CNIL’s Decision on the Use of Google Analytics and Recommended Alternatives

Reading Time: 3 minutes


Shantanu Kulkarni | Data Protection Advisor

Date: 29 July 2022

After the Court of Justice of the European Union’s (CJEU) decision regarding Privacy Shield (Schrems II) the CNIL, on 10.02.2022, issued notices to a number of websites that used the Google Analytics audience measurement tool. In those notices, the CNIL stated that the use of Google Analytics inherently involves an element of data transfer to the United States and, therefore, could be violating Article 44 of the GDPR. CNIL followed up this action with updated information in June, including an article and FAQs, which stated that mitigating measures, such as minor adjustments of the  tools processing IP addresses or those encrypting the data containing an identifier may continue to be insufficient safeguards while transferring data to third countries via Google Analytics. It is therefore essential for all data controllers and website owners to explore alternatives to Google Analytics and also implement operational safeguards to meet the high standards set by the CJEU in its Schrems II decision. This article will present an overview of the responses to the CNIL’s Frequently Asked Questions, with the aim of highlighting some practical solutions as provided by the CNIL.

One of the recommendations from the CNIL is the use of Proxy servers as an operational safeguard while transferring data to a third country, along with the SCCs. The rationale behind the use of a proxy server, as noted by the CNIL, is to break the continuous link between the device located in the EU and the server located in a third country. However, the CNIL states that the proxy servers must adhere to the European Data Protection Board standards, suggested in 01/2020 Recommendations. In the words of the CNIL, the essential elements that any proxy server must have would be:

  1. It should ensure that the IP address of the EU device is not transferred by the analytics measurement tool;
  2. The proxy server should replace the unique identifier attached to the EU device;
  3. It must ensure that the data enabling device fingerprinting is not transferred by the analytics measurement tool
  4. The proxy server should also prevent any collection of cross – site identifiers

While the CNIL did provide an operational and practical alternative, it still recommends to avoid: 1) the transfers of personal data to a third country, and 2) the use of Google Analytics. CNIL acknowledges the fact that the costs of such activity may be higher but it also states that this is the recommended way to ensure maximum protection.

CNIL also acknowledges that personal data may still be transferred to third countries under explicit consent of data subjects. However this cannot be used for regular and continuous data transfers, due to the fact that this mechanism is stated to be an exception to the general rule of no personal data transfers to third countries as provided by Article 49 of the GDPR. Therefore, any exception must not replace the general rule.

In its conclusion the CNIL reiterates that it is not possible for a data controller to adopt a risk-based approach while transferring personal data to third countries through the use of Google Analytics. Rather, the CNIL recommends the implementation of additional technical measures to make the access to personal data almost impossible or ineffective.

Therefore, we recommend that all organisations that use the Google Analytics audience measurement tool carry out an assessment of the existing and already implemented technical measures. By following the advice provided by the CNIL, our suggestions are to review and implement additional measures, and if this is not possible, the safest option would be to stop the use of Google Analytics or even consider other EU based alternatives. Our final recommendation is to conduct a complete cookie review to verify the cookies in place in the website and to assess periodically the compliance of the same with the existing guidance.

Trilateral’s Data Protection and Cyber-risk team have data protection specialists with extensive expertise and experience in implementing and monitoring cookie compliance to meet legislative requirements. Trilateral Research has also created a dedicated cookie compliance guide to help increase cookie compliance. Please feel free to contact our advisors, who would be happy to speak with you about your compliance needs.

Related posts