Since February, CNIL has issued formal notices to several organizations, telling them that their use of the service is unlawful. The regulator revealed it has issued formal notices to more organizations with the release of the latest guidance. These organizations have one month to switch over to a GDPR-compliant alternative.
CNIL Tells Organizations to Stop Using Google Analytics
CNIL has determined that Google Analytics in its current form does not offer sufficient data protection to European citizens. This is because of how the tool works. It assigns a unique identifier to every person visiting a website. When combined with browser and OS metadata, this identifier can be used to track individuals. Furthermore, Google Analytics stores the data it collects on servers in the U.S., which opens the possibility of “unlawful access” by American authorities. CNIL added that Google Analytics does not use anonymization measures. Also, its use of Standard Contractual Clauses (SCCs) and other “legal, organizational and technical measures” is not sufficient to protect privacy. CNIL has urged all organizations, including those that have not been issued notices, to stop using Google Analytics.
GDPR, Schrems II, and EU-U.S. Data Transfers
The EU’s privacy law, the GDPR, has garnered a lot of attention since it came into effect on May 25, 2018. It lays down rules to protect the personal data of European citizens. This includes how companies are to treat user data. The GDPR also outlines the exact conditions for the transfer of personal data outside of the EU. For non-EU countries to access this data, they need an adequacy agreement, which signals that they have sufficient safeguards to protect EU citizens’ data. Complications around EU-U.S. data transfers began in 2020 when the Court of Justice of the European Union (CJEU) struck down the Privacy Shield. The Privacy Shield was an agreement that allowed for the free flow of data between the two regions. The CJEU ruled in the Schrems II case that the agreement did not sufficiently protect the data of European citizens. In particular, it did not have appropriate safeguards to prevent American authorities from unlawfully accessing EU citizens’ data. This decision led to a series of complaints — 101 to be exact — by the European Center for Digital Rights, NOYB, against organizations relying on real-time tracking services like Google Analytics and Facebook Connect. Consequently, the EU and the U.S. attempted to resolve the issue by issuing a joint declaration, stating they had “agreed in principle” on a new data transfer framework. However, the European Data Protection Board issued a statement clarifying that the declaration “did not constitute a legal framework.”
Can Google Analytics Comply With EU Privacy Law?
According to CNIL, there are certain additional safeguards that could make Google Analytics compliant with the EU’s privacy law. However, none of these avenues offer a straightforward solution. The first additional safeguard is to encrypt the data flowing to the United States. However, CNIL pointed out that this would only work if Google does not have access to the decryption keys. If it does, U.S. authorities could compel the company to hand them over. Encryption could work if the keys are held by a data exporter (a third party that is based in the EU). Another option is to route the data through a proxy server rather than sending it directly to a server in the U.S. However, such a proxy must also comply with a set of criteria specified by the EDPB. Navigating the GDPR can be extremely tricky for organizations. Our GDPR compliance checklist can make this process a lot easier.
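To make the proxy and key-custody points concrete, here is an added example (not code from CNIL, Google, or this article) of the rewrite step an EU-hosted proxy could apply to an analytics hit before forwarding it: the per-visitor identifier is replaced with a keyed hash under a key that only the EU operator holds, the client IP is truncated, and browser/OS metadata fields are dropped. The query-string parameter names (cid, uip, ua, …) and the sample hit are assumptions constructed for the example; the full EDPB proxy criteria are not reproduced on this page, so this illustrates only the measures the text names.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import parse_qs, urlencode

# Constructed sample hit in the style of a Measurement Protocol query string.
# Parameter names are assumptions for this example, not an official schema.
SAMPLE_HIT = ("v=1&tid=UA-00000-1&cid=555.1234567890&t=pageview"
              "&dp=%2Fpricing&uip=203.0.113.42&ua=Mozilla%2F5.0")

# Browser/OS metadata fields the proxy refuses to forward (assumed names).
STRIPPED_PARAMS = {"ua", "ul", "sr", "vp"}


def truncate_ip(addr: str) -> str:
    """Zero the host part: last octet for IPv4, everything past /48 for IPv6."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymize_hit(query: str, eu_key: bytes, rotation_tag: str) -> dict:
    """Rewrite one hit so that the recipient cannot recover the raw visitor id.

    eu_key must live only on the EU-operated proxy; if the analytics vendor
    could obtain it, the pseudonym would be reversible by brute force over
    the id space. rotation_tag (e.g. a month) bounds how long one pseudonym
    stays linkable across hits.
    """
    params = {k: v[0] for k, v in parse_qs(query).items()}
    out = {}
    for key, value in params.items():
        if key == "cid":
            msg = f"{rotation_tag}:{value}".encode()
            out["cid"] = hmac.new(eu_key, msg, hashlib.sha256).hexdigest()[:32]
        elif key == "uip":
            out["uip"] = truncate_ip(value)
        elif key in STRIPPED_PARAMS:
            continue  # never leaves the proxy
        else:
            out[key] = value
    return out


def forward_query(query: str, eu_key: bytes, rotation_tag: str) -> str:
    """Serialized query string the proxy would actually send onward."""
    return urlencode(pseudonymize_hit(query, eu_key, rotation_tag))
```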