Following the snowball effect of the 101 NOYB complaints against the use of Google analytics and other tools, the decision of the Court of Justice of the European Union (CJEU) in its Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II) proves to be treading a fine line between ensuring the protection of personal data in accordance with EU data protection laws and stirring a move towards data localisation.
In the eyes of the CJEU, the key challenge for the use of Google Analytics tool is the extra-territorial application of US surveillance laws and in particular section 702 of the US Foreign Intelligence Surveillance Act (FISA). Under FISA, US intelligence services enjoy an indiscriminate access to all types of data processed by electronic communications service providers. Likewise, FISA would apply to any entity using an electronic communications service provider to process certain data provided the personal data is processed by the said provider, irrespective of the origin or the storage location of such data, thereby allowing access to data outside the U.S.
FISA requires companies which are based in the US and process personal data to make such data available to federal security authorities upon request. The standard contractual clauses (SCCs) used by Google Analytics as safeguards would not, given their mere contractual nature, be binding upon such public authorities and thus fail to protect the personal data transferred. However, since the Schrems II case, use of Google Analytics remains widespread within the EEA.
Consequently, the non-profit organisation European Centre for Digital Rights (NYOB), which action led to the Schrems I and II cases, announced on 17 August 2020 that it had issued 101 claims against EU companies which continue to use Google Analytics and other tools despite the Schrems II ruling against those applications.
We have considered first the convergence and divergence of the various decisions issued by the different data protection authorities in the EU in response to the NYOB complaints (Section 1), before considering what can be learnt specifically from the more detailed decision and guidance provided by the French data protection authority (CNIL) (Section 2).
- SECTION 1 – CONVERGENCE AND DIVERGENCE OF THE SUPERVISORY AUTHORITIES' DECISIONS ON THE USE OF GOOGLE ANALYTICS
- SECTION 2 – CNIL'S DECISION AND PROPOSED GUIDANCE
- Section 1
CONVERGENCE AND DIVERGENCE OF THE SUPERVISORY AUTHORITIES' DECISIONS ON THE USE OF GOOGLE ANALYTICS
The initial complaint made by NYOB related to the website of the European Parliament itself. NYOB claimed that the Parliament's COVID testing website violated data protection laws through its use of Google Analytics, which transfers personal data of website visitors to the US. On 5 January 2022, the European Data Protection Supervisor (EDPS) issued a decision on NYOB's complaint, confirming that the website was in fact in breach of data protection laws. In its decision, the EDPS highlighted that the use of Google Analytics violated the CJEU's Schrems II ruling on EU-US data transfers.
Following the further 101 complaints made by NYOB, the decisions of the Data Protection Authorities (DPAs) in Austria dated 22 December 2021 and 22 April 2022, in France dated 10 February 2022, and in Italy dated 9 June 2022 have all found the continued use of Google Analytics to be in breach of article 44 of European Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR). The public statements issued by other national DPAs have indicated that their own judgments will follow this same path, leading to convergence on the unlawfulness of data transfers in connection with Google Analytics (A) with some divergence when in relation to the choice of enforcement (B).
Each of the DPAs to have already ruled on the use of Google Analytics have determined the website owner, as data exporter, to be the party responsible under article 44 of the GDPR. Though the French and Italian DPAs only considered breaches by the website owners, the Austrian DPA explicitly addressed this issue and the possibility of liability for Google LLC itself.
In its decision, the Austrian DPA relied upon the European Data Protection Board's (EDPB) Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, which state that "a transfer implies that personal data are sent or made available by a controller or processor (exporter) which, regarding the given processing, is subject to the GDPR pursuant to Article 3 […] regardless of whether or not this importer is subject to the GDPR in respect of the given processing".
The decisions of all three DPAs also align in determining that Google's anonymisation of the personal data did little to mitigate the risks presented by the transfer and was thus insufficient as a supplementary measure to the SCCs. Indeed, the scope of s.702 FISA obligations remain unaffected by Google’ measure, as their performance would still require Google to provide un-anonymised data if requested.
Similar decisions are expected to be reached by other EU DPAs as the CNIL has disclosed that a coordinated taskforce was set up amongst them by the EDPB so as to “examine the legal issues raised” in the NOYB complaints and "prepare recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries". As a result, although no new substantive decision has been reached against Google Analytics, the DPA of Luxembourg decided not to further pursue three complaints regarding data transfers to Facebook servers in the U.S, as the use of Google Analytics tools had ceased before a decision was reached. It is likely that all DPAs will follow suit and adopt the core arguments put forward by NOYB regarding the breach of Schrems II requirements by such data transfers.
In Netherlands, the Dutch data protection authority announced in January 2022 that it was investigating two complaints against the use of Google Analytics, expected to be completed later in the year. The complaints mirrored those in Austria, France and Italy.
In Norway, Datatilsynet, the Norwegian data protection authority, concurred with Austria by positioning against the use of Google Analytics and publicly advising Norwegian companies to seek alternatives to the service in a 26 January 2022 communication.
In Denmark, the Danish data protection authority Datatilsynet released a 19 January 2022 statement that they were examining the Austrian ruling along with other similar European Court of Justice rulings and would provide relevant guidance in due course.). On September 21, Datatilsynetb finally rallied with the other EU DPAs and announced its guidance that the use of Google Analytics is not compliant with the EU GDPR as the tool transfers personal data to the United States in breach of the Schrems II requirements. In terms of guidance in relation to the use of Google Analytics, Datatilsynet has posted on its website an FAQ to address a series of questions on the use of Google Analytics. The DPA refers in its guidance to the ability of organisation's to identify whether or not the tool complies with EU Data Protection Laws, to decide if appropriate supplementary measures may help them achieve compliance or otherwise be required to cease to use the tool. The Danish DPA recommends in particular the use of pseudonymisation as a possible supplementary measure and refers more broadly to the CNIL Guidance issued earlier in June 2022 (Please see Section 2).
The main point of divergence between the DPAs' decisions was in relation to the choice of enforcement. The French DPA took a hard line by giving the offending company one month to cease processing activities performed through the use of the "current version" of Google Analytics or face a penalty. However, subject to the companies' requests and the CNIL's subsequent approval, this one-month period may have been extended.
The Italian DPA, conversely, took note of the asymmetrical bargaining power of the parties concerned, as well as steps taken by the company to remedy the situation and the absence of negligence or special categories of personal data, and therefore issued only a warning and urged the relevant website owner to implement appropriate measures within 90 days. Since the decision, the Italian DPA has released a further update stating that not all transfers from the EU to the US will be illegal, but that legality will be judged on a case by case basis.
The Austrian DPA did not take any remedial measures since the Google Analytics tool had been uninstalled before the conclusion of the complaints procedure. Similarly, Spanish and Luxembourg DPAs both closed their cases due to the website owner uninstalling Google Analytics from their websites following the NYOB complaint.
- Section 2
CNIL'S DECISION AND PROPOSED GUIDANCE
On 10 February 2022, the CNIL published an anonymised decision on a specific company (the Company) in which it established that transfers of personal data via Google Analytics to Google in the United States did not comply with GDPR (the CNIL's Decision).
We set out below our analysis of the Decision and of the Questions and Answers published on 7 June 2022 by the CNIL in relation to its formal notices concerning the use of Google Analytics (the CNIL FAQ) (A) as well as a summary of the related Guidance on how to make analytics tool compliant with the GDPR (CNIL Guidance) published same day and explaining which measures could be implemented to allow for the use of Google Analytics (B).
A CNIL's Decision
The CNIL, in line with the European DPA's decisions, concluded that: (1) the NOYB complaints against a number of companies in France were well-founded, (2) ruled that the targeted companies had breached article 44 of the GDPR through their use of Google Analytics and (3) ordered them to comply with the GDPR within a month.
An anonymized version of one of those formal decisions, published by the CNIL, made clear that it would apply to all website operators using Google Analytics.
In this Decision, the CNIL laid down the following:
1. The use of Google Analytics, in its current version and in light of the measures implemented by Google to date, allows access from US surveillance agencies to European data subjects' personal data (namely online identifiers such as IP addresses).
2. The Company which claimed to have no ability to identify the website's users after anonymising the website's visitors' IP addresses was unable to "disclose the specific means deployed to ensure the anonymity of the collected identifiers". As a result, it was not possible to consider such data as anonymised which led to the conclusion that Google Analytics allows the Company's website manager as well as Google to identify the website's visitors.
3. There is currently no adequacy decision of the European Commission, pursuant to article 45 of the GDPR, in relation to the US.
4. Therefore, to ensure compliance with the GDPR, the websites operators, acting as data controllers when using the Google audience measurement tool, would need to justify either:
- the applicability of one of the derogations pursuant to article 49 of the GDPR or;
- the implementation of appropriate safeguards so as to maintain a sufficient level of protection of the data pursuant to article 46 of the GDPR.
5. As the Company was unable to rely on either of these transfer mechanisms, the transfer of personal data to the US was considered a breach of article 44 of the GDPR.
B CNIL's Guidance
The CNIL FAQ and its further CNIL Guidance offered more insight into the CNIL's position in relation to the use of Google Analytics.
In particular, the CNIL's Decision and detailed Guidance provide some useful insights on key aspects of the GDPR and its application to the use of Google Analytics within the EEA.
1. Adequate safeguards
The Company had attempted to rely upon the EU Standard Contractual Clauses (SCCs) as appropriate safeguards for data transfers to the US. In this respect, the CNIL concurred with the CJEU's judgment on Schrems II that the SCCs, due to the limited protection afforded by contractual guarantees, would not provide data subjects with actionable rights against the public authorities which may access the data under FISA.
Therefore, the CNIL concluded that the mere implementation of SCCs would not be sufficient to ensure that the use of Google Analytics would be compliant with the GDPR.
2. Supplementary Measures
Furthermore, the CNIL considered whether additional legal, technical and organisational security measures implemented in conjunction with the implementation of the SCCs would be sufficient to allow the lawful use of Google Analytics. In its decision, the CNIL explicitly referred to the EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (EDPB Supplementary Measures Recommendations) of 18 June 2021.
It is clear from the CNIL's Decision however that such supplementary measures would only be effective to the extent that they would be able to address the specific deficiencies of the existing contractual protections.
In this instance, the CNIL considered that the contractual and organisational measures implemented by Google, which included the notification of the users, the publication of a Transparency Report and the "careful review of each [public authority] request" would not be deemed sufficient to achieve compliance with the GDPR.
The technical measures implemented by the Company equally failed to convince the CNIL.
The Decision concludes that, "it has not been clarified, either by Google LLC or by the company, how the measures described […] in fact prevent or reduce the possibility of access by US intelligence services". Furthermore, the use of data encryption by Google would not constitute an impediment to its obligation to grant access to such personal data to US intelligence services, under FISA.
The CNIL further considered the following derogations under article 49 of the GDPR:
- consent of the data subject (article 49(1)(a)). The CNIL determined that the data subject’s consent obtained through use of the cookie banners was not an explicit and informed consent as required by the GDPR. Consent will only be effective if the data subject has already been "informed of the possible risks of such transfers" and;
- necessity for performance of a contract between the data subject and the controller (article 49(1)(b)). In this respect, the CNIL considered that the Company had failed to support this argument with "any specific evidence" and therefore did not establish any contractual relationship with the data subjects.).
The CNIL also confirmed that, in any event and as indicated in the EDPB's Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 , such derogations can only be used for non-systematic transfers, and cannot constitute a permanent, long-term solution.
4. Adopting a risk-based approach
The CNIL FAQ refers to the possibility that businesses may decide to carry on using Google Analytics on the grounds that the likelihood of data access requests may be limited. Such approach is clearly rejected by the CNIL as the mere fact that the public authorities ex EEA would be entitled to access personal data would require businesses to take appropriate measures to prevent access by such authorities if, like in the case of US public authorities, "the safeguards surrounding the issuing of data access requests are not sufficient to ensure a level of data protection substantially equivalent to that guaranteed in the EU".
5. Practical solutions
In its Guidance, the CNIL attempted to provide for practical guidance for the lawful use of Google Analytics.
The main risk associated with the use of Google Analytics is the possibility for Google to access certain user’s personal data which would enable Google LLC in the US to not only identify the data subjects but also provide access to their data to US public authorities if requested to.
The main challenge to EU data protection compliance from a technical stand point is the direct contact established, through an HTTPS connection, between an individual's terminal and the servers managed by Google.
If subject to a data access request, Google may retrieve from its servers not only the IP address of the Internet user but also a lot of information on the terminal used, enough to identify the user and, possibly, the individual's browsing history on all the sites using Google Analytics.
Google Analytics may be lawfully used if it becomes possible in the future to severe all contact between the terminal and the server.
Several solutions have been considered by operators to prevent such possibility of access and thus ensure respect of the users’ privacy, such as the modification of the configuration of the Google Analytics tool. However, the CNIL found that no such modification, including changing the IP address processing conditions, was enough to meet the requirements of the GDPR, as the data would still be transferred to the United States.
Yet, the CNIL makes available two alternative solutions as follows:
a) Use of "encryption" of the identifier generated by Google Analytics, or replacing it with an identifier generated by the website operator
In practice however, the CNIL considers that encryption would not prevent the possible re-identification of data subjects, as Google would continue to process the IP address.
Encryption would be an additional protection measure provided that Google (and not Google LLC) may encrypt the data before the transfer and that the encryption keys may be held under the exclusive control of the data exporter, or other entities established in a territory offering an adequate level of protection (i.e. not Google LLC, a data importer).
b) Use of a proxy server
The CNIL has considered the possibility of using a proxy server as a solution to the Google analytic conundrum, which would prevent direct contact between the website user's terminal and the Google's servers.
However, the CNIL reminds that it must be ensured that this server meets number of criteria set out in the EDPB Supplementary Measures Recommendations of 18 June 2021, in relation to the use case number 2 on pseudonymisation before data export.
Under the Recommendations, such pseudonymous data may only be transferred if the exporter is able to establish, through a thorough analysis, that it the data subject may not possibly be re-identified, "nor be used to single out the data subject in a larger group without the use of additional information" even when considering the considerable means available to the authorities likely to carry out such re-identification.
For the proxy to be valid, the CNIL considers the following measures to be necessary:
- No transfer of the IP address to Google's servers should take place;
- The user identifier should be replaced by the proxy server so as to ensure effective pseudonymisation;
- External referrer information should be removed from the website;
Any parameters contained in the collected URLs (e.g. UTMs, but also URL parameters allowing internal routing of the website) should be removed;
- Information that can be used to generate a fingerprint, such as user-agents should be removed, so as to prevent the rarest configurations that could lead to re-identification;
- No cross-site or lasting identifiers (CRM ID, unique ID) should be collected;
- Any other data that could lead to re-identification should be deleted.
The CNIL also requires for the hosting conditions of the proxy server to be adequate so as to ensure that the data is not transferred to a third country which does not provide a level of protection equivalent to that provided in the EEA.
Clearly, the CNIL is fully aware that the above proposed solutions may prove to be significantly costly and complex for businesses to implement in practice. The CNIL FAQ plainly suggest that businesses may consider sourcing equivalent analytics tools from providers "offering sufficient guarantees of compliance".
Otherwise, the CNIL recommends for now to use an alternative audience measurement tool, keeping in mind that a case-by-case analysis must always be conducted to assess a tool’s compliance with the issues raised by international transfers.
In a blog article dated 16 March 2022, Google announced that, as of 1 July 2023, Universal Analytics (the current model of Google Analytics on the market) will cease to process data and be superseded by Google Analytics 4 (GA4). Amongst other features, GA4 will include new, "privacy controls such as cookieless measurement, and behavioural and conversion modelling (sic)", however, there is no indication that GA4 will put an end to the offending transfers of personal data to the US.
Although it is clear that the upgrade to Google Analytics 4 will not be the silver bullet that will ensure data compliance, it is expected that Google will aim to include further enhanced privacy features.
It appears however that Google may rely instead upon agreement of a new 'Privacy Shield 2.0' between the EU and US, the so called "Transatlantic Data Privacy Framework", released on Friday 25 March. Though an "agreement in principle" has been announced by way of a joint statement of the European Commission and the government of the United States, there is no clear signposting on when the substance of this agreement might be agreed on and in force.
While such negotiation between the European Commission and the US government brings a glimmer of hope, it should be reminded that the principle agreement adopted between them at this stage does not yet constitute a valid basis for website operators to use Google Analytics.
In other words, until a solution is found, either through the finalisation of the Transatlantic Data Privacy Framework, leading to an EU adequacy decision, or by Google itself, making available a solution which would not involve a transfer of personal data to the US, businesses are warned: the only reliable way to exclude the possibility of being subject to enforcement measures by the competent data protection authorities is to suspend the use of the Google Analytics tool.
With thanks to Ben Green, Associate in the commercial team for his contribution.