Google Analytics and data transfers: the French position

The "CNIL" published a decision considering that transfers of personal data via Google Analytics to Google in the USA did not comply with GDPR.

13 June 2022

Publication

On 10 February 2022, the French Data Protection Authority ("CNIL") published an anonymised decision in which it considered that transfers of personal data via Google Analytics (GA) to Google in the United States did not comply with GDPR. This decision was issued further to a series of complaints filed by the privacy association noyb against 101 European companies on the grounds of violation of GDPR requirements on data transfers outside the European Economic Area (EEA).

The CNIL ordered the recipient company to take the appropriate measures to ensure compliance with GDPR within a month, or if that was not possible, to stop using GA.

In the last few months, actors in the digital sector have been looking for a GDPR-compliant solution that will enable them to continue using GA.

In two communications published on 7 June 2022 (available here and here), the CNIL has provided further explanations on the approach which it considers should be taken in relation to GA given the issues identified in the 10 February decision.

Lack of conformity

The CNIL clearly states that its 10 February decision should not be considered as an isolated decision, and that any use of GA in similar terms should be considered as illegal under GDPR.

The CNIL underlines that the use of the standard contractual clauses integrated into Google's standard contractual documentation, together with the supplementary measures Google offers, is insufficient to ensure compliance with GDPR.

This is a clear warning to all businesses which have decided to adopt a wait-and-see approach and continue using GA in the short term (and possibly until the publication of an EU-US data privacy agreement currently under discussion).

Measures which are insufficient to ensure compliance with GDPR

The CNIL states that the following measures (which are the measures most commonly relied upon by businesses that continue to use GA) are not sufficient to ensure that personal data are transferred in accordance with GDPR:

  • Modifying the configuration of GA to prevent data transfer outside the EEA: The CNIL states that this measure is not effective as all data collected via GA are stored in the United States;
  • Anonymisation of the IP address: The CNIL considers that it is not clear whether the anonymisation occurs before or after the transfer to the United States;
  • In addition, the CNIL considers that the use of other unique identifiers in the context of the use of GA is likely to enable the identification of the data subjects (and this does not comply with the requirements provided by the EDPB (CEPD in French), which states that pseudonymisation can be used as a supplementary measure provided it prevents the reidentification of data subjects by public authorities);
  • Collecting consent as a derogation under Article 49 GDPR: The CNIL stated that this derogation is only appropriate where transfers are not systematic;
  • Adopting a risk-based approach: Businesses may have decided to continue using GA on the grounds that in practice the risk that public authorities seek to access the transferred data is limited. Such an approach is not valid according to the CNIL. The mere fact that the public authorities are entitled to access the data requires businesses to take appropriate measures to prevent access by such authorities.

Measures which could be implemented

The CNIL proposes the following solutions which require the implementation of specific technical requirements and in some cases are likely to be costly and complex without necessarily providing an equivalent service to GA:

  • Encryption of data: This may be a solution, provided that it prevents any access to the personal data by the foreign public authorities. In practice, this means that the importer has no access to the data in clear text, and that the encryption key is held by the exporter or by an entity located in a country which provides an adequate level of protection.
  • Use of audience measurement tools approved by the CNIL: The CNIL has published a list of tools which do not require the prior collection of consent (as per its guidelines and recommendations on the use of cookies and other trackers). However, it will still be necessary to perform a data transfer risk assessment to ensure that GDPR requirements are respected if the use of the tool implies transferring data outside the EEA, or if the business providing the tool is part of an international group based outside the EEA.
  • Using a proxy: In order to rely on this solution, businesses will need to comply with a list of very detailed technical specifications provided in the CNIL's communication.

In conclusion, the CNIL has sent a clear message to the digital sector regarding the risks involved in the use of GA, while highlighting that there are currently very limited solutions that would enable businesses to continue using GA in accordance with GDPR.

However, it remains to be seen whether the CNIL will carry out further investigations on this issue (in particular since the subject of cookies is no longer a priority for its 2022 enforcement programme).

It will also be interesting to see whether any of the other European supervisory authorities (in addition to France and Austria) decide to publish their position on whether GA complies with the data transfer requirements in the GDPR.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.