CNIL, the French data protection authority, has released new guidelines on the use of Google Analytics, following its finding earlier this year that a local website's use of Google's traffic analysis tool violated EU law. It also confirmed that it has sent formal notices to other organisations requiring them to bring their use of the tool into compliance.
The legal issue is not confined to France; it affects the use of this popular analytics tool across the whole EU, because the tool relies on transferring user data to the United States for processing by Google. In 2020 the EU's highest court struck down the data transfer agreement known as the EU-US Privacy Shield, finding that such exports of personal data lacked adequate legal protection because US intelligence agencies could access Europeans' data unlawfully.
In March, the EU and the US announced a political agreement on a replacement transfer mechanism.
However, as CNIL points out, that joint statement is not a legal framework. Until the EU formally adopts a workable replacement agreement, it cannot be relied on to move European data across the Atlantic to US cloud services. The European Commission does not expect adoption before the end of this year, and the new deal will almost certainly face fresh legal challenges testing whether it is as flawed as its predecessor, as data protection experts suspect.
The bottom line, then, is that EU websites must either change how they use Google Analytics or risk regulatory enforcement, which may include orders to change their processing and financial penalties for violations. And as the regulatory guidance on this issue becomes more detailed, the risk of fines for non-compliance is likely to grow, since there are fewer and fewer reasonable excuses for not making the necessary changes.
"All data controllers who use Google Analytics in a manner similar to that of [notified] organizations must now consider that such use is illegal under GDPR. Therefore, they must turn to service providers that provide adequate assurance," CNIL warned in the guide.
Any website that receives a formal notice from the regulator about its use of Google Analytics has one month to comply, which may be extended by a further month on request.
CNIL's FAQ on the use of Google Analytics goes on to make clear that it is essentially impossible for EU organisations to use the tool lawfully without additional safeguards of their own.
"As part of the formal notification, the additional safeguards submitted to CNIL cannot prevent or invalidate the U.S. intelligence agencies from obtaining personal data of European users when using Google Analytics tools alone," it wrote, in answer to the question of whether a website could rely on Google's claim that it applies additional safeguards to the tool.
CNIL also stressed that standard contractual clauses are not enough to fill the legal gap in data exports, because Google Analytics cannot be configured so that it does not transfer European personal data outside the EU. It further warned: "Even without transfer, the use of solutions provided by companies subject to non-European jurisdiction may create difficulties in data access. In fact, third country authorities may have an obligation to disclose personal data hosted on servers located in the EU."
Only two additional safeguards would, in CNIL's view, allow Google Analytics to be used in the EU without breaking the law: encryption (but only if the key is under the exclusive control of the data exporter or another entity established in a region that provides an adequate level of protection); or a proxy server (to avoid any direct contact between the Internet user's terminal and the measurement tool's server).
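The proxy-server safeguard described above, shown as an added example that is not CNIL's guidance text or any Google or third-party code: the visitor's browser sends its analytics hit only to the site's own server, which forwards a reduced hit to the measurement endpoint from its own address, so the visitor's terminal never contacts the measurement server. The choice of which headers and parameters are treated as identifying and dropped, the parameter names, the sample hit and the endpoint URL are all assumptions constructed for this example.

```python
"""Minimal analytics-hit proxy (added example; assumptions are marked)."""
from urllib.parse import urlencode

# Assumed: request headers that identify the visitor and are never forwarded.
STRIPPED_HEADERS = {
    "cookie", "user-agent", "referer", "authorization",
    "x-forwarded-for", "x-real-ip", "forwarded",
}
# Assumed parameter names for client id, user id, visitor IP and user agent.
STRIPPED_PARAMS = {"cid", "uid", "uip", "ua"}

PROXY_SOURCE_IP = "203.0.113.10"  # constructed: the site's own server address
MEASUREMENT_ENDPOINT = "https://collect.example.invalid/collect"  # placeholder

# Constructed sample hit as the site's server would receive it from a browser.
SAMPLE_HIT = {
    "client_ip": "198.51.100.7",
    "headers": {
        "User-Agent": "Mozilla/5.0 (constructed)",
        "Cookie": "_ga=GA1.2.1234.5678",
        "X-Forwarded-For": "198.51.100.7",
        "Accept": "*/*",
    },
    "params": {
        "v": "1", "t": "pageview", "dp": "/pricing",
        "cid": "1234.5678", "uip": "198.51.100.7",
    },
}


def build_outbound_hit(incoming):
    """Build the hit the proxy sends on, with identifying fields removed.

    incoming: {"client_ip": str, "headers": {...}, "params": {...}}
    The outbound request originates from the proxy's own IP, so the
    measurement server sees the site's address, not the visitor's.
    """
    headers = {k: v for k, v in incoming["headers"].items()
               if k.lower() not in STRIPPED_HEADERS}
    params = {k: v for k, v in incoming["params"].items()
              if k.lower() not in STRIPPED_PARAMS}
    return {
        "url": MEASUREMENT_ENDPOINT,
        "source_ip": PROXY_SOURCE_IP,
        "headers": headers,
        "params": params,
    }


def leaks_visitor_data(outbound, incoming):
    """Sanity check before sending: True if anything identifying survived."""
    if outbound["source_ip"] == incoming["client_ip"]:
        return True
    if any(k.lower() in STRIPPED_HEADERS for k in outbound["headers"]):
        return True
    if any(k.lower() in STRIPPED_PARAMS for k in outbound["params"]):
        return True
    # The visitor's address must not appear anywhere in what is forwarded.
    blob = urlencode(outbound["params"]) + " " + " ".join(
        f"{k}: {v}" for k, v in outbound["headers"].items())
    return incoming["client_ip"] in blob


def relay(incoming):
    """Return the outbound hit, or None if the check fails (then nothing is sent)."""
    outbound = build_outbound_hit(incoming)
    return None if leaks_visitor_data(outbound, incoming) else outbound


if __name__ == "__main__":
    print(relay(SAMPLE_HIT))
```

The actual network send is deliberately left out; in a deployment, `relay` would hand the returned dictionary to an HTTP client running on the server, and the browser-side snippet would point at the site's own endpoint rather than the measurement tool's. Whether stripping these particular fields is sufficient for a given deployment is a legal and technical question the page leaves to the website operator.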
The regulator suggests that obtaining users' explicit consent to the data transfer could also be a basis in some cases, but only exceptionally, since CNIL points out that this derogation cannot be used for systematic transfers, which is exactly what Google Analytics' data flow is. So unless a website operator thinks it is a good idea to pester every visitor with such a request, explicit consent is not a workable solution.
CNIL has previously published a list of alternative analytics tools which, it believes, can be configured so that the usual need to obtain user consent for processing does not apply. It warns, however, that the list does not take international transfers into account, so website owners still have to do their own legal work to determine whether an alternative analytics tool, such as one supplied by a vendor headquartered in the EU with all processing carried out in the EU, carries less legal risk than Google Analytics.
Other EU data protection authorities (Austria's, for example) have also been issuing decisions against websites within their jurisdiction over non-compliant use of Google Analytics.
The regulatory review followed a series of complaints filed by the EU privacy advocacy group NOYB as early as August 2020, which at the time targeted Google Analytics and Facebook Connect. So although Google's analytics tool has been the first target of DPA decisions, the problem is not limited to Google or to analytics tools, and may affect many more US services with customers in the EU.