Google Analytics remains a hot topic for businesses and apparently also for data protection authorities (DPAs). With the advent of these new decisions and the new CNIL guidance, businesses have an even harder time justifying their use of Google Analytics and companies will likely soon have to face fines. In the following article, we will analyze the newest DPA decisions and summarize the key takeaways for businesses.
After the decision of the Austrian data protection authority (Austrian DPA) on the use of Google Analytics, which we analyzed in a previous article, the French data protection authority (CNIL or French DPA) published a similar decision in February, followed by a more recent decision from the Italian Data Protection Authority (Garante or Italian DPA) in June of this year.
In each of the aforementioned decisions, the respective DPA considered the relevant data transfer of personal data to the United States during the use of Google Analytics to be unlawful pursuant to chapter five of the General Data Protection Regulation (GDPR) based on the Schrems II judgment issued by the Court of Justice of the European Union (CJEU) on July 16, 2020.
The CNIL further published FAQs in June on formal notices, which it has served to several organizations in France to require them to make their use of Google Analytics compliant with the GDPR. The FAQs also set out requirements for the use of the analytics tool and include the CNIL's request for all French website operators to ensure compliance in relation thereto.
In their press statements on the aforementioned decisions and in the FAQs, the CNIL as well as the Garante emphasized the coordination with other EU data protection authorities (DPAs) regarding their decisions, which indicates that their conclusions would likely also be followed by other DPAs.
It is thus becoming clear that the Austrian, French, and Italian DPA decisions are not just isolated cases but that the viewpoints and requirements outlined by the DPAs are generally of relevance for all website operators in the European Economic Area (EEA).
All of the aforementioned DPA decisions and the FAQs are based on complaints filed by Max Schrems' nongovernmental organization, NOYB, which has filed complaints against 101 European companies in all Member States of the EEA in relation to their allegedly transferring personal data to Google and Facebook in violation of the GDPR and the Schrems II judgment (article from NOYB).
The CNIL Decision
The French decision was enacted against a website operator with a principal office in France who utilized Google Analytics in relation to individuals from several EU Member States. Regarding the cross-border processing carried out, the CNIL determined itself to be the lead supervisory authority and, as such, submitted its draft decision to other concerned DPAs, which did not object to it.
In particular, the CNIL determined that information collected via Google Analytics from users was transmitted to Google Analytics servers hosted in the United States. The French DPA further set out that the relevant contractual terms of Google Analytics referred to the Google Ads Data Processing Terms, which incorporated standard contractual clauses (SCC). It also acknowledged the additional legal, organizational, and technical measures provided by Google regarding an international transfer of data via Google Analytics.
The CNIL FAQs on Formal Notices Regarding the Use of Google Analytics
In its FAQs, the CNIL outlines in particular that it has already served formal notices on all French organizations in relation to which NOYB had filed complaints. The FAQs further set out requirements that the CNIL expects all website operators in France to comply with when using Google Analytics.
The Garante Decision
The Italian decision was enacted against a website operator located in Italy who utilized the "free version" of Google Analytics. The website operator had entered into the Google Analytics Terms of Service, as Google's standard terms, with Google Ireland Limited. The processing of personal data concerning the website operator's use of Google Analytics was regulated by the Google Ads Data Processing Terms, which incorporated standard contractual clauses (SCC). The Italian DPA also acknowledged that Google had set out supplementary measures for international data transfers.
The Garante stressed the limited knowledge and understanding of the website operator in relation to the specifics of the processing performed by Google Analytics, especially regarding the applicable transfers of data to third countries and the actual implementation of the aforementioned supplementary measures by Google.
It was also determined that the feature of Google Analytics which allows for the so-called "anonymization" of the user's IP address by deleting several of its digits (Google - IP Anonymization (or IP masking) in Google Analytics) was not turned on by the website operator at the time of the filing of the complaint.
The decisions of the CNIL and the Garante ultimately concluded that:
Personal Data Transfer Finding
Just like the Austrian DPA, the French and Italian DPAs concluded that information transferred to the United States via Google Analytics constituted "personal data" under the GDPR. Both DPAs stressed that unique identifiers (such as the IP address) are used which, in particular in combination with other information (such as on the utilized browser), allow for the singling out of individual users. Conversely, it is not necessary to know the name of the individual for the processed information to be considered personal data. Furthermore, according to the DPAs, the information related to individuals in possession of a Google account may be linked to a specific person.
"IP Anonymization" Feature of Google Analytics
Although the "IP Anonymization" feature of Google Analytics had not been activated at the time of the complaint, the Garante noted that its activation would only lead to the pseudonymization of the data and would not prevent Google from reidentifying a particular user based on the additional information it possesses.
Furthermore, the CNIL questioned whether the "anonymization" under the aforementioned "IP Anonymization" feature even takes place before the transfer to the United States or whether the entire IP address may be transferred to the United States and be shortened there.
Insufficient SCC and Supplementary Measures Finding
The CNIL and the Garante both found that Google LLC was subject to FISA 702 as one of the laws referenced in the Schrems II judgment and, consequently, subject to surveillance by U.S. intelligence agencies. As proof, the DPAs referred to FISA 702 access requests set out in Google's transparency report. Based on the Schrems II judgment, they concluded that the SCC alone were not sufficient to comply with GDPR requirements on the transfer of personal data to Google in the United States.
The French and Italian DPAs also concluded that the supplementary measures implemented by Google LLC were not sufficient to achieve compliance with the GDPR and the Schrems II judgment. Both DPAs determined that the supplementary measures and, in particular, the encryption measures were unable to avoid the risk of access by public authorities in the United States. They primarily based this on Google LLC in the United States being in possession of the encryption key, so that U.S. authorities would be able to request Google LLC to (i) provide them with access to the relevant personal data at issue and/or (ii) hand over the encryption key.
Insufficient Obtaining of Consent by the Website Operator in the French Decision
Even though the French decision includes only limited information in relation thereto, the website operator seems to have argued that users were able to refuse the tracking by Google Analytics and that this could have been considered consent pursuant to Article 49(1)(a) of the GDPR, which may justify the transfer to the United States in its view.
However, the French DPA did not consider the cited ability to refuse the tracking to be sufficient, as it did not encompass the required elements for the obtaining of explicit consent pursuant to Article 49(1)(a) of the GDPR, including, in its opinion, the necessary language for international data transfers.
In light of the similarities of the three DPA decisions and the CNIL guidance, the key takeaways set out in our previous article in relation to the use of Google Analytics generally still apply with the following additions:
DPAs in different EU Member States take a similar view.
EU DPAs seem to be taking very similar views on the use of Google Analytics. As the CNIL and Garante both also emphasized the coordination with other DPAs, one can assume that most EU DPAs share the general viewpoints outlined in their decisions. Consequently, and even though the decisions do not lead to an explicit ban of the use of Google Analytics across the EU, website operators will have to make sure to implement mitigation measures to address the issues covered by these decisions if they still intend to utilize Google Analytics in the EEA.
Using the new SCC is not enough to satisfy GDPR requirements for international data transfers.
Despite the Austrian, French, and Italian decisions referencing the previous version of the SCC, it is important to note that the issues set out in these decisions cannot be solved by the conclusion of the so-called new SCC alone, as they are also not binding on U.S. public authorities.
In any case, a Transfer Impact Assessment will have to be performed, after which one will have to assess whether the shortcomings set out therein could be mitigated with certain supplementary measures.
Turning on the "IP Anonymization" feature of Google Analytics does not avoid the applicability of the GDPR in the eyes of EU DPAs.
In particular, the Garante's decision also confirms that the EU DPAs generally do not consider the "IP Anonymization" feature to be able to avoid GDPR applicability.
As previously outlined, we still recommend activating the feature in relation to the use of Google Analytics in the EEA as a mitigation measure.
Obtaining user consent might mitigate some risk, even if it can be complicated in practice.
We still consider obtaining explicit consent pursuant to Article 49(1)(a) of the GDPR via a cookie banner to be a useful mitigation measure when it includes appropriate language for international data transfers.
The CNIL's rejection of the website operator's argument for consent as a legal basis in its decision seems to be based on the operator allegedly not taking all possible measures to properly implement it according to the CNIL. However, it has to be noted that the CNIL reiterated the restrictive interpretation of derogations under Article 49 of the GDPR by EU DPAs included in their related guidelines (EDPB – Guidelines 2/2018) "[…] as being exceptions from the rule […]" in its FAQs.
Consequently, the challenges outlined in our previous article in relation to the obtaining of consent for Google Analytics remain, namely (i) the restrictive interpretation of Article 49 of the GDPR by EU DPAs and (ii) the limited understanding of website operators regarding the processing performed by Google (see also DSK – Hinweise zum Einsatz von Google Analytics (in German)). As set out above, the Garante decision also noted the latter point.
CNIL: Using a Proxy Server as a Possible Solution
The CNIL has also suggested the use of a proxy server under certain circumstances as a possible solution for the issue at hand. The proxy server is meant to function as an intermediary between the website user and the servers of Google Analytics. However, the CNIL sets a high bar and outlines stringent requirements in relation to the implementation of such a "solution."
In order for this measure to be viable, the CNIL expects the website operator to have determined, via a thorough analysis, that none of the transferred pseudonymized personal data can be attributed to an identified or identifiable natural person, including with the use of additional information. In doing so, the significant means available to public authorities (in the United States) will have to be taken into account.
Among other things, this requires prohibiting the IP address, location, browser fingerprint, and/or (other) identifiers/information, which may allow for the identification of a user, from being transferred to Google Analytics. Furthermore, the processing performed by the proxy server will have to be compliant with the GDPR and, in particular, its requirements on international data transfers.
It remains to be seen whether such measure will be widely implemented, as the CNIL itself outlines that its proper implementation can be costly and possibly cumbersome.
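To make the proxy requirements above concrete, the following is an added example of the rewriting step such a proxy would apply before forwarding a hit to Google; it is not code from the article, from the CNIL or from Google. It assumes the browser sends a Universal Analytics Measurement Protocol hit (parameter names such as `tid`, `cid`, `dp`, `dl`, `uip`, `ua`, `aip` are the protocol's own), while the allowlist of forwarded parameters, the keyed daily-rotating rewrite of the client identifier and the URL stripping are design choices of this example, not requirements quoted from the CNIL.

```python
"""Proxy-side sanitizer for Google Analytics hits (illustrative example).

The browser sends its hit to a proxy run by the website operator; the proxy
rewrites it and forwards it to Google from the proxy's own IP address, so the
user's IP, location and browser details never leave the operator's control.
The allowlist, HMAC-based cid rewriting and daily key rotation are assumptions
of this example, not the CNIL's wording.
"""
import datetime
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Parameters forwarded unchanged: protocol version, property id, hit type,
# page path/title and event fields. Everything else (uip, ua, geoid, sr, vp,
# ul, dr, ...) is dropped because it can identify or fingerprint the user.
FORWARDED = {"v", "tid", "t", "dp", "dt", "ec", "ea", "el", "ev"}


def rotated_client_id(cid: str, secret: bytes, day: str) -> str:
    """Replace the browser's cid with a keyed hash whose key changes daily,
    so Google receives neither the original value nor one that links the
    same user across days. Only the proxy holds `secret` (assumed design)."""
    day_key = hmac.new(secret, day.encode(), hashlib.sha256).digest()
    return hmac.new(day_key, cid.encode(), hashlib.sha256).hexdigest()[:32]


def strip_url(url: str) -> str:
    """Keep scheme, host and path of the page URL; drop query and fragment,
    which often carry user-specific values (search terms, tokens)."""
    p = urlparse(url)
    return urlunparse((p.scheme, p.netloc, p.path, "", "", ""))


def sanitize_hit(raw_query: str, secret: bytes, day: str = "") -> dict:
    """Return the parameters the proxy may forward for one incoming hit."""
    day = day or datetime.date.today().isoformat()
    params = {k: v[0] for k, v in parse_qs(raw_query).items()}
    out = {k: v for k, v in params.items() if k in FORWARDED}
    if "cid" in params:
        out["cid"] = rotated_client_id(params["cid"], secret, day)
    if "dl" in params:
        out["dl"] = strip_url(params["dl"])
    out["aip"] = "1"  # keep Google's own IP masking switched on as well
    return out


# Constructed sample hit as a browser would send it (not captured traffic).
SAMPLE = ("v=1&tid=UA-00000-1&cid=555.1234&t=pageview&dp=%2Faccount"
          "&dl=https%3A%2F%2Fexample.org%2Faccount%3Fuser%3Dalice"
          "&uip=203.0.113.7&ua=Mozilla%2F5.0&geoid=FR&sr=1920x1080&ul=fr-fr"
          "&dr=https%3A%2F%2Fother.example")

if __name__ == "__main__":
    print(urlencode(sanitize_hit(SAMPLE, b"proxy-secret", "2022-07-01")))
```

The proxy must still send the rewritten hit from its own address and must itself satisfy the GDPR, including the transfer rules, as the article notes.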
Summary of options and mitigation measures (that should be implemented if a website operator wants to continue using Google Analytics in the EEA).
In light of the above, several different options with varying levels of risk present themselves to website operators:
Implementing the second option (depending upon the specifics) and/or (all of) the measures set out in the third option may still not result in (full) compliance with the requirements for international data transfers under the GDPR in the view of EU DPAs. Nevertheless, the implementation of these measures allows a website operator to show a DPA that significant efforts have been undertaken in relation to GDPR compliance. If a website operator decides to keep using Google Analytics on its website, such efforts can lead to a (significant) improvement of its position in case of a complaint by a website user and/or an investigation by a competent DPA.