France's data protection watchdog, the CNIL, has issued updated guidance on the use of Google Analytics, following a decision earlier in the year that found a local website's use of the tool to be in violation of European Union law.
The regulator has also confirmed that it has now given formal warnings to other companies to bring their illegal use of Google Analytics into compliance.
The legal question, which affects the use of Google's popular analytics tool not only in France but across the EU, centers on the transfer of user data to the US to be processed by Google. That transfer is an export of personal information that lacks legal protection in light of a 2020 decision by the EU's highest court, which invalidated an important accord on data transfers (aka the Privacy Shield between the US and EU) due to the possibility of unauthorized access to Europeans' information by US intelligence agencies.
Since then, it has been reported that the EU and the US have announced (in March) an agreement on a replacement transfer mechanism.
But, as the CNIL states, their joint statement is not a legal framework and cannot be relied upon by customers of US cloud-based services that send Europeans' data across the Atlantic for processing until the actual replacement agreement is formally approved by the EU, something the Commission has indicated might not happen before the end of the year. (It is also likely to be subject to fresh legal challenges to test whether it is just as flawed as the previous ones, as experts in the field of data protection suspect.)
The bottom line is that EU websites must either modify their use of Google Analytics or risk regulatory enforcement, which could mean being required to change their practices and/or a financial fine for the violation. The risk of fines for non-compliance has also likely increased, since the guidance issued by regulators on this issue is becoming more precise, which leaves fewer plausible reasons for not having made the required changes.
“All data controllers using Google Analytics in the same manner as the organizations already notified must now view this practice as unlawful under the GDPR. Therefore, they must seek out a service provider that provides sufficient assurances of conformity,” the CNIL warns in its guidelines [which we’ve translated into French by machine translation].
Websites that receive an official notice from the regulator regarding their use of Google Analytics are given one month to comply, with the option of an additional month's extension.
The CNIL’s FAQ on the use of Google Analytics goes on to claim that it is virtually impossible for organizations with a presence in the EU to use the software without implementing certain additional security measures of their own.
“None of the additional guarantees presented to the CNIL as part of the formal notice would prevent or render ineffective the access of US intelligence services to the personal data of European users when using the Google Analytics tool alone,” the regulator writes in response to the question of whether you can count on the additional safeguards Google asserts it has for the application.
Standard contractual clauses may not bridge the legal gap regarding exports of data, and the CNIL also says that it’s impossible to configure Google Analytics so that it does not transmit Europeans’ personal data outside the EU, further advising: “Even in the absence of transfer, the application of data-related solutions provided by companies operating in non-European jurisdictions will cause problems with access to information. Indeed, some companies may be required by authorities of third-country jurisdictions to release personal data stored on servers in the European Union.”
According to the FAQ, the additional security measures that those in Europe who use Google Analytics might be able to employ to use the software without breaking the law are encryption (but only when the keys are held by the exporter of the data or another entity operating in a country that provides sufficient protection) and a proxy server (to ensure that there is no direct contact between the Internet user’s device and the server of the measurement tool).
The regulator suggests that getting users' explicit permission for the transfer of data could be a possibility, but only in certain circumstances, because the CNIL declares that the exemption cannot be used for systematic transfers (which is basically what Google Analytics data flows are). Thus, explicit consent isn’t an acceptable solution, even if you believe it would be a good idea to interrupt every user with the request.
It is worth noting that the CNIL has previously released a list of alternative analytics tools that it has found can be set up in such a manner that they do not require consent from the user before processing their information. But it cautions that the list does not consider the implications of international transfers, which means that site owners need to perform their own investigation to determine whether other analytics tools, such as those offered by a software maker based in Europe that handles all processing within the EU, could be a less risky option than Google Analytics.
Other EU data protection authorities (such as Austria’s) have also issued decisions to websites regarding non-compliant use of Google Analytics.
The regulatory scrutiny came after the filing of a number of complaints by the EU privacy advocacy group noyb in August 2020, which targeted Google Analytics and Facebook Connect. This means that while Google’s analytics software is the first to be considered in DPA rulings, the issue isn’t restricted to Google or analytics tools, and could impact several other US-based services that serve customers in the EU.
Google was approached to respond to the CNIL’s guidance.