The Danish Cnil considers that the use of Google Analytics remains inconsistent with the GDPR, despite the options added after the warnings of several European counterparts.
Is proxying the best way to bring Google Analytics into compliance with the GDPR? The Cnil has, in any case, devoted a guide to it, published in early June. In the background is a decision that the authority had issued in February. Its conclusion: the audience measurement tool does not comply with European regulations, even when its settings are modified. The problem: transfers of personal data to the United States, without the required level of protection*.
Its Austrian counterpart had got the ball rolling in January, with broadly the same conclusion. In this case of European scope (101 complaints filed in 30 countries), the Italian Cnil followed suit in June.
The latest decision came this week in Denmark. Despite the improvements that Google has made in recent months, the options offered by the tool are still not enough to make it compliant, the national authority ruled. More measures need to be taken, it says.
Encryption, consent, pseudonymization… Which avenues?
What improvements are we talking about? In particular, additional filters that make it possible not to collect certain data, notably data relating to users' devices (OS, browser, etc.). However, even once these filters have been activated, Google Analytics continues to collect personal data. At the top of the list: a unique identifier for each visitor.
According to Google, these identifiers cannot be considered personal data. This is not the opinion of the Danish Cnil. It considers that this information can make it possible to identify individuals: "identify" not necessarily in the sense of "give a name" or "associate an identity", but simply in the sense of "distinguish an individual within a group". Its reasoning is based on an interpretation, which it admits to be "broad", of the preamble of the GDPR. The position is not new, however, the authority points out. In 2007, the CNIL adopted a common position on the matter, under the aegis of the Article 29 working group (which was to become the EDPS).
The Cnil acknowledges in its guide that the proxy approach can be costly and complex to set up. Its Danish counterpart does not comment on this subject, but offers other countermeasures. Among them is encryption, which is effective… provided that the keys are not in Google's hands; and with Analytics, they are.
Second solution: obtain the consent of the persons concerned (here, website visitors). The law allows this legal basis to be relied on in specific situations, the Danish Cnil admits, but that "should remain the exception". In the case of Google Analytics, however, it would become the general rule, since the transfer to the United States applies to all data collected.
Third solution, recommended in particular by the EDPB: pseudonymization. Here again, the ideal way to implement it is to go through a proxy server and, in any case, to take into account other data that the American authorities may hold about the persons concerned.
Google Analytics connected directly to the US?
For those who do not use a proxy, Google Analytics includes an option that "anonymizes" IP addresses. It zeros the last octet (in IPv4) or the last 80 bits (IPv6). According to the American group, the operation is carried out "as quickly as technically possible". Its statements to the Cnil did not, however, allow the authority to determine whether this happens before or after the transfer of the data to the USA.
It is assumed here that the initial collection is done on servers in the EU. The documentation of Google Analytics does indeed contain elements that point in this direction. The choice of data center is based on the visitor's IP. This can cause problems, argues the Danish Cnil, if visitors are near a data center located on American soil. As part of this "direct" connectivity, it can be assumed that Google has firewalls in place that log incoming traffic, producing data that could be cross-referenced with that collected by Analytics.
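The IP masking rule and the proxy-side pseudonymization described above, as an added example that is not from the article, the Cnil guide or Google: a proxy scrubs each hit before forwarding it, so the masking happens before any transfer. The field names `ip` and `cid`, the HMAC scheme and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Assumption: a secret that exists only on the site operator's proxy.
PROXY_KEY = b"constructed-demo-key"


def mask_ip(raw: str) -> Optional[str]:
    """Zero the last octet (IPv4) or the last 80 bits (IPv6).

    Returns None for unparsable input so the caller forwards no address
    at all instead of passing on a malformed but still identifying string.
    """
    try:
        addr = ipaddress.ip_address(raw.strip())
        keep = 24 if addr.version == 4 else 48  # 32 - 8 bits, 128 - 80 bits
        net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    except ValueError:
        return None
    return str(net.network_address)


def pseudonymize_id(visitor_id: str, key: bytes = PROXY_KEY) -> str:
    """Swap the visitor identifier for a keyed hash (HMAC-SHA256).

    Without the key, the recipient cannot recompute or reverse the mapping.
    """
    return hmac.new(key, visitor_id.encode("utf-8"), hashlib.sha256).hexdigest()


def scrub_hit(hit: dict) -> dict:
    """Return a scrubbed copy of a hit (hypothetical field names ip, cid)."""
    out = dict(hit)
    out["ip"] = mask_ip(hit.get("ip", ""))
    out["cid"] = pseudonymize_id(hit["cid"])
    return out


# Constructed sample hit: documentation address range, made-up identifier.
SAMPLE = {"ip": "203.0.113.77", "cid": "1234567890.1656000000", "page": "/pricing"}

if __name__ == "__main__":
    print(scrub_hit(SAMPLE))
    print(mask_ip("2001:db8:85a3:8d3:1319:8a2e:370:7348"))
```

The scrubbed hit still carries a stable pseudonym and a truncated address, so the point above about other data the recipient may hold continues to apply.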
* As long as the so-called Safe Harbor and Privacy Shield agreements existed, they could be used to transfer personal data to the USA. But the Court of Justice of the European Union invalidated them in turn (Schrems and Schrems II cases). Google now relies on standard contractual clauses… which oblige it to put in place "adequate measures" to ensure a level of protection "substantially equivalent" to that guaranteed in the EU.