On the usage of Google Analytics: are you violating the GDPR?
In February 2022, the French data protection authority, the CNIL, in cooperation with its European counterparts, followed the Austrian data protection authority in declaring the use of Google Analytics unlawful.
What is Google Analytics?
Google Analytics is the most widely used statistics and basic analytics program on the market for search engine optimization (SEO) and marketing purposes. It is a functionality that website operators can integrate to measure the number of visitors to their site. In this context, a unique identifier is assigned to each visitor. This user identifier constitutes personal data under the GDPR, and therefore any access to that identifier from a location outside the European Economic Area (EEA) constitutes an international transfer of personal data under EU data protection law.
The personal data that is processed through this service includes the user IP address and the user ID.
In 2020, the Vienna-based non-profit organization noyb – European Center for Digital Rights filed 101 complaints in the 27 member states of the European Union and the three additional countries that are part of the EEA concerning data transfers to the United States through the use of Google Analytics.
How it all started
In July 2020, the Court of Justice of the European Union (CJEU), in its judgment known as Schrems II, invalidated the Privacy Shield, the EU-US legal framework regulating transfers of personal data for commercial purposes between the EU and the U.S. The Privacy Shield was an adequacy decision of the EU Commission allowing the transfer of personal data from the EEA (the EU plus Norway, Liechtenstein and Iceland) to the US without further safeguards being necessary.
Since Schrems II, appropriate safeguards must be put in place to control the transfer of data to the USA. The CNIL, the French data protection regulator, found that this was not the case for Google Analytics. Even though Google has adopted additional measures to control data transfers in connection with the Google Analytics functionality, the CNIL deemed them insufficient, as they do not exclude the possibility of access to the data by U.S. intelligence services. There was therefore a risk for the users of a French site that uses this tool and whose data is subsequently exported to the USA.
Online identifiers, such as IP addresses, can be used as means to identify a user, especially when combined with other similar types of information.
As a result, the operator of the website processing the personal data of French data subjects in the case presented before the CNIL was given a 1-month notice to comply with the GDPR, by ceasing to use the Google Analytics functionality if necessary or by using a tool that does not involve a transfer outside the EU and thus localizing data transfers within the EU. This decision sets a precedent in France, according to which the use of Google Analytics with no additional safeguards does not comply with the GDPR and must thus be prohibited. The CNIL also affirmed that audience measurement and analytics tools should solely produce anonymous statistical data if the consent of the data subject is not obtained.
Even if the CNIL is only one of 27 data protection authorities in the EU, its decision reflects the CJEU decision to invalidate the EU-USA Privacy Shield. Thus, it is reasonable to say that the other European authorities would go in the same direction and that the use of Google Analytics will be confirmed as not offering a sufficient level of security allowing for the transfer of personal data with no additional safeguards.
I am based in the United States, why is that of importance for me?
The GDPR has an extraterritorial effect, which means that every entity that processes personal data of residents of the European Union or the European Economic Area, regardless of where it is based, must comply with the GDPR. This is where the use of Google Analytics by US-based companies may become problematic: if your website is accessible to residents of the EU or the EEA and you use the Google Analytics functionality, you will automatically be storing, and thus processing in the U.S., personal data of data subjects who are protected by the GDPR. Arguing that you do not intend to study consumers’ behaviour on the web and that you do not intend to use the data for sales is not a solution, as Google Analytics is programmed to do exactly that: it helps its users identify trends and patterns in how visitors engage with their websites. The problem lies in the design of Google Analytics itself. Furthermore, regardless of the purpose of the processing, it poses undeniable problems, as the risk of access by U.S. intelligence services remains.
Is it possible to use Google Analytics in compliance with the GDPR?
The CNIL suggested in its decision that there is no way to use Google Analytics without contravening the GDPR. Let’s dig deeper into this claim.
If you are based in the US, it would for instance be possible to use Google Analytics and conform to the GDPR if you block access by EU or EEA residents to the web pages where the functionality is enabled. Their personal data would thus not be collected. This could be done through an analysis of the users’ URL, or through a questionnaire upon entry to the website. The latter would ask where the users are from and, if they indicate that they are from the EU or the EEA, it would collect their express consent to the processing of their personal data or, if they refuse to give that consent, block their access to the website. For instance, you could ask for their consent to the use of Google Analytics and the related international data transfers in a cookie banner. It is important that they understand all the risks to their personal data that could arise from consenting to have it processed through your site.
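The consent-banner approach described above can be enforced in the page itself: the Google Analytics tag is injected only after an explicit "granted" choice has been recorded, so a visitor who has refused (or not yet answered) never has an identifier or IP address sent to Google. This is an added illustration, not code from the article or from Google; the storage key, the stand-in storage and document objects, and the measurement ID `G-XXXXXXXXXX` are placeholders chosen for the example.

```javascript
// Consent-gated loading of Google Analytics (gtag.js). Example code added
// for illustration; not from the article or from Google.
const CONSENT_KEY = "ga_consent";   // our own storage key (assumption)
const GA_ID = "G-XXXXXXXXXX";        // placeholder measurement ID, not a real property

// Returns "granted", "denied", or null when the visitor has not chosen yet.
function readConsent(storage) {
  const v = storage.getItem(CONSENT_KEY);
  return v === "granted" || v === "denied" ? v : null;
}

// Records the visitor's choice from the banner; anything else is rejected.
function recordConsent(storage, choice) {
  if (choice !== "granted" && choice !== "denied") {
    throw new Error("consent must be 'granted' or 'denied'");
  }
  storage.setItem(CONSENT_KEY, choice);
  return choice;
}

// Injects the gtag.js loader only if consent was explicitly granted.
// Returns true when the tag is present afterwards, false when the page
// must keep showing the banner (no choice yet) or stay analytics-free (denied).
function loadAnalyticsIfConsented(storage, doc) {
  if (readConsent(storage) !== "granted") return false;
  if (doc.getElementById("ga-loader")) return true;   // never inject twice
  const s = doc.createElement("script");
  s.id = "ga-loader";
  s.async = true;
  s.src = "https://www.googletagmanager.com/gtag/js?id=" + GA_ID;
  doc.head.appendChild(s);
  return true;
}

// Minimal stand-ins for window.localStorage and document so the logic can be
// exercised outside a browser; in a real page pass the browser objects instead.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => { m.set(k, String(v)); } };
}
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return { head,
           createElement: tag => ({ tag }),
           getElementById: id => head.children.find(el => el.id === id) || null };
}
```

In a real page, call `loadAnalyticsIfConsented(localStorage, document)` on load and again from the banner's "accept" handler after `recordConsent(localStorage, "granted")`.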
When it comes to the adoption of additional specific measures to ensure the protection of transferred personal data, standard contractual clauses (SCCs) on their own are not enough. The CJEU itself declared that SCCs might not constitute sufficient means of ensuring the effective protection of personal data transferred to third countries [1].
But what exactly are SCCs? Generally speaking, such additional safeguards can be used to remove the risk to the rights of the individuals concerned by the data transfer. Indeed, the GDPR provides that personal data should enjoy an effective level of protection in the third country that is equivalent to the level existing within the EU. SCCs provide contractual safeguards to that effect. However, SCCs are of a contractual nature, which means that the national authorities (i.e., the American authorities in this case) are not bound by them, as they only apply to the two contracting parties. Thus, SCCs are not sufficient to guarantee the protection of personal data processed through the Google Analytics functionality.
The additional measures that have been implemented by Google following the Schrems II decision have also been considered by some national authorities of EU member states as not sufficient to guarantee the security of the personal data.
In conclusion, the situation surrounding the use of Google Analytics when it comes to the personal data of EU data subjects is complicated and at times ambiguous.
However, it seems that it is generally not safe to use this particular statistics program under the current conditions if you want to ensure your compliance with the GDPR, even if you are based in the U.S.
This does not mean that you have to renounce any use of a web analytics platform. Indeed, some alternatives that are deemed more respectful of users’ personal data exist. Here are some alternative services that have been approved by the CNIL [2] for the processing of personal data of EU data subjects: Analytics Suite Delta of AT Internet (in its version available on March 30, 2021), SmartProfile of Net Solution Partner in its version 21, Wysistat Business of Wysistat in its version 12.1, etc. For more alternatives, please refer to the following page of the CNIL (in French).
It is also very important to follow developments in the law in this field. Indeed, more national authorities of EU Member States are expected to decide whether the use of Google Analytics under its current conditions does indeed violate the GDPR. It is important for businesses and startup founders alike to stay up to date with their legal obligations.
Our law firm members are admitted to practice in the U.S., in France, in England and in Canada. We also have particular expertise in EU privacy and data protection law. Contact us today!
[1] CJEU, Schrems II, par. 126.
[2] “Cookies: solutions pour les outils de mesure d’audience”, CNIL, 23 September 2021, online: https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/cookies-solutions-pour-les-outils-de-mesure-daudience (accessed 23.05.2022).
—
This article has been written with the participation of Irina Gueorguiev