On the 10th of February 2022, the CNIL, the French authority responsible for controlling the protection of personal data, estimated that the use of the Google Analytics tool is illegal.
Such a decision did not come as a shock, before it and after several complaints from NOYB were filed, and therefore in cooperation with its European counterparts, issued a formal notice to website managers.
The illegality of this tool is based on two reasons:
- The absence of adequacy decision with the United States after Scherms II
- Insufficient supervision and guarantees of the tool. Therefore, American intelligence services can still have access to this data.
However, considering the number of Google Analytics users, the company proposed a solution to use it without violation. In the first place, the users should respect adequate technical, organizational, and legal measures.
The users should therefore edit the settings of the IP address processing conditions. Even so, the CJUE ruled against such measures considering the data transfer to the US. Also, the encryption of the identifier generated by Google Analytics is still considered insufficient providing the unknown moment of anonymization, whether before or after the transfer. At last, Google Analytics has suggested replacing the IP address with an identifier generated by the operator of the site which can still re-identify data subjects.
The primary insufficiency of these solutions is the existence of direct contact between the terminal of the person and Goggle Analytics’ servers.
The CNIL has interfered and presented website managers with a temporary solution: a proxy server.
Therefore, the CNIL considered that the following measures will allow websites managers to use Google Analytics legally:
- Use of a proxy server, which will solve the main insufficiency and break any direct contact between the user’s terminal and the Google Analytics servers
- Pseudonymization before exporting data. The website manager should make sure that all the information transmitted does not in any way allow for re-identification of the person and delete any other data that could lead to re-identification
- No transfer of the IP address to the Google Analytics servers
- Replace the user’s ID with the proxy server’s ID (hashing)
- Removal of referrer information and parameters contained in the collected URLs
- No cross-site collection
- Ensure adequate proxy server hosting conditions
GDPR supporters should stay on the look for any upcoming adequacy decision with the US after Scherms II, which can be interpreted by some as unnecessary considering the present solutions to data transfer to the US.
