The French Data Protection Authority (CNIL) has released a Q&A providing its controversial position, possible alternative solutions as well as guidance on using a compliant audience measurement solution in light of data transfer rules. It follows a set of formal notices issued by the CNIL to French companies using Google Analytics on their websites, in which the CNIL has indicated that, in its view, using this solution is not compliant with GDPR’s international data transfer rules.
Following complaints from the NOYB association regarding the use of the Google Analytics audience measurement solution, the French Data Protection Authority (CNIL) had issued several formal notices to French companies using this solution on their websites. These decisions were issued in the context of other decisions from European data protection authorities, and following the European Court of Justice’s (ECJ) Schrems II ruling invalidating the Privacy Shield and imposing additional assessment obligations when using Standard Contractual Clauses for transfers of personal data outside the EU.
The CNIL had made public only one of these decisions in February 2022 in an anonymized way. In this decision, the CNIL considers that the use of the Google Analytics audience measurement solution is not GDPR compliant because personal data collected through the cookies of the solution are transferred to the United States without sufficient measures applied to prevent any possible access from the authorities to the personal data. Although efforts were made by Google to deploy additional measures in consideration of the Schrems II ruling, the CNIL considers that this is still not sufficient.
The CNIL recommends anonymizing personal data collected through audience measurement cookies. That way, the solution can benefit from the consent exemption applicable to audience measurement cookies in France. The consent exemption is only applicable to complying tools with a set of cumulative criteria published by the CNIL, one of them being to produce only statistically anonymous data. The controller must, however, still ensure that transfers outside the EU are compliant.
To provide more background on these decisions and providing possible solutions, the CNIL released a Q&A on June 7, 2022 on the use of Google Analytics as well as guidance on the use of a compliant audience measurement solution.
Key points of the CNIL’s Q&A
Any company using Google Analytics is concerned
The Q&A is short and does not provide much more information than already provided in the anonymized decision published in February 2022. All French companies among the 101 complaints of the NOYB association have now received a formal notice from the CNIL regarding the use of Google Analytics and they have 1 month (renewable) to comply.
The goal of this Q&A is to make it clear that the prescription of the only published decision (February 2022 – anonymized) must be understood as being applicable to all companies using the solution and not only to the companies having received a formal notice.
Rejection of a risk-based approach
The CNIL considers that any additional legal, organizational and technical safeguards deployed by Google like Standard Contractual Clauses and supplementary measures will still not be sufficient to prevent access by non-EU authorities as Google remains subject to US jurisdictions.
The CNIL categorically and brashly refuses a risk-based approach and considers that the risks remain as long as an access to the data is possible: according to the CNIL, even if access by US authorities to data collected through the Google Analytics solution is unlikely ( ie, in practice authorities are not making such data access requests), as long as an access is technically possible, then technical measures are necessary to make such access impossible or ineffective.
The CNIL clearly states that the question is not “Is the access by foreign authorities likely?”, The only relevant question being “Is the access by foreign authorities possible?”
To this day, only the Austrian Data Protection Authority (DSB) voiced a similarly rigid rejection of a risk-based approach in its decision issued on 22 April 2022.
Modifying the settings of the solution: Not sufficient
Modifying the settings of the Google Analytics solution (eg changing the characteristics of the processing of the IP address, only hosting personal data within the EU, etc.) is not sufficient according to the CNIL as long as possible access by non-EU authorities is still possible and enable to identify the user and track his / her navigation from one website to another.
Encrypting data: Currently not sufficient
The CNIL highlights that encryption is only an acceptable solution if the encryption keys are kept under the sole control of the data exporter or by other entities established within the EU or in adequate countries.
Regarding Google Analytics, the CNIL considers that encryption of data is not sufficient as in practice Google LLC is the entity that:
- encrypts the data;
- keeps the encryption key; and
- is under the obligation to provide them when receiving access requests (either granting access or providing the imported data in its possession).
The CNIL concludes that since Google LLC still has the possibility to access the data in clear, the encryption measures cannot be considered effective in case of requests from the US authorities. The conclusion to be drawn is therefore that encryption would be an appropriate measure if Google LLC did not have access to clear data or access to the encryption keys.
Collecting consent of users: Not applicable
Collecting consent of users for data transfers is not sufficient as, although this is one of the safeguards listed by Article 49 of the GDPR, this is considered by the EDPB as only applicable to single and non-recurring transfers, and cannot be used as a permanent solution for systematic transfers of personal data.
Using a proxy: Could be appropriate
The CNIL seems to only identify as a possible solution the use of a proxy. Indeed, as per the CNIL, the main issue relates to the direct contact, through an HTTPS connection, between the devices of the users and the Google servers, which enables to collect the IP address of the users as well as many other information that conduct to the re-identification of the user. Only solutions that break this contact between the device and the server, like a proxy, can address this issue, as data would be pseudonymized before being transferred outside the EU.
The proxy, or similar solution, must comply with the EDPB criteria, and in particular:
- Pseudonymized data cannot be longer attributed to a specific data subject without the use of additional information, in compliance with Article 4 (5) of the GDPR;
- This additional information is only kept by the data exporter and kept separately in an EU Member State or adequate country;
- Technical and organizational safeguards prevent from disclosure or unauthorized use of that additional information (ie data exporter is the only one having control over the encryption keys, algorithm or repository for example that enable to re-identify the data subject using the additional information); and
- Data controller has performed an analysis establishing that public authorities accessing the pseudonymized data cannot re-identify the data subject, even by cross-referencing the pseudonymized data with the additional information.
In addition, in the guidance on the use of a compliant audience measurement solution published together with the Q&A, the CNIL also underlines that the use of a proxy requires specific measures (eg, absence of transfer of the IP address to the servers of the measurement. tool, replacement of the user identifier by the proxy server, absence of any collection of cross-site identifiers, etc.) to be deployed and that the proxy server must be hosted in conditions that guarantee that the data it will be processing will not be transferred outside the EU.
In practice, all these criteria make it difficult from a technical standpoint to apply. The CNIL itself recognizes that this may be very costly and complex in practice, and eventually recommend using alternative solutions to Google Analytics.
The CNIL has published on its website a list of cookies solutions exempted from consent and that it considers as being compliant when properly configured. There are currently 18 certified solutions. The CNIL, however, indicates that such solutions have not been assessed on the issue of international transfers, which would mean that, although they are listed by the CNIL as compliant, they cannot be used as such but first require to verify data transfers and apply Schrems II’s safeguards.
What are the next steps? Challenging the CNIL’s position
Solutions offered by the CNIL remain in practice difficult to apply and no workable solution is eventually offered to companies.
As next steps, companies / controllers who receive an injunction to stop using Google Analytics have the possibility to challenge the CNIL’s position and the Q&A itself may be challenged by stakeholders before the French administrative courts.
The Q&A should also be seen as a signal of CNIL’s broader stance on data transfers because some EU authorities are using the audience measurement tools use case to take a stand on the data transfers. Companies should assess the audience measure solutions implemented on their websites, examine the related data flows and consider whether the measures and safeguards are sufficient in light of the GDPR, the Schrems II decision and the ePrivacy rules.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.