French Data Protection Authority Publishes Questions And Answers Regarding Use Of Google Analytics | Hogan Lovells


Background

Following complaints from the NOYB association concerning the use of the Google Analytics audience measurement solution, the French Data Protection Authority (CNIL) had sent several formal notices to French companies using this solution on their websites. . These decisions were made in the context of other decisions of European data protection authorities such as that of Austria, and following the judgment Schrems II of the CJEU invalidating the Privacy Shield which imposed implement additional measures to the standard contractual clauses to cover the transfer of personal data outside the EU.

The CNIL had made public only one of these decisions in February 2022 anonymously. In this decision, the CNIL considers that the use of the Google Analytics audience measurement solution does not comply with the GDPR because the personal data collected via the solution’s cookies is transferred to the United States without sufficient measures. be applied to prevent any possible access by the authorities to personal data. Although efforts have been made by Google to deploy additional measures in consideration of the Schrems II judgment, the CNIL considers that this is still not sufficient.

The CNIL recommends anonymizing the personal data collected through audience measurement cookies. In this way, the solution can benefit from the consent exemption applicable to audience measurement cookies in France. The consent exemption only applies to tools that meet a set of cumulative criteria published by the CNIL, one of them being to produce only anonymous statistical data. The controller must, however, continue to ensure that transfers outside the EU are compliant.

Advertising

In order to provide more context on these decisions and to provide possible solutions, the CNIL published on June 7, 2022 a question-and-answer session on the use of Google Analytics as well as advice on the use of a solution. compliant audience measurement.

Key Takeaways

Any company using Google Analytics is concerned

The questions and answers are short and do not provide much more information than those already provided in the anonymized decision published in February 2022. All French companies among the 101 complaints of the association NOYB have now received a formal notice from the CNIL concerning the use of Google Analytics and they have a period of 1 month (renewable) to comply.

The purpose of this Q&A is for the CNIL to specify that the prescription of the only decision published (February 2022 – anonymized) must be understood as being applicable to all companies using the solution and not only to companies that have received a formal notice.

Rejection of a risk-based approach

The CNIL considers that the additional legal, organizational and technical safeguards deployed by Google, such as standard contractual clauses and additional measures, will still not be sufficient to prevent access by non-European authorities, Google remaining subject to US jurisdictions.

The CNIL categorically refuses a risk-based approach and considers that the risks remain as long as access to the data is possible: according to the CNIL, even if access by the American authorities to the data collected via the Google Analytics solution is unlikely (i.e. in practice the authorities do not make such data access requests), as long as access is technically possible, then technical measures are necessary to make such access impossible or ineffective.

The CNIL makes it clear that the question is not “Is access by foreign authorities likely?” », the only relevant question being « Is access by foreign authorities possible? »

Several options are mentioned in the Q&A for a compliant use of the Google Analytics audience measurement solution, but most of them are considered insufficient by the CNIL and it seems that only the “proxy” solution is considered acceptable by the CNIL:

Changing solution parameters: insufficient

Modifying the parameters of the Google Analytics solution (for example changing the characteristics of the processing of the IP address, only hosting personal data within the EU, etc.) is not sufficient according to the CNIL as long as the access possible by non-European authorities is still possible and makes it possible to identify the user and to follow his navigation from one site to another.

Data encryption: currently insufficient

The CNIL stresses that encryption is only an acceptable solution if the encryption keys are kept under the exclusive control of the data exporter or by other entities established within the EU or in appropriate countries.

Regarding Google Analytics, the CNIL considers that the encrypThe presence of data is not sufficient because, in practice, Google LLC is the entity that:

  • encrypts data;
  • keeps the encryption key; and
  • is under an obligation to provide them when receiving access requests (either by granting access or by providing the imported data in its possession).

The CNIL concludes that, since Google LLC always has the possibility of accessing the data in clear, the encryption measures cannot be considered effective in the event of requests from the American authorities. The conclusion to be drawn is therefore that encryption would be an appropriate measure if Google LLC did not have access to clear data or the encryption keys.

Collection of user consent: Not applicable

Collecting users’ consent for data transfers is not sufficient because, although it is one of the safeguards listed in Article 49 of the GDPR, it is considered by the European Committee of data protection as applicable only to one-time, non-recurring transfers and cannot be used as a permanent solution for systematic transfers of personal data.

Using a proxy: might be appropriate

The CNIL seems to identify only the use of an agent as a possible solution. Indeed, according to the CNIL, the main issue concerns direct contact, via an HTTPS connection, between users’ devices and Google’s servers, which makes it possible to collect users’ IP addresses as well as many other information that allow to re-identify the user. Only solutions that break this contact between the device and the server, such as a proxy, can solve this problem, since the data would be pseudonymised before being transferred outside the EU.

The proxy, or a similar solution, must comply with the criteria of the European Data Protection Board, and in particular:

  • Pseudonymised data can no longer be assigned to a specific data subject without the use of additional information in accordance with Art. 4(5) GDPR;
  • This additional information is only retained by the data exporter and stored separately in an EU member state or an adequate country;
  • Technical and organizational safeguards prevent unauthorized disclosure or use of this additional information (i.e. only the data exporter has control over the encryption keys, algorithm or repository, for example, which allow the data subject to be re-identified using additional information); and
  • The controller has carried out an analysis establishing that public authorities accessing the pseudonymised data cannot re-identify the data subject, even by cross-referencing the pseudonymised data with the additional information.

Moreover, in the guide on the use of a compliant audience measurement solution published at the same time as the questions and answers, the CNIL also underlines that the use of a proxy requires specific measures (for example absence transfer of the IP address to the servers of the measurement tool, replacement of the user identifier by the proxy server, absence of any collection of cross-site identifiers, etc.) to be deployed and that the proxy server must be hosted under conditions guaranteeing that the data it will process will not be transferred outside the EU.

In practice, all these criteria make the application difficult from a technical point of view. The CNIL itself recognizes that this can be very expensive and complex in practice, and possibly recommends using alternatives to Google Analytics.

Alternative solutions

The CNIL has published on its website a list of cookie solutions exempt from consent and which it considers to be compliant when correctly configured. There are currently 18 certified solutions. The CNIL however indicates that such solutions have not been evaluated on the question of international transfers, which would mean that, although they are listed by the CNIL as compliant, they cannot be used as such but require first to verify the data transfers and to apply the guarantees of Schrems II.

What are the next steps?

The solutions proposed by the CNIL remain in practice difficult to apply and no feasible solution is ultimately offered to companies. As next steps, these questions and answers should be seen as a reminder to companies to assess their audience measurement solution and determine whether the measures put in place to limit access to data by authorities are sufficient.

Leave a Comment