Google Analytics custom features do not make transfers legal, according to CNIL
CNIL has announced that even with the use of Google Analytics custom features, transfers are still not legal.
CNIL recently announced that even with the use of Google Analytics custom features, transfers are still not legal in the absence of a transfer deal between Europe and the US. This announcement was added in the Q&A on CNIL’s website, as a point of clarification, after numerous businesses hoped that the customization tool could be used to allow data transfers to the US from Europe through Google Analytics. However according to the CNIL, the use of this tool still does not comply with the GDPR despite the precautionary options now available.
While efforts have been made to replace the invalidated Privacy Shield, authorities say there is still a long way to go.
Earlier this year, CNIL sent out formal notices to a series of companies after deciding that data transfers to the US via Google Analytics were illegal. This decision was based on the Schrems II decision which invalidated the Privacy Shield two years ago. While a decision to replace the deal was announced, there is still a long way to go. European Commission Vice-President Margrethe Vestager confirmed at the International Cybersecurity Forum earlier this month, that negotiations are “finalised”, however that “a lot of work remains to be done.”
In the absence of the Privacy Shield, CNIL has addressed questions and concerns regarding other solutions that have been offered.
While we await a replacement for the Privacy Shield, CNIL has been very vocal, providing clarification when necessary. The authority addressed a question on the possibility of configuring Google Analytics so as to avoid transferring personal data outside the EU. CNIL’s response to this was an unambiguous “no”, followed by an explanation that “the use of solutions proposed by companies subject to non-European jurisdictions is likely to pose difficulties in terms of access to data.” This remains the case even in the absence of a transfer, as Google has confirmed to CNIL that all data collected by Google Analytics is hosted on US soil.
Many of the proposed solutions are not deemed satisfactory as any personal data transferred to the US seems to be at risk.
Google has proposed additional guarantees like anonymisation and encryption but none of these solutions are deemed satisfactory by the CNIL. CNIL acknowledges that Google offers an IP address anonymisation feature. However, this does not apply to all transfers, and Google has been unable to demonstrate that this anonymisation happens before data is transferred to the US. Unique identifiers are also not a great solution as their use can be identified through their association with other data. The CNIL states that the encryption solutions offered by Google were ineffective, as Google offers and saves encryption keys, allowing the company to access personal data if it so wishes. As a result, any companies or organisations who wish to use the tool need to obtain explicit consent from the individuals concerned.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.