Q&A on the CNIL's formal notices concerning the use of Google Analytics

The context

On 16 July 2020, the Court of Justice of the European Union issued a major ruling :  the Privacy Shield, which was a framework for data transfers between the European Union and the USA, has been invalidated because it did not provide adequate safeguards against the risk of unlawful access by US authorities to the personal data of European residents.

In practice, such transfers may now only take place if additional technical, legal and organisational safeguards are put in place by organisations to prevent these accesses.

In August 2020, the non-governmental organization “noyb” filed 101 complaints with various European data protection authorities about websites using the audience analysis tool “Google Analytics”, whose parent company is located in the USA.

The decision

In  the order published on 10 February 2022 concerning one of these organisations, the CNIL considered that :

• the measures put in place by Google are not sufficient to exclude the possibility of access to data of European residents;
• the data of European Internet users is therefore illegally transferred through this tool.

One of the orders to comply relating to the use of Google Analytics was posted on the CNIL website on 16 February 2022, stripped of its elements allowing the identification of the organization.

The decision was anonymised because it did not seem useful to name any particular website publisher, given that the tool is widely used.

The objective of the publication was to advise all data controllers using this tool to take this publication into account.

The organisations given formal notice have a period of one month to comply and to justify this compliance to the CNIL. This one-month period may be renewed at the request of the organisations concerned, if the CNIL so agrees.

All data controllers using Google Analytics in a similar way to these organisations should now consider this use as unlawful under the GDPR.

They should therefore turn to a provider offering sufficient guarantees of compliance.

In order to harmonise decisions and provide legal certainty for stakeholders, the European authorities that received complaints from the association noyb (none of your business) on the subject of transfers by Google Analytics have organised themselves into a working group to examine jointly the legal issues raised in these cases and coordinate their positions and decisions.

The CNIL's decision is not the first at the European level: one month before the CNIL, the Austrian data protection authority issued the first decision of this kind in January, along the same lines as the French authority.

All the complaints filled by the association NOYB that were referred to the CNIL were investigated in a coordinated manner: however, situations were examined on a case-by-case basis and according to the responses provided by the organisations.

All organisations in France whose use of Google Analytics was the subject of complaints by NOYB have now been ordered to comply.

The organisations ordered to comply had established standard contractual clauses with Google, which Google offers by default to users of this solution. These standard contractual clauses alone cannot provide a sufficient level of protection in the event of a request for access from foreign authorities, in particular if such access is provided for by local laws.

In its response to the CNIL's requests, Google indicated that it had put in place additional legal, organisational and technical measures, which the CNIL however deemed insufficient to ensure the effective protection of the transferred personal data, in particular against requests for access to the data by US intelligence services.

No.

In response to the questionnaire sent by the CNIL, Google indicated that all the data collected through Google Analytics is hosted in the United States.

Even in the absence of transfer, the use of solutions offered by companies subject to non-European jurisdictions is likely to pose difficulties in terms of access to data. Indeed, organisations may be required by third country authorities to disclose personal data hosted on servers located in the European Union.

Article 48 of the GDPR limits these disclosures to cases where the requesting third country and the EU or the member state concerned are parties to an international agreement providing for such communications.

In the context of the investigation, Google indicated that it uses pseudonymisation measures, but not anonymisation. Google does offer anonymisation of IP addresses, but it is not applicable to all transfers. Furthermore, it is not clear from the evidence provided by Google whether this anonymisation takes place prior to the transfer to the USA.

Furthermore, the use of of unique identifiers to differentiate individuals can make the data identifiable, especially when combined with other information such as browser and operating system metadata. This data allows accurate tracking of users, in some cases across multiple devices. If the EDPB admits in its recommendations of 18 June 2021 that using pseudonymisation can be an additional measure, its use is subject to an analysis to ensure that the set of information transmitted does not in any way allow for the re-identification of the individual, even taking into account the substantial means available to the authorities that may wish to carry out such re-identification.

Finally, the joint use of Google Analytics with other Google services, particularly marketing services, can increase the risk of tracking. Indeed, these services, which are widely used in France, can allow the IP address to be cross-checked and thus trace the browsing history of the majority of Internet users on a large number of sites.

Yes, but only under certain conditions.

The implementation of data encryption by Google has proven to be an insufficient technical measure as Google LLC itself encrypts the data and is obliged to grant access to or provide imported data in its possession, including the encryption keys necessary to make the data intelligible. As Google LLC retains the possibility to access the data of individuals in the clear, such technical measures cannot be considered effective in this case (see the recommendations of the European Data Protection Committee on measures that supplement transfer tools, §85).

Encryption is therefore an insufficient additional guarantee if the organisation subject to the demands of the US authorities can access personal data in clear text.

In order for encryption to be considered as a sufficient additional safeguard, the encryption keys should, inter alia, be kept under the exclusive control of the data exporter, or other entities established in a territory offering an adequate level of protection (see recommendations 01/2020 of the EDPB, §84).

None of the additional safeguards presented to the CNIL in the context of the formal notice would prevent or render ineffective the access of US intelligence services to the personal data of European users when using the Google Analytics tool alone.

However, a solution involving a proxy server to avoid any direct contact between the user's terminal and the servers of the measurement tool may be possible. However, it must be ensured that the server meets a number of criteria to be able to consider that this additional measure is in line with what is foreseen by the EDPS in its recommendations of 18 June 2021.

The explicit consent of the data subjects is one of the possible derogations provided for certain specific cases by Article 49 of the GDPR. However, as stated in the European Data Protection Committee's guidelines on these derogations, they can only be used for non-systematic transfers, and cannot constitute a long-term and permanent solution, as the use of a derogation cannot become the general rule.

The CNIL has published a list of audience measurement tools (in French) that can be exempted from consent when properly configured.

This list includes tools that have already demonstrated to the CNIL that they can be configured to limit themselves to what is strictly necessary for the provision of the service, and thus not require the user's consent, in accordance with Article 82 of the French law on Data Protection.

However, this list does not currently consider the issues raised by international transfers, including the consequences of the "Schrems II" judgment.

In the case where the envisaged tool transfers data outside the European Union or where the company publishing the tool has capital or organisational links with a parent company located in a country providing for the possibility for intelligence services to require access to personal data located in another territory, it is it is necessary to assess the legal framework of the third country.

This assessment can be based on:

• decisions of the CJEU or the European Court of Human Rights, which have been able to assess the compliance of certain legislation with European data protection standards.
• the recommendations of the European data protection authorities, which have, for example, detailed the essential guarantees that must be found in the third country when assessing the level of data protection.

It may also be possible to use the proxy method which, when properly configured, allows only pseudonymised data to be sent to a server outside the EU.

No.

The personal data transferred to a country outside the European Union must be afforded a level of protection "substantially equivalent" to that afforded in the EU.

In particular, the possibility of unlawful access to personal data beyond what is necessary and proportionate in a democratic society by public authorities seriously undermines the fundamental rights and freedoms of data subjects.

In cases where such access is possible (and not only where such access is likely) and the safeguards surrounding the issuing of data access requests are not sufficient to ensure a level of data protection substantially equivalent to that guaranteed in the EU (see EDPS recommendations on essential safeguards), additional technical measures are needed to make such access impossible or ineffective.

These measures are provided for in the recommendations on complementary measures to transfers of the European Committee for the Protection of Human Rights and Fundamental Freedoms