France's data protection watchdog, the CNIL, has issued updated guidance on use of Google Analytics following a decision earlier this year that found a local website's use of the tool to be in breach of European Union law.
It has also confirmed that it has since issued formal notices to other organizations to bring their use of Google Analytics into compliance.
The legal issue -- which does not just affect use of the popular analytics tool in France but across the entire EU -- hinges on user data being transferred to the U.S. for processing by Google -- an export of personal data that lacks adequate legal protections in the wake of a 2020 decision by Europe's top court that invalidated a flagship data transfer agreement (aka, the EU-U.S. Privacy Shield) over the risk of unlawful access to Europeans' data by U.S. intelligence agencies.
Since then, the EU and the U.S. announced (in March) a political deal on a replacement transfer mechanism.
But, as the CNIL notes, their joint statement is not a legal framework and cannot be relied upon by users of U.S. cloud services that take Europeans' data over the pond for processing ahead of an actual replacement deal being formally adopted by the EU -- which the Commission has suggested may not happen until the end of the year. (It will also almost certainly face fresh legal challenges to test whether the deal is just as flawed as the earlier ones, as data protection experts suspect.)
So the bottom line is EU websites can either make changes to their use of Google Analytics or risk regulatory enforcement -- which could include an order to amend their processes and a financial penalty for being in breach. And it's likely that the risk of fines for non-compliance is stepping up now that regulatory guidance on the issue is getting more detailed because it means there are fewer plausible excuses for not having made the necessary changes.
"All data controllers using Google Analytics in a similar way to [already notified] organizations must now consider this use as illegal under the GDPR. They must therefore turn to a service provider offering sufficient guarantees of conformity," the CNIL warns in the guidance [which we've translated from French with machine translation].
Any sites that get a formal notice from the regulator about their use of Google Analytics are given one month to comply -- with the possibility of a further month's extension.
The CNIL's FAQ on use of Google Analytics goes on to suggest it is essentially impossible for EU based organizations to use the tool without applying certain additional safeguards of their own.
"None of the additional guarantees presented to the CNIL as part of the formal notice would prevent or render ineffective the access of U.S. intelligence services to the personal data of European users when using the Google Analytics tool alone," it writes in response to the question of whether it's possible to rely on additional safeguards Google claims it applies to the tool.
Standard contractual clauses also do not suffice to bridge the legal gap on data exports, the CNIL also emphasizes -- noting that it's not possible to configure Google Analytics so that it does not transfer Europeans' personal data outside the bloc and further warning: "Even in the absence of transfer, the use of solutions offered by companies subject to non-European jurisdictions is likely to pose difficulties in terms of access to data. Indeed, organizations may be obliged by authorities of third countries to disclose personal data hosted on servers located in the European Union."
Per the FAQ, possible additional safeguards that EU-based users of Google Analytics might be able to apply to use the tool without breaching the law are limited to: Encryption (but only if the keys are held under the exclusive control of the data exporter or other entities established in a territory offering an adequate level of protection); or a proxy server (to avoid any direct contact between the internet user's terminal and the servers of the measurement tool).
The regulator suggests that obtaining explicit consent from users to a data transfer may also stand -- but only in exceptional circumstances, as the CNIL notes that the derogation cannot be used for systematic transfers (which are essentially what Google Analytics data flows are). So explicit consent is not a viable fix even if you thought it's a good idea to disrupt every visitor with such a request.
The CNIL has previously published a list of alternative analytics tools it has determined can be configured in such as way as to avoid the general need to obtain user consent for processing data. However it warns that list does not take account of the international transfers issue -- ergo, site owners still need to do their own leg work to determine whether alternative analytics tools, say offered by an EU-based software maker that carries out all processing in the EU, might offer a less legally risky option than Google Analytics.
Other EU data protection authorities (such as Austria's) have also been issuing websites with decisions pertaining to non-compliant use of Google Analytics.
The regulatory scrutiny followed a series of complaints filed by EU privacy advocacy group, noyb, back in August 2020 -- targeting Google Analytics and Facebook Connect. So while Google's analytics tool has been first in line for DPA decisions, the issue is not limited to Google nor to analytics tools and may affect many more U.S.-based services with customers in the EU.
Google was contacted for a response to the CNIL's guidance.