France’s data protection watchdog, the CNIL, has released updated guidelines for the use of Google Analytics following a decision earlier this year finding that a local website’s use of the tool violated European Union law.
It also confirmed that it has since sent formal notices to other organizations to bring their use of Google Analytics into compliance.
The legal issue – which affects not only the use of the popular analytics tool in France but across the EU – hinges on the transfer of user data to the US for processing by Google – an export of personal data that lacks adequate legal protection in the wake of a 2020 decision by the European Supreme Court that invalidated a flagship data transfer agreement (also known as the EU-US Privacy Shield) over the risk of illegal access to Europeans’ data by US intelligence agencies.
Since then, the EU and the US announced (in March) a political agreement on a replacement transfer mechanism.
But, as the CNIL points out, their joint statement is not a legal framework and cannot be relied upon by users of US cloud services who take Europeans’ data across the pond for processing until an actual replacement agreement is formally adopted by the EU – which the Commission has suggested may not take place until the end of the year. (It will almost certainly also face new legal challenges to test whether the deal is as flawed as the previous ones, as data protection experts suspect.)
So the bottom line is that EU websites must either make changes to their use of Google Analytics or risk regulatory enforcement – which could include an order to change their processes and a financial penalty for the violation. And the risk of non-compliance fines is likely to increase as regulatory guidance on this issue becomes more granular, since there are fewer plausible excuses for not making the necessary changes.
“All controllers using Google Analytics in a similar way to [already notified] organizations must now consider this use illegal under the GDPR. They should therefore turn to a service provider that offers sufficient guarantees of conformity,” warns the CNIL in the guidance [which we’ve translated from French with machine translation].
All sites that receive a formal notice from the regulator about their use of Google Analytics will be given one month to comply – with the option of an additional month of extension.
The CNIL’s FAQ on the use of Google Analytics further states that it is essentially impossible for EU-based organizations to use the tool without applying certain additional safeguards of their own.
“None of the additional guarantees given to the CNIL as part of the formal notice would prevent or render ineffective access by US intelligence agencies to European users’ personal data when using only the Google Analytics tool,” it writes in response to a question on whether it is possible to rely on additional safeguards that Google claims apply to the tool.
Standard contractual clauses are also not enough to bridge the legal gap related to data exports, the CNIL also emphasizes — noting that it is not possible to configure Google Analytics so that it does not transfer Europeans’ personal data outside the bloc and further warns: “Even in the absence of a transfer, the use of solutions offered by companies under non-European jurisdictions is likely to pose data access problems. Indeed, organizations may be required by third country authorities to disclose personal data hosted on servers in the European Union.”
According to the FAQ, the possible additional safeguards that EU-based Google Analytics users can apply to use the tool without breaking the law are limited to: encryption (but only if the keys are under the exclusive control of the data exporter or other entities located in an area offering an adequate level of protection); or a proxy server (to avoid any direct contact between the internet user’s terminal and the servers of the measurement tool).
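To make the proxy option concrete, here is an added illustration (not CNIL guidance text and not Google’s or any vendor’s code) of what a first-party measurement proxy does: the browser sends its hit to the site’s own domain, and the proxy, not the visitor’s terminal, contacts the analytics vendor. The vendor endpoint, the dropped header names and the `cid`/`uid` parameter names are assumptions chosen for the example; which identifiers have to be removed or pseudonymized in a real deployment is a question for the regulator’s own proxy guidance, not something this article specifies.

```python
"""First-party measurement proxy: an added illustration of the CNIL's proxy
safeguard. Assumptions (not from the article): hits arrive at /collect on the
site's own domain; VENDOR_ENDPOINT, DROPPED_HEADERS and CLIENT_ID_PARAMS are
placeholders chosen for this example."""
import hashlib
from urllib.parse import parse_qsl, urlencode

# Placeholder vendor endpoint (constructed for the example, not a real URL).
VENDOR_ENDPOINT = "https://analytics.example/collect"

# Request headers that identify the visitor's terminal. None are forwarded, and
# because the proxy opens the outbound connection itself, the vendor only ever
# sees the proxy's IP address, never the visitor's.
DROPPED_HEADERS = {"cookie", "user-agent", "referer", "x-forwarded-for", "x-real-ip"}

# Query parameters carrying a persistent client identifier (constructed names).
CLIENT_ID_PARAMS = {"cid", "uid"}


def pseudonymize(value: str, daily_salt: str) -> str:
    """Replace a client identifier with a salted hash. The salt rotates daily and
    never leaves the proxy, so the vendor cannot re-link a visitor across days
    or recover the original identifier."""
    digest = hashlib.sha256(f"{daily_salt}:{value}".encode()).hexdigest()
    return digest[:16]


def build_forwarded_request(incoming_headers: dict, query_string: str, daily_salt: str):
    """Turn a hit received from the browser into the request the proxy itself
    sends to the vendor. Returns (url, headers) with terminal-identifying headers
    removed and client identifiers pseudonymized."""
    headers = {
        name: value
        for name, value in incoming_headers.items()
        if name.lower() not in DROPPED_HEADERS
    }
    params = []
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key in CLIENT_ID_PARAMS:
            value = pseudonymize(value, daily_salt)
        params.append((key, value))
    return f"{VENDOR_ENDPOINT}?{urlencode(params)}", headers


def handle_hit(incoming_headers: dict, query_string: str, daily_salt: str, send) -> int:
    """Server-side handler for /collect. `send(url, headers)` is the outbound HTTP
    call (injected so the example runs offline). The browser always gets 204: it
    must not learn anything about the vendor, and a vendor failure must not leak
    back as an error that a page script could act on."""
    url, headers = build_forwarded_request(incoming_headers, query_string, daily_salt)
    try:
        send(url, headers)
    except Exception:
        # Losing one hit is acceptable; exposing the vendor round-trip is not.
        pass
    return 204


if __name__ == "__main__":
    # Constructed sample hit, as a browser on the site's own domain would send it.
    sample_headers = {
        "Cookie": "session=abc123",
        "User-Agent": "ExampleBrowser/1.0",
        "X-Forwarded-For": "203.0.113.5",
        "Content-Type": "text/plain",
    }
    sample_query = "v=1&cid=555&dp=%2Fhome"
    status = handle_hit(sample_headers, sample_query, "2022-06-07-salt",
                        send=lambda url, hdrs: print("forwarding", url, hdrs))
    print("response to browser:", status)
```

The two properties worth checking in any real proxy are the ones the functions above make testable: the request that leaves the proxy carries none of the terminal-identifying headers, and the client identifier in it is not the one the browser sent.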
The regulator suggests that obtaining explicit user consent for a data transfer may also be valid, but only in exceptional circumstances, as the CNIL notes that the derogation cannot be used for systematic transfers (which is essentially what Google Analytics data streams are). So explicit permission is not a viable solution, even if you thought it was a good idea to bother every visitor with such a request.
The CNIL has previously published a list of alternative analytics tools that it has identified as configurable so as to avoid the general need to obtain user consent to process data. It warns, however, that this list does not take into account the issue of international transfers – ergo, site owners still have to do their own work to determine whether alternative analytics tools, for example ones offered by an EU-based software maker that do all processing in the EU, may offer a less legally risky option than Google Analytics.
Other EU data protection authorities (such as Austria’s) have also issued websites with decisions regarding non-compliant use of Google Analytics.
The regulatory inquiry followed a series of complaints filed in August 2020 by the EU privacy advocacy group noyb – targeting Google Analytics and Facebook Connect. So while Google’s analytics tool was first in line for DPA decisions, the problem is not limited to Google, nor to analytics tools, and could affect many more US-based services with EU customers.
Google has been contacted for a response to the CNIL guidelines.