The following article summarizes the main aspects of the SA decision, highlighting the impacts for entities using Google Analytics and some underlying issues.
The case at stake and the Italian SA Decision no. 224, 9th June 2022.
The Italian SA declared the unlawfulness of the processing of users’ personal data of the website www.caffeinamagazine.it carried out by Caffeina Media S.r.l. through Google Analytics (Decision no. 224, 9th June 2022).
According to the findings of the investigation conducted by the SA, the company, in its capacity as data controller, processed its website users' personal data in violation of Articles 44 and 46, 5(1)(a) and 5(2), 13(1)(f) and 24 of EU Regulation 679/2016.
More precisely, Caffeina Media S.r.l. processed, through Google Analytics (mainly by means of cookies), a large amount of users' personal data and transferred them to the United States (through Google Ireland Limited as data processor and Google LLC as sub-processor), where national legislation does not guarantee a level of data protection for data subjects equivalent to that provided by European legislation. The Italian SA ordered Caffeina Media S.r.l. to bring the processing into compliance with the GDPR within 90 days.
Grounds of the Decision.
The decision rests on a complex set of grounds, which are briefly summarized below.
a) The U.S. legislation does not provide a level of protection for data subjects equivalent to that provided by European legislation. Recalling the case law on this issue, the Italian SA points out that the so-called Privacy Shield does not guarantee a level of protection equivalent to that provided by EU legislation, since US domestic law allows exceptions to data protection legislation that exceed the restrictions deemed necessary in a democratic society, with particular reference to the possibility for US public authorities to access users' personal data for intelligence purposes.
b) The controller did not implement the additional protective measures required by the features of the case at stake. The protective measures implemented by the controller were found to be inadequate since they did not comply with the guidelines provided by the EDPB in Recommendation no. 1/2022. In particular, the data encryption key was found to be in the exclusive possession of the data processor (Google LLC), and the organizational and contractual measures taken by the company were not sufficient to compensate for the inadequacy of the technical ones. In addition, the standard contractual clauses for the transfer of personal data were not assessed for their effectiveness in the overall context (the tools used, the circumstances of the transfer, the legislation of the country to which the data are transferred).
c) The controller did not carry out the actions and duties required by the accountability principle, since the company did not verify, even with the help of the processor, whether the legislation of the country to which the personal data were transferred affected the effectiveness of the guarantees set forth in Article 46 of the GDPR. Moreover, the SA stated that the unequal bargaining power of the parties does not exempt the controller from the responsibilities inherent in its role.
d) The information notice under Article 13 GDPR was incomplete, since it did not contain the mandatory elements prescribed for data transfers.
Comments and critical issues.
First, it should be noted that the SA's approach is certainly consistent with both EU Regulation 679/2016 and its founding principles, as well as with the evolution of European case law on the consistency of the Privacy Shield with the EU legal framework and its adequacy to guarantee individual rights and freedoms in the new context.
In fact, the EDPB has moved in this direction through dedicated FAQ issued following the Schrems II decision.
However, the issue now shifts to the level of enforcement, remedies and penalties.
At this stage, it should be pointed out how disruptive and critical the impact of this Decision is for all public and private entities that use Google Analytics or, more generally, tools provided by entities in a dominant contractual position, which may adversely affect the data controller's ability to take effective action to fulfill its obligations contractually, technically, and in terms of monitoring the actions taken by the processor to comply with any additional organizational measures that may have been agreed upon.
The Privacy Shield adequacy Decision has been declared invalid by the EU Court of Justice; however, in the absence of new dedicated legislation, the data controller, whatever its size, activity and know-how, must bear the burden of a regulatory vacuum by intensifying, perhaps considerably, its efforts to identify and implement additional protective measures, especially technical ones, which may be difficult to implement, also taking into account the know-how and financial resources that such interventions require. Otherwise, it will be necessary to identify alternatives to the means that imply, or could imply, risks in terms of control over data transfers to the United States and, probably, to discontinue the use of Google Analytics in the specific case.
Here we can understand the main issue behind the decision: the lack of a new bilateral regulation between the European Union and the United States on data protection, with particular reference to the protection of individual rights. In this context, the need for regulatory action that gets to the root of the problem emerges.
In conclusion, it is worth briefly noting that the sanctions imposed (i.e. the order to comply with the decision and the law, and the absence for the time being of financial penalties) show how the SA is oriented more toward solving a delicate legal problem than toward the rigid application of large financial penalties without taking into account the complexity of the scenario.