France: CNIL publishes FAQs on Google Analytics enforcement, highlights proxy server use as potential solution
The French data protection authority ('CNIL') published, on 7 June 2022, FAQs in relation to CNIL's enforcement actions regarding the use of Google Analytics, as well as guidance on bringing audience measurement tools into compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
In particular, CNIL recalled that in its decisions it had ruled that the use of Google Analytics by French website operators resulted in the transfer of personal data to the US in the absence of sufficient safeguards for European data subjects, violating Chapter V of the GDPR in light of the requirements of Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'). Furthermore, in the FAQs, CNIL reiterated that the mere conclusion of Standard Contractual Clauses ('SCCs') with Google LLC is insufficient to meet the requirements of the GDPR, further noting that additional legal, organisational, and technical measures are required, and that those implemented by Google were insufficient.
Further to these conclusions, the FAQs and guidance address, among other things, CNIL's stance on potential solutions to enable the continued use of Google Analytics and other audience measurement tools.
Solutions considered ineffective by CNIL
Adjusting configuration of settings in Google Analytics tool
Notably, CNIL outlined that it is neither possible to configure the Google Analytics tool so as not to transfer personal data outside the EU, nor to configure it so that only anonymous data is transferred to the US.
In addition, CNIL highlighted that although encryption is in theory a sufficient technical measure to prevent US intelligence access and therefore comply with the requirements of the Schrems II Case, it is only a sufficient safeguard to the extent that the data exporter has exclusive control over the encryption. CNIL further highlighted that, in the case of Google Analytics, Google encrypts the personal data in question itself and can access data in the clear, rendering such encryption insufficient to prevent US intelligence access.
Potential effective solutions according to CNIL
Proxy server use, subject to conditions
In particular, CNIL outlined that in order to prevent the issue of access to data by non-European authorities and lawfully use an audience measurement solution with US-based or -affiliated servers, it is first of all necessary to break the point of contact between the terminal device of the European user and the server. Therefore, CNIL suggests using a proxy server as a potential solution, noting, however, that such servers must nonetheless meet the criteria provided by the European Data Protection Board ('EDPB') in its Recommendations 01/2020 on measures that supplement transfer tools, so as to ensure that only pseudonymised personal data that cannot be attributed to an identified or identifiable natural person is transferred outside the EU.
More specifically, CNIL outlined that the server performing the proxy will have to implement measures to ensure the following:
- the absence of transfer of the IP address to the servers of the measurement tool;
- the replacement of the user identifier by the proxy server;
- the deletion of the referring site information external to the site;
- the deletion of any parameter contained in the URLs collected (e.g. UTMs and URL parameters allowing the internal routing of the site);
- the reprocessing of information that can contribute to the generation of a fingerprint, such as 'user agents', to remove the rarest configurations that can lead to re-identification;
- the absence of any collection of cross-site identifiers; and
- the deletion of any other data that may lead to re-identification.
Additionally, CNIL highlighted that it must also be ensured that a proxy server is hosted under conditions guaranteeing that the data it processes will not be transferred outside the EU. Moreover, CNIL emphasised that data controllers will be required to carry out an analysis to ensure that the aforementioned measures and guarantees are effectively implemented, as well as to monitor that they are maintained over time, as products evolve.
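The following is an added illustration of how the measures CNIL lists above might be implemented in the EU-hosted proxy, written for this article; it is not code from CNIL, Google, or any measurement product. The field names, the sample hit, and the keyed-hash pseudonym with an operator-held rotating secret are constructed assumptions, not requirements stated in the FAQs. The design is allowlist-based: the proxy builds a fresh record containing only the fields it has deliberately reprocessed, so the IP address, cookies, cross-site identifiers and any other incoming data are never forwarded to the measurement tool's servers.

```python
"""Pseudonymising analytics proxy step (added example; assumptions are labelled)."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Coarse browser families. Anything not matched collapses into "other", so rare
# configurations cannot act as a fingerprint. "Edg" is checked before "Chrome"
# because Edge's user agent also contains "Chrome". (Constructed list.)
UA_FAMILIES = ("Firefox", "Edg", "Chrome", "Safari")


def generalise_user_agent(user_agent: str) -> str:
    """Reduce a full user-agent string to a browser family without version."""
    for marker in UA_FAMILIES:
        if marker in user_agent:
            return "edge" if marker == "Edg" else marker.lower()
    return "other"


def pseudonymous_id(client_id: str, site_id: str, secret: bytes) -> str:
    """Replace the tool's user identifier with a proxy-generated pseudonym.

    Keyed hash under a secret known only to the proxy operator (assumption:
    the operator rotates it, which breaks linkability across rotations).
    """
    msg = f"{site_id}:{client_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def internal_referrer(referrer: Optional[str], site_host: str) -> Optional[str]:
    """Keep only on-site referrers, reduced to their path; drop external ones."""
    if not referrer:
        return None
    parts = urlsplit(referrer)
    if (parts.hostname or "") != site_host:
        return None  # referrer external to the site is deleted
    return parts.path or "/"


def strip_url(url: str) -> str:
    """Delete every URL parameter (query string and fragment), keep the path."""
    return urlsplit(url).path or "/"


def pseudonymise_hit(hit: dict, site_host: str, secret: bytes) -> dict:
    """Build the record forwarded to the measurement tool.

    Allowlist: fields such as client_ip, cookies or screen size that are in
    the incoming hit are simply never copied, which covers the "no IP
    transfer", "no cross-site identifiers" and "delete other re-identifying
    data" points in one place.
    """
    return {
        "site_id": hit["site_id"],
        "visitor": pseudonymous_id(hit["client_id"], hit["site_id"], secret),
        "page_path": strip_url(hit["page_url"]),
        "referrer_path": internal_referrer(hit.get("referrer"), site_host),
        "ua_family": generalise_user_agent(hit.get("user_agent", "")),
        "event": hit.get("event", "pageview"),
    }


# Constructed sample of what a browser-side tag might send to the proxy.
SAMPLE_HIT = {
    "site_id": "example-site",
    "client_id": "1234567890.1654567890",
    "client_ip": "203.0.113.45",
    "page_url": "https://www.example.org/pricing?utm_source=news&utm_campaign=june&route=b",
    "referrer": "https://search.example.net/?q=example+pricing",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0",
    "cookies": {"_ga": "GA1.2.1234567890.1654567890"},
    "screen": "2560x1440",
}

if __name__ == "__main__":
    # Placeholder secret for the offline demo; a real proxy loads a rotating one.
    print(pseudonymise_hit(SAMPLE_HIT, "www.example.org", b"demo-secret-not-for-production"))
```

In this design the proxy, not the browser, is the only party that ever sees the IP address and the original identifier, which is the "break the point of contact" requirement; the allowlist also makes the analysis CNIL asks for easier to maintain over time, because any new field a product starts emitting is dropped by default until someone decides how to reprocess it.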
EU-based audience measurement solutions
Finally, CNIL acknowledged that the implementation of the above measures may be costly and complex, highlighting that such difficulties may be avoided by using a solution that does not transfer personal data outside the EU.
You can read the FAQs here and the guidance here, both only available in French.