On 7 June 2022, the French data protection authority (CNIL) released answers to frequently asked questions (FAQ) on the use of Google Analytics. The CNIL's position is that the use of Google Analytics, without additional safeguards, is not compatible with the GDPR.
Context
On 16 July 2020, the Court of Justice of the European Union handed down a significant ruling invalidating the Privacy Shield, which had until then governed data transfers between the EU and the United States, because of the risk of unlawful access by American authorities to the personal data of EU residents. After the decision, in August 2020, the non-profit organization NOYB filed 101 complaints with various European data protection authorities about websites using, among others, the widely used web analytics tool Google Analytics, whose parent company is located in the US. The CNIL has issued formal notices to several organizations that use Google Analytics regarding the transfer of personal data to the United States without sufficient guarantees for the rights of European users. The CNIL is not the only European data protection authority to take this stance: the Austrian data protection authority issued its first Google Analytics decision in January 2022.
Can Standard Contractual Clauses and additional guarantees be used for Google Analytics?
According to the CNIL, the answer is “no”. Standard Contractual Clauses (SCCs) are offered by Google by default to the users of Google Analytics. These SCCs alone cannot provide a sufficient level of protection in the event of a request for access from foreign authorities, particularly where such access is provided for by local law. The CNIL also noted that, in its response to the CNIL's request, Google indicated that it had put in place additional legal, organizational and technical measures; these were, however, deemed insufficient to ensure the effective protection of the personal data transferred, in particular against requests for access to data by US intelligence services.
Can settings prevent personal data transfer to the United States?
Unfortunately, according to the CNIL, the answer is also negative. In response to the questionnaire sent by the CNIL, Google indicated that all data collected through Google Analytics is hosted in the United States.
Is it possible to have Google Analytics set up so that only anonymous data is transferred to the US?
Google indicated that it uses pseudonymization measures, but not anonymization. Google offers IP anonymization, but it is not applicable to all transfers, and it is not clear from the evidence provided by Google whether this anonymization takes place before the transfer to the US. The CNIL also highlights that the joint use of Google Analytics with other Google services, particularly marketing services, may increase the risk of tracking.
Can any measures be taken to continue using Google Analytics while ensuring the protection of personal data?
The answer is “yes”, but with several conditions:
1. Implementation of data encryption where the encryption keys are retained only by the data controller. The encryption implemented by Google has proven to be an insufficient technical measure because Google LLC itself encrypts the data and is obliged to grant access to or provide the imported data in its possession, including the encryption keys necessary to make the data intelligible. Such technical measures cannot be considered effective unless additional measures, such as the controller retaining exclusive control of the encryption keys, are used.
2. Using a proxy server to avoid direct contact between the user’s terminal and the servers of the measurement tool. More specifically, the CNIL outlined that the server performing the proxying will have to implement additional measures to ensure that the IP address is not transferred to the servers of the measurement tool, that the user identifier is replaced by the proxy server, that referrer information from sites external to the site is deleted, that any other data that may lead to re-identification is deleted, etc.
Additionally, the CNIL highlighted that it must also be ensured that the proxy server is hosted under conditions guaranteeing that the data it processes will not be transferred outside the EU. Moreover, the CNIL emphasized that data controllers will be required to carry out an analysis to ensure that the measures and guarantees are effectively implemented, as well as to monitor that they are maintained over time as products evolve. This additional measure must also be in line with the EDPS recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
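The proxy-side rewriting described in point 2 above, as an added illustration that is not part of the CNIL text or of any Google product: one analytics hit is sanitised before the proxy forwards it. The parameter names (cid, dl, dr, uip, ua), the key, the first-party host name and the sample hit are assumptions constructed for this example.

```python
import hashlib
import hmac
from urllib.parse import urlparse, urlunparse

# Constructed values for this example: the key stays on the EU-hosted proxy and
# is never forwarded; the host is the site whose own referrers may be kept.
PSEUDONYM_KEY = b"constructed-proxy-only-secret"
FIRST_PARTY_HOST = "www.example.org"

# Assumed Measurement Protocol parameter names (not taken from the article):
# cid = client id, dr = document referrer, dl = document location,
# uip = IP override, ua = user-agent override.
DROP_PARAMS = {"uip", "ua"}
# Request headers that would reveal the visitor's address or device.
DROP_HEADERS = {"x-forwarded-for", "x-real-ip", "forwarded", "cookie", "user-agent"}


def pseudonymise(client_id: str) -> str:
    """Replace the browser's client id with a keyed hash. Only the holder of
    PSEUDONYM_KEY could recompute the link, and the key never leaves the proxy."""
    return hmac.new(PSEUDONYM_KEY, client_id.encode(), hashlib.sha256).hexdigest()[:32]


def strip_url(url: str) -> str:
    """Keep scheme, host and path only: query strings and fragments often carry
    e-mail addresses, tokens or session ids."""
    p = urlparse(url)
    return urlunparse((p.scheme, p.netloc, p.path, "", "", ""))


def sanitise_hit(params: dict, headers: dict) -> tuple[dict, dict]:
    """Rewrite one analytics hit as the proxy would before sending it onward.
    Returns (outgoing params, outgoing headers). The proxy opens its own
    connection, so the source address seen by the tool is the proxy's, not the user's."""
    out = {k: v for k, v in params.items() if k not in DROP_PARAMS}
    if "cid" in out:
        out["cid"] = pseudonymise(out["cid"])
    if "dl" in out:
        out["dl"] = strip_url(out["dl"])
    # Referrer: keep internal navigation, drop anything coming from another site.
    if "dr" in out and urlparse(out["dr"]).hostname != FIRST_PARTY_HOST:
        del out["dr"]
    fwd_headers = {k: v for k, v in headers.items() if k.lower() not in DROP_HEADERS}
    return out, fwd_headers


if __name__ == "__main__":
    # Constructed sample hit as a browser would send it to the proxy.
    hit = {"v": "1", "t": "pageview", "cid": "1234567890.1654600000",
           "dl": "https://www.example.org/account?email=jane%40example.org",
           "dr": "https://search.example.net/?q=jane+doe", "uip": "203.0.113.7"}
    hdrs = {"X-Forwarded-For": "203.0.113.7", "User-Agent": "Mozilla/5.0", "Accept": "*/*"}
    print(sanitise_hit(hit, hdrs))
```

What the proxy forwards is then a pageview on a path, a pseudonymous id and nothing identifying the visitor's network location; the controller still has to verify that the downstream configuration stays that way as the product changes.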
What to take away from this?
The measures indicated above must be implemented together, as a package, and doing so is costly. All of this may be avoided if data controllers refrain from using solutions such as Google Analytics and instead rely on those that do not transfer personal data outside the EU. Whilst data protection authorities have not yet reached a unanimous position on the use of Google Analytics and other similar solutions that transfer personal data outside the EU, it is only a question of time. The analysis carried out by the CNIL, whilst applicable to data controllers and processors in France, is relevant to all.
The content of this article is intended to provide a general guide to the subject matter. If you need assistance regarding the specific situation related with personal data protection, please consult the experts of ECOVIS ProventusLaw.
The article by CNIL can be accessed here. The text is available in French only.
This review was prepared by certified ECOVIS ProventusLaw data protection expert Milda Šlekytė and junior associate Julija Ginotytė.