December 2, 2022

Volume XII, Number 336


The Italian Supervisory Authority Weighs In On Website Analytics

Following the positions expressed by the Austrian, German, and French supervisory authorities (see our previous alert), the Italian Supervisory Authority (Garante per la Protezione dei Dati Personali) (Garante) published on 9 June 2022 a specific measure, according to which website analytics solutions used to measure online audiences (Analytics Service Solutions) infringe the EU General Data Protection Regulation no. 2016/679 (GDPR) when such use implies a transfer of personal data to a third country without an adequate level of personal data protection, such as the United States. Generally speaking, the Garante aligned its position on the matter with its counterparts.

In the case at hand, following an investigation initiated in August 2020, based on a data subject complaint, the Garante admonished (without issuing a fine) an online newspaper (the Company) for transferring, through Analytics Service Solutions, the personal data of users to the United States without adopting the necessary safeguards. In particular, the Garante pointed out that the Company had no autonomy in making choices regarding data transfers to third countries and “no possibility to verify the implementation at technical level” of any additional measures Analytics Service Solutions would dictate.

In particular, the Garante took a position on a controversial topic relating to the characterization of an internet protocol (IP) address: According to the Garante, the IP address should be deemed personal data inasmuch as it allows the identification of an electronic communication terminal and, therefore, indirectly, the identification of a user behind that terminal. The above occurs, for instance, when users access a website while at the same time being logged in to the Analytics Service Solutions’ own service (such as webmail), since the data transmitted by the website’s cookies may be reconciled with such service and account.

Furthermore, the Garante disregarded the use of an “IP anonymization” functionality selected by the Company, considering that it would not be sufficient to prevent the identification of the user and, therefore, the transfer of actual personal data. According to the Garante, the partial IP address truncation was deemed to be mere pseudonymization, unable to prevent further re-identification of the user when using Analytics Service Solutions’ services.

In light of the above, the Garante reiterated the principle already established by the Court of Justice of the European Union: Under GDPR’s accountability framework, EU-based data exporters are required to assess whether the data importer’s applicable regulatory framework or best practices affect the effectiveness of the standard contractual clauses’ safeguards. In particular, the exporter must verify whether the public authorities in the third country have access to the exported personal data through the exporter itself. Generally speaking, data exporters subject to GDPR must ensure, on a case-by-case assessment, that the safeguards set out under Article 46 GDPR et seq. are effective. Therefore, in the event that it is not possible to ensure compliance with GDPR safeguards, additional measures must be implemented to ensure a level of personal data protection that complies with the GDPR. In addition, the Garante pointed out that, in the case at hand, the encryption key remained with the Analytics Service Solutions’ provider and, reiterating what the European Data Protection Board had already stated in its Recommendation 1/2020, such loss of control over the encryption key prevented any organizational or technical measures from being considered adequate.

As a result of all the investigations conducted, deeming that the Company’s breach fell within the scope of Article 83 GDPR, paragraph 2 (“minor violation”), the Garante ordered the Company to comply with Chapter V GDPR within 90 days and, failing this, to prohibit any international data flow to Analytics Service Solutions.

In addition to the above, Mr. Guido Scorza, one of the Garante’s members, highlighted in a press release that this matter affected each and every website operator in Italy, which now all have a 90-day deadline to comply with the issued measure.


All website stakeholders in Italy must now review their Analytics Service Solutions and assess whether they would fall within the scope of the Garante’s requirements.

  • Where such international data transfers would effectively occur, the stakeholder should assess the best way forward. If their Analytics Service Solutions do not offer sufficient safeguards, and following the similar recent decision by the French Supervisory Authority, the Italian stakeholders may notably consider the implementation of IT solutions such as encryption and proxy servers.

Copyright 2022 K & L Gates

National Law Review, Volume XII, Number 210

About this Author

Claude-Etienne Armingaud’s practice focuses on the representation of public and private companies in the area of information technologies and intellectual property law. Mr. Armingaud provides counsel to his clients at all stages of their corporate life cycle and in wide-ranging transactions, including in connection with litigation compliance matters, intellectual property protection and development, data protection strategic operations, and other commercial contracts.

Mr. Armingaud regularly advises start-up companies in matters relating to...

Eleonora Curreri is an associate in the firm’s Milan office where she is a member of the IP Procurement and Portfolio Management and Technology Transactions and Sourcing groups.

Eleonora manages trademarks and patent portfolios of national and international companies, advising clients on prosecution, litigation, infringement, and enforcement matters, including national and international filing strategies. She also has experience in negotiating and drafting IP-related agreements, including sponsorship (influencer marketing), licensing,...