French Data Protection Authority publishes Q&A regarding use of Google Analytics – JD Supra

Background

Following complaints from the NOYB association regarding the use of the Google Analytics audience measurement solution, the French Data Protection Authority (CNIL) had issued several formal notices to French companies using this solution on their websites. These decisions were issued in the context of similar decisions from other European data protection authorities, such as the Austrian one, and follow the Schrems II ruling of the ECJ, which invalidated the Privacy Shield and requires additional measures to be implemented alongside Standard Contractual Clauses to cover transfers of personal data outside the EU.

The CNIL had made public only one of these decisions, in February 2022, in an anonymized form. In this decision, the CNIL considers that the use of the Google Analytics audience measurement solution is not GDPR compliant because personal data collected through the solution's cookies are transferred to the United States without sufficient measures to prevent possible access to the personal data by the authorities. Although Google made efforts to deploy additional measures in light of the Schrems II ruling, the CNIL considers that these are still not sufficient.

The CNIL recommends anonymizing personal data collected through audience measurement cookies. That way, the solution can benefit from the consent exemption applicable to audience measurement cookies in France. The consent exemption is only applicable to tools complying with a set of cumulative criteria published by the CNIL, one of them being to produce only anonymous statistical data. The controller must, however, still ensure that transfers outside the EU are compliant.

To provide more background on these decisions and to propose possible solutions, the CNIL released a Q&A on June 7, 2022 on the use of Google Analytics, together with guidance on the use of a compliant audience measurement solution.

The Q&A is short and does not provide much more information than already provided in the anonymized decision published in February 2022. All French companies among the 101 complaints of the NOYB association have now received a formal notice from the CNIL regarding the use of Google Analytics and they have 1 month (renewable) to comply.

The goal of this Q&A is for the CNIL to make clear that the requirements of the only published decision (February 2022, anonymized) must be understood as applicable to all companies using the solution, and not only to the companies that have received a formal notice.

The CNIL considers that any additional legal, organisational and technical safeguards deployed by Google, such as Standard Contractual Clauses and additional measures, will still not be sufficient to prevent access by non-EU authorities, as Google remains subject to US jurisdiction.

The CNIL categorically refuses a risk-based approach and considers that the risks remain as long as access to the data is possible: according to the CNIL, even if access by US authorities to data collected through the Google Analytics solution is unlikely (i.e. in practice authorities are not making such data access requests), as long as access is technically possible, technical measures are necessary to make such access impossible or ineffective.

Several options are raised in the Q&A for a compliant use of the Google Analytics audience measurement solution, but most of them are considered insufficient by the CNIL, and it seems that only the proxy solution is considered acceptable:

Modifying the settings of the Google Analytics solution (e.g. changing how the IP address is processed, hosting personal data only within the EU, etc.) is not sufficient according to the CNIL, as long as access by non-EU authorities remains possible and still enables the user to be identified and his/her navigation to be tracked from one website to another.

The CNIL highlights that encryption is only an acceptable solution if the encryption keys are kept under the sole control of the data exporter or by other entities established within the EU or in adequate countries.

Regarding Google Analytics, the CNIL considers that encryption of data is not sufficient as in practice Google LLC is the entity that:

The CNIL concludes that since Google LLC still has the possibility to access the data in clear, the encryption measures cannot be considered effective in case of requests from the US authorities. The conclusion to be drawn is therefore that encryption would be an appropriate measure only if Google LLC had access neither to the clear data nor to the encryption keys.

Collecting the consent of users for data transfers is not sufficient either: although this is one of the safeguards listed by Article 49 of the GDPR, the EDPB considers it applicable only to single and non-recurring transfers, so it cannot be used as a permanent solution for systematic transfers of personal data.

The CNIL seems to identify only one possible solution: the use of a proxy. Indeed, as per the CNIL, the main issue relates to the direct contact, through an HTTPS connection, between the users' devices and the Google servers, which enables the collection of the users' IP addresses as well as much other information that leads to the re-identification of the user. Only solutions that break this contact between the device and the server, such as a proxy, can address this issue, as data would be pseudonymized before being transferred outside the EU.

The proxy, or similar solution, must comply with the EDPB criteria, and in particular:

In addition, in the guidance on the use of a compliant audience measurement solution published together with the Q&A, the CNIL also underlines that the use of a proxy requires specific measures to be deployed (e.g. no transfer of the IP address to the servers of the measurement tool, replacement of the user identifier by the proxy server, no collection of any cross-site identifiers, etc.) and that the proxy server must be hosted in conditions that guarantee that the data it processes will not be transferred outside the EU.
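As an added illustration, not taken from the original post or from the CNIL guidance, the following Python sketch applies the three measures listed above to a measurement hit before an EU-hosted proxy forwards it: the client IP is dropped, the user identifier is replaced by a keyed pseudonym generated on the proxy, and cross-site identifiers are removed. All field and header names, and the sample hit, are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Key held only on the EU-hosted proxy (generated here for the example; an
# operator would persist and rotate it). Without this key the downstream
# measurement service cannot link the pseudonym back to the original id.
PROXY_KEY = secrets.token_bytes(32)

# Assumed field and header names for this example, not a real protocol spec.
USER_ID_PARAM = "cid"                        # identifier set by the site's tag
IP_PARAMS = {"uip"}                          # explicit client-IP field
CROSS_SITE_PARAMS = {"click_id", "ad_uid"}   # identifiers shared across sites
IP_HEADERS = {"x-forwarded-for", "x-real-ip", "forwarded"}


def pseudonymise_user_id(user_id: str, key: bytes = PROXY_KEY) -> str:
    """Keyed, deterministic pseudonym: stable for one user on this site, so
    statistics still aggregate, but not reversible without the proxy key."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:32]


def relay_hit(headers: dict, query_string: str) -> tuple:
    """Rewrite an inbound hit into what the proxy forwards from its own EU
    egress address. Returns (outbound headers, outbound query string)."""
    # Headers that would reveal the client's IP never leave the proxy.
    out_headers = {k: v for k, v in headers.items() if k.lower() not in IP_HEADERS}
    outbound = {}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        if name in IP_PARAMS or name in CROSS_SITE_PARAMS:
            continue                         # dropped entirely
        if name == USER_ID_PARAM:
            outbound[name] = [pseudonymise_user_id(v) for v in values]
        else:
            outbound[name] = values          # page path, event name, etc.
    return out_headers, urlencode(outbound, doseq=True)


# Constructed sample hit as the proxy might receive it from a browser.
SAMPLE_HEADERS = {"Host": "collect.example", "X-Forwarded-For": "203.0.113.7",
                  "User-Agent": "Mozilla/5.0"}
SAMPLE_QUERY = "v=1&cid=555.123&uip=203.0.113.7&click_id=abc&dp=%2Fpricing"

if __name__ == "__main__":
    print(relay_hit(SAMPLE_HEADERS, SAMPLE_QUERY))
```

The pseudonym is only as strong as the key's confinement: if the key were shared with the measurement provider, the identifier could be re-linked, which is exactly the objection the CNIL raises against Google-side encryption.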

In practice, all these criteria are difficult to apply from a technical standpoint. The CNIL itself recognizes that this may be very costly and complex in practice, and ultimately recommends using alternative solutions to Google Analytics.

The CNIL has published on its website a list of cookie solutions exempted from consent that it considers compliant when properly configured. There are currently 18 certified solutions. The CNIL, however, indicates that these solutions have not been assessed on the issue of international transfers, which means that, although they are listed by the CNIL as compliant, they cannot be used as such: data transfers must first be verified and Schrems II safeguards applied.

The solutions offered by the CNIL remain difficult to apply in practice, and ultimately no workable solution is offered to companies. As a next step, this Q&A should be seen as a reminder for companies to assess their audience measurement solution and consider whether the measures put in place to limit access to data by authorities are sufficient.
