Websites that use Google Analytics (GA) without the guarantees provided for in Regulation (EU) 2016/679 (the “Regulation”) violate data protection legislation, because they transfer user data to the United States, a country that lacks adequate protection. The Data Protection Authority (“Garante”) made this ruling in a measure dated 9 June 2022, adopted after a preliminary investigation initiated on the basis of several complaints and conducted in coordination with other European privacy authorities, and published on the following 23 June.
GA is a web tool provided by Google to website operators that allows them to analyse detailed statistics on users in order to optimise the services offered and monitor marketing campaigns.
The Authority assessed the processing carried out using this tool and found that website operators (such as the sanctioned company) use cookies transmitted to the user’s browser to collect information on how users interact with the website, its individual pages and the services offered. The data collected consists of: unique online identifiers that allow the identification of the user’s browser or device while visiting the website, and of the website operator (through the Google Account ID); address, website name and navigation data; the IP address of the user’s device; and information on the browser, operating system, screen resolution, language selected, and date and time of the website visit.
This information is transferred to the United States of America, a country that, as the Data Protection Authority has repeatedly stated, does not guarantee a personal data protection system equivalent to that of the European Union. The US regulatory system allows US government and intelligence authorities to access personal information for national security purposes without the guarantees provided by European legislation.
The Data Protection Authority stated that the IP address is personal data to all intents and purposes, as it enables the identification of an electronic communication device and thus indirectly makes the data subject identifiable as a user. This data, even if truncated, is not anonymous, given Google’s ability to associate it with other data in its possession, which allows the user to be re-identified.
For these reasons, the Data Protection Authority adopted the first of a series of measures with which it cautioned the company that managed the website under investigation, ordering it to comply with the Regulation within 90 days. The Data Protection Authority considered the deadline appropriate to allow the website to adopt the required transfer measures; otherwise, the flow of data to the United States through GA would be suspended.
At the end of the 90 days, the Data Protection Authority will conduct inspections to verify that the transfers carried out by data controllers comply with the Regulation.
◊◊◊◊
While waiting for the European Union and the United States of America to reach a legally binding agreement that guarantees an international transfer with protections equivalent to what is required in Europe, website operators must comply with applicable legislation. This includes relying on European providers that process users’ personal data within the EU.
Economic growth is slowing down, and it is feared that many companies will have to close in the months to come. However, structural changes taking place in society are leading to an increasing demand for professional profiles that are difficult to find on the market, because training is evolving too slowly. Employment continues to be at the top of the political agenda, with possible reforms in search of a difficult balance between guaranteeing decent pay for everyone and the flexibility needed to avoid stifling market energies. The changes taking place do not only concern the dynamics of supply and demand and legislators’ choices, but also case law rulings, which have played a key role. The latest example of this kind dates back to a few weeks ago, when the Constitutional Court intervened on dismissal regulation (ruling no. 125/2022). Studio Legale De Luca & Partners managing partner Vittorio De Luca said: “Dismantling the reforming effort started by the legislator in 2012 continues,” referring to the Fornero law and the measures launched by the Renzi government. “Already in the past, two rulings have affected the contract with increasing protections, implementing the reform known as the Jobs Act, declaring the illegitimacy of the automatic mechanism for determining the indemnity calculated based solely on seniority.” As for Art. 18 of the Workers’ Statute, the Constitutional Court intervened on the part concerning dismissals for justified objective reason.
The Italian Data Protection Authority (“Garante”), in its injunction of 28 April 2022, imposed a € 200,000 fine on a company in charge of managing the municipal waste collection service for the Municipality of Taranto (the “Municipality”) for having entrusted the processing of personal data to a sub-processor without having requested and obtained specific or general written authorisation from the Municipality, the data controller.
Following widespread waste abandonment within the area under its responsibility, the Municipality entrusted a company it owned with the task of verifying and contesting any offences arising from violations of the municipal regulations on waste disposal. The Municipality and the company agreed on installing video surveillance systems at sites considered particularly sensitive, as they were the places where illegal dumping of waste occurred most frequently.
From a report received by the Data Protection Authority, it emerged that the company had disseminated, by publishing them on its Facebook profile, videos and images collected through the above video surveillance systems, from which the offending citizens were or could be identified.
Following the report, the Authority opened a preliminary investigation, which revealed that the company had started the processing in March 2012 under a municipal ordinance, without the relationship having been regulated under the previous legislation.
Since November 2020, it had used a supplier (designated as data controller) for the collection of video surveillance images without the “prior specific or general written authorisation of the data controller (editor’s note: the Municipality)” required by art. 28 of the GDPR. In January 2022, the Municipality and the company signed an “agreement for the protection of personal data and appointment as an external data controller” under art. 28 of the GDPR. In that agreement, the Municipality specified that “upon its prior written authorisation, the company may make Municipality-owned personal data available to third parties (as sub-processors), to entrust them with part of the processing activities.”
The full version was published in Norme & Tributi Plus Diritto of Il Sole 24 Ore.
Following a report by a group of worker-members of a cooperative, the Data Protection Authority (“Garante”) established the unlawfulness of certain processing operations carried out by publishing information on the assessment of their work on the company notice board.
As part of a “contest with prizes for worker-members, entitled ‘Guardiamoci in faccia…soci!’ (Let’s look at each other…members!) to incentivise the most deserving members and […] discourage inefficiencies”, the cooperative shared the recipients’ assessments on a weekly basis using emoticons accompanied by summary evaluations (such as “absenteeism” or “sickness simulation”) placed next to the image and name of each employee. This information was visible not only to the worker concerned but to anyone who accessed the premises where the company notice board was placed, including external persons occasionally present on the premises. The contest provided a cash reward for the first three winners.
Inspections carried out by the Data Protection Authority established the illegitimacy of the processing for violation of the fundamental principles of lawfulness, fairness, transparency and data minimisation. The Authority confirmed that the employer may lawfully process the information necessary and pertinent to the management of the employment relationship, including the data necessary to assess work performance or exercise disciplinary power (in the manner and within the limits provided for by the sector’s regulations). However, the Authority noted that the systematic posting of such information on the notice board made the data available to persons (such as other colleagues or third parties) who are not entitled to know about disciplinary assessments and remarks.
In addition, the Authority confirmed that the collection of consent, in circumstances such as those of this case, cannot be considered a legal basis legitimising the processing of personal data. This is because the imbalance between the parties to the employment relationship means that consent cannot be presumed to have been given expressly, freely and specifically with reference to an identified processing operation. The consent given at the time of the approval of the members’ resolution, as claimed by the company, is “functionally different” from consent to the processing carried out by the company for the assessment of the members’ actions.
For these reasons, the Authority confirmed that “[…] continuously submitting the assessments on the quality of the work carried out or on the performance correctness to the observation of colleagues, even if it is part of a public competition” infringes the workers’ personal dignity, freedom and privacy.
◊◊◊◊
The company appealed against the Authority’s decision, first to the local court and then to the Court of Cassation. In ruling no. 17911/2022, published on 1 June, the Court of Cassation rejected the appeal, confirming the Data Protection Authority’s arguments and the principle according to which “the processing legitimacy presupposes a valid consent given expressly, freely and specifically, with reference to a clearly identified processing operation; this general principle is relevant and prevails in every relationship.”
Among the consequences of the Ukraine conflict is an increase in cybercrime, especially for the many companies that work with Russia. But cybersecurity is an issue that concerns everyone who exchanges data and information with an electronic device daily. Even before the Ukraine crisis, with the Covid-19 pandemic and the increase in teleworking, it became necessary to think about the creation of an ad hoc cyber defence structure in our country. The establishment of the National Agency for Cybersecurity was indispensable for developing a national cyber resilience strategy. Recently, Prime Minister Mario Draghi signed the “National Cybersecurity Strategy 2022-2026”, which states that 1.2% of gross national investments should be allocated annually to cybersecurity.
In the last few months many Italian online services and sites, including the Senate, Ministry of Defence and ABI (Italian Banking Association) websites, have been cyber-attacked (including by Russian actors), so the issue concerns the public as much as the private sector. The 2022 edition of Verizon’s Data Breach Investigations Report pointed out a significant increase in ransomware attacks, up 13 per cent in just a year, the “largest growth over the past five years.” In its annual report, Proofpoint pointed out that 2021 was a year of great creativity for cybercriminals: threat actors turned to unconventional, people-focused methods, with 100,000 daily smartphone attacks, while smishing doubled compared to the previous year.
Guido Moscarella, COO of Innovery, an Italian multinational specialising in cybersecurity, told Dealflower: “According to the data shared by the postal police, the first quarter of 2022 saw an increase in cyber-attacks of around 40 per cent compared to the same period last year. This increase cannot be blamed entirely on the war: the number of cyber-attacks and their complexity are increasing yearly, especially in the post-pandemic era. The spread of remote working has quickly brought out new vulnerabilities, because it has expanded the perimeter of attack for cyber criminals, a perimeter that companies could not monitor.”
But are government measures sufficient? “To assess whether the planned investments are sufficient is not easy. The cost of cyber-crime is approximately €7 billion yearly. The planned investment for the agency is 623 million, to which further financial levers, such as tax relief, should be added. In a country where 95 per cent of the production fabric is made up of small and medium-sized enterprises, the vast majority of which do not have an IT security system that is up to the task due to budget problems, we would have hoped for a more substantial investment,” Moscarella said.
However, from SMEs to multinationals, all companies are subject to hacker attacks. Lawyer Elena Cannone, Managing Associate and Compliance and Focus Team Leader of the firm De Luca & Partners, told Dealflower: “This situation has worsened with the pandemic as corporate assets are more exposed with remote working.” But the solution may already be at hand if one looks at the GDPR. “This regulation and cybersecurity are sides of the same coin,” the lawyer said. Why? “In the regulation we talk about technical and organisational measures on cybersecurity. Everything is done under the principle of accountability: the company must make an assessment, understand the risks, survey them and, consequently, take measures appropriate to the risk level.”
If the GDPR could be a first step, Cannone said, “we need to have an IT infrastructure that allows us to contain and reduce the risk as much as possible. Companies must be made aware of IT security, because this protects the company’s assets, image and reputation. In addition to the numbers that are public, it should not be forgotten that many companies do not report hacker attacks. The ideal is to prevent what might happen in order to protect the assets, but there is still a way to go. We are slowly getting there: since 2018, however, progress has been made.” What is lacking is the awareness that employees need to be trained. “They must be trained and disciplined with specific and periodic training,” the lawyer emphasised.
Training is crucial, and that goes beyond the company. Moscarella said: “Italy is facing a serious gap of profiles with skills in the IT sectors, especially in cybersecurity. The lack of these profiles makes it difficult to continuously monitor critical structures and guarantee immediate action in case of need.” Innovery has two SOCs (Security Operation Centres) in Italy, which guarantee continuous monitoring, active 24/7, 365 days a year, and are capable of responding to any emergency. “But to increase the effectiveness of these centres, it is necessary to implement them with ever new resources, capable of dealing with cyber risks at all levels, which is why it is essential to invest in training.”
According to a recent report by Fortinet, an American multinational that develops and markets IT security software, devices and services, Italy lacks 100,000 cyber security experts. According to the data of the 2022 Cybersecurity Skills Gap analysis, which involved 1,223 managers from as many companies in 29 countries worldwide, the shortcomings of protection systems are evident. Massimo Palermo, Fortinet’s country manager for Italy and Malta, pointed out that Italy needs at least 100,000 specialised figures, considering that we are “the third country in the world most affected by ransomware attacks.”