The CNIL (the French data protection authority) has issued formal notices to several organisations to bring their use of Google Analytics into compliance, because data is transferred to the United States without sufficient guarantees for the rights of European users. What other solutions exist for customers of this very widespread tool in France?

 

The formal notices issued by the CNIL come in the wake of the “Schrems II” judgment of the Court of Justice of the European Union (CJEU) of July 16th, 2020, which invalidated the Privacy Shield. This agreement, which governed the transfer of data between the European Union and the United States, was invalidated because it did not offer appropriate guarantees against the risk of illicit access by the American authorities, particularly intelligence services, to the personal data of European residents.

The organisations that received formal notices had established standard contractual clauses with Google, which Google offers by default to its users. According to the CNIL, these standard contractual clauses alone cannot ensure a sufficient level of protection in the event of a request for access from foreign authorities, especially if this access is provided for by local laws.

 

The measures taken by Google deemed insufficient

In its response to the CNIL’s requests, Google indicated that it had implemented additional legal, organisational and technical measures. But the latter were deemed insufficient by the CNIL to ensure the effective protection of the personal data transferred, particularly against requests for access to the data by US intelligence services.

It is also not possible to configure Google Analytics so as not to transfer personal data outside the European Union. In response to the questionnaire sent by the CNIL, Google indeed indicated that all the data collected through Google Analytics was hosted in the United States.

Google also indicated that it uses pseudonymisation measures, but not anonymisation. Google does offer an IP address anonymisation function, but this is not applicable to all transfers. In addition, the elements provided by Google do not make it possible to determine whether this anonymisation takes place before the transfer to the United States.

The use of unique identifiers alone to differentiate individuals can help make data identifiable, especially when combined with other information such as browser and operating system metadata. This data enables precise tracking of users, in some cases across multiple separate devices.

 

The problem of direct contact via the https connection

None of the additional guarantees presented to the CNIL in the context of the formal notices therefore makes it possible to prevent, or render ineffective, access by the United States intelligence services to the personal data of European users when only the Google Analytics tool is used.

The fundamental problem that prevents these measures from responding to the problem of access to data by non-European authorities is that of direct contact, by means of an HTTPS connection, between the person’s terminal and servers managed by Google. The resulting requests allow these servers to obtain the Internet user’s IP address as well as a lot of information about their terminal.

This information can realistically allow the user to be re-identified and, consequently, give access to their browsing on all the sites using Google Analytics. Only solutions that break this contact between the terminal and the server can solve this problem.

 

The proxy server solution?

A solution that uses a proxy server (or “proxy”) to avoid any direct contact between the Internet user’s terminal and the servers of the measurement tool could be envisaged. However, this server must meet a set of criteria for this additional measure to be considered in line with what the EDPB (European Data Protection Board) provides for in its recommendations of June 18th, 2021.

Such a device would correspond to the use case of pseudonymisation before data export. As indicated in the recommendations of the EDPB, such an export is only possible if the controller has established, by means of an in-depth analysis, that the pseudonymised personal data cannot be attributed to an identified or identifiable natural person, even if they are cross-checked with other information.

The server performing the proxying must therefore implement a set of measures to limit the data transferred. The CNIL considers the following necessary, in principle:

– the absence of transfer of the IP address to the servers of the measurement tool;

– the replacement of the user identifier by the proxy server;

– the deletion of the information of the referring site (or “referer”) external to the site;

– the deletion of any parameter contained in the URLs collected (for example the UTMs, but also the URL parameters allowing the internal routing of the site);

– the reprocessing of information that may contribute to the generation of a fingerprint, such as “user-agents”, to remove the rarest configurations that may lead to re-identification;

– the absence of any collection of identifiers between sites (cross-site) or deterministic (CRM, unique ID);

– the deletion of any other data that could lead to re-identification.
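
The filtering step such a proxy would apply to each hit before forwarding it can be sketched as follows. This is an added example, not code from the CNIL or from any measurement tool: the hit field names, SITE_HOST, PROXY_SECRET and the use of a keyed hash to mint the replacement identifier are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "www.example.org"           # assumption: the measured site
PROXY_SECRET = b"known-only-to-proxy"   # assumption: secret held by the proxy only
ALLOWED = {"event", "page", "referrer", "user_agent", "client_id"}

def strip_query(url):
    """Drop every URL parameter and fragment (UTMs, internal routing)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

def generalise_user_agent(ua):
    """Reduce the user-agent to a coarse family; rare configurations become 'Other'."""
    # Order matters: Chrome user-agents also contain the token "Safari".
    for family in ("Firefox", "Chrome", "Safari"):
        if family in ua:
            return family + " (generic)"
    return "Other"

def sanitise_hit(hit):
    """Return the only payload the proxy forwards to the measurement tool."""
    # Allow-list: the IP address, CRM/cross-site IDs and unknown fields are dropped.
    out = {k: v for k, v in hit.items() if k in ALLOWED}
    out["page"] = strip_query(hit.get("page", ""))
    ref = hit.get("referrer", "")
    # External referrers are deleted; internal ones lose their parameters.
    out["referrer"] = strip_query(ref) if urlsplit(ref).hostname == SITE_HOST else ""
    out["user_agent"] = generalise_user_agent(hit.get("user_agent", ""))
    # The tool's identifier is replaced by one minted by the proxy.
    digest = hmac.new(PROXY_SECRET, hit.get("client_id", "").encode(), hashlib.sha256)
    out["client_id"] = digest.hexdigest()[:16]
    return out

# Constructed sample hit, as the proxy might receive it from a browser.
SAMPLE_HIT = {
    "event": "pageview",
    "page": "https://www.example.org/products/42?utm_source=news&session=abc",
    "referrer": "https://search.example.com/?q=private+query",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
    "client_id": "GA1.2.123456789.1650000000",
    "crm_id": "customer-7781",
    "ip": "203.0.113.7",
}

if __name__ == "__main__":
    print(sanitise_hit(SAMPLE_HIT))
```

The proxy then sends the sanitised payload in its own outbound request, so the measurement tool's servers see the proxy's address rather than the user's terminal.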

 

A list of alternative solutions

This is a very long list for an audience measurement specialist such as Google Analytics, which, like many other tools on the market, owes its success to the ever finer precision of its data. It’s a safe bet that these requirements cannot be met without drastically modifying the data collection model and transforming the product approach in depth.

In the meantime, the CNIL has published a list of audience measurement tools that can be exempt from consent when correctly configured. This list includes the tools that have already demonstrated to the CNIL that they can be configured to be limited to what is strictly necessary for the provision of the service, and thus do not require the user’s consent, in accordance with article 82 of the Data Protection Act. However, this list does not currently examine the issues raised by international transfers, especially the consequences of the “Schrems II” judgment.