
CNIL finds Google Analytics breaches GDPR
The National Commission on Informatics and Liberty’s (“CNIL”) scrutiny of cookie compliance continues. Earlier this year, CNIL fined Google 150m euros and Meta 60m euros for failing to make refusing cookies as easy as accepting them.
In its most recent clamp down on the use of cookies, CNIL has found that the use of Google Analytics (“GA”) by a French website is incompatible with Article 44 of the EU GDPR, on the basis that the safeguards surrounding transfers of GA data to the U.S. “are not sufficient to exclude the accessibility of this data to U.S. intelligence services”. GA is an audience measurement and analysis tool. CNIL’s decision, which renders the use of GA unlawful, comes less than a month after the Austrian Data Protection Authority determined that the continued use of Google Analytics contravenes the EU GDPR.
This finding by CNIL is predicated on the Court of Justice of the European Union’s (“CJEU”) ruling in Schrems II, where it held that U.S. surveillance law (FISA 702 and EO 12333) does not give data transferred to U.S. providers protection essentially equivalent to that under EU law, and consequently invalidated Privacy Shield. Privacy Shield was a mechanism many EU organisations relied on (prior to the CJEU’s ruling in this case) to transfer data to the U.S. The CJEU left Standard Contractual Clauses in place, but only where the exporter assesses the destination country’s law and, where needed, adds supplementary measures; a contract alone cannot bind a foreign intelligence agency. As such, the EU-US data transfer landscape has been severely impacted by Schrems II, leading to significant scrutiny of EU-US data transfers, and this decision by CNIL could arguably have a significant impact too.
What does this mean for your organisation?
GA is commonly used by organisations across the UK and EU, so this finding from CNIL will be widely unwelcome. As mentioned above, this is not the first case where an EU data protection regulator has ruled against an organisation in relation to its use of cookies, and it is unlikely to be the last. However, in the UK, although the UK GDPR is practically identical to the EU GDPR (and the Schrems II decision applies to UK-US data transfers), the Information Commissioner’s Office (“ICO”) has yet to take enforcement action on cookies and there is no suggestion that it will do so anytime soon.
The ICO treats the international transfer implications of Schrems II as applying in the UK, and it has published a draft Transfer Risk Assessment tool (“TRA”) to be used to assess the risks to individuals associated with transfers to third countries under the UK International Data Transfer Agreement (the UK’s version of the Standard Contractual Clauses). Having said that, the Department for Digital, Culture, Media and Sport (“DCMS”) has made it clear that the United States is a top priority for a data transfer ‘partnership’ or adequacy agreement. Given this, it feels unlikely that we’ll see a similar finding against Google Analytics from the ICO (but we’re speculating on this point).
On the wider topic of cookie compliance in the UK, it is possible that the rules on cookies will become less stringent, as DCMS proposes to relax the consent rules for cookies within its wide-ranging consultation on data-related reform proposals. One option proposed by DCMS is to allow organisations to use analytics cookies and similar technologies without the user’s consent. The UK government’s second proposal is to allow the use of cookies without consent for other limited purposes, for instance where the processing is necessary for an organisation’s legitimate interests and the impact on the privacy of the individual is likely to be minimal.
What options do organisations have now?
Following CNIL’s decision last week, in reality there are only two options for organisations. Firstly, businesses could stop using GA and seek an alternative provider, ideally one based in the EU/UK, or one that can guarantee adequate safeguards, for example because it is established in a country covered by an adequacy regulation/decision, or because the Standard Contractual Clauses (“SCCs”)/International Data Transfer Agreement (“IDTA”) can be put in place (alongside supplementary measures where required).
The second option is for organisations to continue using GA. Obviously, in France/Austria its use would likely be deemed to breach the GDPR, so the risk of regulatory enforcement for using GA on websites in these countries is much higher than in the UK (or, currently, other EU countries). If an organisation chooses to continue using GA, in light of the adverse findings in France and Austria, we recommend that organisations:
- Carry out a transfer risk assessment/transfer impact assessment (whichever is applicable) to assess the risks posed by the transfer;
- Turn on GA’s IP anonymisation feature (noting that this truncates the visitor’s IP address before storage but does not stop other identifiers, such as the client ID in the _ga cookie, being sent to Google, so it reduces rather than removes the transfer risk);
- Enter into SCCs/IDTA (whichever is applicable) to contractually oblige Google to afford the same protections to the data transferred as under the EU/UK GDPR and subsequently implement any appropriate supplementary measures, if necessary; and
- Document the potential risk of non-compliance and communicate the risk to relevant stakeholders. Organisations that operate French/Austrian websites should highlight the higher risk in these countries.
Aside from considering the rules concerning international transfers, organisations should ensure they obtain consent from website users before placing GA cookies on their device, via a data protection compliant cookie banner, and ensure their website’s cookie notice states that they use GA and for what purpose. The fact that data is transferred outside the UK/EU should also be included in this notice.
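The two technical points above, switching on IP anonymisation and placing GA cookies only after consent, are illustrated by the following added example. It is not code from the original article and not Google’s stock snippet; it assumes a gtag.js deployment for a Universal Analytics property, and the property ID, the consent cookie name and its JSON layout are placeholders for whatever the site’s own cookie banner writes.

```javascript
// Added example (not from the original article, not Google's own snippet):
// load Google Analytics only after the user has opted in, and with IP
// anonymisation switched on. Assumptions: gtag.js with a Universal Analytics
// property; the property ID, consent cookie name and its JSON layout are
// placeholders for whatever the site's cookie banner actually writes.

const GA_PROPERTY_ID = 'UA-XXXXXXX-1';   // placeholder, not a real property
const CONSENT_COOKIE = 'cookie_consent'; // placeholder name set by the banner

// Parse a document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// True only for an explicit, recorded opt-in to analytics cookies. No cookie,
// a refusal, or a malformed value all mean "no consent": silence is not
// consent under the GDPR, so the default must be not to load GA at all.
function analyticsConsentGiven(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return false;
  try {
    return JSON.parse(raw).analytics === true;
  } catch (_) {
    return false; // tampered or legacy value: fail closed
  }
}

// Config object for gtag('config', ...). anonymize_ip is a genuine Universal
// Analytics parameter: Google truncates the last octet of an IPv4 address
// (last 80 bits of IPv6) before storage. It does NOT remove the client ID held
// in the _ga cookie, so personal data still reaches Google's servers; this
// mitigates, it does not cure, the transfer problem discussed above.
function gaConfig() {
  return { anonymize_ip: true };
}

// The stock gtag.js snippet injects the script at page load, which sets the
// _ga cookie before anyone has been asked. This version returns false and
// touches nothing unless consent is on record. `doc` and `win` are passed in
// rather than read from globals so the function can be tested outside a browser.
function loadAnalytics(doc, win, cookieString) {
  if (!analyticsConsentGiven(cookieString)) return false;

  win.dataLayer = win.dataLayer || [];
  win.gtag = win.gtag || function () { win.dataLayer.push(arguments); };
  win.gtag('js', new Date());
  win.gtag('config', GA_PROPERTY_ID, gaConfig());

  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' +
    encodeURIComponent(GA_PROPERTY_ID);
  doc.head.appendChild(script);
  return true;
}

// In the browser: loadAnalytics(document, window, document.cookie), called
// once on page load and again from the cookie banner's "accept" handler.
```

Call `loadAnalytics` on page load and again from the banner’s accept handler; until the banner has written a positive choice, no script is fetched and no `_ga` cookie is set. Note that `anonymize_ip` is a Universal Analytics setting: for GA4 properties Google states that IP addresses are not logged or stored and the parameter has no effect, so the transfer assessment has to rest on the other identifiers sent rather than on this flag.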
Next steps
In addition to the suggested steps above, it will be prudent to keep any decision to continue using GA under review and maintain a watching brief in relation to any rulings or changes in legislation affecting cookies in the EU and UK.
As a specialist data protection consultancy, evalian® is well placed to assist you with navigating the law governing cookies. If you would like an informal conversation on how we can assist, please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.
