CNIL’s further guidance on Google Analytics
CNIL’s Q&A on formal notices concerning the usage of Google Analytics
On 7th June 2022, the CNIL published on its website a comprehensive Q&A and further guidance following the issuance of several formal notices regarding the usage of the audience measurement tool Google Analytics by websites’ publishers.
- Context
On 16th July 2020, the CJEU invalidated the legal framework (the “Privacy Shield”) for regulating transatlantic exchanges of personal data between the European Union and the United States, (“Schrems II”). Following this court ruling, the CNIL received several complaints from the association “None of Your Business” (“NOYB”) concerning websites using the audience measurement tool Google Analytics, whose data are hosted in the US.
On February 10th, 2022, in line with the position previously taken by other data protection authorities (especially the Austrian Authority), the President of the CNIL issued several formal notices against website publishers on the ground that the safeguards implemented by Google were not sufficient to prevent US authorities from accessing European residents’ personal data and that, as a result, this data was illegally transferred to the US. These actors had one month following its receipt to comply with the formal notice.
One of the formal notices (anonymized) was published on the CNIL’s website, to inform all data controllers using Google Analytics . The CNIL’s Q&A and its further guidance complete this prior public information and provides practical help to the website publishers to adapt their practices while using audience measurement tools.
- Use of Google Analytics
Regarding the use of Google Analytics, the CNIL takes the position that:
– The standard contractual clauses signed with Google which are offered by default do not ensure a sufficient level of protection;
– The additional legal, organizational, technical measures implemented by Google are deemed insufficient by the CNIL to ensure the effective protection of the transferred data;
– In so far as all data collected through Google Analytics is hosted in the US, it is not possible to configure the tool so that personal data is not transferred to the US.
– Google offered pseudonymization and IP anonymization, but it is not applicable to all data transfers. It was also unclear, according to the CNIL, whether this anonymization took place before or after the data transfer to the US;
– The use of unique identifiers can make data identifiable when combined with browser data, and the joint use of other Google services such as marketing services increases the risk of tracking;
– the implementation of data encryption by Google is insufficient as Google LLC itself encrypts the data and is also the entity providing the imported data and encryption keys. In the CNIL’s view, encryption keys should be kept by the data exporter following the EDPB recommendations No. 01/2020;
– Data controllers cannot rely on the express consent of data subjects which is one of the derogations of article 49 of the GDPR, as consent can only be used for non-systematic data transfers.
- Alternative solutions available to actors
The CNIL has published a list of consent-exempted audience measurement tools, but it does not address the issue of international data transfers raised by the Schrems II court ruling.
Consequently, the CNIL urges data controllers to evaluate the applicable legal framework when the tool used entails data transfers outside of the EU, or if the company publishing this tool has capitalistic links with a parent company established in a third country whose legislation allows intelligence services to access personal data.
Such assessment can be based on:
– ECHR or CJEU decisions that have already assessed the compliance of certain foreign legislation with EU data protection standards;
– Recommendations of other European data protection authorities on essential safeguards that are required in a third country.
The CNIL also recalls that data controllers must not adopt a risk-based approach when considering the likelihood of data access requests. As per the GDPR, personal data transferred outside of the EU must have a level of protection that is “substantially equivalent” to the one applied in the EU.
When such access is possible and it appears that the safeguards applied to data access requests are not equivalent to the ones applicable in the EU, then additional technical measures are necessary to render such access impossible or ineffective (See EDPB recommendations).
- How to make an audience measurement tool compliant with the GDPR?
One possibility detailed by the CNIL is the use of a proxy server, avoiding any direct contact between the user’s terminal and Google’ servers. This proxy server must fulfil certain criteria to be considered as a valid additional measure.
Such measure is considered as a case of pseudonymization before data export. Hence, data controllers must ensure that there is no risk of reidentification even the pseudonymized data if cross-checked with other information.
For proxyfication to be valid, the CNIL considers the following measures to be necessary:
- No transfer of the IP address to the servers of the audience measurement tool. If a location is transmitted to the servers of the measurement tool, it must be carried out by the proxy server and the level of precision must ensure that this information does not allow reidentification of the data subject;
- The replacement of the user identifier by the proxy server. To ensure effective pseudonymisation, the algorithm performing the replacement should ensure a sufficient level of collision (i.e. a sufficient probability that two different identifiers will give an identical result after hashing) and include a variable temporal component (adding to the hashed data a value that evolves over time so that the result of the hashing is not always the same for the same identifier);
- The removal of external referrer information from the website;
- The removal of any parameters contained in the collected URLs (e.g. UTMs, but also URL parameters allowing internal routing of the website);
- Reprocessing of information that can be used to generate a fingerprint, such as user-agents, to remove the rarest configurations that could lead to reidentification.
- No collection of identifiers between sites (cross-site) or deterministically (CRM, unique ID);
- Removal of any other data that could lead to re-identification.
Hosting conditions of the proxy server must also be adequate and should ensure that the data is not transferred to a third country which does not provide an appropriate level of protection.
Finally, the CNIL acknowledges that the measures described above can be complex and expensive for businesses, in which case the alternative is to use tools that do not transfer data outside of the EU.