Should we stop using Google Analytics?
Three European judgments rendered

Jean-François Normand
Lawyer, Patent and Trademark Agent

Over the last few months, several European regulatory authorities have issued rulings on the application of the General Data Protection Regulation (“GDPR“) to cookies and the use of Google Analytics.

The rulings may be seen as good news for advocates of individual privacy rights, but could potentially be problematic for executives of companies that use Google Analytics or other similar tools.

We will discuss three decisions: two on the use of Google Analytics and one on the use of cookies, and we will conclude with an analysis of the situation.

Google Analytics: Website manager ordered by CNIL to comply

On February 10th, the Commission Nationale de l’Informatique et des Libertés (“CNIL”) issued a formal notice to a website manager for its use of the Google Analytics tool. Before presenting the case, it should be noted that the CNIL, as well as the regulatory authorities of the 27 member states of the European Union and those of three other countries of the European Economic Area (“EEA”), received a total of 101 complaints from the association None of Your Business (NOYB) against website managers for the transfer to the United States of data collected when users located in Europe visit these websites. The data in question was collected by the Google Analytics tool and then transferred to and stored on servers located in the United States.

It is worth recalling that, in July 2020, the Court of Justice of the European Union (the “CJEU”) delivered the “Schrems II” judgment, which invalidated the Privacy Shield, a mechanism American companies could rely on. It essentially provided a recognized framework for the flow (or transfer) of personal data between Europe and the United States. The CJEU had ruled on the risk that American intelligence services could access personal data transferred to the United States if the transfers were not properly supervised. Indeed, Google qualifies as an electronic communication service provider under 50 U.S. Code § 1881(b)(4) and is thus subject to intelligence surveillance under 50 U.S. Code § 1881a. In short, the 101 complaints filed by NOYB follow the Schrems II decision and allege that Google does not provide sufficient safeguards to prevent disclosure of data to U.S. intelligence agencies.

In this case, the CNIL ruled in favor of NOYB, stating that visitors’ personal data (unique identifiers, digital footprints, etc.) were transferred to the United States in violation of Article 44 and following of the GDPR. It notes that, despite the additional measures adopted to regulate Google Analytics data transfers, Google did not offer an adequately high level of data protection against intelligence services. The CNIL thus gave notice to the website operator to comply with the GDPR by ceasing to use Google Analytics (in its current form). The website operator in question has one month to comply.

Google Analytics: Austrian decision against a website operator

Like the CNIL, the Austrian regulatory authority, the Datenschutzbehörde (the “DSB”), received a complaint from NOYB about a website operator’s use of the Google Analytics tool, more specifically, the potentially unlawful transfer – within the meaning of Article 44 of the GDPR – to the United States of personal data originating in the European Union.

In its ruling, the DSB further explores the scope of the definition of personal data:[1]

“any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her identity […]”

[Our Annotations]

In this case, the DSB decision demonstrates that the JavaScript code implemented by Google Analytics on the website collects the user’s unique identifier, the address and HTML title of the pages visited, information about the browser, operating system, screen resolution, language preference, date and time of the visit, and the IP address of the device used.

In the case at hand, the website operator and Google argued, among other things, that the data provided to Google, as detailed in the previous paragraph, did not constitute personal data and that, even if it did, sufficient additional measures were in place to protect such data. In addition, the safeguards taken by Google included (1) transparency reports on requests from U.S. authorities, (2) encryption-at-rest in data centers, and (3) pseudonymization of data.

It is important to mention that, according to the interpretation given by the DSB, the fact that it is not possible to identify a person directly from certain data does not rule out the application of the GDPR: indirect identification (e.g. by combination with other data) is quite sufficient. With the unique identifiers (User ID/Client ID) of Google Analytics, it is possible to single out the user by cross-referencing them with other data (including the digital footprint data collected by Google Analytics). The DSB also establishes that these identifiers do not need to be associated with a “face,” as Article 4 of the GDPR does not require this. The fact that the website operator did not specifically target the data is not an accepted defense, since it remains possible that an individual could be identified. As the DSB states in its ruling:

A standard of “identifiability” to the effect that it must also be immediately possible to associate such identification numbers with a specific “face” of a natural person – i.e., in particular with the name of the complainant – is not required […].

Such an interpretation is supported by Recital 26 of the GDPR, according to which the question of whether a natural person is identifiable takes into account “[…] any means reasonably likely to be used by the controller or by any other person to identify the natural person, directly or indirectly, such as singling out” [Annotations of the DSB]

In this case, since the service offered was Google Analytics, the combination of Cookie ID, IP address and browsing data (and, through them, the user’s Google account) reasonably allowed Google to identify the user in question without much effort.

We believe it is important to recall that, according to European case law[2], an isolated dynamic IP address can be considered personal data and does not lose its personal character merely because identifying the individual requires the involvement of a third party. In other words, the fact that an organization cannot itself link a natural person to a certain piece of data (e.g. an IP address) is not sufficient to remove that data from the definition in Article 4(1) of the GDPR. All that is required is that the identification can be done by lawful means and with reasonable effort.

Thus, with reasoning similar to that of the CNIL (based on the Schrems II judgment) mentioned above, the DSB concludes that the website operator transferred personal data outside the territory of the European Union without sufficient guarantee that an adequate level of protection is offered to said data.

Cookies: The Council of State (France) imposes a heavy fine on Google

On January 28, the French Council of State confirmed the CNIL’s decision to impose administrative fines of 60 and 40 million euros on Google LLC and Google Ireland Ltd. Google was found to have automatically downloaded seven cookies onto visitors’ computers without the consent of the device’s owner. It also turned out that, of the seven cookies, four were not exclusively for the purpose of enabling or facilitating electronic communication and were not strictly necessary for the provision of an online communication service at the express request of the user. During the proceeding, Google amended its practices, but continued to fail to directly and explicitly inform the user about the purposes of its cookies and how to opt out should they so choose. At the time of the hearing, by Google’s own admission, there was still a cookie – for advertising purposes – that was automatically downloaded when the user visited the site in question.

The Court concluded that the actions of Google LLC and Google Ireland Ltd are contrary to French and European legislation on the protection of privacy. The Council bases its judgment in particular on paragraph 3 of Article 5 of Directive 2002/58/EC[3]: Member States shall ensure that the storage of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user shall be permitted only with the consent of the subscriber or user, after having received, in compliance with Directive 95/46/EC [replaced by the GDPR], clear and comprehensive information, inter alia, on the purposes of the processing. [Our annotations]

The takeaway from this decision is that it is essential to obtain consent before downloading cookies to a visitor’s device. Some cookies are however exempted from obtaining this consent if they are strictly necessary for the provision of the service, i.e. cookies that (i) have a purpose strictly limited to the sole measurement of the site’s audience (performance measurement, detection of navigation problems, optimization of technical performance or ergonomics, estimation of the power of the servers required, analysis of the content consulted), exclusively on behalf of the publisher, or (ii) serve to produce anonymous statistical data only. As soon as a cookie is cross-referenced with other data or transmitted to a third party, the exception no longer applies, and consent must be obtained. As the CNIL reminds us, in order to benefit from the exception, cookies must not allow for the global tracking of a person’s navigation using different applications or browsing different websites. Any solution that uses the same identifier across multiple sites (via, for example, cookies deposited on a third-party domain loaded by multiple sites) to cross-reference, duplicate or measure a unified reach rate for a content is excluded.

Key Points

The GDPR and European law go hand in hand. Thus, it is important to mention that only companies subject to the GDPR are potentially affected by these decisions. Without going into the details of the applicability of the GDPR, let’s recall that any Canadian company (whether or not established in the European Union) processing personal data of individuals located on European territory at the time of the processing is subject to the GDPR if said company engages in any of the activities covered by the GDPR[4]. In this regard, we invite you to read or re-read an article we wrote on the subject when this law came into force in 2018.

Moreover, these decisions bring to light the importance for companies of having a technical understanding of their data flows, i.e., where the data is being transferred (country), who is receiving the data and how the data is being protected. These decisions also reiterate the importance of assessing any data transfer outside the EEA, and that this assessment must be done on a case-by-case basis. However, in no way should these rulings be interpreted to mean that all transfers of personal data to the United States result in a breach of the GDPR or that all use of Google Analytics is prohibited.

On the more specific aspect of cookies, it is important to remember that your website should not download cookies to the user’s computer until the user has consented to such download, unless the cookies are essential to the provision of the service (for example, a login cookie to stay logged into a user’s account across pages of the same site).

It goes without saying that it is essential to inform users of the types of cookies that will be downloaded, how they will be used and, finally, how to opt out of the collection of data. Generally, this is done through a banner displayed at the time of the first visit to the site, in addition to the organization’s privacy policy. In this regard, a website manager must ensure that the deployment of cookies is not integrated directly into the site’s code, but is done through the use of tag managers (e.g. Google Tag Manager) which will take into account the user’s choice to accept or refuse cookies. Without the use of a tag manager, the site’s script would automatically download all cookies as soon as the page is loaded.

We also remind you that refusing cookies should be as easy as accepting them. In short, the use of buttons such as “Yes, I accept all cookies” and “Preferences” (followed by a menu where you have to click in several places in order to refuse cookies) is not in compliance with European legislation. In addition, the mere fact that a visitor continues to browse the site following the display of a consent or information banner should not be interpreted as tacit consent and therefore does not allow the downloading of non-essential cookies.
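The consent gate described in the two preceding paragraphs, as an added example (not code from the article or from any tag manager): essential tags always run, non-essential tags wait for an explicit, stored choice, refusal is a single click, and continued browsing (no stored choice) loads nothing extra. The cookie name, tag list and categories are constructed for illustration, and the logic is modelled as plain functions so it runs without a DOM.

```javascript
// Added example: consent gating for non-essential cookies/scripts.
// Names below (cookie, tag ids, categories) are hypothetical.
const CONSENT_COOKIE = "cookie_consent";
const NON_ESSENTIAL = ["analytics", "advertising"]; // categories that need consent

// Tags a site might deploy. "essential" covers strictly necessary cookies
// such as the session/login cookie, which is exempt from consent.
const TAGS = [
  { id: "session",   category: "essential" },
  { id: "analytics", category: "analytics" },
  { id: "ads",       category: "advertising" },
];

// Parse a document.cookie-style string into a consent record, or null when
// no valid choice is stored. Missing or malformed data fails closed (null).
function readConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(rest.join("=")));
      // Require an explicit boolean for every non-essential category.
      if (NON_ESSENTIAL.every((c) => typeof parsed[c] === "boolean")) return parsed;
    } catch (_) { /* fall through: treat as no valid consent */ }
    return null;
  }
  return null;
}

// Build a consent record from a one-click banner action. Refusal is stored
// explicitly rather than left as "no choice yet". Anything else is rejected.
function recordChoice(action) {
  const value = action === "accept_all" ? true : action === "reject_all" ? false : null;
  if (value === null) throw new Error(`unknown banner action: ${action}`);
  return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, value]));
}

// The page-load pattern the article warns against: every tag fires at once.
function loadAllTags(tags) {
  return tags.map((t) => t.id);
}

// Consent-gated page load: essential tags always run; the rest need an
// affirmative true for their category. consent === null loads only essentials.
function loadGatedTags(tags, consent) {
  return tags
    .filter((t) => t.category === "essential" || (consent !== null && consent[t.category] === true))
    .map((t) => t.id);
}
```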

For additional information on cookies, including Canadian and Québec legislation on the matter, please see our article on the subject.

As for the use of the Google Analytics tool, the situation remains unclear. At the time of publication of our article, and according to our research, it does not seem possible to choose the storage location of the data collected by Google Analytics, nor the service provider. This option seems to be reserved for Google Workspace (Calendar, Drive, Forms, Gmail, etc.). Thus, we recommend treading carefully when using the Google Analytics service – and any similar service of a competitor – as personal data is transferred to the United States. It would be preferable to use a service whose data is stored in the European Union or Canada. With that said, some European firms have taken the position that it is possible to use Google Analytics by following certain configuration steps, including disabling data sharing settings and enabling IP address anonymization. Additionally, following the DSB ruling, Google has posted practical guidance for website managers on complying with the GDPR in their use of Google Analytics. While it is not possible to know whether the DSB would have reached a different verdict had the website manager followed these recommendations, we recommend taking them into account in order to at least minimize the risks.

It will be interesting to follow the evolution of this case and to see what position the regulatory authorities will take in the coming months (i.e. in the 99 other complaints filed by NOYB) on the use of Google Analytics and similar services. As the issue is far from being firmly resolved, each organization will have to weigh the conveniences for itself and assess the risk of prosecution by a European regulatory authority.

To conclude, we would like to emphasize that investing in privacy is no longer an option in 2022, whether you are located in Europe or in Canada. With the recent reform of the Private Sector Privacy Act (Bill 64), those of the other provinces[5] and the Personal Information Protection and Electronic Documents Act (Bill C-11) and the reform of health data (Bill 19), there is no doubt that Québec and Canada are taking the lead in the protection of personal information. In short, just because your company does not do business in Europe does not mean you should not be concerned!

If you have any questions, please do not hesitate to contact Me Jean-François Normand and our Data Protection, Privacy and Cybersecurity team.

[1] GDPR, section 4.1

[2] See paragraph 102.

[3] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

[4] Please consult with a professional to assess your GDPR compliance.

[5] See proposals in Alberta and Ontario.