French supervisory authority publishes guidelines on the use of website analytics in accordance with GDPR requirements | K&L Gates LLP
Following the 2020 Court of Justice of the European Union (CJEU) ruling invalidating the Privacy Shield (see our alert here), EU companies transferring personal data from the European Union to the United States have had to implement additional safeguard mechanisms, as the CJEU found that US law did not provide sufficient safeguards against the risk of access by public authorities (including intelligence services) to imported data.
Following this decision, several EU Supervisory Authorities (SAs) received complaints from None of Your Business (NOYB), the association of Max Schrems, regarding the use by EU data controllers of US-based website analytics solutions used to measure online audience (Analytics Service Solutions). In February 2022, following the position adopted by the Austrian SA in December 2021 (see an anonymised version online here – in German only), the French Data Protection Commission (CNIL) sent more than a hundred formal notices to EU data controllers (see an anonymised version online here – in French only) on the grounds that the use of the Analytics Service Solutions resulted in insufficiently regulated transfers to the United States. These notices raised the question of whether, pursuant to the provisions of Chapter V of the GDPR, technical measures or settings could enable the compliant use of the Analytics Service Solutions.
In its communication of June 7, 2022, the CNIL considered several measures to be insufficient, such as:
- Simply implementing the basic version of the European Commission’s standard contractual clauses;
- Simply changing the settings for handling IP addresses;
- Encrypting the identifier generated by Analytics Service Solutions; or
- Replacing this identifier with an identifier generated by the operator of the website, as such a measure offers little or no additional guarantee against possible re-identification of the persons concerned.
The main problem encountered when using Analytics Service Solutions was considered to be the direct contact, via an HTTPS connection, between the individual’s terminal and the servers managed by the Analytics Service Solutions provider, allowing the servers to collect the IP address of users.
However, according to the CNIL, cutting the link between the terminal and the server could solve this problem and reconcile the use of Analytics Service Solutions with the requirements of the GDPR.
To do this, the CNIL has established that the use of a proxy server to avoid any direct contact between the Internet user’s terminal and the servers of the Analytics Service Solution could be considered as a solution.
Nevertheless, additional measures still need to be implemented, such as pseudonymisation prior to the export of personal data (see Recommendations of the European Data Protection Board 01/2020 of June 18, 2021). Controllers must, however, be able to demonstrate that the pseudonymised personal data cannot be attributed to an identified or identifiable natural person, even if (i) it is cross-checked with other information and (ii) taking into account the considerable means available to the public authorities capable of carrying out such a re-identification.
In addition, the CNIL requires that several measures be implemented for the proxy server to be valid and to limit the data transferred, including but not limited to:
- The absence of transfer of the IP address to the servers of the Analytics Service Solution. If a location is transmitted to the servers of the Analytics Service Solution, it must be done by the proxy server itself, and the level of precision must ensure that this information does not allow the person to be re-identified (for example, by using a mesh guaranteeing a minimum number of Internet users per cell).
- Replacement of the user ID by the proxy server. To ensure effective pseudonymization, the algorithm performing the replacement must ensure a sufficient level of collision (for example, a sufficient probability that two different identifiers give an identical result after hashing) and include a time-varying component (adding a value to the hashed data which evolves over time so that the result of the hash is not always the same for the same identifier).
- Removal of referral information external to the website.
- The removal of any parameters contained in the URLs collected (for example, UTM (Urchin Tracking Module) parameters but also URL parameters allowing internal routing of the website).
- The reprocessing of information that can participate in the generation of a fingerprint, such as user-agents, to eliminate the rarest configurations that can lead to re-identification.
- The absence of any collection of cross-site or deterministic identifiers (e.g. CRM identifier, unique identifier).
- The deletion of any other data that may lead to re-identification.
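The proxy-side measures listed above can be combined in a single sanitizing step, sketched here as an added example that is not taken from the CNIL guidance or from any analytics vendor. The field names, the site host, the proxy key, the 20-bit truncation and the daily rotation are all assumptions chosen for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "www.example.com"        # assumption: the operator's own site
PROXY_KEY = b"constructed-demo-key"  # assumption: secret held only by the proxy
ID_BITS = 20                         # assumption: short output so distinct IDs can collide
ROTATION_SECONDS = 86400             # assumption: time component changes daily
COMMON_BROWSERS = ("Firefox", "Edg", "Chrome", "Safari")  # order matters for matching
ALLOWED_FIELDS = {"event"}           # allow-list: IP, CRM IDs etc. are dropped by default

def pseudonymize(user_id: str, now: int) -> str:
    """Keyed, truncated hash of the ID mixed with a time bucket."""
    bucket = now // ROTATION_SECONDS
    mac = hmac.new(PROXY_KEY, f"{bucket}:{user_id}".encode(), hashlib.sha256)
    value = int.from_bytes(mac.digest()[:4], "big") >> (32 - ID_BITS)
    return f"{value:05x}"

def strip_query(url: str) -> str:
    """Drop the query string and fragment (UTM and internal routing parameters)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

def coarse_user_agent(ua: str) -> str:
    """Reduce the user-agent to a common browser family; rare ones become 'Other'."""
    for name in COMMON_BROWSERS:
        if name in ua:
            return "Edge" if name == "Edg" else name
    return "Other"

def sanitize_hit(hit: dict, now: int) -> dict:
    """Build the record the proxy forwards; anything not rebuilt here is not sent."""
    out = {k: v for k, v in hit.items() if k in ALLOWED_FIELDS}
    out["uid"] = pseudonymize(hit["user_id"], now)
    out["page"] = strip_query(hit["url"])
    ref = hit.get("referrer", "")
    if ref and urlsplit(ref).hostname == SITE_HOST:  # external referrers are removed
        out["referrer"] = strip_query(ref)
    out["ua"] = coarse_user_agent(hit.get("user_agent", ""))
    return out

# Constructed sample hit as the proxy might receive it from a browser.
SAMPLE_HIT = {
    "event": "pageview", "user_id": "GA1.2.111.222",
    "ip": "203.0.113.7", "crm_id": "C-42",
    "url": "https://www.example.com/pricing?utm_source=news&step=2",
    "referrer": "https://search.example.net/?q=pricing",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
}
```

Whether a given truncation length and rotation period are sufficient remains something the controller has to demonstrate for its own traffic volume.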
In addition, the hosting conditions of the proxy server must be taken into account. It must be hosted under conditions guaranteeing that the personal data processed will not be transferred outside the European Economic Area (EEA) to a country which does not ensure a level of protection essentially equivalent to that provided for in the EEA without the technical and organizational measures required by the Schrems II judgment. To supplement this communication, the CNIL published an online Q&A on June 7, 2022 specifying that following these recommendations, the notified companies have a period of one month to bring the international transfers of their Analytics Service Solutions. This one-month period can be renewed at the express request of companies using these solutions.
In any case, as the implementation of the aforementioned measures can be costly and complex, data controllers also have the option of using Analytics Service Solutions that do not transfer personal data outside the European Union.