Last February, the French data protection authority (CNIL) issued a formal notice to a number of organisations using Google Analytics and transferring personal data to the United States in violation of the Schrems II ruling.
On 16 July 2020, the Court of Justice of the European Union invalidated the Privacy Shield, which governed data transfers between the European Union and the United States, because it did not offer appropriate guarantees against the risk of unlawful access by American authorities to the personal data of European residents.
Google then tried to put in place additional measures and guarantees to make its Google Analytics tool compliant with the GDPR. Unfortunately, the CNIL considered that the additional measures proposed by Google were not sufficient to ensure real compliance.
With Google Analytics being used on the majority of websites in Europe, this situation has become a real headache for website publishers and their web agencies.
In order to clarify the situation for the data controllers concerned, the CNIL has just published a question and answer on the compliance of the use of Google Analytics and a practical guide to compliance with the RGPD for website audience measurement tools. Organisations had until the end of July 2022 to comply.
What are the CNIL’s main conclusions on the GDPR compliance of Google Analytics?
Are the standard contractual clauses and additional guarantees offered by Google sufficient?
The CNIL considers that these measures alone cannot provide a sufficient level of protection in the event of a request for access from foreign authorities, particularly if this right of access is provided for by local laws, which is the case in the United States.
The CNIL also found insufficient the additional legal, organisational and technical measures put in place by Google to ensure the effective protection of European users’ personal data transferred to the United States, in particular against requests for access to the data by the intelligence services.
Can Google Analytics be set up so that personal data is not transferred outside the European Union?
The CNIL considers that this is not the case at present. Indeed, Google has indicated that all the data collected through Google Analytics is hosted in the United States.
The CNIL therefore stresses that even in the absence of a transfer, the use of solutions proposed by companies subject to US jurisdiction is likely to pose difficulties in terms of access to data. Indeed, Google may be obliged by the US authorities to disclose personal data hosted on their servers located in the European Union. However, in the context of the invalidation of the Privacy Shield by the CJEU, the CNIL recalls that such disclosures no longer comply with the conditions set out in Article 48 of the GDPR.
Can Google Analytics be set to only transfer anonymous data to the US?
In the context of the formal notice, Google indicated that it uses pseudonymisation measures, but not anonymisation. This is problematic because pseudonymised data can potentially re-identify an individual when coupled with unique identifiers and/or other information such as browser and operating system metadata.
The CNIL also points out that the collection of IP addresses coupled with Google’s marketing tools can make it possible to trace the browsing history of the majority of Internet users on a large number of websites.
As for the possibility of anonymising IP addresses proposed by Google, this is not applicable to all transfers. Another concern highlighted by the CNIL is that the information provided by Google does not make it possible to determine whether this anonymisation of IP addresses takes place before the transfer to the United States or not.
How to comply with the GDPR when using Google Analytics?
In summary, solutions are possible, but complicated to implement and potentially costly.
Could data encryption be a sufficient additional guarantee?
Google’s implementation of data encryption has proven to be an insufficient technical measure as Google itself encrypts data and is obliged to grant access to or provide imported data in its possession, including the encryption keys necessary to make the data intelligible.
Is it possible to continue to transfer data via Google Analytics with the explicit consent of individuals?
The CNIL considers that the possible derogations provided for in Article 49 of the GDPR are not applicable. Indeed, the derogations can only be used for non-systematic transfers and cannot constitute a long-term and permanent solution, as the use of a derogation cannot become the general rule.
Can we consider using the proxyfication method to be compliant?
When properly configured, proxyfication allows only pseudonymised data to be sent to a server outside the European Union. The CNIL insists that only solutions that break the contact between the terminal and the server can address this issue. Therefore, beyond the simple absence of a request from the user’s terminal to the servers of the measurement tool, it is necessary to ensure that all the information transmitted does not in any way allow the person to be re-identified, even taking into account the considerable resources available to the authorities likely to want to carry out such re-identification
The CNIL recalls that it must however be ensured that this server fulfils a set of criteria in order to be able to consider that this additional measure is in line with what is foreseen by the EDPS in his recommendations of 18 June 2021.
Is using alternative audience measurement tools other than Google Analytics a safer option?
The CNIL has published a list of audience measurement tools that may be exempt from consent when properly configured.
This list includes tools that have already demonstrated to the CNIL that they can be configured to limit themselves to what is strictly necessary for the provision of the service, and thus not require the user’s consent, in accordance with Article 82 of the Data Protection Act.
However, this list does not currently consider the issues raised by international transfers, including the consequences of the “Schrems II” judgment.
One major concern is that many of these alternative audience measurement tools are not free, unlike Google Analytics, whose main features are provided free by Google. In addition, Google Analytics is integrated with other Google tools widely used by businesses and their web agencies.
Therefore, the implementation of alternative tools can potentially pose operational and budgetary concerns for data controllers.
Some organisations will therefore be tempted to take a risk-based approach and/or wait for the implementation of a new “privacy shield” which should put transfers of personal data to the United States on a legitimate basis.
However, the CNIL has warned organisations against this risk-based approach in its Questions & Answers document.