Google Analytics’ use is not legal without a new deal that would replace the disgraced EU-US data processing agreement, French data watchdog CNIL recently clarified on its website, which also dashed hopes that the tool could be reconfigured to allow data transfers to the US. EURACTIV France reports.
The use of Google’s web analytics tool does not comply with the General Data Protection Regulation (GDPR), the EU data protection law, despite the guarantees offered by the digital giant and the precautions website publishers can take when using the tool, CNIL said in a Q&A published on Tuesday (7 June) on its website.
The clarification comes after the agency sent out formal notices to a series of companies in February after it decided data transfers to the US via Google Analytics were illegal.
The watchdog’s decision in February, which came one month after its Austrian counterpart issued a similar decision, follows the EU Court of Justice invalidating the so-called “Privacy Shield” – an agreement between the EU and the US on data processing – in July 2020.
According to the Luxembourg judges, the agreement violated the EU’s high data protection standards as there is a risk US intelligence services could access personal data transferred across the Atlantic.
While a decision to replace the deal was announced, there is still a long way to go.
Negotiations are “finalised”, European Commission Vice-President Margrethe Vestager confirmed at the International Cybersecurity Forum in Lille between 7 and 9 June.
“A lot of work remains to be done” on the technical side, she added, but declined to say whether this could be achieved this year.
An unambiguous ‘no’
In the meantime, France’s data protection authority has been keen to set the record straight.
In response to the Q&A question asking whether it is “possible to configure the Google Analytics tool in such a way as not to transfer personal data outside the European Union,” the CNIL responded with an unambiguous “no”. Google confirmed to the French body that all data collected by Google Analytics is indeed hosted on US soil.
“Even in the absence of a transfer, the use of solutions proposed by companies subject to non-European jurisdictions is likely to pose difficulties in terms of access to data,” the authority also states.
Google proposed additional guarantees like anonymisation and encryption but none have been deemed satisfactory by the CNIL.
On anonymisation, CNIL acknowledges that Google offers an IP address anonymisation feature. Still, it does not apply to all transfers, and Google could not demonstrate that such anonymisation occurred before the data was transferred to the US.
According to the CNIL, using unique identifiers is not sufficient either, as individuals can still be identified when these identifiers are associated with other data.
Well aware that Google Analytics is not the only solution offered by Google to companies, the data watchdog notes that “these services, which are widely used in France, can allow the IP address to be cross-checked and thus trace the browsing history of the majority of Internet users on a large number of sites.”
The CNIL also addressed the encryption solutions proposed by Google, saying they were ineffective because Google itself provides and retains the encryption keys, allowing it to access personal data if it so wishes.
Companies wishing to keep using the tool need explicit consent from the individuals concerned.
Not a long term solution
However, this is no “permanent and long-term solution” as this exemption only applies to non-systematic transfers, the CNIL also said.
The data watchdog also said that using a proxy to avoid any direct contact between the devices of internet users and Google servers could be “considered”.
But it warned that “the implementation of the measures described below can be costly and complex and does not always meet the operational needs of professionals.”
[Edited by Alice Taylor]