After nearly two years of tiptoeing around, it seems the fog of uncertainty is finally lifting on the EU-USA data management regulations. A new agreement between the European Union and the United States was signed on July 10, 2023, the Data Privacy Framework. It will come in place of the Privacy Shield.
So, what’s the inside scoop on this one? Are tools like Google Analytics back in the good graces of the law? Let’s try to understand what this new agreement means.
February 2022 – Google Analytics Declared Illegal
On February 10, 2022, a decision by the National Commission on Informatics and Liberty (CNIL) sent marketers’ daily routines into a tailspin: the use of Google Analytics in France was judged non-compliant with GDPR, thus becoming illegal!
Indeed, the CNIL noted that GA assigns a unique identifier to each visitor, allowing the transfer of this identifier and the associated personal data to the United States. The CNIL judged these transfers as illegal due to the risk of access to these data by American intelligence services, following a complaint from the NOYB association (led by Max Schrems). While data transfer to the United States isn’t inherently illegal, the country is no longer categorized as adequate.
In this context, the CNIL relied on the Schrems II ruling by the Court of Justice of the European Union, which invalidated the Privacy Shield, an agreement that allowed American companies to certify that they offered a level of data protection equivalent to GDPR.
Following this decision, several websites were ordered to stop their use of Google Analytics and to turn to other analytics solutions compliant with GDPR. Whether due to habit, cost, or any other reason, many companies continued to use Google Analytics, with the Damocles’ sword of potential penalties hanging over their heads.
June 2023 – CNIL Clarifies Its Position on Google Analytics
Despite the CNIL’s initial ban on the use of Google Analytics in France, a workaround has been found to allow the legal use of this tool. Indeed, in June 2022, the CNIL outlined specific conditions that would make data collection via Google Analytics legal: proxyfication, hashing, prevention of fingerprinting, and deletion of pseudonymous data. If these recommendations are applied, the use of Google Analytics 4 (GA4) is considered legal.
The data anonymization process involves the use of a proxyfication system. This system acts as an intermediary server between the client (user’s browser) and the Google Analytics server that collects the data. In the context of tracking, solutions like Google Tag Manager Server-Side or Commanders Act can be used. While server-side tracking can bypass ad blockers and limitations related to Apple (ITP on Safari and iOS), it also allows for transforming or deleting certain data.
It’s in this specific case that it becomes possible to comply with the CNIL’s recommendations, namely:
- No transfer of the IP address to Google’s servers
- Pseudonymization of the user’s identifier
- Deletion of external site reference information
- Deletion of all parameters contained in the collected URLs
- Deletion of user_agent, which can contribute to fingerprinting
- No collection of cross-site or deterministic identifiers
- Deletion of any other data that could lead to reidentification.
PS – If you want to learn more about setting up a proxyfication process in a server-side tracking context, feel free to check out our article.
Note that collecting less data makes some Google Analytics features more limited or less accurate. For instance, sending audiences from Google Analytics to Google Ads will no longer be possible. Similarly, geolocation and information on previous sites will be less accurate. To comply with the CNIL’s instructions, additional measures are necessary when setting up Google Analytics 4. In particular, GA4 can only be used for audience measurement, which yields data on sessions, the number of users, etc. In summary, although the CNIL initially deemed the use of Google Analytics illegal, solutions have been found to allow the legal use of this tool while respecting GDPR. However, this solution remains somewhat restrictive in terms of setup (server-side tracking must be implemented) and precision of data collection.
July 2023 – New EU/US Framework for Data Protection
On July 10, 2023, a new chapter was written in the saga of data protection. The European Commission gave its seal of approval to the EU/US data protection framework, recognizing it as a safe harbor for personal data transfers from the EU to participating American companies.
The fine print reveals that Uncle Sam’s national security safeguards apply to all data transfers under the GDPR to US companies, regardless of the transfer mechanism used. It’s like a security blanket, covering not just the main body but also the fringes, making it easier to use other tools such as standard contractual clauses and binding corporate rules.
In a nutshell, it’s like a game of data protection Monopoly – we’ve gone back to ‘Go’ with a new Privacy Shield, now called the Data Privacy Framework. With the US now considered adequate for data transfers, companies within this framework can open their digital arms wide to receive personal data from European citizens. It’s a bit like a welcome party, but for data!
Companies joining the agreements
As mentioned earlier, to be eligible to receive personal data, an American company must be within the Data Privacy Framework. It’s like getting an exclusive membership to a very private digital club. You can find a complete list of participating organizations in the following directory: https://www.dataprivacyframework.gov/s/participant-search
Notable members of this club include big names like Google, Meta, Microsoft, and SalesForce.
July 2023 – NOYB’s Response
NOYB, the association founded by Max Schrems, the guy who sent the Privacy Shield packing, didn’t waste any time in reacting to this new agreement. They’ve called it a carbon copy of the Privacy Shield. NOYB believes that the transfer of personal data could be the equivalent of rolling out a red carpet for mass surveillance of European citizens by American intelligence agencies.
The association is gearing up to challenge this new agreement before the Court of Justice of the European Union (CJEU) by the end of 2023 or 2024, like a boxer preparing for a rematch. Max Schrems himself said, “We have several challenge options ready, although we’re tired of this legal ping-pong. We expect this to bounce back to the court early next year.”
If businesses are looking for stability, it seems to be playing hide and seek. We should probably brace ourselves for a rollercoaster of validations and invalidations over the years…
What should we do with Google Analytics (and others)?
In this uncertain climate, agility is key! But we can’t keep hopping from one analytics tool to another every two years as if we’re in a legal obstacle course.
For businesses that have opted for a third-party solution and are happy with it, there’s no reason to change. For those who have stuck with GA4 over the past year and a half, the threat of CNIL’s formal notice seems to be receding. But does this mean we should go back to business as usual and potentially face a new ban in a few months or years? I think it’s time to show responsibility and ethics in data collection, and proxyfication seems to be a good compromise.
With CNIL’s official recommendations now out of the picture (the article has even been deleted), each company can adjust its own variables according to its context. Do we really need to send a user’s IP address, or their hardware data (which is used for fingerprinting)? These decisions can be made with server-side tracking, helping us weather the upcoming storms.
While the new Data Privacy Framework brings clarity and a breath of fresh air for businesses using American tools and transferring data across the Atlantic, including Google Analytics, it’s not an infallible solution. In this fluctuating context, agility remains key, as does caution and responsibility when transferring data from your own users.