What's happened?
Google’s website statistical analysis tool, Google Analytics, has been subject to a series of data protection non-compliance findings in early 2022, where the aftermath of them continues to linger. These data protection non-compliance findings have been from the French, Italian and Austrian supervisory authorities, who have determined that Google Analytics data transfers were non-complaint with EU GDPR.
These findings stem from the Court of Justice of the European Union (CJEU) judgment from 16 July 2020, which held that the mechanism of the EU-US Privacy Shield, which enabled free flow of data between the European Union and the United States was invalid with immediate effect at the time. The CJEU concluded that the mechanism did not provide adequate safeguards against the risk of unlawful access by US authorities to European residents’ personal data. This major ruling was referred to as “Schrems II”.
The aftermath of Schrems II has had significant consequences. It is generally much more difficult to compliantly transfer personal data to the United States, as well as to other countries outside the UK and European Union (to the extent that there is not an Adequacy Regulation or Adequacy Decision in respect of such countries under the UK GDPR or EU GDPR, as applicable). To do so, one must demonstrate that personal data is subject to protections which are essentially equivalent to those under UK or European law (as applicable). Given the need to deal with concerns regarding the ability of the US intelligence services to access data, this is a difficult threshold to meet. These transfers can therefore, only take place if additional technical, legal, and organisational safeguards are put in place by the organisations to provide the necessary safeguards.
A number of European supervisory authorities have thus, sought to outlaw the use of Google Analytics for the types of purposes used by many public and private organisations. This includes the French supervisory authority, Commission Nationale Informatique & Libertés (CNIL). CNIL has highlighted that Google Analytics when measuring and analysing website visits, assigns a unique identifier to each visitor, which constitutes personal data. CNIL has then focused on the fact that this unique identifier, together with the associated data, are transferred by Google to the United States, without sufficient safeguards to exclude the accessibility of the personal data from the intelligence services in the United States. As a result, CNIL has issued orders in early 2022 to website operators to stop using Google analytics.
Implications
What is clear from the CNIL decision, is that the use of Google Analytics is not something which organisations can undertake without being in breach of the EU GDPR. Since the EU GDPR and UK GDPR are currently broadly similar in terms of content and interpretation, and as the Schrems II judgement is applicable to the UK, as it occurred pre-Brexit, one would assume that the same reasoning would apply under both regimes.
Although Google disagrees with the findings, believing that it has included appropriate supplementary measures to deal with the Schrems II decision, CNIL clearly seems to have a different opinion, confirming that:
- “the measures put in place by Google are not sufficient to exclude the possibility of access to data of European residents;
- the data of European Internet users is therefore illegally transferred through this tool.”
In May 2022, Google has included additional control preferences in its Google Analytics tool, to manage and restrict the collection of granular location and device data, as well as ‘Google-signals data’ on a per region basis, noting that website operators can then choose to stop collecting and transmitting the following data:
- City
- Latitude (of city)
- Longitude (of city)
- Browser minor version
- Browser User-Agent string
- Device brand
- Device model
- Device name
- Operating system minor version
- Platform minor version
- Screen resolution
Although, Google notes that when the changes are made to cease collection of the above data by a website operator via their settings, historical data is still retained as per the website operator’s retention settings.
With regard to ‘Google Signals’, Google describes this as: “session data from sites and apps that Google associates with users who have signed in to their Google accounts, and who have turned on Ads Personalization. This association of data with these signed-in users is used to enable cross-device reporting, cross-device remarketing, and cross-device conversion export to Google Ads.”
As is apparent from the above, Google Analytics is capable of collecting a wide data set, depending upon the configuration – so it is clearly more than just an identifier that is of concern.
Although Google’s changes to some settings seems to mitigate the collection and flow of information, it is still unlikely to address CNIL’s concerns.
Key points for organisations
Organisations using the Google Analytics tool will need to take the current observations from supervisory authorities such as CNIL into account. Furthermore, as the above illustrates for those which persist with the use of Google Analytics, they will need to be more mindful of the settings chosen for Google Analytics as well (taking into account their accountability obligations under UK and EU GDPR with regard to aspects such as purpose limitation, data minimisation and storage limitation) - as the website operators will be the controllers of such information, and therefore, responsible and liable for any EU or UK GDPR ‘fallouts’.
CNIL has also made reference to Google using EU standard contractual clauses (SCC) adopted by the EU Commission to seek to legitimise the international personal data transfer. However, as per the Schrems II decision, it has reiterated that the implementation of standard contractual clauses alone is not sufficient to use Google Analytics in compliance with EU GDPR, as this will not offer adequate safeguards in the event there is a request for access from foreign authorities.
CNIL has suggested that in order to ‘break the link’ between an individual’s device and the Google servers, organisations may be able to use a proxy server, which anonymises personal data before it is sent to Google in the USA, provided that this does not allow for reidentification of the individual. Of course, depending upon what mechanism is used, may also take away from what an organisation is seeking to do in the first place with the use of Google Analytics.
As a more important point for organisations, one has to bear in mind that Google Analytics has received this much scrutiny already, and many may consider it relatively innocuous data – yet, has your organisation considered what it is doing with its more substantive data, such as consumer or staff data which is being transferred internationally? - As the ramifications for getting those transfers wrong will clearly be much more significant!
How we can help
International personal data transfers give rise to a number of legal considerations, including (amongst others):
- Undertaking Transfer Risk Assessments (TRAs) and Data Protection Impact Assessments (DPIAs).
- Updating Privacy Notices.
- Completing IDTAs and SCCs.
- Preparing Data Processing Agreements.
- Undertaking Controller, Processor or Joint Controller assessments.
Mills & Reeve’s National IT, Data Protection and Cyber Law Team can assist your organisation with all of these and other legal requirements.
Please feel free to get in touch to arrange an initial consultation call.