After issuing official warnings to various website operators, the CNIL has confirmed that the use of Google Analytics in its standard version should now be considered “illegal”.
In a question-and-answer section on its website, the French data protection regulator states that none of the extra safeguards presented to it satisfies GDPR standards.
The sole option it proposes to enable the compliant use of Google Analytics is to use a proxy server to stop Google identifying the end user. Website operators will therefore need to review whether this is a cost-effective and technically viable option.
In summary, the CNIL indicates that:
- The use of Google Analytics on French websites infringes GDPR because it implies transfers of personal data to the United States.
- The additional technical measures proposed to reduce the risks of such transfers do not meet EU legal requirements.
- Website operators cannot adopt a risk-based approach based on the probability of access to data by US surveillance authorities. The mere possibility of such access infringes GDPR.
- The CNIL has issued official warnings to several French website operators, ordering them to demonstrate their compliance on this issue within one month.
- All data controllers using Google Analytics in a similar way to the website operators who were the subject of official warnings must, as of now, consider that this use is illegal because it contravenes GDPR.
- It may be possible to use Google Analytics legally through proxy servers, thus preventing all contact by HTTPS between the end user’s terminal equipment and servers managed by Google.
- This solution would need to meet strict technical criteria to ensure there is no possibility for Google to re-identify the data subjects. More details on this “proxyfication” proposal are available on the CNIL’s website.
French website operators therefore need to review (1) whether they use Google Analytics and (2) whether proxyfication is a viable option for them.
The legal background
In February 2022, the CNIL issued its first official warning to a website publisher which used Google Analytics, because this implied “illegal” transfers of personal data to the United States.
These different regulatory decisions apply the Schrems II judgment of the Court of Justice of the European Union (CJEU) in July 2020, which held that, under American law, US intelligence authorities had excessive access to personal data.
As a result, the court invalidated the Privacy Shield framework (at the time widely used to justify data transfers from the EU to the USA) and restricted the possibility of using contracts known as Standard Contractual Clauses (SCCs) for the same purpose.
The CNIL decision of February 2022 followed a series of complaints by the data protection activist group NOYB about websites using Google Analytics and Facebook Connect cookies. NOYB’s argument was that, applying Schrems II, the signature of SCCs was not capable of justifying data transfers to the USA by Google and Facebook. The CNIL essentially concurred, considering that, although Google had adopted additional measures to protect data transfers, these were not sufficient to exclude the possibility of access to this data by US intelligence services and that transfers of personal data to the US in this context therefore violated GDPR.