The French data protection authority (‘CNIL’) recently published FAQs concerning CNIL’s enforcement actions regarding the use of a famous web analytics tool, as well as guidance on bringing audience measurement tools GDPR compliant.
The issuance of this FAQ comes after the well-known Schrems II ruling in which the Court of Justice of the European Union invalidated the Privacy Shield, stating that the U.S legislation does not provide sufficient guarantees against the risk of access by authorities, including intelligence services, to the personal data of European data. Following this ruling, the French Data protection authority received several complaints questioning the use by French companies of the well-known website audience measurement tool. In its FAQ, the CNIL stated that the mere implementation of standard contractual clauses is not sufficient to use this tool in compliance with GDPR. Besides, the CNIL stated that ‘all data controllers using [this web analytical tool] must now consider this use as illegal under GDPR […] and must therefore turn to a service provider offering sufficient guarantees of conformity. ‘
This decision is of no surprise since earlier this year, the Austrian data protection authority issued a similar statement concerning the non-compliant use of this US-based web analytical tool by several websites.
However, the CNIL indicates that the use of a proxy server can avoid direct contact between the Internet user and the analytical tool servers. This alternative, which would concentrate the data collected during visits before transmitting them to an audience measurement service, could allow the use of such services while remaining a GDPR complaint. According to the CNIL, the use of a proxy would allow pseudonymizing the browsing data before transmitting it to an audience measurement service. The last process would prevent Google from identifying Internet users who would not be able to follow their navigation outside the site. Proxy server must be used only under strict conditions:
The server itself must be hosted in accordance with the regulation and must be located in a European country
- IP addresses must not be transferred to the measurement tools servers
- The proxy must replace the user’s identifiers
- External referrer information must be removed
- Parameters contained in URLs should also be removed
- Information that may be involved in generating fingerprint must be re-processed
- No cross-site collection of identification can take place
- Any data that could lead to re-identification must be removed
Depending on the cost and complexity, the implementation of the necessary measures can be an effective solution to limit the risk for data subjects in the case of overseas transfers of their personal data.