Google Analytics and data transfers: how to make your analytics tool compliant with the GDPR?
On 10 February 2022, the CNIL, in cooperation with its European counterparts, issued orders to comply to several organisations using Google Analytics, on the grounds that the tool transferred data to the United States unlawfully. A properly configured proxy can, however, be an operational solution to limit the risks to individuals.
The Court of Justice of the European Union (CJEU), in its ruling of 16 July 2020, invalidated the Privacy Shield, a mechanism that provided a framework for transfers of personal data between the European Union and the United States. The US legislation does not offer sufficient guarantees in the face of the risk of access by the authorities, particularly the intelligence services, to the personal data of European residents.
Following this ruling, the CNIL received several complaints from the NOYB association questioning the use by French companies of the analytics tool Google Analytics, which is published in the United States. The CNIL examined these complaints, found them to be well founded and ordered the companies concerned to comply.
In these decisions, the CNIL considered that the use of Google Analytics led, as it stood, to insufficiently regulated transfers to the United States.
As recalled in the CNIL Q&A, the simple implementation of standard contractual clauses is not sufficient to use Google Analytics in compliance with the GDPR.
A simple change in the tool's settings is not enough
Following these formal notices, many actors have sought to identify technical settings and measures that would allow them to keep using Google Analytics while respecting the privacy of Internet users.
However, simply changing how the IP address is processed is not sufficient to meet the requirements of the CJEU, especially as the IP address continues to be transferred to the United States. Another idea often put forward is to "encrypt" the identifier generated by Google Analytics, or to replace it with an identifier generated by the site operator. In practice, however, this provides little or no additional guarantee against the possible re-identification of data subjects, mainly because Google continues to process the IP address.
The fundamental problem that prevents these measures from addressing access to the data by non-European authorities is the direct contact, over an HTTPS connection, between the individual's terminal and servers managed by Google.
The resulting requests allow these servers to obtain the Internet user's IP address as well as a great deal of information about their terminal. This information may realistically allow the user to be re-identified and, consequently, their browsing to be tracked across all sites using Google Analytics.
Only solutions that break this contact between the terminal and the server can address this issue. Beyond the case of Google Analytics, this type of solution could also make it possible to reconcile the use of other analytics tools with the GDPR rules on data transfers.
Proxy is a possible solution
In view of the criteria mentioned above, one possible solution is the use of a proxy server to avoid any direct contact between the Internet user's terminal and the servers of the analytics tool (in this case Google). However, it must be ensured that this server fulfils a set of criteria in order to consider that this additional measure is in line with what the EDPB presents in its recommendations of 18 June 2021. Such a process would indeed correspond to the use case of pseudonymisation before data export.
As stated in these recommendations, such an export is only possible if the controller has established, through a thorough analysis, that the pseudonymised personal data cannot be attributed to an identified or identifiable individual, even if cross-checked with other information.
It is therefore necessary, beyond the mere absence of any request from the user's terminal to the servers of the analytics tool, to ensure that none of the information transmitted allows the person to be re-identified, even taking into account the considerable means available to the authorities likely to attempt such re-identification.
The implementation of the measures described below can be costly and complex and may not always meet the operational needs of professionals.
To avoid these difficulties, it is also possible for professionals to use a solution that does not transfer personal data outside of the European Union.
The necessary measures to be put in place for the proxy to be valid
The server performing the proxying must therefore implement a set of measures to limit the data transferred. The CNIL considers that, in principle, the following are necessary:
- the absence of transfer of the IP address to the servers of the analytics tool. If a location is transmitted to the servers of the measurement tool, it must be derived by the proxy server, and its level of precision must ensure that this information does not allow the person to be re-identified (for example, by using a geographical mesh that guarantees a minimum number of Internet users per cell);
- the replacement of the user identifier by the proxy server. To ensure effective pseudonymisation, the algorithm performing the replacement should ensure a sufficient level of collision (i.e. a sufficiently high probability that two different identifiers will give an identical result after hashing) and include a time-varying component (adding a value to the hashed data that evolves over time, so that the hash result is not always the same for the same identifier);
- the removal of external referrer information from the site;
- the removal of any parameters contained in the collected URLs (e.g. UTMs, but also URL parameters allowing internal routing of the site);
- reprocessing of information that can be used to build a fingerprint, such as user agents, so as to remove the rarest configurations, which could lead to re-identification;
- the absence of collection of cross-site or lasting identifiers (CRM ID, unique ID);
- the deletion of any other data that could lead to re-identification.
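The following Python block is an added illustration of the measures listed above, not code from the CNIL or from any analytics vendor. It rewrites one analytics hit on the proxy before anything is forwarded to the vendor: the client IP is never forwarded and is replaced by a coarse location cell computed on the proxy, the client identifier is replaced by a keyed hash that is truncated to a small space (so collisions are expected by design) and rotated daily, query parameters are stripped from the page URL and path, external referrers are dropped, the user agent is collapsed into a handful of families (a stricter form of removing the rarest configurations), and every parameter not on an explicit allow-list, including CRM and user IDs, is discarded. Assumptions: parameter names (v, tid, cid, t, dp, dl, dr, ua, uid, uip, geoid) follow the naming of the Universal Analytics Measurement Protocol; the site host, the secret, the geolocation table and the location cell names are constructed placeholders, as is the sample hit.

```python
"""Pseudonymising analytics proxy: rewrites a hit before it leaves the EU.

Added illustration of the CNIL's proxy measures; not vendor code.
Parameter names are taken from the Universal Analytics Measurement
Protocol as an assumption; the vendor's current format may differ.
"""
import hashlib
import hmac
import ipaddress
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "www.example.org"        # site operating the proxy (placeholder)

# Outbound allow-list: anything not listed is dropped, which is how CRM IDs,
# user IDs (uid), UTM fields and vendor extras never reach the vendor.
FORWARDED = {"v", "tid", "t", "dt"}

# Pseudonym space of 2**16 values: distinct visitors are expected to collide,
# which is the "sufficient level of collision" the measure asks for.
PSEUDONYM_BITS = 16

# Constructed stand-in for a GeoIP lookup (documentation address ranges).
# A real deployment must check that each cell holds at least N visitors.
GEO_CELLS = {
    ipaddress.ip_network("198.51.100.0/24"): "FR-IDF",
    ipaddress.ip_network("203.0.113.0/24"): "FR-ARA",
}

# Order matters: an Edge UA contains "Chrome/", a Chrome UA contains "Safari/".
UA_FAMILIES = (("Firefox/", "Firefox"), ("Edg/", "Edge"),
               ("Chrome/", "Chrome"), ("Safari/", "Safari"))
OS_FAMILIES = (("Windows", "Windows"), ("Android", "Android"),
               ("iPhone", "iOS"), ("Mac OS X", "macOS"), ("Linux", "Linux"))


def coarse_location(client_ip: str) -> str:
    """Location is derived on the proxy; the IP itself is never forwarded."""
    ip = ipaddress.ip_address(client_ip)
    for net, cell in GEO_CELLS.items():
        if ip in net:
            return cell
    return "UNKNOWN"


def pseudonymise_id(client_id: str, secret: bytes, epoch_day: int) -> str:
    """Keyed hash of the client id, truncated (collisions) and rotated daily."""
    msg = f"{epoch_day}:{client_id}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    value = int.from_bytes(digest[:4], "big") % (1 << PSEUDONYM_BITS)
    return f"{value:05d}"


def strip_query(url: str) -> str:
    """Drop query string and fragment (UTMs, session tokens, routing params)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def internal_referrer(referrer: str) -> Optional[str]:
    """Keep only referrers from the site itself, with their parameters removed."""
    host = urlsplit(referrer).hostname or ""
    if host == SITE_HOST or host.endswith("." + SITE_HOST):
        return strip_query(referrer)
    return None


def coarse_user_agent(ua: str) -> str:
    """Collapse the UA to browser/OS family; rare configurations become 'Other'."""
    browser = next((name for needle, name in UA_FAMILIES if needle in ua), "Other")
    os_name = next((name for needle, name in OS_FAMILIES if needle in ua), "Other")
    return f"{browser}/{os_name}"


def pseudonymise_hit(hit: Dict[str, str], client_ip: str,
                     secret: bytes, epoch_day: int) -> Dict[str, str]:
    """Build the outbound hit; the client IP is used only for coarse_location."""
    out = {k: v for k, v in hit.items() if k in FORWARDED}
    out["cid"] = pseudonymise_id(hit.get("cid", ""), secret, epoch_day)
    out["geoid"] = coarse_location(client_ip)      # never set uip
    if "dp" in hit:
        out["dp"] = strip_query(hit["dp"])
    if "dl" in hit:
        out["dl"] = strip_query(hit["dl"])
    if "dr" in hit:
        ref = internal_referrer(hit["dr"])
        if ref is not None:
            out["dr"] = ref
    if "ua" in hit:
        out["ua"] = coarse_user_agent(hit["ua"])
    return out


SAMPLE_HIT = {   # constructed sample, not a captured request
    "v": "1", "tid": "UA-00000-0", "t": "pageview", "dt": "My account",
    "cid": "555.1234567890",
    "uid": "crm-98765",
    "dp": "/account?session=abc",
    "dl": "https://www.example.org/account?utm_source=newsletter&session=abc",
    "dr": "https://mail.example.com/inbox?msg=42",
    "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
}
SAMPLE_CLIENT_IP = "198.51.100.42"


def demo() -> Dict[str, str]:
    # Placeholder secret and day counter; keep the real secret on the proxy only.
    return pseudonymise_hit(SAMPLE_HIT, SAMPLE_CLIENT_IP, b"proxy-secret", 19000)


if __name__ == "__main__":
    print(demo())
```

The allow-list approach is deliberate: a deny-list of known identifiers would silently start leaking whenever the vendor's script adds a new parameter, whereas an allow-list fails closed and has to be extended consciously, which is also the point at which the controller re-runs the re-identification analysis the EDPB recommendations call for.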
The hosting conditions of the proxy must also be adequate
The proxy server must also be hosted under conditions ensuring that the data it processes will not be transferred outside the European Union to a country that does not provide a level of protection substantially equivalent to that provided within the European Economic Area.
In any case, and in accordance with the EDPB recommendations, it is up to data controllers wishing to use this type of solution to carry out an analysis on this point, to put the necessary measures in place, and to verify that these measures are maintained over time as the products evolve.