Since our last post, the French Supervisory Authority (the “CNIL”) has published a Q&A and a post on June 7, 2022 regarding Google Analytics, where it highlights the key points of its formal notices and gives some practical advice to website operators.
- Lessons to be drawn from the formal notices regarding the use of Google Analytics
The CNIL confirms that, although the formal notices were issued only against certain French companies (notably specifically targeted by NOYB’s complaints) all websites using Google Analytics are concerned. Hence, the anonymization of the formal notices is a call from the CNIL to all website operators using Google Analytics to make their websites compliant.
Therefore, “all controllers using Google Analytics similarly to the companies targeted by the formal notices should consider the use thereof as unlawful under the GDPR”. Thus, the CNIL prompts all website operators using Google Analytics to find alternative solutions with sufficient safeguards.
While the legal issues raised by Google Analytics have been examined in coordination with other EU Supervisory Authorities, each website operator subject to a claim has been investigated on a case-by-case basis in accordance with the responses provided by each organization.
- Why is Google Analytics non-compliant
- The standard contractual clauses entered into between Google and website operators are not sufficient to ensure by themselves an adequate level of protection. The supplementary measures implemented by Google – whether contractual, organizational, or technical – are ineffective against access requests by US intelligence services.
- The setup of Google Analytics does not prevent the transfer of personal data outside the EU since all personal data collected via Google Analytics is hosted in the US. The sole use of solutions subject to third-country laws is likely to raise difficulties in terms of access by foreign government authorities to personal data hosted in the EU (unless such access is based on an international agreement in compliance with Article 48 of the GDPR). This begs the question whether companies should only use solutions offered by EU companies.
- The CNIL furthers notes that (i) even though an IP-anonymization function exists, it does not apply to all transfers as it is optional and (ii) it is unclear whether the anonymization takes place before the data is transferred to the US. The CNIL further states that the sole use of unique identifiers may render an individual identifiable when combined with other information such as browser or operating system meta data. Finally, the CNIL explains that the combined use of Google Analytics with other Google services such as marketing, may increase the risk of tracing individuals since it may allow to retrace their browsing history on a huge number of sites.
- Regarding the encryption of the personal data, the CNIL finds that it is not efficient since Google LLC proceeds to the encryption and must provide access to the data under its custody as well as to the encryption keys necessary to access the data in the clear. To be considered as a sufficient supplementary measure, the encryption keys should notably be kept under the exclusive control of the data exporter, or other entities established in a country offering an adequate level of data protection.
- Proxyfication and alternative solutions proposed by the CNIL but with stringent conditions
The CNIL opens a window enabling the use of Google Analytics by stating that a solution involving a proxy server that avoids direct contact between the user’s terminal and Google’s servers could be considered as a sufficient supplementary measure. However, the proxy server will have to meet all the criteria applicable to supplementary measures set forth in the Recommendations of June 18,2021.
The CNIL also refers to a list of audience measurement tools which do not require users’ consent. Amongst other, the following tools are mentioned:
- SmartProfile, version 21, from Net Solution Partner,
- Matomo Analytics, version 4, from Matomo,
- Eularian, version 6, from Eularian Technologies.
However, such list does not address the issues raised by international data transfers and notably the consequences of the Schrems II decision. Thus, although a data exporter uses a solution listed by the CNIL, it will not be exempted from carrying out a data transfer impact assessment in the event of data transfers to a third country.
If such data transfer impact analysis leads to the conclusion that supplementary measures are needed, the use of the proxyfication method as mentioned above for Google Analytics, which allows to send only pseudonymized data prior to the data export to servers located outside the EU when properly set up, could be considered as an appropriate measure.
This solution involves both technical and financial considerations for data controllers: the CNIL enumerates a list of measures that must be implemented in order to use a valid proxyfication, such as (i) guaranteeing that the IP address is not sent to the server of the measurement tool, (ii) replacing the user ID by the proxyfication server, (iii) removing any information on the referer website, (iv) re-processing information participating in the generation of fingerprint, (v) No collection of unique ID cross-sites, (vi) deletion of any data likely to lead to a reidentification, (vii) the proxyfication server should not involve transfers out of EU to a third country. However, the CNIL acknowledges that implementing all these measures can be expensive and complex. As an alternative, the CNIL recommends controllers to use a solution that does not transfer personal data outside the EU.
- A risk- based approach is not admitted
The CNIL finally reiterates that controllers cannot take a risk-based approach relying on the likelihood of data access requests. As long as such access is possible, additional technical measures as described in the EDPB’s recommendations on measures that supplement transfer tools must be taken in order to make such access impossible or ineffective.
The CNIL thus reaffirms the European position that has been taken since the Schrems II decision, maintaining the users of such tools in a difficult situation in particular when the likelihood of access to the data is very low.