The National Commission on Informatics and Liberty’s (“CNIL”) scrutiny of cookies compliance continues. Earlier this year, CNIL fined Google 150m euros and Meta 60m euros for inadequately facilitating the refusal of cookies.
This finding by CNIL is predicated on the Court of Justice of the European Union’s (“CJEU”) ruling in Schrems II, which held that transfers to U.S. providers falling under FISA 702 and EO 12.333 violate the EU GDPR’s rules on international data transfers; as a consequence, Privacy Shield was invalidated. Privacy Shield was the mechanism EU organisations relied on (prior to the CJEU’s ruling in this case) to transfer data to the U.S. The EU-US data transfer landscape has therefore been severely impacted by Schrems II, leading to significant scrutiny of EU-US data transfers, and this decision by CNIL could arguably have a significant impact too.
What does this mean for your organisation?
The international transfer implications of Schrems II are deemed to apply in the UK by the ICO and they have published a draft Transfer Risk Assessment tool (“TRA”) to be used to assess the risks to individuals associated with transfers to third countries using the UK International Data Transfer Agreement (the UK’s version of Standard Contractual clauses). Having said that, the Department for Digital, Culture, Media and Sport (“DCMS”) has made it clear that the United States is a top priority for a data transfer ‘partnership’ or adequacy agreement. Given this, it feels unlikely that we’ll see a similar finding against Google Analytics from the ICO (but we’re speculating on this point).
What options do organisations have now?
Following CNIL’s decision last week, in reality there are only two options for organisations. Firstly, businesses could stop using GA and seek an alternative provider, ideally one based in the EU/UK, or one that can sufficiently guarantee adequate safeguards are in place, for example because it benefits from an adequacy regulation/decision, or because the Standard Contractual Clauses (“SCCs”)/International Data Transfer Agreement (“IDTA”) can be used (alongside supplementary measures if required).
The second option is for organisations to continue using GA. Obviously, in France/Austria its use would likely be deemed to breach the GDPR, so the risks of regulatory enforcement for using GA on websites in these countries are much higher compared to the UK (or, currently, other countries in the EU). If an organisation chooses to continue using GA, in light of the adverse findings in France and Austria, we recommend organisations:
- Carry out a transfer risk assessment/transfer impact assessment (whichever is applicable) to assess the risks posed by the transfer;
- Turn on GA’s IP anonymisation feature;
- Enter into SCCs/IDTA (whichever is applicable) to contractually oblige Google to afford the same protections to the data transferred as under the EU/UK GDPR and subsequently implement any appropriate supplementary measures, if necessary; and
- Document the potential risk of non-compliance and communicate the risk to relevant stakeholders. Organisations that operate French/Austrian websites should highlight the higher risk in these countries.
Aside from considering the rules concerning international transfers, organisations should ensure they obtain consent from website users before placing GA cookies on their device, via a data-protection-compliant cookie banner, and ensure their website’s cookie notice states that they use GA and for what purpose. The fact that data is shared outside the UK/EU should also be included in this notice.
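As an added illustration of two of the steps above (not code from the original post), the following snippet loads Universal Analytics via gtag.js only after the visitor has opted in to analytics cookies, and enables Google’s documented `anonymize_ip` setting. The property ID is a constructed placeholder, and the shape of the stored consent record (`{ analytics: boolean }`) is an assumption; the script loader and `gtag` function are injected so the logic can be exercised outside a browser.

```javascript
// Added example: consent-gated Google Analytics with IP anonymisation.
// Placeholder property ID (constructed); replace with your own.
const GA_PROPERTY_ID = "UA-00000000-0";

// gtag.js config for Universal Analytics with IP anonymisation turned on.
// 'anonymize_ip' is Google's documented parameter for this feature.
function buildGaConfig() {
  return { anonymize_ip: true, send_page_view: true };
}

// Load GA and let it set cookies only once analytics consent is recorded.
// `consent` is the record written by the cookie banner (assumed shape:
// { analytics: boolean }). `loadScript` and `gtag` are injected dependencies.
function initAnalytics(consent, { loadScript, gtag }) {
  if (!consent || consent.analytics !== true) {
    // No script, no cookie, no transfer to Google before opt-in.
    return { loaded: false, reason: "no analytics consent" };
  }
  loadScript(`https://www.googletagmanager.com/gtag/js?id=${GA_PROPERTY_ID}`);
  gtag("js", new Date());
  gtag("config", GA_PROPERTY_ID, buildGaConfig());
  return { loaded: true, reason: "consent granted" };
}

// Stand-alone run with stubbed browser calls; records what would be invoked.
function demo(consent) {
  const calls = [];
  const result = initAnalytics(consent, {
    loadScript: (src) => calls.push(["script", src]),
    gtag: (...args) => calls.push(["gtag", ...args]),
  });
  return { result, calls };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo({ analytics: false })); // nothing loaded, no calls
  console.log(demo({ analytics: true }));  // script loaded, config sent
}
```

In a real deployment the banner writes the consent record before this code runs, and the denied branch must also hold when no record exists at all, as the first check above ensures.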
In addition to the suggested steps above, it would be prudent to keep any decision to continue using GA under review and to maintain a watching brief on any rulings or changes in legislation affecting cookies in the EU and UK.
As a specialist data protection consultancy, evalian® is well placed to assist you with navigating the law governing cookies. If you would like an informal conversation on how we can assist, please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.