Managing a website or mobile application requires traffic and/or performance statistics, which are often essential for service delivery. The market standard in this area is Google Analytics (GA), and that will soon have to change, because its use, as configured by the site that was audited, has been declared unlawful by the Italian data protection authority.
Italy's Privacy Guarantor (the Garante) sanctioned the operator of a website in an order dated June 9, 2022. The site was using the GA service, which transfers European users' data to the United States, a country that does not offer an adequate level of protection. An influential member of the Garante's board also confirmed that the series of sweeping audits on this issue, already scheduled by the Garante, has begun.
The Garante's investigation found that operators of websites using GA collect, through cookies, information on users' interactions with those sites, on the individual pages visited and on the services offered. Among the many data collected are the IP address of the user's device and information about the browser, operating system, screen resolution, selected language, and the date and time of the visit. This information, which is personal data, was found to be transferred to the United States. The processing was therefore declared unlawful.
This came about because the Court of Justice of the European Union, in a ruling of July 2020 (the "Schrems II" judgment), invalidated the Privacy Shield, i.e. the Commission's adequacy decision (Decision 2016/1250) on which data transfers between the European Union and the United States relied. That framework did not provide adequate safeguards against the risk of access to European residents' personal data by U.S. authorities.
In March 2022, the European Commission and the United States adopted a joint statement announcing a future decision meant to properly regulate data flows to the United States. This is only a political announcement, with no legal value. Indeed, on April 6, 2022, the European Data Protection Board (the EDPB, the committee that brings together the European privacy authorities) issued a statement clarifying that the announcement is not a legal framework that organizations can rely on to transfer data to the United States.
CNIL's contribution
The privacy authority that, to date, has analyzed these issues in the most practical way is the French one.
The French privacy authority (CNIL) has made it clear that the use of GA is considered unlawful under the GDPR, and remains so even when the data being transferred is first pseudonymized or encrypted, because Google is still in a position to re-identify the user.
A question then arises. Can data continue to be transferred outside the EU using the legal basis of data subjects' consent?
Explicit consent of the data subject is one of the derogations that Article 49 of the GDPR provides for specific cases. However, as stated in the EDPB guidelines on those derogations, they can only be used for non-systematic, occasional transfers and, in any case, cannot be a permanent long-term solution, since an exception cannot become the general rule.
Given that neither explicit consent nor GA itself can validly be relied on, are there alternatives that are legitimate?
The CNIL has published a list of software that can be exempted from consent if properly configured.
This list includes tools whose vendors have already demonstrated to the CNIL that the tool can be configured so as to collect only what is strictly necessary to provide the audience-measurement service, so that no user consent is required for the tracker itself.
Exemption from consent does not, by itself, settle the question of international transfers. Whichever software is used, it is always necessary to verify, as far as possible, that the company producing it has no ownership or organizational ties with a parent company located in a country that allows its intelligence services to request access to personal data held in another territory (for example, the United States but also China), and to assess the legal framework of the country to which the data is exported.
The list of software suggested by the CNIL
Without going into detail about the configuration required to use these tools legitimately (which depends on several variables), the list published by the CNIL is as follows:
- Analytics Suite Delta by AT;
- SmartProfile by Net Solution Partner;
- Wysistat Business by Wysistat;
- Piwik PRO Analytics Suite;
- Abla Analytics by Astra Porta;
- BEYABLE Analytics by BEYABLE;
- etracker Analytics (Basic, Pro, Enterprise) by etracker;
- Web Audience by Retency;
- Nonli;
- CS Digital by Contentsquare;
- Matomo Analytics by Matomo;
- Wizaly by Wizaly SAS;
- Compass by Marfeel Solutions;
- Statshop by Web2Roi;
- Eulerian by Eulerian Technologies;
- Thank-You Marketing Analytics by Thank-You;
- eStat Streaming by Médiamétrie;
- TrustCommander by Commanders Act.
The following sources were used in the preparation of this article and are recommended for further study.
- Google: the Privacy Guarantor stops the use of Analytics. Data transferred to the US without adequate safeguards (Garante)
- The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield (PDF, 322 KB) - CJEU
- Alternatives to third-party cookies: what consequences regarding consent? (CNIL)
- [FR] Use of Google Analytics and data transfers to the United States: the CNIL issues a formal notice to a website operator (CNIL)