CNIL deems use of Google Analytics to be in breach of the EU General Data Protection Regulation (GDPR)
The French data protection authority CNIL on 2 March 2022 gave three decisions concerning the use of Google Analytics (GA) in France, based on complaints by the privacy NGO NOYB (None of Your Business) headed by data protection activist Max Schrems. In short, CNIL deemed that the use of GA is generally not allowed under the GDPR in France unless express consent is obtained from the data subjects. As explained in more detail below, express consent for analytics use is in most cases unrealistic, so in effect the use of GA in France will for the foreseeable future be deemed illegal.
My colleague Suvi Julin and I wrote an article (in Finnish) about a similar decision by the Austrian data protection authority DSB on 22 December 2021, which concerned comparable complaints by NOYB. As explained in that article, these cases are pending in essentially all EU Member States, and it is readily apparent that EU data protection authorities are reaching similar conclusions. It is therefore a question not of if, but of when the use of GA will become illegal, or at least very problematic, in any given Member State.
The CNIL decisions in more detail
The CNIL found that the use of GA by three unnamed companies was against the GDPR's provisions on the transfer of personal data outside the EU, as GA routinely transferred the personal data of website visitors to the United States (US). Under the GDPR, transfers outside the EU are generally prohibited unless the receiving country is deemed to have an adequate level of data protection (see Privacy Shield 2.0 below). Alternatively, transfers can be based on the express consent of the data subject or on another legal basis, most commonly Commission-approved standard contractual clauses together with supplementary protective measures.
In this case, the CNIL first established that the US does not have an adequate level of data protection. Secondly, it established that the standard clauses and supplementary measures used by Google did not effectively safeguard the rights of data subjects, primarily because US intelligence agencies can compel access to the data under US surveillance law, which contractual safeguards between Google and its customers cannot override. Finally, the use of "cookie consent" mechanisms was not deemed sufficient for express consent, which is hardly surprising, as express consent is a very high threshold to meet.
(How) can you still use Google Analytics in the EU?
Based on the CNIL and earlier Austrian decisions, it is becoming increasingly difficult to remain compliant with the GDPR while using GA on a website aimed at visitors in the EU. As we see it, there are three remaining pathways:
1. Express consent gathered from website visitors
2. Effective anonymisation of website visitors so the processed data can no longer be connected with individual persons
3. US becomes an adequate country again (“Privacy Shield 2.0”)
The first of these, while superficially the easiest, is in most cases going to be very difficult or impossible to execute. Website owners would need to implement a process in which visitors are told of all the uses that GA/Google could put their data to, and secure their consent through a verifiable process before GA is enabled. Furthermore, visitors would always have the right to withdraw consent, after which the data in question would need to be deleted. This solution is unlikely to be practical in most cases, as it runs against the whole logic of "big data" analytics. In addition, the GDPR and various data protection authority guidelines set an extremely high bar even for "normal" consent under the GDPR, so the notion of using express consent for the mass harvesting and processing of website visitor data is not realistic except in very limited cases.
In the short to medium term, we foresee that many companies that use GA will rely on the second solution, i.e. partly masking website visitor IP addresses in order to "wash" the personal data of its identifying characteristics. While this is a more practical solution, there are problems with this approach as well. It is true that the visitor's IP address is crucial in identifying visitors, but GA data may be combined with other, non-IP identifiers (such as the analytics cookie's client identifier, the browser user agent, or screen and device characteristics) that together still allow the data to be connected with individual users. Therefore, while this approach may be viable, it must be carried out on the basis of a case-by-case analysis of what data is collected from the website, to ensure that the data is not combined in such a way that the resulting dataset is no longer anonymous.
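To make the last point concrete, the following is an added example (not code from the original article, from Google, or from any of the authorities mentioned) that masks IP addresses the way a partial-masking setting typically does and then checks whether the masked records are still distinguishable once the other fields are taken into account. The masking rule (keep the /24 of an IPv4 address and the /48 of an IPv6 address) is an assumption modelled on commonly used "anonymize IP" behaviour, and the hit records are constructed sample data, not real traffic. The k-anonymity check is the kind of case-by-case analysis the paragraph above calls for: k is the smallest number of visitors sharing one combination of the chosen fields, and k == 1 means somebody is singled out.

```python
import ipaddress
from collections import Counter


def mask_ip(addr: str) -> str:
    """Partially mask an IP address: keep the /24 of IPv4 and the /48 of IPv6.
    Assumption: this mirrors a typical 'anonymize IP' setting (the page does
    not specify the exact truncation Google applies)."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


# Constructed sample of analytics hits (not real traffic). The non-IP fields
# are the kind of attributes an analytics tag sends alongside the IP address.
HITS = [
    {"ip": "203.0.113.17",          "user_agent": "Chrome/99 Windows", "screen": "1920x1080"},
    {"ip": "203.0.113.201",         "user_agent": "Chrome/99 Windows", "screen": "1920x1080"},
    {"ip": "203.0.113.42",          "user_agent": "Firefox/98 macOS",  "screen": "2560x1600"},
    {"ip": "198.51.100.5",          "user_agent": "Safari/15 iOS",     "screen": "390x844"},
    {"ip": "198.51.100.77",         "user_agent": "Safari/15 iOS",     "screen": "390x844"},
    {"ip": "2001:db8:1234:5678::1", "user_agent": "Chrome/99 Android", "screen": "412x915"},
    {"ip": "2001:db8:1234:abcd::9", "user_agent": "Chrome/99 Android", "screen": "412x915"},
]


def mask_records(records):
    """Return a copy of the records with every IP address partially masked."""
    return [{**r, "ip": mask_ip(r["ip"])} for r in records]


def group_sizes(records, fields):
    """Count how many records share each combination of the given fields."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Smallest group size over all combinations of the given fields.
    k == 1 means at least one visitor is uniquely identified by that combination."""
    return min(group_sizes(records, fields).values())


def singled_out(records, fields):
    """Field combinations that match exactly one record, i.e. re-identifiable visitors."""
    return sorted(key for key, n in group_sizes(records, fields).items() if n == 1)


if __name__ == "__main__":
    masked = mask_records(HITS)
    for fields in (("ip",), ("ip", "user_agent", "screen")):
        print(fields, "k =", k_anonymity(masked, fields),
              "singled out:", singled_out(masked, fields))
```

On this sample the masked IP alone leaves every visitor in a group of at least two, but as soon as the user agent and screen size are added the macOS Firefox visitor on the 203.0.113.0/24 network is alone in its group, so the masked dataset is not anonymous in combination. In a real assessment the same check should be run over every field the tag actually sends (including any client-side identifier stored in a cookie), and the threshold for an acceptable k decided up front.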
The last option, and in our view the only viable long-term solution, is that the US implements a new privacy framework allowing for data transfers between the EU and US based on an adequate level of data protection.
A new path to data adequacy in the US? Trans-Atlantic Data Privacy Framework a.k.a Privacy Shield 2.0
The US and the European Commission have committed to a new Trans-Atlantic Data Privacy Framework as the successor to the EU-U.S. Privacy Shield. Drafting of the new framework is only beginning, but in many respects it appears to build on its predecessor. The White House has stated that the US has committed to implementing new safeguards to ensure that signals intelligence activities (i.e. spying) are necessary and proportionate in the pursuit of defined national security objectives. The framework aims to provide commitments regarding the protection of the personal data of EU individuals and to maintain business data flows between US and EU companies.
According to EU and US officials, the new framework should:
- strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities,
- establish a new redress mechanism with independent and binding authority, and
- enhance the existing oversight of U.S. signals intelligence activities.
According to the communications from the White House, participating companies and organizations will be required to adhere to the Privacy Shield Principles as before, including the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce.
It remains to be seen how GA-type issues will be solved in practice by the new privacy framework. Given how badly the two previous attempts (Safe Harbor and Privacy Shield) to build a data bridge between the EU and US have crashed and burned, we are somewhat skeptical about this new venture as well. If nothing else, it is almost certain to be challenged by NOYB after implementation and eventually to end up before the Court of Justice of the European Union.