Development of a tool for the automated analysis and reporting of personal data transfers to non-EEA domains

This thesis project is divided in two main parts. The goal of the first part was to develop a software tool which could help users identify illegal data transfers directed to non-EEA domains while navigating the web and generating reports which could be submitted to the Italian supervisory authority (namely Garante per la Protezione dei Dati Personali). The goal of the second part was to extend the work by creating a set of automatic scripts which could automatically navigate through websites and identify illegal request directed to non-EEA domains, and then run an analysis on the Italian public administration websites by using those scripts, possibly building visual representations of the obtained results. First of all, we focused on the legal aspects to understand when a certain data transfer to an external country is illegal. We identified the GDPR articles which regulate personal data transfers to third countries, and we considered as a specific case study the EU to US data transfers. Then we moved to the development of the application, which was written in JavaScript by using the Electron cross-platform framework. For the development, we adopted the best practices from the software engineering world. Basically, our application consists of a GUI which allows the users to navigate the web, a component which captures and analyzes the HTTP traffic, in order to detect requests addressed to domains belonging to companies located in countries for which no adequacy decision has been issued, and creates a HAR (HTTP Archive) log, and another component which builds the claim. Then we built minos-cli, the set of scripts targeted to analysis and visualization, by employing a mix of different languages and libraries. From the logical point of view, the approach was quite the same as for the GUI version: we record the network traffic, create a HAR log and analyze the HTTP requests to detect the illegal ones. The difference here is that everything is automatic, i.e. there is no explicit interaction of the user with the webpages. By using the tools we had just built, we ran the analysis on a set of 22890 public administration websites from Italy, and we computed some statistics on the results. We found that more than 15% entities were not GDPR-compliant, making requests to domains of companies from third countries lacking an adequacy decision. We also discovered that Amazon is by far the most popular company among all service providers, and that Italian PA organizations mostly demand cloud computing and cdn services. Our results highlight a discrepancy between the GDPR goals and the behaviour of the PA’s websites, which still keep transferring personal data to third countries without the proper legal basis.