On 16 July 2020, the Court of Justice of the European Union issued the so-called Privacy Shield decision, which established that the United States of America lacked safeguards for the protection of the personal data of European Union residents. In the same vein, multiple decisions have followed the Privacy Shield decision, such as the Austrian court decision of 22 April 2022 that condemned Google Analytics for its lack of safeguards and lack of compliance with the GDPR.
In the wake of this decision, in August 2020, multiple lawsuits were brought against websites hosting the Google Analytics service, which happens to be hosted in the U.S. The French Data Protection Authority, the CNIL, has issued a formal notice to Google due to the lack of safeguards to protect EU residents against access to their personal data by national authorities and against the unlawful transfer of the personal data of European web users through this tool. The result of this notification is that Google is attempting to comply with the GDPR using Google Analytics 4.
But then, how does Google Analytics 4 ensure better protection of personal data for European web users?
To understand this, we first need to look at the problems with Google Analytics Universal. One of these problems is the means of protecting personal data: anonymization of personal data.
Anonymization of personal data
Anonymization of personal data is the process of destroying the link between the person and the personal data, turning it into simple data that cannot be used to trace the person from whom it was collected. It should be noted that the mere use of a unique identifier on a site can be enough to identify an individual; anonymization requires more work to protect individuals than the simple solution of pseudonymization.
Anonymization is one of the best ways to protect personal data because it permanently removes the “personal” in “personal data”: the data cannot be linked back to the person from whom it came.
In the case of the older version of Google Analytics, Google Analytics Universal, there was a lack of anonymity in some of the data transfers. In particular, we couldn’t know whether the data was anonymized before or after its transfer to the United States, or whether the authorities could access it if they wanted to.
In addition, the additional safeguards weren’t enough to compensate for the lack of a real guarantee of protection. Take the example of encryption, which is not guaranteed before the data is transferred, or the example of pseudonymization, an ineffective means of protecting personal data since it still allows the link between the data and the individual. Since encryption is not under the control of the exporter, it is difficult to carry out a data transfer while putting in place, before the transfer, the encryption and the personal data protection guarantees that the European Union requires.
The data collected by Google Analytics works in tandem with other Google services including Google Ads.
Using the data obtained from Google Analytics, Google Ads has made it easier to identify people whose personal data has been collected in both services. We were able to find these people by using the browsing data that Google Ads obtains by overlaying the IP addresses of users of both tools with their browsing history.
There are other ways to protect users when using Google Analytics, but these means may be insufficient. Encryption, for example, is not sufficient to protect individuals, since Google itself must provide the encryption keys to make the data usable. Google therefore holds both the keys and the data: it must encrypt the data itself and is obliged to provide them to the United States authorities if they request them. Encryption protects but does not guarantee protection.
Furthermore, the legal basis for the processing of personal data by Google Analytics, consent or necessary performance, is not sufficient here to justify such processing. Indeed, the process is systematic, which means that it cannot be justified by the sole legal basis of the user’s consent to send data from a European Union country to a third country that doesn’t have the necessary guarantees and safeguards in accordance with the European guidelines on the matter.
Moreover, it must be considered that safeguards or contractual obligations alone aren’t enough to ensure the protection of personal data. This means that it is necessary for the individuals using these tools to check for themselves that the countries to which they send data do not have contractual obligations and safeguards regarding the protection of these data.
Google Analytics response
The goal of Google Analytics 4 is to correct some of these problems, and to do so the tool has drastically reduced the scope of its information sources. The use of third-party cookies to obtain more data is no longer an option in Google Analytics 4, which significantly limits the tool’s scope for harvesting data. The focus of Google Analytics used to be on the different pages the user arrived at, but now the focus is only on events, which further reduces the scope of usable information sources.
Universal Analytics used to have a system that worked on the basis of the pages seen by the user which includes:
- The events
- The number of views per page
- E-Commerce (Purchases made by people related to the products or services offered)
- The flow of people through the internet
- Social interactions (social networks)
- Exceptions in user behavior
Google Analytics 4, however, focuses only on users and events, thus reducing the areas of data collection.
The most important element that allows us to know whether Google Analytics 4 is GDPR-compliant is the guarantee that the IP addresses from which personal data originates are anonymized. By anonymizing IP addresses before they leave the EU, and by reducing the data collection areas, Google Analytics 4 can protect personal data more comprehensively.
Indeed, IP addresses are considered personal data according to the CNIL. This addition reassures it because, even if Google has not put the maximum safeguards in place to protect the data, such as the missing proxy server in Europe, the anonymization of IP addresses from the very start is still a very good step forward for personal data protection.
For Google Analytics 4, there were other ways to protect personal data.
Among the solutions proposed by the CNIL, the idea of a proxy server, intended to keep the data in the European Union and thus ensure control over it and respect for the protection of personal data on European territory, was not retained. With a proxy server in the European Union, the anonymization, encryption, and protection of personal data could have been done on the Union’s territory, and this would have been a guarantee of protection.
In addition, encryption, otherwise an insufficient protection of data, actually becomes very effective if it is under the control of the data exporter. The exporter, being in the Union, would have been obliged to follow the European rules. By keeping the encryption keys, the exporter limits the access of companies from third countries, which guarantees that they cannot themselves grant the authorities access to personal data, and therefore protects the data.
If you want to measure your audience, it is not mandatory to use Google Analytics. Other direct competitors of Google have more comprehensive protections in this case due to their location in the European Union or their greater compliance with the GDPR. These competitors are either in Europe, like Matomo and Swatis, or are part of a CNIL list that offers different options of competitors whose tools do not require consent to be used.
This means that it is always necessary to keep an eye on the settings of these Google Analytics competitors, as some settings may make these tools non-compliant with the GDPR if we use them without user consent.
Google Analytics Universal will be replaced on July 1st by Google Analytics 4 due to the CNIL’s condemnation of the dangers and lack of protection of personal data transferred to the United States.
This decision is still in the wake of the Schrems rulings, decisions of the Court of Justice of the European Union that overturned the image of quality of the safeguards in place for the protection of personal data in the United States. These decisions have caused a certain amount of mistrust in all transfers of personal data from the European Union to countries outside the Union, in particular the United States here, especially with the popularity of Google, which is one of the main United States players in Europe.
Despite these condemnations, Google Analytics has managed, by limiting the scope of the data collected and introducing the anonymization of IP addresses from the beginning, to make the tool usable after collecting consent, or without it depending on the settings, while complying with the GDPR. One can always regret the absence of an option that would have really contributed to the protection of personal data, but it is understandable that economic choices are behind these decisions.
On the other hand, it is possible to consider Google’s competitors, whether to obtain better protection of personal data or to facilitate this protection through the use of servers located in France that would be subject to the GDPR.