Following complaints from the NOYB association regarding the use of the Google Analytics audience measurement solution, the French data protection authority (CNIL) had issued several formal notices to French companies that use this solution on their websites. These decisions were taken in the context of other decisions by European data protection authorities such as the Austrian and following the ECJ’s Schrems II ruling, which invalidated the Privacy Shield, to implement additional measures on Standard Contractual Clauses to cover the transfer of personal data outside of the EU.
The CNIL published only one of these decisions anonymously in February 2022. In this decision, the CNIL considers that the use of the Google Analytics audience measurement solution is not GDPR compliant, since personal data collected through the solution’s cookies are transferred to the United States without adequate measures being taken in order to prevent possible access by the authorities to the personal data. Although Google has made efforts to take additional measures in view of the Schrems II judgment, the CNIL considers that this is still not enough.
The CNIL recommends anonymizing the personal data collected through audience measurement cookies. This allows the solution to benefit from the consent exception that applies to audience measurement cookies in France. The exception of consent only applies to tools that meet a series of cumulative criteria published by the CNIL, one of which consists in producing only statistical anonymous data. However, the controller still needs to ensure that transfers outside the EU are lawful.
On June 7th, 2022, to provide more background information on these choices and to offer possible solutions, the CNIL published a Q&A on the use of Google Analytics as well as a guide on how to use a compliant audience measurement solution.
The central theses
Every company that uses Google Analytics is affected
The questions and answers are short and do not provide much more information than is already contained in the anonymized decision published in February 2022. All French companies among the 101 complaints of the NOYB association have now received a formal notification from the CNIL regarding the use of Google Analytics and they have 1 month (renewable) to comply.
The aim of these questions and answers is for the CNIL to clarify that the rule of the only published decision (February 2022 – anonymized) applies to all companies using the solution and not only to the companies that have received a formal notification.
Rejection of a risk-based approach
The CNIL considers that all additional legal, organizational and technical safeguards provided by Google, such as standard contractual clauses and additional measures, will still not be sufficient to prevent access by non-EU authorities, as Google remains under US jurisdiction.
The CNIL categorically rejects a risk-based approach and considers that the risks remain as long as the data can be accessed: even if access by US authorities to data collected via the Google Analytics solution is reported CNIL is unlikely (ie practice authorities do not make such data access requests) while access is technically possible, then technical measures are required to make such access impossible or ineffective.
The CNIL clearly states that the question is not “Is access by foreign authorities likely?”, but the only relevant question is “Is access by foreign authorities possible?”.
Several options for a compliant use of the Google Analytics audience measurement solution are addressed in the questions and answers, but most of them are considered insufficient by the CNIL and it seems that only the “proxy” solution is considered acceptable by the CNIL is seen:
Changing the settings of the solution: Not sufficient
According to the CNIL, changing the settings of the Google Analytics solution (e.g. changing the IP address processing characteristics, hosting personal data only within the EU, etc.) is not sufficient as long as access from non-EU authorities is possible is still possible and allows to identify the user and track his navigation from one site to another.
Encrypt data: Currently not sufficient
The CNIL emphasizes that encryption is only an acceptable solution if the encryption keys are kept under the sole control of the data exporter or other entities located in the EU or in appropriate countries.
Regarding Google Analytics, the CNIL considers that encrypting data is not enough, since in practice Google LLC is the company that:
- encrypts the data;
- keeps the encryption key; and
- is obliged to provide them upon receipt of access requests (either by granting access or providing the imported data in its possession).
The CNIL concludes that the encryption measures cannot be considered effective in the event of requests from the US authorities, since Google LLC still has the possibility of accessing the data in plain text. In conclusion, encryption would be an appropriate measure if Google LLC did not have access to unique data or access to the encryption keys.
Obtaining user consent: Not applicable
Obtaining users’ consent for data transfers is not sufficient as, while this is one of the safeguards listed in Article 49 of the GDPR, this is considered by the EDPB to be applicable only for one-off and one-off transfers and cannot be used as a permanent solution for the systematic transfer of personal data.
Using a proxy: Might be appropriate
The CNIL only seems to see the use of a proxy as a possible solution. In fact, according to the CNIL, the main problem relates to direct contact via an HTTPS connection between users’ devices and Google’s servers, which allows the IP address of users to be acquired, as well as many other information to re-identify the user. Only solutions that break this contact between the device and the server, such as A proxy, for example, can fix this problem as data would be pseudonymised before being transferred outside the EU.
The proxy or similar solution must meet the EDPB criteria and in particular:
- Pseudonymized data can no longer be assigned to a specific data subject without additional information in accordance with Article 4 (5) GDPR;
- This additional information will only be retained by the data exporter and will be retained separately in an EU Member State or Eligible Country;
- Technical and organizational protection measures prevent disclosure or unauthorized use of this additional information (i.e. the data exporter is the only one who has control over, for example, the encryption keys, algorithm or repository that allow the data subject to be re-identified from the additional information ); and
- The data controller has carried out an analysis which shows that authorities accessing the pseudonymised data cannot re-identify the data subject, even if the pseudonymised data are compared with the additional information.
In addition, in the guide to using a compliant audience measurement solution published together with the questions and answers, the CNIL emphasizes that the use of a proxy requires specific measures (e.g. no transmission of the IP address to the servers of the measurement tool). , replacing the user identifier with the proxy server, lack of any collection of cross-site identifiers, etc.) and that the proxy server must be hosted under conditions that ensure that the data it processes is not transferred outside the EU.
In practice, all these criteria make technical application more difficult. The CNIL itself recognizes that this can be very expensive and complex in practice and finally recommends the use of alternative solutions to Google Analytics.
The CNIL has published on its website a list of cookie solutions that are exempt from consent and that it considers compliant if properly configured. There are currently 18 certified solutions. However, the CNIL points out that such solutions have not been evaluated in relation to international transfers, which means that although they are listed as compliant by the CNIL, they cannot be used as such, but first verify and request the transfer of data Safety precautions must be taken by Schrems II.
What are the next steps?
The solutions offered by the CNIL are still difficult to apply in practice and, finally, no viable solution is offered to companies. As a next step, these questions and answers should be viewed as a reminder for organizations to evaluate their audience measurement solution and whether the measures taken to restrict data access by government agencies are sufficient.