On June 7, 2022, the French Data Protection Authority (‘CNIL‘) published a Guidance and FAQs regarding CNIL’s enforcement stance on using the Google Analytics tool by data controllers and the required measures to be implemented for compliance with the European General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR‘).
CNIL’s stance on the use of Google Analytics was published as a result of the Schrems II judgment by the European Court of Justice (‘CJEU‘), which invalidated the privacy shield, an international agreement that settled the transfer of personal data between the European Union and the United States. The CJEU judgment stated that the US legislation, specifically the National Security Surveillance Act, does not offer sufficient guarantees against the risk of access to personal data by the US authorities.
The following measures are considered insufficient according to CNIL:
- Configure the Google Analytics tool not to transfer Personal Data to the US – According to Google’s response to a questionnaire sent by CNIL, all data collected through Google Analytics is hosted in the United States. Even in the absence of a transfer, companies still may be obliged by authorities of third countries to disclose personal data hosted on servers located in the European Union.
- Configure the Google Analytics tool to transfer solely anonymized data to the US – Google indicated it uses pseudonymization measures, but not anonymization. The IP address anonymization function is not applicable to all transfers, and the elements provided by Google make it hard to determine whether the anonymization takes place prior to the transfer to the United States. Moreover, Google’s unique identifiers enable data to become identifiable when cross-checked with other information (e.g., browser and operating system data). For Example, the use of Google Analytics with other Google Services, including marketing, endangers revealing the user’s browsing history when the IP address is cross-checked with additional information.
- Encryption – Encryption has proven to be an insufficient technical measure since Google encrypts the data itself and retains it in the US while subject to US authorities’ requests for access to personal data of European data subjects, including encryption keys. According to CNIL, encryption can be considered a sufficient technical measure if the encryption keys are kept under the exclusive control of the data exporter or other entities established in a country offering an adequate level of protection.
Potential effective technical measures according to CNIL:
CNIL stated that in order to avoid non-European authorities’ access to personal data of European data subjects, a potential solution is a proxy server, enabling avoiding any direct contact between the terminal device of the European user and the servers of the measurement tool. However, such proxy servers must meet the criteria provided by the European Data Protection Board’s recommendations 01/2020 to ensure only pseudonymized data that cannot be attributed to an identified or identifiable natural person is transferred outside the EU.
In addition, CNIL outlines the following measures that must be implemented for the proxy server to be valid:
- The absence of transfer of the IP address to the servers of the measurement tool;
- The replacement of the user identifier by the proxy server;
- The deletion of the referring site information external to the site;
- The deletion of any parameter contained in the URLs collected (e.g., the UTMs, but also the URL parameters allowing the internal routing of the site);
- The reprocessing of information that can participate in the generation of a fingerprint, such as ‘user-agents,’ to remove the rarest configurations that can lead to re-identification;
- The absence of any collection of identifiers; and
- Deletion of any other data that may lead to re-identification.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as setting out binding legal advice but rather as a practical overview based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
APM Technology and Regulation Team.
