens spontaneously and at all hours of the day or night, in the instant in which the single author or whoever writes or curates the contents makes them public. LSNN has made this popular project pure love, in the direction of the right of expression and always on the side of human rights. Thanks, contribute now click here this is the wallet to contribute

Similar Articles / Italy: G... unlawful