Companies using Google Analytics ("Analytics") or similar platforms may be interested in recent rulings of several European data protection authorities that found Analytics data transfers to the U.S. to be non-compliant with the EU's  General Data Protection Regulation ("GDPR"). The authorities' concerns with the identifiability of the information and its potential vulnerability to FISA requests could apply more broadly.

Facts

In August 2020, following the European Court of Justice's decision invalidating the Privacy Shield ("Schrems II", decided July 16, 2020), the None of Your Business privacy rights advocacy organization ("NOYB") brought cases before 27 European data protection authorities alleging that Analytics transfers personal information from the European Union to the United States in a manner inconsistent with the GDPR. As it did in Schrems II, NOYB argued that personal information of Europeans collected by sites using Analytics was not being adequately protected because it was vulnerable to disclosure to the U.S. intelligence service.

Although Google argued that the information in question is not personal information and that it has implemented sufficient additional safeguards, the Austrian data protection authority and the French Commission nationale de l'information et des libertés ("CNIL") recently decided in favour of NOYB.

The CNIL's Findings

The following observations, which are based on the CNIL's findings, reiterate: (i) the EU's broad definition of "personal information", (ii) the EU's desire to see effective security measures implemented to protect personal information against U.S. Government requisitions; and (iii) the importance of explicit, enlightened, and informed consent.

A broad definition of "personal information"

The CNIL's decision confirms an inclusive definition of personal information (or personal data) that extends to any identifier that can be combined with other information in such a way as to create a profile. In the French case, a company the name of which is omitted from the judgement ("Company"), used Analytics to perform an analysis of its website's Internet traffic. The information collected included:

  • A visitor's identifier (the identifier of the Analytics visitor cookie, i.e. the Analytics customer ID);
  • For visitors who logged into the website through a user account, an internal company identifier;
  • The order identifiers, if any; and
  • An IP address.

The CNIL held that because they could be combined with other information, such as the address of the website visited, metadata relating to the browser and operating system, the time and data relating to the visit to the website, and the IP address, the identifiers provided a certain level of identification of an individual and thus qualified as personal information. Specifically, the French data protection authority stated:

"When several elements are combined, they can make it possible to individually identify visitors to the [...] website, on which Google Analytics is implemented. It is not required to know the actual visitor's name or (physical) address since, in accordance with recital 26 of the GDPR, such singling out of individuals is sufficient to make the visitor identifiable".

The CNIL also specified that universal unique identifiers ("UUIDs") do not qualify as pseudonymized data for the purposes of the GDPR and therefore are not, in and of themselves, privacy enhancing techniques.

Insufficiency of Standard Contractual Clauses

As with Schrems II, the crux of the present case rests with the fact that Analytics transfers the personal information it collects from the French company's site to the United States for storage. The GDPR only permits transfers of personal information from the EU to a third party if either the third party (i) is governed by laws of a country that the EU has deemed adequate – such as is the case with Canada – or (ii) has implemented any number of other measures, such as standard contractual clauses ("SCCs"), containing an adequate level of protection for personal information transiting from the EU to an entity in another country.

Because U.S. legislation has not been deemed adequate, the EU and the U.S. successively implemented two special arrangements – the Safe Harbour and the Privacy Shield – that were intended to allow personal information to flow between entities in these two jurisdictions. These mechanisms were struck down, in 2016 and in 2020 respectively, by the European Court of Justice ("ECJ") on the ground that they failed to provide adequate personal information protection. Although on March 25, 2022, the EU and U.S. announced another agreement in principle allowing for cross-border personal information transfers, ever since the ruling in Schrems II, these transfers have grown increasingly complicated from a compliance angle.

It is against this backdrop that the CNIL and other European data protection authorities found Analytics' personal information protection to be non-compliant with the GDPR. The CNIL held Analytics' transfer of Europeans' personal information to, and its storage in, the U.S. to be non-compliant with the GDPR because the information cannot effectively be protected from U.S. intelligence disclosure requests. According to the CNIL, Google LLC qualifies as a provider of electronic communication services and as such is subject to Foreign Intelligence Surveillance Act ("FISA") requests. Such a request in incompatible with the personal information protection offered by the GDPR for two reasons:

  • A FISA information request is not limited to what is strictly necessary and therefore violates the collection minimization requirement; and
  • FISA proceedings are secret, thereby denying an effective remedy to the subjects of such a request.

This denial of an effective remedy runs counter to the rights protected by the EU Charter of Fundamental Rights.

Furthermore, although the European Data Protection Board agreed in 2021 that if an entity adopted "supplemental measures" to protect personal information, such an entity could potentially share the information in question with a US entity, the CNIL held that the supplemental contractual, organizational, and technical measures Analytics had implemented were insufficient to protect against a FISA request. In particular, it found that:

  • The contractual and organizational measure that consisted in disclosing the fact that personal information could be subject to a U.S. government request was not the same as protecting the information against such a request.
  • The technical measures proposed – i.e., (i) securing data in transit between data centres, (ii) protecting communications between users and websites, or (iii) "on-site security" – did not in fact address the issue of preventing or reducing the possibilities of access by U.S. intelligence services.
  • The encryption of data at rest in the U.S. was not a form of protection because, as the CNIL stated, "Google LLC as data importer nonetheless has an obligation to grant access or to turn over imported personal data in their possession, including any cryptographic keys necessary to render the data intelligible [...]. In other words: As long as Google LLC has the possibility to access the data of natural persons in clear text, such technical measure cannot be deemed effective in the present case."

Consent as a fallback

The third point the CNIL decision emphasizes is that in the absence of explicit consent to the transfer of personal information to the U.S., a company cannot rely on the GDPR consent exception to personal information transfers. The French data protection authority is clear that a user's consent to storing cookies is not to be mistaken with a user's explicit consent to have their personal information transferred to the U.S. after being provided appropriate notice including information about the risks involved and the measures that an individual can take to reduce these. Consent to transfer must be explicit, express, and informed.

Conclusion

The European data protection authorities' decisions in response to NOYB's challenge of Analytics' data transfer practices are further proof that the European Union requires clear and effective personal information protection measures to be implemented before personal information can be transferred to the United States. The standard data protection claims of "encrypting data in transit" or disclosing that personal information is subject to U.S. government agency requests will not be accepted as substitutes for genuine protection.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.