Google Analytics custom features do not make transfers legal, according to CNIL

CNIL has announced that even with the use of Google Analytics custom features, transfers are still not legal. 

 

CNIL recently announced that even with the use of Google Analytics custom features, transfers are still not legal in the absence of a transfer deal between Europe and the US. This announcement was added to the Q&A on CNIL’s website as a point of clarification, after numerous businesses hoped that the customization tool could be used to allow data transfers to the US from Europe through Google Analytics. However, according to the CNIL, the use of this tool still does not comply with the GDPR despite the precautionary options now available.

 

While efforts have been made to replace the invalidated Privacy Shield, authorities say there is still a long way to go.

 

Earlier this year, CNIL sent out formal notices to a series of companies after deciding that data transfers to the US via Google Analytics were illegal. This decision was based on the Schrems II decision, which invalidated the Privacy Shield two years ago. While a decision to replace the deal was announced, there is still a long way to go. European Commission Vice-President Margrethe Vestager confirmed at the International Cybersecurity Forum earlier this month that negotiations are “finalised”, but that “a lot of work remains to be done.”

 

In the absence of the Privacy Shield, CNIL has addressed questions and concerns regarding other solutions that have been offered. 

 

While we await a replacement for the Privacy Shield, CNIL has been very vocal, providing clarification when necessary. The authority addressed a question on the possibility of configuring Google Analytics so as to avoid transferring personal data outside the EU. CNIL’s response to this was an unambiguous “no”, followed by an explanation that “the use of solutions proposed by companies subject to non-European jurisdictions is likely to pose difficulties in terms of access to data.” This remains the case even in the absence of a transfer, as Google has confirmed to CNIL that all data collected by Google Analytics is hosted on US soil.

 

Many of the proposed solutions are not deemed satisfactory as any personal data transferred to the US seems to be at risk. 

 

Google has proposed additional guarantees like anonymisation and encryption, but none of these solutions are deemed satisfactory by the CNIL. CNIL acknowledges that Google offers an IP address anonymisation feature. However, this does not apply to all transfers, and Google has been unable to demonstrate that this anonymisation happens before data is transferred to the US. Unique identifiers are also not a great solution, as users can be identified through the association of these identifiers with other data. The CNIL states that the encryption solutions offered by Google were ineffective, as Google offers and saves encryption keys, allowing the company to access personal data if it so wishes. As a result, any companies or organisations that wish to use the tool need to obtain explicit consent from the individuals concerned.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Stop using Google Analytics: CNIL gives formal notice to website managers.

CNIL has given formal notice to website managers to come into compliance and to stop using Google Analytics due to illegal EU – US Data transfers. 

 

CNIL has joined several other EU watchdogs in ordering website managers to stop using Google Analytics. As a result of several complaints being filed by NOYB against a total of 101 companies across the EU, the use of Google Analytics was found to be a violation of the GDPR and Schrems II. The service is commonly used to help business owners with traffic statistics for tracking visitors to their site; however, this assigns each visitor a unique identifier, which constitutes personal data, and the visitors’ information is then available to Google Analytics in the US. Currently, data transferred to the US is still not considered adequately protected, and as a result CNIL has given formal notice to the website managers to stop using Google Analytics, according to this recent report.

 

EU to US data transfers are currently deemed illegal if appropriate security measures are not applied, as the previously held Privacy Shield was invalidated by the Schrems II judgment.

 

Since the Schrems II judgment, in which the CJEU highlighted the risk that the American intelligence services could access personal data transferred to the United States if the transfers were not properly supervised, companies and organisations across the EU have been ordered to stop using various US services, one of which is Google Analytics. In a recent blog, we covered a sanction imposed on the European Parliament by the EDPS for the use of Google Analytics. CNIL, in its recent report, stated that in total, 101 complaints were filed by NOYB across 27 Member States of the European Union and the three other States of the European Economic Area (EEA), over alleged data transfers to the US.

 

CNIL reiterates that in the absence of an adequacy decision, EU – US transfers are not sufficiently protected. 

 

The CNIL has noted that any personal data of Internet users which is transferred to the United States is transferred in violation of Article 44 of the GDPR. Article 44 covers data transfers to third countries, for which certain conditions must be met in order to ensure the security of that data. In the case of data transfers to the US, in the absence of an adequacy decision for data transfers, any data transferred from the EU to the US is considered unprotected. Due to US laws, this data can be accessed by US intelligence, making these data transfers unsafe, and therefore also illegal, under the GDPR.


Explore alternatives to Google Analytics: advice from the Norwegian DPA

With multiple European authorities ruling against the use of this service, the Norwegian DPA suggests that companies explore alternatives to Google Analytics. 

 

In a recent blog, we covered why the use of Google Analytics (and Stripe) by the European Parliament was considered a violation of the Court of Justice’s (CJEU) “Schrems II” ruling on EU-US data transfers. After multiple European authorities have ruled against the use of Google Analytics, and the illegal transfer of data to the US, the Norwegian DPA has suggested in this report that companies seek alternatives to the use of Google Analytics, as the pattern of companies and organisations being sanctioned over their use of the service is very likely to continue.

Personal data transferred from the EU to the US is subject to very strict conditions, and may quite likely be illegal. 

 

The Austrian Data Inspectorate (DSB) recently investigated a website’s use of Google Analytics. They concluded that the use of Google Analytics means that personal information is sent to the United States, and that therefore, the use of Google Analytics may be illegal. In light of the Schrems II ruling from the European Court of Justice, the Austrian DPA came to the conclusion that this transfer was indeed illegal. With the use of Google Analytics, it is possible to de-identify the IP addresses of website users; however, it is important to note that this will not solve the problems identified by the Data Protection Authorities. The Austrian DPA has pointed out that Google Analytics also involves cookies, and they believe that if a user is already logged in to a Google account, it is possible to link the analysis data to their Google account.

 

The Norwegian DPA foresees further sanctions for the use of the service and urges organizations to explore alternatives to the use of Google Analytics. 

 

The Norwegian Data Protection Authority is also currently dealing with two cases involving the use of Google Analytics. Although the Authority has not concluded in these cases, they will look at European practice in case processing. “We know that there will also be more decisions about Google Analytics from other European data regulators. Therefore, we now recommend everyone to explore alternatives to Google Analytics.” says section chief Tobias Judin. Transferring data to the US is not inherently illegal; however, a number of measures need to be implemented in order to ensure that this is legal. In many of these cases, these measures are not in place. For this reason, the Norwegian DPA is suggesting that organisations explore alternatives to Google Analytics. It is also important to note that other website tools may also send personal information to the United States. Some tools send much more data than Google Analytics does. Therefore, it is important that website owners have a full overview of what tools they use and what personal information they process through the tools. If it is found that personal data is being transferred to the US through these tools, website owners may need to stop the use of these tools immediately, as serious cases may result in sanctions.
