The French CNIL in cooperation with other European counterparts has declared that Google Analytics’ transfers of EU data—protected under the GDPR—to the United States are in breach of the GDPR and has ordered a French website manager to comply with the regulation and, if necessary, to stop using Google Analytics under the “current conditions it provides” within one month.
Their decision was based on Google’s failure to guarantee that European data remains stored in line with the requirements of the GDPR. The CNIL also added that US government surveillance laws can require US providers like Google or Facebook to provide the personal details of internet users to US authorities. This decision, though, was squarely aimed at Google and Facebook and no other US providers.
Further reactions from the DPAs of other EU member states that are covered by the GDPR are expected to follow soon.
Piano recently organized a webinar to dive into the CNIL’s decision, explain the rulings levied upon Google Analytics, and how businesses can identify trustworthy analytics providers. The session featured leading data privacy experts Fabrice Naftalski, Attorney at Law Partner at Ernst & Young, Louis-Marie Guérif, Piano’s Group DPO, and Declan Owens, Piano’s Director of Solutions Engineering.
Watch the webinar here or read on for a detailed summary.
How is personal data and data transfer defined in the GDPR?
Under the GDPR, Personal Data is defined as “any information related to an identified or identifiable (directly or indirectly) physical person, in particular by reference to an online identifier.”
This notably includes any indirectly identifiable or pseudonymous information such as:
- IP addresses
- Any online identifier – cookie, mobile, advertising, fingerprinting
- Any information combination that can lead to a single person being identified – navigation, behavior or any other demographic data
Non-Compliant: Google isn’t fully transparent about what they classify as Personally Identifiable Information.
Article 14 of the GDPR states that the controller needs to inform data subjects where personal data is stored and needs to provide information on all transfers of personal data outside the EU. This involves a proper commitment to, and full transparency about, where data is stored and potentially transferred.
Non-Compliant: Google fails to provide this information.
Why do the French CNIL and other DPAs consider Google Analytics to be illegal?
Following on from the European Court of Justice’s decision to invalidate the US Privacy Shield in 2020—a mechanism covering the transfer of data from the EU to the US—the CNIL has also now declared Google Analytics to have an insufficient level of protection for the transfer of European personal data protected under the GDPR.
Here’s how Google Analytics falls short of the legal requirements of the GDPR and the background to the CNIL’s decision.
Google’s misinterpretation of the GDPR’s definition of personal data
Google strays from the strict definition in the GDPR and doesn’t consider the following as personal data:
- Pseudonymous cookie IDs
- Pseudonymous advertising IDs
- IP addresses
- Other pseudonymous end user identifiers. This means that an IP address sent with an ad request (which includes almost all ad requests) is not, in Google’s view, considered as sending PII under the GDPR
The GDPR also states in article 5 that “Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject”. This means that all website and app publishers who gather personal data need to set out precisely how this information is collected and used.
Google Analytics fails to specify how its data is collected and used. On the Google Analytics Help page, it states that ‘usage data’ (the above categories) is not ‘Personally Identifiable Information’. The data protection supervisory authorities therefore expressly point out that the data processed with Google Analytics (usage data and other device-specific data that can be assigned to a specific user) is personal data within the meaning of the GDPR.
Failure to meet requirements for EU-US data transfer/storage
Data transfers to the US from the EU are subject to strict requirements, notably the need to implement the appropriate safeguards (CCT, BCR), provide additional technical measures (pseudonymization, encryption), give full transparency on how data is accessed, strengthen the importer’s audit procedure and apply strict security and privacy policies (based on EU certifications/code of conduct, ISO standard).
Google is not transparent about where its data is stored. Under the GDPR, personal data transmission to non-EU countries is possible with the implementation of appropriate safeguards (countries with adequate levels of protection, informing visitors, and respecting their rights).
- Google displays on their site that their data centers are distributed across the globe.
- They fail to guarantee that European data remains stored in the EU
- US government surveillance laws specifically require US providers like Google or Facebook to provide the personal details of internet users to US authorities
- According to the CNIL, there is a risk that American intelligence services could access personal data transferred to the United States if the transfers are not properly regulated
The background to the CNIL’s decision
The CNIL’s decision essentially states that Google Analytics and Facebook Connect fail to adhere to the above requirements to be GDPR compliant. It therefore only refers to these two providers and no other companies in the US or elsewhere. It was based on the 101 model complaints filed by noyb—the website run by Austrian data privacy activist Max Schrems—and refers back to the 2020 “Schrems II” case declaring that the transfer of data to the US is in violation of the GDPR.
The data protection authorities of several EU countries have joined the CNIL in reacting to the statement that Google Analytics is in breach of the GDPR:
- The European Data Protection Supervisor (EDPS) issued a decision after a complaint filed by NOYB confirming that the European Parliament violated data protection law on its COVID testing website. The EDPS highlights that the use of Google Analytics and the payment provider Stripe (both US companies) violated the Court of Justice’s “Schrems II” ruling on EU-US data transfers.
- The Austrian DSB was the first European authority to come to the conclusion that the use of Google Analytics violates “Schrems II”, based on the NOYB’s complaints.
- Datatilsynet, Norway’s data protection authority, advises organizations in Norway to consider alternatives to Google Analytics. The authority announced that two ongoing investigations may lead to convictions for using Google Analytics.
- The Dutch data protection authority (Autoriteit Persoonsgegevens) has announced that it is investigating two complaints also concerning the use of Google Analytics and indicates on its website that the use of this tool may no longer be authorized.
What are the sanctions and potential solutions?
Companies that continue using Google Analytics need to take action fast or face the risk of penalties for a GDPR breach. Following a formal notice to the website manager (data controller), Google Analytics users need to immediately bring their analytics into GDPR compliance or stop using GA in its current version. They have a one-month deadline to comply.
Formal notice procedures have been initiated against managers of sites using Google Analytics including the use of the cloud and the transfer of data to countries outside the EU that do not provide an adequate level of protection. Specifically referring to the US, the CNIL has stated that:
- Extra territorial data transfer to the US does not provide sufficient guarantees, mostly due to possible access of US authorities to personal EU data
- Google’s Standard Contractual Clauses for transfer are not deemed sufficient
- Google’s data encryption is not sufficient and IP addresses are not anonymized before transfer to the US
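The technical measures named above (pseudonymization and encryption as supplementary safeguards, and IP anonymization before any transfer) are easier to reason about on a concrete record. The following is an added example, not code from Piano, the CNIL or Google: it takes constructed analytics hits (documentation-range IP addresses, made-up visitor IDs), zeroes the host part of the IP address before the record is exported, replaces the cookie-based visitor ID with an HMAC under a key that stays with the controller, and runs an audit check over an export to flag records whose IP still carries host bits. The retained prefix widths (24 bits for IPv4, 48 for IPv6) are a common convention assumed here, not something the decision prescribes.

```python
"""Pseudonymization of analytics hits before export (added example).

Not code from Piano, the CNIL or Google. The prefix widths below and the
sample records are assumptions made for the demonstration.
"""
import hashlib
import hmac
import ipaddress

# Leading bits retained per IP version; everything after them is zeroed.
# Assumed convention, not mandated by the page.
KEEP_BITS = {4: 24, 6: 48}

# Constructed sample hits. Addresses come from the documentation ranges
# (203.0.113.0/24 and 2001:db8::/32); the visitor IDs are made up.
SAMPLE_HITS = [
    {"visitor_id": "GA1.2.1234567890.1650000000",
     "client_ip": "203.0.113.57", "page": "/pricing"},
    {"visitor_id": "GA1.2.9876543210.1650000001",
     "client_ip": "2001:db8:85a3:8d3:1319:8a2e:370:7348", "page": "/checkout"},
]


def truncate_ip(raw):
    """Zero the host bits so the address no longer singles out one connection."""
    addr = ipaddress.ip_address(raw)
    bits = KEEP_BITS[addr.version]
    net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return str(net.network_address)


def is_truncated(raw):
    """Audit predicate: True when the address already has its host bits zeroed."""
    return truncate_ip(raw) == str(ipaddress.ip_address(raw))


def pseudonymise_id(identifier, key):
    """Keyed pseudonym (HMAC-SHA256). Only the key holder can re-link it."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def sanitise_hit(hit, key):
    """Return a copy of the hit with IP truncated and visitor ID pseudonymised."""
    out = dict(hit)
    out["client_ip"] = truncate_ip(hit["client_ip"])
    out["visitor_id"] = pseudonymise_id(hit["visitor_id"], key)
    return out


def audit_export(records):
    """Indexes of records that still carry a full (non-truncated) IP address."""
    return [i for i, r in enumerate(records) if not is_truncated(r["client_ip"])]


if __name__ == "__main__":
    # Constructed demo key; in practice the key lives with the controller only.
    key = b"constructed-demo-key-do-not-use"
    cleaned = [sanitise_hit(h, key) for h in SAMPLE_HITS]
    for record in cleaned:
        print(record)
    print("raw records still carrying host bits:", audit_export(SAMPLE_HITS))
    print("cleaned records still carrying host bits:", audit_export(cleaned))
```

Two points follow from the definitions earlier on this page. First, a keyed pseudonym is still pseudonymous data and therefore still personal data under the GDPR, so this reduces the risk attached to a transfer rather than taking the record out of scope. Second, the audit check is the part a DPO can actually ask for evidence of: run over an export batch, an empty result shows that no full IP address left the collection point.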
Companies currently using GA have several options to continue collecting and processing their user data in line with the GDPR. A new EU-US Privacy Shield may come soon but companies are still open to fines for past behavior. Another way to operate is to obtain extra consent from users for data transfers, but this would only apply to ‘exceptional circumstances’ and ‘occasional transfers’ under the GDPR.
Businesses could also choose to wait for any response measures taken by Google Analytics or wait for a possible appeal to the CNIL ruling. However, all of this is likely to take longer than the one-month deadline to stop using GA.
Perhaps the most viable solution is for companies to choose an analytics solution that is compliant with the GDPR. Several exist on the market and have already been evaluated by the CNIL. Piano Analytics is the first solution to have been accredited by the CNIL and has also been considered to be GDPR-compliant since Piano acquired AT Internet in 2021.
How can analytics managers mitigate data privacy risks?
Piano’s Director of Solutions Engineering, Declan Owens, continued the webinar by weighing the privacy risks involved in working with analytics on a daily basis.
The importance of mutual collaboration
Data and analytics are present throughout companies today. It’s therefore vital for stakeholders at all levels of the organization to support the data-centric approach. This particularly applies to the personas that the Analytics Manager depends on to carry out their role:
- Executive officers – they give recognition for results and provide the relevant strategic budgets that are the foundation for all digital activities in an organization from digital applications to SEO to analytics. Without executive support, there will be budgetary blocks to developing analytics projects and providing data to the different company stakeholders.
- Business users – depending on the size of the teams within the organization, business users depend on analytics, which plays a crucial role in meeting their goals. They therefore rely on readily accessible and actionable data and need to play an active role in data governance. Without the collaboration of business users, they are likely to look for their own solutions, which can create silos. This has a negative impact on an organization-wide global data strategy and can affect brand homogeneity and identity.
- Data Protection Officer – the DPO plays a crucial role in privacy compliance and it’s essential to work closely with them to make sure all aspects of the processing of personal data are in line with the GDPR. Without their support, your analytics setup will be severely hampered or even legally penalized.
How can the Analytics Manager meet the needs of these personas?
There are three steps an analytics manager needs to implement to meet the privacy requirements of teams in an organization. These are particularly important for companies that are questioning the compliance of their current analytics tool and thinking of migrating to an alternative GDPR-compliant provider.
- Carry out a Privacy Impact Assessment (PIA) – highly recommended by Data Protection Authorities (DPAs), who provide ready-made templates, this is a detailed assessment of all the data privacy and security aspects of your analytics setup. It covers all the tools and processes to ensure data privacy standards are in place across the board. If businesses don’t have a full picture of the impact of their data practices, they have no way of adjusting their strategy and planning accordingly.
- Work with an analytics provider that makes accountability easy – all companies are accountable to DPAs so they need to make sure they can quickly and simply demonstrate their privacy compliance and avoid the risk of penalties for non-compliance. It’s therefore important to work with a transparent tool that records and can demonstrate all the privacy measures you have in place and exactly how you’ve been ingesting and processing data. This also includes expert support from your analytics provider who are accountable and can ensure you have complete control over your data privacy.
- Include these conditions when setting up analytics for a business unit – it’s important to make business units aware that they need to take appropriate data privacy precautions when tracking audiences. They need to understand and abide by the legislation in place to avoid the potential consequences of a fine for a data privacy breach. Educating all the stakeholders involved about the importance of data privacy is the only way to implement a paradigm shift in the organization.
“We’re moving into a new era in data privacy. If you are strongly dependent on extensive tracking and invested in targeted advertising, you are heading towards a brick wall.” – Declan Owens, Director of Solutions Engineering, Piano
What are the benefits of a privacy approach for the Analytics Manager?
The most important aspect of a privacy-centric approach is working in harmony with the DPO for the overall benefit of the organization. The PIA ensures that all the privacy bases are covered and ensures GDPR compliance so you are free to focus on developing analytics projects.
Having a solid privacy footing also provides peace of mind and an opportunity to build your analytics strategy unimpeded. Countless companies are thriving with fully compliant practices and it’s essential to become one of them.
Compliance also provides businesses with a competitive advantage as you are working on solid ground. If you embrace data privacy and work with it, you will be ahead of competitors that cling to an illegal and outdated approach to data collection.
What are the main data privacy requirements for a compliant and trustworthy analytics platform?
To round off the webinar, Louis-Marie, Piano Group DPO, explains what companies should expect from a vendor to ensure they are GDPR compliant.
Above all, companies looking to migrate to an alternative solution should look for those providing a balanced relationship between Data Controller and Data Provider (vendor), based on compliance. Conforming with article 28 of the GDPR, this involves a clear and explicit Data Protection Agreement (DPA) that specifies:
- Those responsible for all actions concerning the data and who informs which parties
- Exactly what personal data is processed, how and for what purpose
- Where the data is processed and stored and the associated guarantees
Companies should also make sure their provider has a DPA that is available in straightforward, accessible documentation on how to operate in line with the GDPR. This involves easily accessible support with clear answers to ensure compliance, as well as a specific data privacy contact person.
What’s the best approach moving forward?
In March 2022, the EU and US announced an agreement in principle on a Transatlantic Data Privacy Framework (TADPF), which should be the successor to the EU-US Privacy Shield. However, it has not been drafted yet and a final adequacy decision is not expected before the end of 2022.
Google’s illegal data transfers to the US are a hot topic at the moment, but compliance with privacy legislation is nothing new and GDPR enforcement will continue. Carrying out impact assessments and anticipating the future use of data is the best way to avoid the risk of being penalized by sudden changes to the privacy situation.
It’s essentially about risk management, and the guarantees you can get from your provider are what make choosing an alternative the safest and most viable option.
This article was first published on the Piano blog and is republished with kind permission. Piano helps the world’s biggest media companies build dedicated audiences and increase revenues.