CNIL CLOSES ALMOST ALL DOORS TO GOOGLE ANALYTICS IN FRANCE
- 13 Jun 2022
The “Commission Nationale de l'Informatique & des Libertés” (CNIL) published this Tuesday, June 07, 2022 a list of Questions and Answers following the formal notice of the CNIL concerning the use of Google Analytics.
And in answer to the question "Is it possible to configure the Google Analytics tool so as not to transfer personal data outside the European Union", the CNIL simply replied with a "No.".
As a reminder, it is because of the data transfers outside the European Union, that the CNIL put on notice on February 10, 2022 several French website managers who use Google Analytics to stop using it. The CNIL has concluded that these data transfers to the United States are not sufficiently regulated because they can allow American authorities to have access to them, which violates the GDPR rules.
On 25 March, the EU and the US announced an agreement aiming to provide a satisfactory framework for data flows to the US, but this remains only a political announcement. As the European Data Protection Committee (EDPS) notes in its statement of 06 April 2022, this announcement does not constitute a legal framework on which data exporters can base their transfers to the United States.
Alongside the discussions between the EU and the US, Google wants to satisfy the CNIL rather than see all its customers migrate to more GDPR-friendly solutions. However, we notice, through the publication of the Questions and Answers, that none of the additional guarantees offered allows to make the use of Google Analytics legal. Indeed, neither encryption nor pseudonymisation nor standard contractual clauses are considered by the CNIL to be sufficient to ensure a good level of protection in the event of an access request by the American authorities.
SIMPLY PUT, THE USE OF GOOGLE ANALYTICS MUST NOW BE CONSIDERED ILLEGAL UNDER GDPR.
However, as indicated in the title of the article, the CNIL has not closed all doors to the use of Google Analytics, it offers a possible solution: “Proxyfication”. This solution aims to avoid direct contact between the user’s terminal and the servers of the measurement tool (see images below/ CNIL source). The implementation of this solution must nevertheless respect a number of conditions.
But even according to the CNIL «The implementation of the measures described can be costly and complex and does not always meet the operational needs of professionals», and even advises “use a solution that does not transfer personal data outside the European Union.”
FINALLY, WE CAN INFER THAT THE CNIL IMPLICITLY INDUCES TO SWITCH TO A HEARING MEASUREMENT TOOL THAT CAN BE CONFIGURED TO MEET THE GDPR FRAMEWORK.
Currently, the CNIL has compiled a list of tools that could replace Google Analytics.
We consider the following two solutions as excellent alternatives:
- AT Internet, a French GDPR-compliant solution that stores data within the European Union. AT Internet can even benefit from the exemption of consent according to the configuration of the tool.
- Matomo, formerly known as Piwik, is an open source web analysis software that offers the possibility of a free installation on its server to manage the collection, storage, security and processing of its data.
These web analytics solutions can also be accompanied by Contentsquare, which allows for further analysis on the user journey.